Unable to perform zap spider scan using zap-java-api

0
votes

I'm trying to run spider scan for target url using the zap-java-api. Please find the below code i got online.

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

public class SimpleExample {

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8500;
    private static final String ZAP_API_KEY =
            "q0tgadu0fperhi21q0870gc37"; // Change this if you have set the apikey in ZAP via Options / API

    private static final String TARGET = "https://demo.testfire.net/";

    public static void main(String[] args) {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);

        try {
            // Start spidering the target
            System.out.println("Spider : " + TARGET);
            // It's not necessary to pass the ZAP API key again, already set when creating the
            // ClientApi.
            ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);
            String scanid;
            int progress;

            // The scan now returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();

            // Poll the status until it completes
            while (true) {
                Thread.sleep(1000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.spider.status(scanid)).getValue());
                System.out.println("Spider progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Spider complete");

            // Give the passive scanner a chance to complete
            Thread.sleep(2000);

            System.out.println("Active scan : " + TARGET);
            resp = api.ascan.scan(TARGET, "True", "False", null, null, null);

            // The scan now returns a scan id to support concurrent scanning
            scanid = ((ApiResponseElement) resp).getValue();

            // Poll the status until it completes
            while (true) {
                Thread.sleep(5000);
                progress =
                        Integer.parseInt(
                                ((ApiResponseElement) api.ascan.status(scanid)).getValue());
                System.out.println("Active Scan progress : " + progress + "%");
                if (progress >= 100) {
                    break;
                }
            }
            System.out.println("Active Scan complete");

            System.out.println("Alerts:");
            System.out.println(new String(api.core.xmlreport()));

        } catch (Exception e) {
            System.out.println("Exception : " + e.getMessage());
            e.printStackTrace();
        }
    }
}

I keep getting this below exception:

Spider : https://demo.testfire.net/
Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
    at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:350)
    at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:331)
    at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:239)
    at com_test.SimpleExample.main(SimpleExample.java:24)
Caused by: java.net.SocketException: Unexpected end of file from server
    at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at java.net.HttpURLConnection.getResponseCode(Unknown Source)
    at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:361)
    at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:348)
    ... 3 more

I'm not sure what else to pass inside the spider scan except target url. hence passing it as null.

ApiResponse resp = api.spider.scan(TARGET, null, null, null, null);

All i'm trying to do is run spider scan for target url and generate html & xml report through zap-java-api. Any working example on this would be really helpful. Thanks in advance.

2
javazap

2 Answers

0
votes

Thats an indication that ZAP has blocked your API call. Is the API enabled in ZAP? Are you using the correct API key?

You can look in the zap.log file which may well have more info: https://github.com/zaproxy/zaproxy/wiki/FAQlogging

0
votes

This error message...

Exception : java.net.SocketException: Unexpected end of file from server
org.zaproxy.clientapi.core.ClientApiException: java.net.SocketException: Unexpected end of file from server
    at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:350)

...implies that the remote server though accepted the connection but closed the connection without sending a response.

Reasons

There can be many reasons behind this error and some of them are as follows:

  • Possibly the remote system is too busy to handle the request, so dropping the connection.
  • There may be missing/invalid header values in the request which causes an internal error and the server closes the connection instead of sending a HTTP error response normally as it should.
  • There may be a network delay and due to that the application randomly drops connections.

I don't see any such issue in your code block. However I suspect all the API settings are not properly enabled.

Solution

Ensure that all the API settings are enabled within the tool (ZAP -> Tool -> Options -> API):

ZAP_API_enable