Grunny/zap-cli

Connection aborted

Closed this issue · 5 comments

Hello,

In attempting to run zap-cli from Ubuntu, I am receiving connection errors according to the following:

zap-cli quick-scan --self-contained --spider -r -s xss http://127.0.0.1
[INFO] Starting ZAP daemon
[WARNING] ZAP is already running on port 8090
[INFO] Running a quick scan for http://127.0.0.1
Traceback (most recent call last):
  File "/home/osboxes/.local/bin/zap-cli", line 11, in <module>
    sys.exit(cli())
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 664, in __call__
    return self.main(*args, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 644, in main
    rv = self.invoke(ctx)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 991, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 837, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/decorators.py", line 26, in new_func
    return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/click/core.py", line 464, in invoke
    return callback(*args, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapcli/cli.py", line 281, in quick_scan
    zap_helper.set_enabled_scanners(options['scanners'])
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapcli/zap_helper.py", line 295, in set_enabled_scanners
    self.zap.ascan.disable_all_scanners(apikey=self.api_key)
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapv2/ascan.py", line 275, in disable_all_scanners
    return next(self.zap._request(self.zap.base + 'ascan/action/disableAllScanners/', params).itervalues())
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapv2/__init__.py", line 155, in _request
    return self._request_api(url, get).json()
  File "/home/osboxes/.local/lib/python2.7/site-packages/zapv2/__init__.py", line 145, in _request_api
    return self.session.get(url, params=query, proxies=self.__proxies, verify=False)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/home/osboxes/.local/lib/python2.7/site-packages/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

In researching this issue, it appears to be a problem with Python, specifically with Python 2.7. I have tried using the recommended solution of Python3. This has not worked.

Has anyone else experienced this issue and are there any steps to try to troubleshoot so that I may use the zap-cli tool properly?

Thanks.

Changing the version of Python to 3.5 does not work, as there appears to be a bug in ZAP that causes it to not install/configure correctly when using Python 3.5.

Traceback (most recent call last):
  File "/home/osboxes/.local/bin/zap-cli", line 7, in <module>
    from zapcli.cli import cli
  File "/home/osboxes/.local/lib/python3.5/site-packages/zapcli/cli.py", line 15, in <module>
    from zapcli.zap_helper import ZAPHelper
  File "/home/osboxes/.local/lib/python3.5/site-packages/zapcli/zap_helper.py", line 16, in <module>
    from zapv2 import ZAPv2
  File "/home/osboxes/.local/lib/python3.5/site-packages/zapv2/__init__.py", line 27, in <module>
    from acsrf import acsrf
ImportError: No module named 'acsrf'

https://groups.google.com/forum/#!topic/zaproxy-users/pWaukbxtG-M

Hi @benpick! Sorry you've run into issues installing zap-cli. Yeah, the official Python ZAP API client does not currently support Python 3, but hopefully will soon.

Can you tell me the version of Ubuntu, Python 2.7, and OWASP ZAP that you are running? And are you installing it globally or within a virtualenv?

I am currently running Ubuntu 16.04.2 with Python 2.7.12 and OWASP ZAP 2.6.0 and cannot reproduce the issue.

Hi @Grunny. Thank you for the quick response.

The tools I am using are:
Ubuntu 16.10
Python 2.7.12
OWASP ZAP 2.6.0
Java version 1.8.0_121

I will try to downgrade Ubuntu and see if that resolves the issue.
As a point of reference, below is the zap-cli command I am running and the initial output before the errors above occur:

zap-cli quick-scan --self-contained --spider -r -s xss http://127.0.0.1/
[INFO] Starting ZAP daemon
[WARNING] ZAP is already running on port 8090
[INFO] Running a quick scan for http://127.0.0.1/
Traceback (most recent call last):
  File "/home/osboxes/.local/bin/zap-cli", line 11, in <module>

I have also used a target web application box in my local network and https://google-gruyere.appspot.com/ as sanity checks. These have all received this error.

Ah ha, I think I can reproduce that exact error by unsetting the API key. As of ZAP 2.6.0, an API key is required for all requests to ZAP, not just the state changing requests, and it closes the connection if it's missing (I'll try to see if we can handle that error better in zap-cli so users know what is probably happening).

You should be able to fix it by setting the environment variable ZAP_API_KEY to whatever ZAP's API key is, i.e. export ZAP_API_KEY=my-zap-api-key-here. You can also pass it to the command line directly, but the environment variable stops you needing to provide it every time.

Let me know if that fixes your issue @benpick. :)

Thank you so much for your help. That has resolved the issue.
The cli I am working with is now:

zap-cli --port 8099 --api-key 12345 quick-scan --self-contained -o '-config api.key=12345' --spider -r -s xss http://127.0.0.1/

Part of the problem is that the environment had a daemon of ZAP started on the default port. I needed to use an entirely different port, otherwise the api-key would not match with the default.
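Added example, not part of the thread and not zap-cli's own code: a Python 3 preflight check that separates "nothing is listening on this port" from "a daemon is listening but dropped the connection", the case diagnosed above as a missing or mismatched API key. It assumes the ZAP API is reachable directly at /JSON/core/view/version/ with an apikey query parameter; check_zap_api and fake_zap are hypothetical names, and fake_zap is a constructed stand-in for a daemon that closes the socket on a bad key.

```python
import http.client
import json
import os
import socket
import threading
from urllib.parse import parse_qs, quote, urlsplit

def check_zap_api(port, api_key=None, host="127.0.0.1", timeout=5):
    """Return 'ok', 'key-rejected', 'not-running' or 'unexpected'."""
    if api_key is None:  # same fallback the thread recommends
        api_key = os.environ.get("ZAP_API_KEY", "")
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Assumed endpoint: a read-only view, which also needs the key as of 2.6.0.
        conn.request("GET", "/JSON/core/view/version/?apikey=" + quote(api_key))
        resp = conn.getresponse()
        body = resp.read()
    except ConnectionRefusedError:
        return "not-running"   # no daemon on this port
    except (http.client.BadStatusLine, ConnectionResetError):
        return "key-rejected"  # socket closed with no status line, as in the traceback
    except OSError:
        return "unexpected"    # timeout, unreachable host, ...
    finally:
        conn.close()
    try:
        ok = resp.status == 200 and "version" in json.loads(body)
    except (ValueError, TypeError):
        ok = False
    return "ok" if ok else "unexpected"

def fake_zap(expected_key):
    """Constructed stand-in daemon: answers only when the key matches,
    otherwise closes the connection silently. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            client, _ = srv.accept()
            target = client.recv(4096).split(b" ")[1].decode()
            key = parse_qs(urlsplit(target).query).get("apikey", [""])[0]
            if key == expected_key:
                body = b'{"version": "2.6.0"}'
                client.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                               % (len(body), body))
            client.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Running check_zap_api against the port of an already-running daemon before a scan shows whether the key being passed is the one that daemon was started with.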