ZAP CLI active scan from session files - zap

Background: I created session files with the daemon in headless mode by running ZAP OWASP as a proxy on the server itself (so I get an exhaustive test by our teams of testers without asking all of them to change their proxy settings).
Now, after copying those session files back to my computer, I can open the GUI, do File -> Open Session
This adds my website and all the targets.
I can now right click on it and do "attack -> active scan".
So the question is:
=> How do I do the same from CLI ? ie: run an "active scan" on CLI based on those session files ?
In case it might help, the end goal is to:
run the daemon regularly on our test environment to populate session files
use those sessions files in our CI/CD
ps: this is kind of a duplicate of How to pass zap session files to dockerized zap scanner? , but because the question was vague, there were no answers.

Of course, I found part of the solution shortly after asking the question...
In short, launch zap in headless and launch the scan from cli after loading the session
# Launch zap:
docker run --rm --name zap -u zap -p 8080:8080 -v "$(pwd)/reports":/zap/reports/:rw -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true
# Load the session (assuming the session was copied to $(pwd)/reports)
docker exec zap zap-cli session load /zap/reports/session/session.session
# Launch the scan:
docker exec zap zap-cli --verbose active-scan https://<MYSITE>
However, running from GUI, this active scan takes a long time (more than 30min) and scans all urls; while the CLI scan seems to only scan the https:// and exits

Related

Change Master Password on Payara/Glassfish Server

Background: I need to change the payara-server master-password. According to the docs the master-password must match the password in the keystore & truststore for the SSL Certificates to work properly. To make my website run on https instead of http.
I got Payara-Server running in a Docker Container through the guide:
I tried to change the payaradomain master-password, but I get an acyclic error.
1. made sure the payara-domain isn't running.
- ./asadmin stop-domain --force=true payaradomain
When I run this command, instead domain1 gets killed. & then kicked out of the docker container:
./asadmin stop-domain --kill=true payaradomain
When I execute this command:
./asadmin list-domains
Response:
domain1 running
payaradomain not running
Command list-domains executed successfully.
Then tried command:
./asadmin stop-domain --force=true payaradomain
Response:
CLI306: Warning - The server located at /opt/payara41/glassfish/domains/payaradomain is not running.
I'm happy with that, but when I try:
./asadmin change-master-password payaradomain
I get this response:
Domain payaradomain at /opt/payara41/glassfish/domains/payaradomain is running. Stop it first.
I have attached the picture below: please help...
If you want to configure Payara server in docker, including the master password, you should do it by creating your own docker image by extending the default Payara docker image. This is the simplest Dockerfile:
FROM payara/server-full
# specify a new master password "newpassword" instead of the default password "changeit"
RUN echo 'AS_ADMIN_MASTERPASSWORD=changeit\nAS_ADMIN_NEWMASTERPASSWORD=newpassword' >> /opt/masterpwdfile
# execute asadmin command to apply the new master password
RUN ${PAYARA_PATH}/bin/asadmin change-master-password --passwordfile=/opt/masterpwdfile payaradomain
Then you can build your custom docker image with:
docker build -t my-payara/server-full .
And then run my-payara/server-full instead of payara/server-full.
Also note that with the default Payara docker image, you should specify the PAYARA_DOMAIN variable to run payaradomain instead of domain1, such as:
docker run --env PAYARA_DOMAIN=payaradomain payara/server-full
The sample Dockerfile above redefines this variable so that payaradomain is used by default, without need to specify it when running the container.
Alternative way to change master password
You cn alternatively run the docker image without running Payara Server. Instead, you can run bash shell first, perform necessary commands in the console and the run the server from the shell.
To do that, you would run the docker image with:
docker run -t -i --entrypoint /bin/bash payara/server-full
The downside of this approach is that the docker container runs in foreground and if you restart it then payara server has to be started again manually, so it's really only for testing purposes.
The reason you get the messages saying payaradomain is running is because you have started domain1. payaradomain and domain1 use the same ports and the check to see if a domain is running looks to see if the admin port for a given domain are in use.
In order to change the master password you must either have both domains stopped or change the admin port for payaradomain.
instead of echoing passwords in the dockerfile it is safer to COPY a file during build containing the passwords and remove that when the build is finished.

Not able to open the deck UI for spinnaker

I installed spinnaker using the command
bash <(curl --silent https://spinnaker.bintray.com/scripts/InstallSpinnaker.sh)
on a local ubuntu machine.
After installation I am not able to connect to the Deck UI of spinnaker using URL: http://localhost:9000
Check logs in /var/log/apache2 for errors, and /etc/apache2/ports.conf to see if it is is listening on 127.0.0.1:9000
The install script should have made those changes for you, but maybe you had a permissions issue or some other kind of local system policy preventing the installation from working properly.

CentOS7: Are you trying to connect to a TLS-enabled daemon without TLS?

I've installed Docker on CentOS7, now I try to launch the server in a Docker container.
$ docker run -d --name "openshift-origin" --net=host --privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp/openshift:/tmp/openshift \
openshift/origin start
This is the output:
Post http:///var/run/docker.sock/v1.19/containers/create?name=openshift-origin: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?
I have tried the same command with sudo and that works fine (I can also run images in OpenShift bash etc.) But it feels wrong to use it, am I right? What is a solution to let is work as normal user?
Docker is running (sudo service docker start). Restarting the CentOS did not help.
The error is:
/var/run/docker.sock: permission denied.
That seems pretty clear: the permissions on the Docker socket at /var/run/docker.sock do not permit you to access it. This is reasonably common, because handing someone acccess to the Docker API is effectively the same as giving them sudo privileges, but without any sort of auditing.
If you are the only person using your system, you can:
Create a docker group or similar if one does not already exist.
Make yourself a member of the docker group
Modify the startup configuration of the docker daemon to make the socket owned by that group by adding -G docker to the options. You'll probably want to edit /etc/sysconfig/docker to make this change, unless it's already configured that way.
With these changes in place, you should be able to access docker from your user account with requiring sudo.

Docker: What is the simplest way to secure a private registry?

Our Docker images ship closed sources, we need to store them somewhere safe, using own private docker registry.
We search the simplest way to deploy a private docker registry with a simple authentication layer.
I found :
this manual way http://www.activestate.com/blog/2014/01/deploying-your-own-private-docker-registry
and the shipyard/docker-private-registry docker image based on stackbrew/registry and adding basic auth via Nginx - https://github.com/shipyard/docker-private-registry
I think use shipyard/docker-private-registry, but is there one another best way?
I'm still learning how to run and use Docker, consider this an idea:
# Run the registry on the server, allow only localhost connection
docker run -p 127.0.0.1:5000:5000 registry
# On the client, setup ssh tunneling
ssh -N -L 5000:localhost:5000 user#server
The registry is then accessible at localhost:5000, authentication is done through ssh that you probably already know and use.
Sources:
https://blog.codecentric.de/en/2014/02/docker-registry-run-private-docker-image-repository/
https://docs.docker.com/userguide/dockerlinks/
You can also use an Nginx front-end with a Basic Auth and an SSL certificate.
Regarding the SSL certificate I have tried couple of hours to have a working self-signed certificate but Docker wasn't able to work with the registry. To solve this I have a free signed certificate which work perfectly. (I have used StartSSL but there are others).
Also be careful when generating the certificate. If you want to have the registry running at the URL registry.damienroch.com, you must give this URL with the sub-domain otherwise it's not going to work.
You can perform all this setup using Docker and my nginx-proxy image (See the README on Github: https://github.com/zedtux/nginx-proxy).
This means that in the case you have installed nginx using the distribution package manager, you will replace it by a containerised nginx.
Place your certificate (.crt and .key files) on your server in a folder (I'm using /etc/docker/nginx/ssl/ and the certificate names are private-registry.crt and private-registry.key)
Generate a .htpasswd file and upload it on your server (I'm using /etc/docker/nginx/htpasswd/ and the filename is accounts.htpasswd)
Create a folder where the images will be stored (I'm using /etc/docker/registry/)
Using docker run my nginx-proxy image
Run the docker registry with some environment variable that nginx-proxy will use to configure itself.
Here is an example of the commands to run for the previous steps:
sudo docker run -d --name nginx -p 80:80 -p 443:443 -v /etc/docker/nginx/ssl/:/etc/nginx/ssl/ -v /var/run/docker.sock:/tmp/docker.sock -v /etc/docker/nginx/htpasswd/:/etc/nginx/htpasswd/ zedtux/nginx-proxy:latest
sudo docker run -d --name registry -e VIRTUAL_HOST=registry.damienroch.com -e MAX_UPLOAD_SIZE=0 -e SSL_FILENAME=private-registry -e HTPASSWD_FILENAME=accounts -e DOCKER_REGISTRY=true -v /etc/docker/registry/data/:/tmp/registry registry
The first line starts nginx and the second one the registry. It's important to do it in this order.
When both are up and running you should be able to login with:
docker login https://registry.damienroch.com
I have create an almost ready to use but certainly ready to function setup for running a docker-registry: https://github.com/kwk/docker-registry-setup .
Maybe it helps.
Everything (Registry, Auth server, and LDAP server) is running in containers which makes parts replacable as soon as you're ready to. The setup is fully configured to make it easy to get started. There're even demo certificates for HTTPs but they should be replaced at some point.
If you don't want LDAP authentication but simple static authentication you can disable it in auth/config/config.yml and put in your own combination of usernames and hashed passwords.

Allowing Apache on EC2 to run sudo commands via CGI script

I have an Amazon (AMI) Linux EC2 instance running on AWS. I'm create a perl script that will create directories when it is called through a web url (CGI script).
However, because the browser is executing the script, the user apache is running the perl script. Because apache is not allowed to do mkdir command without using sudo none of the directories are being created.
I've modified the scripts permissions to execute (755) via the browser, however none of the mkdir commands work.
I even tried using the sudo command within the perl script, but I have no luck. However, all of the non sudo commands work such as 'cd' etc.
If anyone knows how to resolve this issue I would appreciate it.
I've found the answer through searching.
The first thing you need to do is disable tty for the current user.. my web browser executes anything as the user 'apache' on the server.
So in my /etc/sudoers file i added
Defaults:apache !requiretty
Also i created a list of commands that I want apache to use without requiring the sudo password
Cmnd_Alias APACHE = /bin/mkdir, /bin/rmdir
apache ALL=(ALL) NOPASSWD: APACHE
This allows only certain sudo commands to execute on my web server without requring the password.
NOTE: only open the /etc/sudoers file using the visudo command... DO NOT open it using just regular vim or nano because if you save it and theres an error it will **** your machine up and you may have to create a whole new server because any sudo commands wont execute.
u can specify your editor using visudo.. e.g
EDITOR=nano visudo