Closed
🐞 Bug report
Describe the bug
Steps To Reproduce
- Create a separate namespace:
  ```shell
  kubectl create namespace juiceshop
  ```
- Install OWASP juice-shop:
  ```shell
  helm upgrade --install juice-shop secureCodeBox/juice-shop -n juiceshop
  ```
- Install zap-advanced:
  ```shell
  helm upgrade --install zap-advanced secureCodeBox/zap-advanced -n juiceshop
  ```
- Apply the demo-juiceshop-scan-authenticated scan and update the service name and namespace beforehand:
  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: zap-advanced-scan-config
    namespace: juiceshop
  data:
    2-zap-advanced-scan.yaml: |-
      contexts:
        - name: scb-juiceshop-context
          url: http://juice-shop.juiceshop.svc:3000/
      ...
  ```
- Inspect the logs of the scanner container
Expected behavior
The scanner should not fail and generate the findings.
System
- secureCodeBox: 3.0.1
- OS: macOS
- Kubernetes Version: v1.22.0 (client), v1.21.2 (server)
- Docker Version: 20.10.8
Screenshots / Logs
ZAP logs

```
2021-08-27 09:37 zapclient INFO : :: Configuring ZAP Instance with {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}
2021-08-27 09:37 zapclient INFO : :: Starting SCB ZAP Automation Framework with config /home/securecodebox/configs/
2021-08-27 09:37 ZapClient INFO : Importing YAML files for ZAP configuration at dir: '['/home/securecodebox/configs/1-zap-advanced-scantype.yaml', '/home/securecodebox/configs/2-zap-advanced-scan.yaml']'
2021-08-27 09:37 zapclient INFO : :: Starting SCB ZAP Scan with target http://juice-shop.juiceshop.svc:3000/
2021-08-27 09:37 ZapClient INFO : Configuring ZAP Global
2021-08-27 09:37 ZapConfigureSettings INFO : Creating a new ZAP session with the name: secureCodeBox
2021-08-27 09:37 ZapClient INFO : Configuring ZAP Context
2021-08-27 09:37 ZapConfigureContext INFO : Existing Contexts will be removed: ['Default Context']
2021-08-27 09:37 ZapConfigureContext INFO : Configuring a new ZAP Context with name: scb-juiceshop-context
2021-08-27 09:37 ZapConfigureContextAuthentication INFO : HTTP ZAP HTTP JSON Params: 'loginUrl=http://juice-shop.juiceshop.svc:3000/rest/user/login&loginRequestData={"email":"[email protected]","password":"admin123"}'
2021-08-27 09:37 ZapConfigureContext INFO : Existing Users will be removed before adding new ones.
2021-08-27 09:37 ZapConfigureContext INFO : Configuring the ZAP session management (type=scriptBasedSessionManagement)
2021-08-27 09:37 ZapClient INFO : Loading new Script 'juiceshop-session-management.js' at '/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js' with type: 'session' and engine 'Oracle Nashorn'
2021-08-27 09:37 ZapClient ERROR : The script couldn't be loaded due to errors!
2021-08-27 09:37 zapclient ERROR : Unexpected error: The script couldn't be loaded due to errors!
Traceback (most recent call last):
  File "/zap-client/zapclient/__main__.py", line 64, in process
    zap_automation.scan_target(target=args.target)
  File "/zap-client/zapclient/zap_automation.py", line 84, in scan_target
    zap_context.configure_contexts()
  File "/zap-client/zapclient/context/zap_context.py", line 64, in configure_contexts
    self._configure_context(context)
  File "/zap-client/zapclient/context/zap_context.py", line 97, in _configure_context
    self._configure_context_session_management(sessions_config=context["session"], context_id=context_id)
  File "/zap-client/zapclient/context/zap_context.py", line 229, in _configure_context_session_management
    self._configure_context_session_management_scriptbased(script_config=script_config, context_id=context_id)
  File "/zap-client/zapclient/context/zap_context.py", line 245, in _configure_context_session_management_scriptbased
    self._configure_load_script(script_config=script_config, script_type="session")
  File "/zap-client/zapclient/zap_abstract_client.py", line 115, in _configure_load_script
    self.check_zap_result(
  File "/zap-client/zapclient/zap_abstract_client.py", line 71, in check_zap_result
    raise Exception(exception_message)
Exception: The script couldn't be loaded due to errors!
2021-08-27 09:37 ZapClient INFO : :: Show all Statistics
2021-08-27 09:37 ZapClient INFO : []
2021-08-27 09:37 ZapClient INFO : :: Shutting down the running ZAP Instance.
```
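An added triage helper, not part of the bug report or of the secureCodeBox code base: it parses zap-advanced scanner log output in the format quoted above (the sample lines below are constructed to match that format) and returns which ZAP script load was followed by an error, so a failed authenticated scan can be flagged from the logs without reading the full traceback.

```python
import re
from typing import Optional

# Constructed sample, mirroring the log format of the zap-advanced scanner
# container; not captured from a live run.
SAMPLE_LOG = """\
2021-08-27 09:37 ZapConfigureContext INFO : Configuring the ZAP session management (type=scriptBasedSessionManagement)
2021-08-27 09:37 ZapClient INFO : Loading new Script 'juiceshop-session-management.js' at '/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js' with type: 'session' and engine 'Oracle Nashorn'
2021-08-27 09:37 ZapClient ERROR : The script couldn't be loaded due to errors!
2021-08-27 09:37 zapclient ERROR : Unexpected error: The script couldn't be loaded due to errors!
"""

# "<date> <time> <logger> <LEVEL> : <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<logger>\S+) (?P<level>\S+) : (?P<msg>.*)$")
# The zapclient line announcing a script load; the groups name the script.
LOAD_RE = re.compile(
    r"Loading new Script '(?P<name>[^']+)' at '(?P<path>[^']+)' "
    r"with type: '(?P<type>[^']+)' and engine '(?P<engine>[^']+)'"
)


def find_script_load_failure(log_text: str) -> Optional[dict]:
    """Return name/path/type/engine/error of the first script load that is
    immediately followed by an ERROR line, or None if every load succeeded."""
    pending = None  # details of the most recent load still awaiting a verdict
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # traceback lines and other non-log text
        level, msg = m.group("level"), m.group("msg")
        load = LOAD_RE.search(msg)
        if load:
            pending = load.groupdict()
            continue
        if pending and level == "ERROR":
            pending["error"] = msg
            return pending
        pending = None  # a non-error line after the load means it succeeded
    return None


if __name__ == "__main__":
    failure = find_script_load_failure(SAMPLE_LOG)
    if failure:
        print(f"script load failed: {failure['name']} ({failure['engine']}): {failure['error']}")
    else:
        print("no script load failure found")
```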