
Script based authentication unable to load authentication script file


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: zap-plugin
    • Labels: None
    • Environment: Jenkins Version: Jenkins ver. 2.121.1
      Latest - zap-plugin
      Windows 7 x64
      ZAP - Weekly Build : ZAP_D-2019-01-28

    Description

      Trying to use the Script-based authentication for zap-plugin to scan a site.

      I created the JavaScript-based authentication script and saved it using the GUI.

      Created a Jenkins job to use the official OWASP ZAP plugin.

      In the configuration I was able to find the authentication script in the drop-down list and was able to configure and save successfully.

      When running the job, I get an error that it is unable to load the script, with the following stack trace:


      [ZAP Jenkins Plugin] LOAD SCRIPT FOR AUTHENTICATION
      5428 [ZAP-ProxyThread-6] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable to find script while loading Script Based Authentication Method for name: MyAuth.js
      5430 [ZAP-ProxyThread-6] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/xml/authentication/action/setAuthenticationMethod/] from [127.0.0.1]:
      No script with the provided name has been found (script_not_found) : MyAuth.js
      at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType$1.handleAction(ScriptBasedAuthenticationMethodType.java:751)
      at org.zaproxy.zap.extension.authentication.AuthenticationAPI.handleApiAction(AuthenticationAPI.java:179)
      at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:449)
      at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:456)
      at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:318)
      at java.lang.Thread.run(Unknown Source)
      ERROR: org.zaproxy.clientapi.core.ClientApiException: No script with the provided name has been found
      at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(ApiResponseFactory.java:32)
      at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:312)
      at org.zaproxy.clientapi.gen.Authentication.setAuthenticationMethod(Authentication.java:78)
      at org.jenkinsci.plugins.zap.ZAPDriver.setUpScriptBasedAuth(ZAPDriver.java:1526)
      at org.jenkinsci.plugins.zap.ZAPDriver.setUpAuthentication(ZAPDriver.java:1715)
      at org.jenkinsci.plugins.zap.ZAPDriver.executeZAP(ZAPDriver.java:1184)
      at org.jenkinsci.plugins.zap.ZAPBuilder$ZAPDriverCallable.invoke(ZAPBuilder.java:448)
      at org.jenkinsci.plugins.zap.ZAPBuilder$ZAPDriverCallable.invoke(ZAPBuilder.java:436)
      at hudson.FilePath.act(FilePath.java:1047)
      at hudson.FilePath.act(FilePath.java:1025)
      at org.jenkinsci.plugins.zap.ZAPBuilder.perform(ZAPBuilder.java:292)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
      at hudson.model.Build$BuildExecution.build(Build.java:206)
      at hudson.model.Build$BuildExecution.doRun(Build.java:163)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
      at hudson.model.Run.execute(Run.java:1794)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:429)

      [ZAP Jenkins Plugin] SHUTDOWN [ START ]


      Attachments

        Activity

          pexus Pradeep Nambiar added a comment - The same issue happens with the released version of ZAP 2.7.0 also.
          edunne e dunne added a comment - edited

          I hit exactly the same issue using Jenkins, the ZAP plugin and ZAP on CentOS.  This is a config issue that I was able to resolve (although I feel like the ZAP config should be smart enough to avoid this problem).

          I am on CentOS 7, running Jenkins 2.150.2, ZAP_2.7.0 and the official ZAP OWASP plugin 1.1.0.  We don't use ZAP independently as a stand-alone tool on the CentOS system (meaning I don't create ZAP scripts on that system).  Anyway....

          I'm putting in a comment as this was crazy frustrating (and the various google groups etc. had no relevant responses), so hopefully this helps.

          1. Using the custom tool installation as part of the job in Jenkins (if you follow the various instructions) will install the ZAP plugin in a location like this:

          /var/lib/jenkins/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/Zap_2.7.0/ZAP_2.7.0    <-- based on the ZAP global tool configuration (manage jenkins)

          However, you should kinda think of the above as a static directory that you don't mess with.  The first time you run a ZAP job it will create a .ZAP sub folder in the root Jenkins folder.  In my case it was

          /var/lib/jenkins/.ZAP   (remember this is hidden by default, so use ls -al to see the directory).

          After you create a ZAP auth script you need to drop the file into

          /var/lib/jenkins/.ZAP/scripts/scripts/authentication/

          Now set the ZAP home directory in the Jenkins job (the one you want to run ZAP in) to: /var/lib/jenkins/.ZAP

          It should find any file in /var/lib/jenkins/.ZAP/scripts/scripts/authentication/ as long as the file extension is .zst, and in the Jenkins job you should be able to select your authentication script now.

          HOWEVER.... you will STILL SEE the error associated with the bug above because ZAP doesn't seem smart enough to look into its own scripts/scripts/authentication directory.

          To fix that (and this is where I think ZAP needs to be smarter) you need to do the following.

          At the bottom of the config.xml found in the .ZAP directory (so for me this was /var/lib/jenkins/.ZAP/config.xml) you need to add something like the following (which is generated for you automatically if you use ZAP on Windows through the UI.... but which doesn't exist if you run it headless on a Linux box as part of a CI install).

          <script>
            <scripts>
              <name>myLoginScript.zst</name>
              <description/>
              <engine>Mozilla Zest</engine>
              <type>authentication</type>
              <enabled>true</enabled>
              <file>/var/lib/jenkins/.ZAP/scripts/scripts/authentication/myLoginScript.zst</file>
            </scripts>
          </script>
          ....
          </config>

          You obviously don't need the last config XML tag; I just added that to show I've put the script element just above it.

          Anyway as soon as we did that, the error went away and the script happily executed.

          Hope that helps.

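          A defender-side check for the registration gap the comment above describes: list the .zst files under the ZAP home's scripts/scripts/authentication/ directory, compare them with the <script><scripts> entries in config.xml, and append an entry for each one that is missing (the ones the ZAP API rejects with script_not_found). This is an added example, not the plugin's or ZAP's own code; the config.xml stub and script names are constructed, and it assumes ZAP's registry uses exactly the element shape quoted in the comment.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed stub of the <script> section ZAP keeps in config.xml.
SAMPLE_CONFIG = """<config><script><scripts>
<name>existing.zst</name><description/><engine>Mozilla Zest</engine>
<type>authentication</type><enabled>true</enabled>
<file>/var/lib/jenkins/.ZAP/scripts/scripts/authentication/existing.zst</file>
</scripts></script></config>"""
AUTH_SUBDIR = Path("scripts") / "scripts" / "authentication"

def registered_names(root):
    """Script names ZAP already knows about (config/script/scripts/name)."""
    return {s.findtext("name") for s in root.iterfind("script/scripts")}

def unregistered_auth_scripts(zap_home, root):
    """Scripts on disk that config.xml does not list (ZAP: script_not_found)."""
    known = registered_names(root)
    return sorted(p for p in (zap_home / AUTH_SUBDIR).glob("*.zst")
                  if p.name not in known)

def register(root, script_path, engine="Mozilla Zest"):
    """Append one <scripts> entry, creating the <script> section if absent."""
    section = root.find("script")
    if section is None:
        section = ET.SubElement(root, "script")
    entry = ET.SubElement(section, "scripts")
    for tag, text in (("name", script_path.name), ("description", None),
                      ("engine", engine), ("type", "authentication"),
                      ("enabled", "true"), ("file", str(script_path))):
        ET.SubElement(entry, tag).text = text

def fix_config(zap_home):
    """Register every unlisted auth script; returns the names added (idempotent)."""
    tree = ET.parse(zap_home / "config.xml")
    missing = unregistered_auth_scripts(zap_home, tree.getroot())
    for p in missing:
        register(tree.getroot(), p)
    tree.write(zap_home / "config.xml", encoding="UTF-8", xml_declaration=True)
    return [p.name for p in missing]

def demo():
    """Build a constructed ZAP home in a temp dir and run the fix twice."""
    home = Path(tempfile.mkdtemp()) / ".ZAP"
    (home / AUTH_SUBDIR).mkdir(parents=True)
    (home / "config.xml").write_text(SAMPLE_CONFIG)
    for name in ("existing.zst", "MyAuth.zst"):  # constructed placeholder files
        (home / AUTH_SUBDIR / name).write_text("")
    first, second = fix_config(home), fix_config(home)
    return first, second, sorted(registered_names(ET.parse(home / "config.xml").getroot()))
```

          Point fix_config at the real ZAP home (for example /var/lib/jenkins/.ZAP) while ZAP is not running, since ZAP rewrites config.xml on shutdown.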

          People

            Assignee: jordangs Goran Sarenkapa
            Reporter: pexus Pradeep Nambiar
            Votes: 0
            Watchers: 2
