2017-08-08 120 views
0

I am trying to scan a project automatically with OWASP ZAP to identify security vulnerabilities, following the article below. In the automation Python script for OWASP ZAP against the application, I get an error on the line shown below:

https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html

The line where I get the error:

    zap.spider.scan(target)

Script source:

https://github.com/zaproxy/zaproxy/wiki/ApiPython

The code I am using:

#!/usr/bin/env python

import time
from pprint import pprint
from zapv2 import ZAPv2

# Here the target is defined and an instance of ZAP is created.
target = 'http://google.com/'
zap = ZAPv2()

# Use the line below if ZAP is not listening on 8090.
# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:9090'})

# ZAP starts accessing the target.
print('Accessing target %s' % target)
zap.urlopen(target)
time.sleep(2)

# The spider starts crawling the website for URLs.
print('Spidering target %s' % target)
zap.spider.scan(target)

# Progress of the spider (status() is a method on the zapv2 client, not an attribute).
time.sleep(2)
print('Status %s' % zap.spider.status())
while int(zap.spider.status()) < 100:
    print('Spider progress %: ' + zap.spider.status())
    time.sleep(400)

print('Spider completed')

# Give the passive scanner a chance to finish.
time.sleep(5)

# The active scan starts.
print('Scanning target %s' % target)
zap.ascan.scan(target)
while int(zap.ascan.status()) < 100:
    print('Scan progress %: ' + zap.ascan.status())
    time.sleep(600)

print('Scan completed')

# Report the results.
print('Hosts: ' + ', '.join(zap.core.hosts))
print('Alerts: ')
pprint(zap.core.alerts())

The error I get:

    [email protected]:~/.jenkins/workspace/zap# python website-scan.py
    Accessing target http://google.com/
    Spidering target http://google.com/
    Traceback (most recent call last):
      File "website-scan.py", line 21, in <module>
        zap.spider.scan(target)
      File "build/bdist.linux-x86_64/egg/zapv2/spider.py", line 189, in scan
        return six.next(six.itervalues(self.zap._request(self.zap.base + 'spider/action/scan/', params)))
      File "build/bdist.linux-x86_64/egg/zapv2/__init__.py", line 158, in _request
      File "/usr/lib/python2.7/dist-packages/requests/models.py", line 850, in json
        return complexjson.loads(self.text, **kwargs)
      File "/usr/lib/python2.7/dist-packages/simplejson/__init__.py", line 516, in loads
        return _default_decoder.decode(s)
      File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 374, in decode
        obj, end = self.raw_decode(s)
      File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 404, in raw_decode
        return self.scan_once(s, idx=_w(s, idx).end())
    simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)


Please let me know if I have missed anything.

Answer

1

http://google.com/ will redirect to something like https://google.com/, so you need to use that instead.

By the way, do you actually have permission to attack google.com?

Which ZAP version are you using, and how are you starting it?

From ZAP 2.6.0, by default you will need to use an API key, and you can only connect from localhost. The script on the page you linked to has been updated to use an API key (https://github.com/zaproxy/zaproxy/wiki/ApiPython).

If you don't want to use an API key, or you need to connect from a remote machine, then see this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQapikey
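To show what the JSONDecodeError in the question actually means (ZAP replied with something other than JSON, typically because the key is missing or wrong, the proxy address is wrong, or the caller is not an allowed host), here is an added example that is not the page's code nor the zapv2 client: it calls the ZAP REST API with the standard library, sends the API key the answer mentions as a query parameter, and turns a non-JSON reply into an error that names the usual causes. Assumed: the `/JSON/<component>/<action|view>/<name>/` URL layout, that ZAP reports API-level errors as a JSON object with `code` and `message` fields, and placeholder base address and key.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class ZapApiError(RuntimeError):
    """ZAP answered, but not with the JSON result the caller expected."""


def build_zap_url(base, component, kind, name, params=None, apikey=None):
    """URL for one REST call, e.g. <base>/JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params or {})
    if apikey:  # the key travels in the query string (assumed; matches the zapv2 client)
        query['apikey'] = apikey
    url = '%s/JSON/%s/%s/%s/' % (base.rstrip('/'), component, kind, name)
    return url + ('?' + urlencode(query) if query else '')


def parse_zap_response(status, body):
    """Decode a raw reply; raise ZapApiError with a hint instead of a bare JSONDecodeError."""
    text = body.decode('utf-8', 'replace') if isinstance(body, bytes) else body
    try:
        data = json.loads(text)
    except ValueError:
        snippet = text.strip()[:120] or '<empty body>'
        raise ZapApiError(
            'HTTP %s with a non-JSON body %r: check that ZAP listens at the proxy '
            'address you configured, that the API key is correct (required by '
            'default since ZAP 2.6.0) and that this host is allowed to connect.'
            % (status, snippet))
    # API-level failures come back as an object with "code" and "message" (assumed shape).
    if status != 200 or (isinstance(data, dict) and {'code', 'message'} <= set(data)):
        detail = data if not isinstance(data, dict) else '%s: %s' % (
            data.get('code', '?'), data.get('message', ''))
        raise ZapApiError('HTTP %s, ZAP API error: %s' % (status, detail))
    return data


def zap_call(base, component, kind, name, params=None, apikey=None, timeout=30):
    """One live API call, e.g. zap_call(base, 'spider', 'action', 'scan', {'url': target}, key)."""
    url = build_zap_url(base, component, kind, name, params, apikey)
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return parse_zap_response(resp.status, resp.read())
    except HTTPError as err:  # 4xx/5xx replies still carry a body worth diagnosing
        return parse_zap_response(err.code, err.read())
```

Only `zap_call` needs a running ZAP; `build_zap_url` and `parse_zap_response` can be exercised offline with constructed replies, which is how the failure in the question can be reproduced without a scanner.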

+0

It is not because of the https protocol.. I had tried it on my own website, but when it didn't work I tried it on google. Yes, you are right, I should not point it at google –

+0

I have added the image with the error... can you tell me what the reason might be? Do you need any additional information to debug the issue –

+0

@SimonBennets - can you guide: - https://security.stackexchange.com/questions/167105/how-to-run-owsap-zap-automatically-using-command-line-operationsi-e-jenkins –