Exclude URL in ZAP proxy scanning run as daemon - owasp

How can I exclude certain URLs from ZAP proxy scanning when starting it in daemon mode with the following command:
zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true
Is there any argument or config parameter I can set to exclude certain URLs?
I'm using official docker image owasp/zap2docker-stable:latest.

For anyone who has the same issue, the solution is to use the following argument in the start command:
-config globalexcludeurl.url_list.url.regex='^((?!http:\/\/example\.com\/).*)$'
In this example it will ignore all URLs except those that begin with http://example.com/.
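As an added check (example code written for this page, not from the original answer or from ZAP itself), the Python below builds the same kind of negative-lookahead exclusion regex, generalised from the answer's single prefix to a list of in-scope prefixes, formats it as the -config argument, and shows which URLs a scan started with it would ignore. The prefix list and the sample URLs are constructed for the example; the regex construct used (anchored negative lookahead) behaves the same under Java's regex engine, which ZAP uses, and Python's re module.

```python
import re
import shlex
from typing import Iterable, List, Tuple

# A ZAP globalexcludeurl.url_list.url.regex entry is matched against the full
# URL; a URL that matches is excluded from proxying and scanning.  The answer
# above inverts that with a negative lookahead so that everything that does
# NOT start with the in-scope prefix is excluded.


def build_exclude_regex(in_scope_prefixes: Iterable[str]) -> str:
    """Return a regex matching every URL that does NOT start with one of the
    given prefixes, i.e. everything ZAP should leave alone."""
    alternatives = "|".join(re.escape(p) for p in in_scope_prefixes)
    # Anchored at the start: a URL such as http://evil.test/?u=http://example.com/
    # must not slip into scope because the prefix appears later in the string.
    return rf"^(?!(?:{alternatives})).*$"


def zap_config_arg(regex: str) -> str:
    """Format the regex as the -config argument used on the zap.sh command
    line; shlex.quote adds the single quotes the shell needs."""
    return f"-config globalexcludeurl.url_list.url.regex={shlex.quote(regex)}"


def is_excluded(regex: str, url: str) -> bool:
    """True if ZAP would ignore this URL under the given exclusion regex."""
    return re.fullmatch(regex, url) is not None


def partition(regex: str, urls: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split URLs into (in scope, excluded) for a quick review before a scan."""
    scanned, excluded = [], []
    for url in urls:
        (excluded if is_excluded(regex, url) else scanned).append(url)
    return scanned, excluded


if __name__ == "__main__":
    # Constructed scope: keep the trailing slash, otherwise
    # http://example.com.evil.test/ would also count as in scope.
    regex = build_exclude_regex(["http://example.com/", "https://api.example.com/"])
    print(zap_config_arg(regex))
    sample_urls = [  # constructed sample traffic
        "http://example.com/login",
        "https://api.example.com/v1/users",
        "http://example.com.evil.test/",
        "http://evil.test/?u=http://example.com/",
        "http://other.test/",
    ]
    scanned, excluded = partition(regex, sample_urls)
    print("in scope:", scanned)
    print("excluded:", excluded)
```

Review the in-scope list before launching the daemon: a prefix without its trailing slash, or an unanchored pattern, silently widens the scope beyond the hosts you are authorised to test.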


Exporting https certificate fails with 'dotnet dev-certs' tool

I am trying to use the 'dotnet dev-certs' tool to export an https certificate to include with a Docker image. Right now I am using:
dotnet dev-certs https -v -ep $(HOME)\.aspnet\https -p <password>
and I get the error:
Exporting the certificate including the private key.
Writing exported certificate to path 'xxx\.aspnet\https'.
Failed writing the certificate to the target path
Exception message: Access to the path 'xxx\.aspnet\https' is denied.
An error ocurred exporting the certificate.
Exception message: Access to the path 'xxx\.aspnet\https' is denied.
There was an error exporting HTTPS developer certificate to a file.
The problem I see is that no matter what path I supply to export the certificate to I get the same 'Access to the path is denied' error. What am I missing? I know this command has been suggested in numerous places. But I cannot seem to get it to work.
Thank you.
The export path should specify a file, not a directory. This fixed the issue for me on Mac:
dotnet dev-certs https -v -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p <password>
For Ubuntu users:
install libnss3-tools:
sudo apt-get update -y
sudo apt-get install -y libnss3-tools
create the folder below, or verify that it already exists on the machine:
$HOME/.pki/nssdb
export the certificate:
dotnet dev-certs https -v -ep ${HOME}/.aspnet/https/aspnetapp.pfx
Run the following commands:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i /home/<REPLACE_WITH_YOUR_USER>/.aspnet/https/aspnetapp.pfx
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /home/<REPLACE_WITH_YOUR_USER>/.aspnet/https/aspnetapp.pfx
exit and restart the browser
Source: https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio#ssl-linux
For me the problem was I was using .Net 5 under CentOS 7.8. Uninstalling .Net 5 and using .Net Core 3.1 SDK instead solved the problem.

jupyter-scala install behind a proxy

I'm trying to install jupyter-scala to get a scala kernel working with jupyterlab. I'm behind a proxy and it's timing out. I have the http(s)_proxy host and port environment variables set properly.
Following the instructions here: https://github.com/alexarchambault/jupyter-scala#jupyter-installation
Looking into jupyter-scala and coursier, I cannot find where I can set proxy settings. Anyone know?
Thanks!
The command run: sh -x -vvvv jupyter-scala and the interesting bit + the error:
/tmp/coursier.e5brtL0K launch -r sonatype:releases -r sonatype:snapshots -i ammonite -I ammonite:org.jupyter-scala:ammonite-runtime_2.11.11:0.8.3-1 -I ammonite:org.jupyter-scala:scala-api_2.11.11:0.4.2 org.jupyter-scala:scala-cli_2.11.11:0.4.2 -- --id scala --name Scala
Error while downloading https://oss.sonatype.org/content/repositories/releases/io/get-coursier/coursier-cli_2.11/1.0.0-RC1/coursier-cli_2.11-1.0.0-RC1-standalone.jar: Connection timed out (Connection timed out), ignoring it
Also, when I run wget https://oss.sonatype.org/content/repositories/releases/io/get-coursier/coursier-cli_2.11/1.0.0-RC1/coursier-cli_2.11-1.0.0-RC1-standalone.jar the jar downloads, so the URL is fine.
An (ugly) solution is to download the jar by hand and then use the following command line to launch coursier:
java -Dhttps.proxyHost=proxy -Dhttps.proxyPort=80 \
-cp coursier-cli_2.11-1.0.0-RC1-standalone.jar coursier.cli.Coursier

Can't execute command using Chef

I am using Chef to automate deployment. For that, JBoss needs to be started, so I used this code to start it.
bash "jboss_checking" do
  code <<-EOL
    JBOSS_DIR='/home/Documents/jboss-as-7.1.1.Final'
    cd $JBOSS_DIR
    nohup ./bin/standalone.sh -b 0.0.0.0 --server-config=standalone-full.xml -bmanagement 0.0.0.0 &
  EOL
end
When I run this script, JBoss does not start. When I put the same commands in a .sh file and run it, JBoss starts. Can anybody suggest where I need to change this?
I found a new way. If I remove the '&' from this line
"nohup ./bin/standalone.sh -b 0.0.0.0 --server-config=standalone-full.xml -bmanagement 0.0.0.0 &"
JBoss runs, but it pauses the Chef run so the script cannot continue.
I would probably do it this way:
bash 'jboss_checking' do
  code <<-EOL
    nohup ./bin/standalone.sh -b 0.0.0.0 --server-config=standalone-full.xml -bmanagement 0.0.0.0 &
  EOL
  user '...username...'
  cwd '/home/Documents/jboss-as-7.1.1.Final'
  environment(
    'JAVA_HOME' => '...'
  )
end
which
specifies the working directory explicitly
defines the user under which the command is executed
as Tensibai already said: You'll need to specify at least JAVA_HOME and probably other environment variables, too.
An even better solution would be to deploy an sysv-init/upstart/systemd/launchd script…

How to set up cron using curl command?

After an Apache rebuild, my cron jobs stopped working.
I used the following command:
wget -O - -q -t 1 http://example.com/cgi-bin/loki/autobonus.pl
Now my DC support suggests that I change the wget method to curl. What would be the correct value in this case?
-O - is equivalent to curl's default behavior, so that's easy.
-q is curl's -s (or --silent)
--retry N will substitute for wget's -t N
All in all:
curl -s --retry 1 http://example.com/cgi-bin/loki/autobonus.pl
Try changing the command to use the full path of wget:
/usr/bin/wget -O - -q -t 1 http://example.com/cgi-bin/loki/autobonus.pl
you can find the full path with:
which wget
and more, check if you can reach the destination domain with ping or other methods:
ping example.com
Update:
Based on the comments, this seems to be caused by the line in /etc/hosts:
127.0.0.1 example.com #change example.com to the real domain
It seems your options are restricted: on the server where the cron should run, the domain is pinned to 127.0.0.1, but the virtual host configuration does not work with that.
What you can do is let wget connect by IP but send the Host header so that the virtual host matching works:
wget -O - -q -t 1 --header 'Host: example.com' http://xx.xx.35.162/cgi-bin/loki/autobonus.pl
Update
Also, you probably don't need to run this through the web server at all, so why not just run:
perl /path/to/your/script/autobonus.pl

Jmeter - Run .jmx file through command line and get the summary report in a excel

I am new to JMeter. I have a .jmx file containing all the required HTTP samplers. I can run it through the JMeter UI using "Run -> Start" and view the result in the "Summary Report". I can then save the results to a .csv using the "Save Table Data" button in "Summary Report".
The question is how I can achieve the same using the command line.
JMeter can be launched in non-GUI mode as follows:
jmeter -n -t /path/to/your/test.jmx -l /path/to/results/file.jtl
You can set what you would like to see in the result .jtl file by adjusting JMeter Properties.
See the jmeter.properties file under the /bin folder of your JMeter installation and look for those starting with
jmeter.save.saveservice.
Defaults are listed below:
#jmeter.save.saveservice.output_format=csv
#jmeter.save.saveservice.assertion_results_failure_message=false
#jmeter.save.saveservice.assertion_results=none
#jmeter.save.saveservice.data_type=true
#jmeter.save.saveservice.label=true
#jmeter.save.saveservice.response_code=true
#jmeter.save.saveservice.response_data=false
#jmeter.save.saveservice.response_data.on_error=false
#jmeter.save.saveservice.response_message=true
#jmeter.save.saveservice.successful=true
#jmeter.save.saveservice.thread_name=true
#jmeter.save.saveservice.time=true
#jmeter.save.saveservice.subresults=true
#jmeter.save.saveservice.assertions=true
#jmeter.save.saveservice.latency=true
#jmeter.save.saveservice.samplerData=false
#jmeter.save.saveservice.responseHeaders=false
#jmeter.save.saveservice.requestHeaders=false
#jmeter.save.saveservice.encoding=false
#jmeter.save.saveservice.bytes=true
#jmeter.save.saveservice.url=false
#jmeter.save.saveservice.filename=false
#jmeter.save.saveservice.hostname=false
#jmeter.save.saveservice.thread_counts=false
#jmeter.save.saveservice.sample_count=false
#jmeter.save.saveservice.idle_time=false
#jmeter.save.saveservice.timestamp_format=ms
#jmeter.save.saveservice.timestamp_format=yyyy/MM/dd HH:mm:ss.SSS
#jmeter.save.saveservice.default_delimiter=,
#jmeter.save.saveservice.default_delimiter=\t
#jmeter.save.saveservice.print_field_names=false
#jmeter.save.saveservice.xml_pi=<?xml-stylesheet type="text/xsl" href="../extras/jmeter-results-detail-report_21.xsl"?>
#jmeter.save.saveservice.base_prefix=~/
#jmeter.save.saveservice.autoflush=false
Uncomment the one you are interested in and set its value to change the default. Another option is to override the property in the user.properties file or provide it as a command-line argument using the -J key as follows:
jmeter -Jjmeter.save.saveservice.print_field_names=true -n /path/to/your/test.jmx -l /path/to/results/file.jtl
See Apache JMeter Properties Customization Guide for more details on what can be done using JMeter Properties.
You can use this command,
jmeter -n -t /path to the script.jmx -l /path to save results with file name file.jtl
But if you really want to run a load test on a remote machine, it should keep running even though you close the window. So we can use nohup to ignore the HUP (hangup) signal, and use the command below.
nohup sh jmeter.sh -n -t /path to the script.jmx -l /path to save results with file name file.jtl &
You can run JMeter from the command line using the -n parameter for 'Non-GUI' and the -t parameter for the test plan file.
jmeter -n -t "PATHTOJMXFILE"
If you want to further customize the command line experience, I would direct you to the 'Getting Started' section of their documentation.
This worked for me on mac os High sierra 10.13.6, java 8 64-bit, jmeter 4.0
$ jmeter -n --testfile /path/to/Test_Plan.jmx
Sample output:
Creating summariser <summary>
Created the tree successfully using ./src/test/jmeter/Test_Plan.jmx
Starting the test # Fri Aug 24 17:18:18 PDT 2018 (1535156298333)
Waiting for possible Shutdown/StopTestNow/Heapdump message on port 4445
summary = 10 in 00:00:09 = 1.1/s Avg: 6666 Min: 1000 Max: 8950 Err: 0 (0.00%)
Tidying up ... # Fri Aug 24 17:18:28 PDT 2018 (1535156308049)
... end of run
To get the results in an Excel-like file, one option is to produce a CSV file.
Use the command below with the provided options.
jmeter -n -t /path-to-jmeter-test/file.jmx -l TestResults.csv
-n states Non-GUI mode
-t states the test JMX file
-l states the file in which to log the results
Also, you can pass any results-related parameters dynamically as command-line arguments using -Jprop.name=value, for properties that are already defined in jmeter.properties in the bin folder.
This would be the command line statement.
"%JMETER_HOME%\bin\jmeter.bat" -n -t <jmx test file path> -l <csv result file path> -Djmeter.save.saveservice.output_format=csv
In Command line mode:
I have done this on Linux.
download the latest jmeter version. Apache JMeter 3.2 (Requires Java 8 or later) as of now.
Extract in your desired directory. For example, extract to /tmp/
Now, the default output file format is csv. No need to change anything or specify it in the CLI command.
for example:
./jmeter -n -t examples/test.jmx -l examples/output.csv
For changing the default format, change the following parameter in jmeter.properties : jmeter.save.saveservice.output_format=xml
Now if you run the command : ./jmeter -n -t examples/test.jmx -l examples/output.jtl
the output is stored in XML format.
Now, to make the request on multiple servers (additional info): we can specify host and port as tags in
./jmeter -n -t examples/test.jmx -l examples/output.jtl -JHOST=<HOST> -JPORT=<PORT>
Check my powershell command
$Date = Get-Date -Format ddMMyyyyhhmmss
jmeter -n -t jmetter\dev.jmx -l jmetter\TestResult-$Date.csv -o jmetter\Results-$Date\ -X
# To see all parameters (like -n, -t, ...), use this command:
jmeter --?
Running JMeter in command line mode:
1. Navigate to JMeter's bin directory
Now enter the following command:
jmeter -n -t test.jmx
-n: specifies JMeter is to run in non-gui mode
-t: specifies name of JMX file that contains the Test Plan
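The answers above produce a raw .jtl/.csv of individual samples, while the question asks for the aggregated "Summary Report" table. As an added example (written for this page, not part of any answer or of JMeter), the Python below reads a JTL written in the default CSV field order with jmeter.save.saveservice.print_field_names=true, groups samples by label, and emits the per-label rows the Summary Report listener shows (count, average, min, max, error %, average bytes) plus a TOTAL row, as CSV that opens in Excel. The sample JTL content is constructed, not real test output.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample .jtl content in JMeter's default CSV column order with
# field names printed.  Not real test output.
SAMPLE_JTL = """\
timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,success,failureMessage,bytes,sentBytes,grpThreads,allThreads,URL,Latency,IdleTime,Connect
1535156298400,120,Login,200,OK,Thread Group 1-1,text,true,,1543,210,1,1,http://example.com/login,98,0,20
1535156298600,340,Login,200,OK,Thread Group 1-2,text,true,,1543,210,2,2,http://example.com/login,300,0,25
1535156299000,2100,Search,500,Internal Server Error,Thread Group 1-1,text,false,Response code 500,812,190,2,2,http://example.com/search,2050,0,10
1535156299400,450,Search,200,OK,Thread Group 1-2,text,true,,9820,190,2,2,http://example.com/search,400,0,11
1535156300100,80,Logout,200,OK,Thread Group 1-1,text,true,,300,150,1,1,http://example.com/logout,60,0,5
"""

COLUMNS = ["Label", "# Samples", "Average", "Min", "Max", "Error %", "Avg. Bytes"]


def _stats(label: str, rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Compute one Summary Report row from the raw sample rows of a label."""
    times = [int(r["elapsed"]) for r in rows]
    errors = sum(1 for r in rows if r["success"].strip().lower() != "true")
    return {
        "Label": label,
        "# Samples": len(rows),
        "Average": round(sum(times) / len(times)),
        "Min": min(times),
        "Max": max(times),
        "Error %": round(100.0 * errors / len(rows), 2),
        "Avg. Bytes": round(sum(int(r["bytes"]) for r in rows) / len(rows)),
    }


def summarise_jtl(text: str) -> List[Dict[str, object]]:
    """Aggregate raw JTL sample rows into per-label summary rows, in the order
    labels first appear, followed by a TOTAL row over all samples."""
    groups: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    all_rows: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(text)):
        groups[row["label"]].append(row)
        all_rows.append(row)
    summary = [_stats(label, rows) for label, rows in groups.items()]
    if all_rows:
        summary.append(_stats("TOTAL", all_rows))
    return summary


def summary_to_csv_text(summary: List[Dict[str, object]]) -> str:
    """Render the summary as CSV text, the same shape as 'Save Table Data'."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(summary)
    return out.getvalue()


def write_summary_csv(jtl_path: str, out_path: str) -> None:
    """Convert a JTL file on disk into a summary CSV file (paths are the caller's)."""
    with open(jtl_path, newline="") as f:
        summary = summarise_jtl(f.read())
    with open(out_path, "w", newline="") as f:
        f.write(summary_to_csv_text(summary))


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; for a real run, call
    # write_summary_csv("/path/to/results/file.jtl", "summary.csv").
    print(summary_to_csv_text(summarise_jtl(SAMPLE_JTL)))
```

The script relies on the header row, so keep jmeter.save.saveservice.print_field_names=true (or pass -Jjmeter.save.saveservice.print_field_names=true as the first answer shows); if the JTL was written in XML format the csv module will not parse it.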