ZAP keeps scanning unnecessary URLs - owasp

What I'm doing is:
Starting ZAP to listen on some port
zap.bat -daemon -host localhost -port 2355 -config api.disablekey=true
Starting new session
curl -X GET "http://localhost:2355/JSON/core/action/newSession/?zapapiformat=JSON&formMethod=GET&name=&overwrite=" -H "cache-control: no-cache"
Through REST service, giving it a context, which includes only one URL pattern
curl -X GET "http://localhost:2355/JSON/context/action/importContext/?zapapiformat=JSON&formMethod=GET&contextFile=some-test-context.context" -H "cache-control: no-cache"
HERE I launch the Selenium test with the browser bound to the proxy on port 2355
Starting spider
curl -X GET "http://localhost:2355/JSON/spider/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&maxChildren=&recurse=&contextName=some-test-context&subtreeOnly=" -H "cache-control: no-cache"
Starting active scan
curl -X GET "http://localhost:2355/JSON/ascan/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2" -H "cache-control: no-cache"
(2, because there is always id#1 context, Default one)
And in the end I'm getting report
curl -X GET "http://localhost:2355/OTHER/core/other/htmlreport/?formMethod=GET" -H "cache-control: no-cache" -H "content: application/json"
I'm pretty sure the context path is correct and exists (no read error)
I'm pretty sure I specified correct name of context and id
Anyway, when I get the report, there are scan results NOT only on the URL from the context, but also on production links, 3rd party sites, etc.
Am I expecting something wrong or forgetting something?

The browser will be requesting those URLs. ZAP will perform passive scanning on all requests that are proxied through it, and any potential vulnerabilities it finds will end up in the report. So it's working as expected :)
You can either just ignore them or use one of the optional add-ons that allow you to filter the report.

You could define a Context that includes the sites/apps that you want results for (right click, add to context, in the history tab or sites tree) and enable the passive scan option that limits scanning to only messages that are in-scope.
Contexts can also be exported and imported for clean re-use.
Supporting references:
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsPscanner
https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsContexts
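The two answers above suggest either filtering the report down to the context or telling the passive scanner to only look at in-scope messages. The script below is an added example, not code from the thread or from ZAP: it builds the API calls for the second option (`pscan/action/setScanOnlyInScope` and `context/action/includeInContext`) and applies the same include/exclude regex rule ZAP uses to a constructed sample of `core/view/alerts` output. The daemon address, the context regexes and the sample alerts are assumptions.

```python
"""Added example: limit ZAP passive scanning to the context and post-filter alerts.
Not part of the original thread; host/port, regexes and sample alerts are assumed."""
import json
import re
import urllib.parse
import urllib.request

ZAP = "http://localhost:2355"  # assumption: the daemon from the question, API key disabled

# Assumed context definition: the include/exclude regexes a .context file carries.
INCLUDE = [r"https://app\.example\.test/.*"]
EXCLUDE = [r"https://app\.example\.test/logout.*"]


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. /JSON/pscan/action/setScanOnlyInScope/?onlyInScope=true."""
    query = urllib.parse.urlencode({"zapapiformat": "JSON", **params})
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Context rule: the URL must match an include regex and no exclude regex."""
    if not any(re.fullmatch(p, url) for p in include):
        return False
    return not any(re.fullmatch(p, url) for p in exclude)


def filter_alerts(alerts, include=INCLUDE, exclude=EXCLUDE):
    """Drop alerts raised on third-party or production hosts the browser touched via the proxy."""
    return [a for a in alerts if in_scope(a["url"], include, exclude)]


def fetch_alerts(baseurl=None):
    """Pull alerts from a running daemon (network call, not used offline)."""
    params = {"baseurl": baseurl} if baseurl else {}
    with urllib.request.urlopen(api_url("core", "view", "alerts", **params)) as r:
        return json.load(r)["alerts"]


# Constructed sample of what core/view/alerts returns after a proxied browser run.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "url": "https://app.example.test/login", "risk": "Medium"},
    {"alert": "Cookie Without Secure Flag", "url": "https://app.example.test/logout?next=/", "risk": "Low"},
    {"alert": "Cross-Domain JavaScript Source File Inclusion", "url": "https://cdn.thirdparty.test/lib.js", "risk": "Low"},
    {"alert": "Server Leaks Version Information", "url": "https://www.example.com/", "risk": "Low"},
]

if __name__ == "__main__":
    # Calls to issue after importContext and before the Selenium run.
    print(api_url("pscan", "action", "setScanOnlyInScope", onlyInScope="true"))
    print(api_url("context", "action", "includeInContext",
                  contextName="some-test-context", regex=INCLUDE[0]))
    for a in filter_alerts(SAMPLE_ALERTS):
        print(a["risk"], a["url"], a["alert"])
```

Only the `/login` alert survives the filter: the logout URL is excluded by the context and the CDN and production hosts never matched an include pattern. The same `baseurl` parameter on `core/view/alerts` gives a coarser server-side cut if you only need one site.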

Related

Is there a Kibana REST API to get and set the default route of a space?

I need to programmatically retrieve and set default route of a kibana space. On Kibana application, this can be set at stack management -> Advanced Settings page. I looked at the elasticsearch REST documentation, but could not find a suitable API. Any help is appreciated.
Not sure what version you are referring to. But the documentation link in the original post points to 7.13. And the suggestion below (from https://discuss.elastic.co/t/kibana-7-5-server-defaultroute-parameter/212191/4) works with 7.13:
these advanced settings are stored as a Saved Object of type config. So you can update them using the Saved Object APIs
So here's how I used the API to 'set' and 'retrieve' the defaultRoute in and from my space:
$ curl --user elastic:******* -X PUT "localhost:${ES_KB_PORT}/s/${my_space}/api/saved_objects/config/7.13.2" -H "kbn-xsrf: true" -H "Content-Type: application/json" -d '{"attributes": {"defaultRoute": "/app/dashboards#/view/285828e0-b713-11eb-aba9-211e5623385d"}}'
{"id":"7.13.2","type":"config","updated_at":"2021-08-02T08:53:19.824Z","version":"WzEzOTksMl0=","namespaces":["mz81"],"attributes":{"defaultRoute":"/app/dashboards#/view/285828e0-b713-11eb-aba9-211e5623385d"}}
$ curl --user elastic:******* -X POST "localhost:${ES_KB_PORT}/s/${my_space}/api/saved_objects/_export" -H "kbn-xsrf: true" -H "Content-Type: application/json" -d '{"type": "config"}'
{"attributes":{"buildNum":40943,"defaultRoute":"/app/dashboards#/view/285828e0-b713-11eb-aba9-211e5623385d"},"coreMigrationVersion":"7.13.2","id":"7.13.2","migrationVersion":{"config":"7.13.0"},"references":[],"sort":[1627896123137,107],"type":"config","updated_at":"2021-08-02T09:22:03.137Z","version":"WzE0MDYsMl0="}
{"exportedCount":1,"missingRefCount":0,"missingReferences":[]}

How can I connect to MSTR library via CURL to get the session state?

I am trying to connect to MicroStrategy REST API via curl in order to obtain the session state.
I have tried PHP code using this example https://community.microstrategy.com/s/article/Library-REST-API-Login-PHP?language=en_US.
I get the following error:
{"code":"ERR009","message":"The user's session has expired, please reauthenticate","ticketId":"d2a5595614634adba2bb07e5b15bedc9"}
I've also tried to call the API directly from curl on Windows command line.
curl -X POST "http://localhost:8080/MicroStrategyLibrary/api/auth/login" ^
-H "accept: application/json" -H "Content-Type: application/json" ^
-d "{\"username\":\"Administrator\",\"password\":\"myPassword\",^
\"loginMode\":1,\"maxSearch\":3,\"workingSet\":10,\"changePassword\":false,^
\"newPassword\":\"string\",\"metadataLocale\":\"en_us\",^
\"warehouseDataLocale\":\"en_us\",\"displayLocale\":\"en_us\",^
\"messagesLocale\":\"en_us\",\"numberLocale\":\"en_us\",\"timeZone\":\"UTC\",^
\"applicationType\":35}"
I do not get any response for this call.
What is the reason for this error?

What would be the OpenShift REST API equivalent of a process template command

I am automating some continuous delivery processes that use OpenShift 3.5. They work fine from a command line, but I can hardly find any documentation of how the oc commands map to the OCP REST API. I've figured out how to talk to the API and use what it directly offers. For example, I have a line:
oc process build-template -p APPLICATION_NAME=worldcontrol -n openshift | oc create -f - -n conspiracyspace
That takes a template named "build-template" from "openshift" namespace and processes it, piping the resulting definition to build a few objects like application image, into another namespace. I would appreciate an example of how this could be expressed in http request terms.
edit
Following @Graham's hint, here is what I got. First request is getting the contents of the template:
curl -k -v -XGET -H "User-Agent: oc/v3.5.5.15 (linux/amd64) openshift/4b5f317" -H "Authorization: Bearer ...." -H "Accept: application/json, */*" https://example.com/oapi/v1/namespaces/openshift/templates/build-template
Then apparently the oc client expands the parameters internally, and feeds the result into the POST:
curl -k -v -XPOST -H "Content-Type: application/json" -H "User-Agent: oc/v3.5.5.15 (linux/amd64) openshift/4b5f317" -H "Accept: application/json, */*" -H "Authorization: Bearer ...." https://example.com/oapi/v1/namespaces/openshift/processedtemplates
Run the oc command with the option --loglevel=10. This will show you what REST API calls it makes underneath and thus you can work out what you need to do to do the same thing with just the REST API. Do note that certain things may be partly done in the oc client, rather than delegating to a REST API endpoint call.
I did this, and at the very end of the output from the CLI, I saw this:
service "trade4-65869977-9d56-49a5-afa2-4a547df82d5c" created
deploymentconfig "trade4-65869977-9d56-49a5-afa2-4a547df82d5c" created
When piping to oc create -f -, then, the CLI must be inspecting the resulting template and creating each object in the objects array. No evidence of those calls was output to my command window, other than the two "created" statements.
So to fully automate this through the REST API, we would still need to parse that objects array returned by processtemplates and POST to the appropriate endpoints, correct?
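The thread ends with the three pieces of the pipeline identified: set parameter values on the template, POST it to processedtemplates, then POST each entry of the returned objects array to its own endpoint. The script below is an added example, not code from the thread or from the oc client, that does those three steps. The template is constructed, the kind-to-endpoint table is my assumption for OpenShift 3.x (core Kubernetes kinds under /api/v1, OpenShift kinds under /oapi/v1), and the `substitute` function is a local stand-in for the expansion the server performs so the example runs offline; against a real cluster you would POST to processedtemplates instead.

```python
"""Added example: the REST-level equivalent of
`oc process build-template -p APPLICATION_NAME=worldcontrol -n openshift | oc create -f - -n conspiracyspace`.
Not from the original thread; endpoint table and sample template are assumptions for OpenShift 3.x."""
import copy
import json
import re
import urllib.request

API = "https://example.com"  # placeholder host from the thread

# Assumed kind -> (API root, resource) for 3.x clusters.
ENDPOINTS = {
    "Service": ("api", "services"),
    "Secret": ("api", "secrets"),
    "ConfigMap": ("api", "configmaps"),
    "PersistentVolumeClaim": ("api", "persistentvolumeclaims"),
    "DeploymentConfig": ("oapi", "deploymentconfigs"),
    "BuildConfig": ("oapi", "buildconfigs"),
    "ImageStream": ("oapi", "imagestreams"),
    "Route": ("oapi", "routes"),
}

# Constructed stand-in for GET /oapi/v1/namespaces/openshift/templates/build-template.
BUILD_TEMPLATE = {
    "kind": "Template", "apiVersion": "v1",
    "metadata": {"name": "build-template"},
    "parameters": [{"name": "APPLICATION_NAME", "required": True}],
    "objects": [
        {"kind": "Service", "apiVersion": "v1",
         "metadata": {"name": "${APPLICATION_NAME}"}, "spec": {"ports": [{"port": 8080}]}},
        {"kind": "DeploymentConfig", "apiVersion": "v1",
         "metadata": {"name": "${APPLICATION_NAME}"}, "spec": {"replicas": 1}},
    ],
}


def set_parameters(template, values):
    """What `-p KEY=VALUE` does: fill parameter values before the POST to processedtemplates."""
    t = copy.deepcopy(template)
    known = {p["name"] for p in t.get("parameters", [])}
    unknown = set(values) - known
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    for p in t.get("parameters", []):
        if p["name"] in values:
            p["value"] = values[p["name"]]
    return t


def substitute(template):
    """Local stand-in for the server-side expansion: replace ${NAME} in string fields."""
    values = {}
    for p in template.get("parameters", []):
        if "value" not in p:
            if p.get("required"):
                raise ValueError(f"parameter {p['name']} is required")
            continue
        values[p["name"]] = p["value"]
    pattern = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

    def walk(node):
        if isinstance(node, str):
            return pattern.sub(lambda m: values.get(m.group(1), m.group(0)), node)
        if isinstance(node, list):
            return [walk(n) for n in node]
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        return node

    out = copy.deepcopy(template)
    out["objects"] = walk(out["objects"])
    return out


def object_endpoint(obj, namespace):
    root, resource = ENDPOINTS[obj["kind"]]
    return f"{API}/{root}/v1/namespaces/{namespace}/{resource}"


def plan_creates(processed, namespace):
    """One POST per entry of the objects array, the part `oc create -f -` does client-side."""
    return [("POST", object_endpoint(o, namespace), o) for o in processed["objects"]]


def post_json(url, body, token):
    """Network call (not exercised offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


if __name__ == "__main__":
    filled = set_parameters(BUILD_TEMPLATE, {"APPLICATION_NAME": "worldcontrol"})
    for method, url, body in plan_creates(substitute(filled), "conspiracyspace"):
        print(method, url, body["kind"], body["metadata"]["name"])
```

Note that the objects are created in the target namespace (`conspiracyspace`) even though the template and the processedtemplates call live in `openshift`, which is exactly the split between the two `-n` flags in the original command; a token that can read templates in `openshift` does not necessarily have create rights in the target project, so expect 403s to come from the second stage rather than the first.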

ApiAxle: cannot access stat URL in order to view analytics

I am following the instructions at: http://apiaxle.com/docs/statistics-and-analytics-in-apiaxle/ . Unfortunately currently (May 17, 2014) apiAxle is redirecting me to the endPointserver and I am not getting statist
menelaos:~$ curl 'http://localhost:3000/v/api/test/stats?granularity=hour&format_timestamp=ISO'
Response:
{"meta":{"version":1,"status_code":404},"results":{"error":{"type":"ApiUnknown","message":"No api specified (via subdomain)"}}}
I also tried using the subdomain but that didn't work either:
menelaos:~$ curl 'http://test.api.localhost:3000/v/api/test/stats?granularity=hour&format_timestamp=ISO'
Typically you run multiple instances of apiaxle-proxy (which provides access to your endpoints), and a single instance of apiaxle-api (which provides access to statistics, key creation, and other API management functionality).
For example, you might be running the proxy like this:
apiaxle-proxy -f 1 -p 3000 -q
To run the API, you would run something like this:
apiaxle-api -f 1 -p 5000 -q
Note that the API needs to run on a separate port. Also note that it shouldn't be accessible to the outside world as it doesn't have any authentication.
Using the above example, your curl command would look like this:
curl -H 'content-type: application/json' \
-X GET \
'http://localhost:5000/v1/api/test/stats' \
-d '{"granularity":"hour","format_timestamp":"ISO"}'
Note that the parameters need to be sent as JSON.

Need an example for Add User to Group function in JIRA REST API 6.1

I am developing an application that uses the JIRA 6.1 REST API. Can I know a sample JSON Object that I should use, to add a user to a given group in JIRA?
This is the relevant API call: https://docs.atlassian.com/jira/REST/latest/#d2e1694
curl -D- -u admin:password -X POST --data "{\"name\": \"charlie\",\"password\": \"abracadabra\",\"emailAddress\": \"charlie@atlassian.com\",\"displayName\": \"Charlie of Atlassian\"}" -H "Content-Type: application/json" http://jira.server.com/rest/api/2/user/
For more info, see the link above. Expand the part under application/json; there you can find a data example.
For how to send queries, refer to Atlassian's documentation.
Came across this thread while looking to do the exact same thing. The answer from @ThePavolC was very good, but it is creating a new user, not adding a user to a group. I combined his answer with info from https://answers.atlassian.com/questions/255778 and came up with this one-liner:
curl --insecure -D- -u admin:password -X POST --data "{\"name\": \"username\"}" -H "Content-Type: application/json" https://myjiraserver.com/rest/api/2/group/user?groupname=mygroupname
Replace "password" with the actual admin password.
Replace "username" with the name of the user you're adding to the group.
Replace myjiraserver.com with your JIRA server's FQDN.
Replace mygroupname with the name of the group to which you are adding this user.
I added the --insecure option because of the private SSL certs used on my server. You may not need that, or you may not be using HTTPS at all (in which case edit the URL to use HTTP).
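The one-liner above does the job, but `--insecure` turns off certificate verification for a request that carries admin credentials. As an added example, not code from the thread or from Atlassian, here is the same POST /rest/api/2/group/user call built in Python with the request assembled separately from the send, so the URL, headers and body can be checked, and with the private CA passed in instead of disabling verification (the curl equivalent is `--cacert ca.pem`). Server name, group, user and credentials are placeholders.

```python
"""Added example: add a user to a JIRA group over REST API 2 without disabling TLS checks.
Not from the original thread; host, group, user, credentials and CA path are placeholders."""
import base64
import json
import ssl
import urllib.parse
import urllib.request


def add_user_to_group_request(base_url, group, username, admin_user, admin_password):
    """Assemble the request exactly as the curl one-liner sends it:
    POST {base}/rest/api/2/group/user?groupname=<group> with {"name": <user>} and basic auth."""
    query = urllib.parse.urlencode({"groupname": group})
    url = f"{base_url.rstrip('/')}/rest/api/2/group/user?{query}"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"name": username}).encode()
    return url, headers, body


def send(url, headers, body, cafile=None):
    """Send with certificate verification on; cafile points at the private CA's PEM
    when the server uses an internal certificate (the --cacert alternative to --insecure)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    url, headers, body = add_user_to_group_request(
        "https://myjiraserver.com", "mygroupname", "username", "admin", "password")
    print(url)
    print(body.decode())
    # Network call, placeholder CA path:
    # print(send(url, headers, body, cafile="/etc/ssl/certs/internal-ca.pem"))
```

Group names with spaces are percent-encoded by `urlencode`, which is the other thing the raw curl line does not handle for you.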