zap-cli does not allow attacking an https site #101

Open
maxg68 opened this issue Apr 16, 2021 · 0 comments
maxg68 commented Apr 16, 2021

Describe the bug
zap-cli does not allow attacking an https site

To Reproduce
Steps to reproduce the behavior:

  1. zapcli-0.10.0]# zap-cli open-url https://10.10.10.10
    [INFO] Accessing URL https://10.10.10.10
    Traceback (most recent call last):
      File "/usr/local/bin/zap-cli", line 11, in <module>
        load_entry_point('zapcli==0.10.0', 'console_scripts', 'zap-cli')()
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 664, in __call__
        return self.main(*args, **kwargs)
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 644, in main
        rv = self.invoke(ctx)
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 991, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 837, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 464, in invoke
        return callback(*args, **kwargs)
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/decorators.py", line 26, in new_func
        return ctx.invoke(f, ctx.obj, *args[1:], **kwargs)
      File "/usr/local/lib/python2.7/site-packages/click-4.0-py2.7.egg/click/core.py", line 464, in invoke
        return callback(*args, **kwargs)
      File "build/bdist.linux-x86_64/egg/zapcli/cli.py", line 105, in open_url
      File "build/bdist.linux-x86_64/egg/zapcli/zap_helper.py", line 136, in open_url
      File "build/bdist.linux-x86_64/egg/zapv2/__init__.py", line 124, in urlopen
      File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/api.py", line 75, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/api.py", line 60, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/sessions.py", line 533, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/sessions.py", line 646, in send
        r = adapter.send(request, **kwargs)
      File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/adapters.py", line 514, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL] EC lib (_ssl.c:727)'),))

  2. See SSLError in log
      File "/usr/local/lib/python2.7/site-packages/requests-2.20.1-py2.7.egg/requests/adapters.py", line 514, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL] EC lib (_ssl.c:727)'),))

Expected behavior
I expect zap-cli to be able to perform an attack on an https site, as done with the OWASP-ZAP GUI.

Screenshots

Software versions

  • ZAP: zapcli-0.10.0
  • OS: Red Hat Enterprise Linux Server release 6.5 (Santiago)
    Linux linuxsrv2 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
  • Java: java version "1.8.0_152"
    Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
    Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
  • Python-2.7.17

Errors from the zap.log file
See previous log

Additional context

Would you like to help fix this issue?
