Starting scanner via CLI about securecodebox HOT 5 CLOSED

I get same even when I provide valid scanid (marked as successfull) using the swagger-ui.html

from securecodebox.

I found the issue, but before applying the fix, why does cli submit HOST without protocol?

from securecodebox.

Hi @wheelq
thanks for your hint and question. We have tried to implement the CLI in a more generic way, so that's easy to use and start some securityTests.

For example (short version)

• ./run_scanner.sh zap https://some.system/somepath
• ./run_scanner.sh nmap some.system

The CLI script the tries to identify if the "target parameter" contains a protocol, a port or just an IP and uses this informations separately to configure the different security scanner. ZAP for example needs an URL as target parameter, Nikto needs an hostname and port...

In which case is the protocol missing, can you explain your usecase or CLI call a bit?

from securecodebox.

Thanks @rseedorff

zap.template.json looks like this:

After issuing scan (like in the first post), run_scanner.sh does the following:

HOST_PORT=echo ${TARGET} | sed 's!^https?://!!g' | sed 's!/.$!!g' # hostname including user-provided port
HOST=echo ${HOST_PORT} | sed 's!:.$!!g' # hostname only

So HOST becomes just the hostname, without the http(s)://
And this, when passed to the scanner, fails with error 500. After I modified the run_scanner.sh and swapped HOST with TARGET, scans are running fine.

from securecodebox.

Closed due to inactivity

from securecodebox.