DAST failing when logging into the target
Summary
DAST test does not complete successfully when adding the login script. (It works fine without attempting to log in.)
Steps to reproduce
- Add the dast step to .gitlab-ci.yml as directed by the setup guide (shown below)
- Replace the variables with the required credentials
- Run the pipeline
dast:
  stage: test_security
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://test.com/"
    login_url: "https://test.com/login"
    username: "mytestaddress@test.com"
    password: "123123"
  allow_failure: true
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website
        --auth-url $login_url
        --auth-username $username
        --auth-password $password
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
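A preflight for the job's `script:` section, added here as an example and not part of the report or of GitLab's DAST job: it fails early when one of the four auth variables is empty or the login page is not under the scanned site, and checks that the bundled Firefox launches headless, which is the step the trace below dies at. It assumes the variables are exported into the job environment (ideally from masked CI/CD variables rather than literals in `.gitlab-ci.yml`), and that `firefox` and `timeout` are on the image's PATH (assumed, not confirmed for the zaproxy image).

```shell
#!/bin/sh
# Preflight for the dast job (added example; not GitLab's or ZAP's code).

# Returns 0 when every auth variable is non-empty and login_url lies under
# website; otherwise prints which check failed and returns non-zero.
check_dast_vars() {
  _website="$1"; _login_url="$2"; _username="$3"; _password="$4"
  for pair in "website=$_website" "login_url=$_login_url" \
              "username=$_username" "password=$_password"; do
    case "$pair" in
      *=) echo "preflight: ${pair%=} is empty" >&2; return 1 ;;
    esac
  done
  # The login page must belong to the scanned site, otherwise ZAP
  # authenticates against one host and scans another.
  case "$_login_url" in
    "$_website"*) return 0 ;;
    *) echo "preflight: login_url is not under website" >&2; return 2 ;;
  esac
}

# Returns 0 when Firefox can start headless inside the container. The trace
# in this report fails at webdriver.Firefox() with "Process unexpectedly
# closed with status: 1", before any request reaches the target, so a
# failure here points at the image, not at the login page.
# Assumes a Firefox new enough for --headless/--screenshot (57+).
check_browser() {
  command -v firefox >/dev/null 2>&1 || { echo "preflight: no firefox" >&2; return 1; }
  ( cd /tmp && timeout 60 firefox --headless --screenshot about:blank >/dev/null 2>&1 )
}

# Usage inside the job, before zap-baseline.py:
#   check_dast_vars "$website" "$login_url" "$username" "$password" || exit 1
#   check_browser || exit 1
```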
What is the current bug behavior?
The DAST step fails and throws an error.
What is the expected correct behavior?
The DAST step passes and displays a list of security vulnerabilities.
Relevant logs and/or screenshots
Running with gitlab-runner 11.2.0 (35e8515d)
on ip-172-31-89-116 379c3d34
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Pulling docker image registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Using docker image sha256:0e87216511f144e84a006e7c978183be04c418e04a146e8ffade980ca2ee0043 for registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Running on runner-379c3d34-project-37-concurrent-0 via ip-172-31-89-116...
Cloning repository...
Cloning into '/builds/Trint/trint.com/trint-frontend'...
Checking out 1d4b2b4d as feature/add-dast-testing...
Skipping Git submodules setup
$ mkdir /zap/wrk/
$ /zap/zap-baseline.py -J gl-dast-report.json -t $website --auth-url $login_url --auth-username-field $username_field --auth-username $username --auth-password $password
Aug 29, 2018 11:56:00 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
2018-08-29 11:56:22,464 Unexpected error: <class 'selenium.common.exceptions.WebDriverException'>
Traceback (most recent call last):
File "/zap/zap-baseline.py", line 396, in main
driver = webdriver.Firefox(profile)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/firefox/webdriver.py", line 162, in __init__
keep_alive=True)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/webdriver.py", line 154, in __init__
self.start_session(desired_capabilities, browser_profile)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/webdriver.py", line 243, in start_session
response = self.execute(Command.NEW_SESSION, parameters)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/webdriver.py", line 312, in execute
self.error_handler.check_response(response)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/errorhandler.py", line 242, in check_response
raise exception_class(message, screen, stacktrace)
WebDriverException: Message: Process unexpectedly closed with status: 1
ERROR <class 'selenium.common.exceptions.WebDriverException'>
ERROR: Job failed: exit code 1
Output of checks
This happens on self-hosting.
Possible fixes
I'm not entirely sure what's causing this issue, or if it's a problem with the zaproxy image. I haven't seen any GitLab issues from others having the same problem.