0

I am trying to integrate selenium with ZAP.

To achieve this, I have used the below code to open the ZAP tool automatically before launching the browser using selenium.

The issue I am facing is that the ZAP tool is not opening properly, it got stuck in the middle.

The below code I have used to open the ZAP tool.

Code:

public void triggerZAP() throws IOException, InterruptedException, ClientApiException
{
    // Launch ZAP.exe through cmd from the ZAP install directory
    String[] command = { "CMD", "/C", zapLocation + "ZAP.exe" };
    ProcessBuilder build = new ProcessBuilder(command);
    build.directory(new File(zapLocation));
    Process p = build.start();
    // waitFor() blocks until the launched process exits
    p.waitFor();
    Thread.sleep(5000);
    // Connect to the ZAP API (no API key is passed here)
    ClientApi api = new ClientApi(zapAddress, zapPort);
    currentURL = controls.getCurrentUrl();
    System.out.println("Spider : " + currentURL);
    // Start the spider against the page Selenium is currently on
    ApiResponse resp = api.spider.scan(currentURL, null, null, null, null);
    scanId = ((ApiResponseElement) resp).getValue();
    // Poll the spider status once a second until it reports 100%
    while (true)
    {
        Thread.sleep(1000);
        progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanId)).getValue());
        System.out.println("Spider progress : " + progress + "%");
        if (progress >= 100)
        {
            break;
        }
    }
    System.out.println("Spider complete");
    // Dump the XML report to stdout
    System.out.println(new String(api.core.xmlreport()));
}

Error:

org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:311)
at org.zaproxy.clientapi.gen.Spider.scan(Spider.java:220)
at com.exterro.fusion.selenium.controls.ZAPConfigurations.triggerZAP(ZAPConfigurations.java:61)
at com.exterro.fusion.selenium.core.FusionSignin.config(FusionSignin.java:54)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient$1.run(Unknown Source)
at sun.net.www.http.HttpClient$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.http.HttpClient.privilegedOpenServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(ClientApi.java:338)
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:327)
... 31 more
... Removed 27 stack frames
undetected Selenium
MoNa

2 Answers

1

It looks like you are not specifying an API key when you start ZAP. If that's the case then ZAP will create one for you, but you won't know what it is so won't be able to use it and ZAP will ignore your API calls.

To set an API key via the command line use an option like: -config api.key=change-me-9203935709

You can also disable the API key in a safe environment - more details here: https://github.com/zaproxy/zaproxy/wiki/FAQapikey

Simon Bennetts
  • Hi Simon, I have already selected the Disable the API key checkbox in ZAP tool UI. Is it required to disable again via command line..? – MoNa Dec 20 '17 at 10:25
  • That depends if you are using the same config file. You also need the API enabled (it is by default) and the hostname to be one of the ones permitted (localhost and 127.0.0.1 are by default too). If you can't connect to the API then it _will_ be a config issue, somewhere :) – Simon Bennetts Dec 20 '17 at 10:35
  • It's also worth looking in the zap.log file - that might give you some clues. – Simon Bennetts Dec 20 '17 at 10:35
  • Where can I find the log file..? – MoNa Dec 21 '17 at 07:18
  • Sorry, had some time off over Xmas :) See https://github.com/zaproxy/zaproxy/wiki/FAQhelp#check-the-log-file – Simon Bennetts Jan 02 '18 at 14:40
0

This error message...

org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect
at org.zaproxy.clientapi.core.ClientApi.callApiDom(ClientApi.java:329)

...implies that the Java Client was unable to initiate a new connection with the Proxy.


This error can surface due to several reasons. A couple of checkpoints to solve this error are as follows:

  • Ensure that the ZAP Proxy is up and running before the Java Client tries to communicate with the proxy. You can find a relevant discussion in How to start using the Java based ZAP APIs
  • Ensure that the API settings on the proxy side are enabled.

(screenshot: ZAP API options screen, "Enable API" checkbox)

You can find a relevant discussion in Unable to perform zap spider scan using zap-java-api

  • While you initiate the Java Client connection, you need to mention the API key mandatorily, as ZAP requires the API key by default in order to invoke API operations that make changes to ZAP. Hence the API key is required by default in order to invoke any of the API operations. This is a security feature to prevent malicious sites from invoking the ZAP API. The API security options, including the API key, can be found in the API Options screen.

    • Code Block:

      private static final int ZAP_PORT = 8080;
      private static final String ZAP_API_KEY = "abcdefghijklmnop123456789";
      private static final String ZAP_ADDRESS = "localhost";
      private static final String TARGET = "https://public-firing-range.appspot.com";
      

You can find a relevant discussion in Scanning using OWASP Zap Api

undetected Selenium
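Both answers above come down to the same two points: ZAP must actually be listening before the client talks to it, and the client must present the API key ZAP was started with. The following is an added example, not code from either answer or from the ZAP project, that puts both together for the question's Windows setup. It assumes a constructed install path (ZAP_LOCATION), the -daemon, -port and -config command-line options of ZAP (passed through by the ZAP.exe launcher), the three-argument ClientApi(address, port, apiKey) constructor of the zap-clientapi library that matches the five-argument spider.scan used in the question, and the placeholder API key from Simon's answer. Instead of waitFor() and a fixed sleep, it polls core.version() until ZAP answers, which is what turns "Connection refused" from a crash into a wait.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class ZapLauncher {

    // Constructed values for this example: adjust the install path to your machine.
    private static final String ZAP_LOCATION = "C:\\Program Files\\OWASP\\Zed Attack Proxy\\";
    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 8080;
    // Placeholder key (from the answer above); generate your own for real use.
    private static final String ZAP_API_KEY = "change-me-9203935709";
    // Target taken from the second answer's code block.
    private static final String TARGET = "https://public-firing-range.appspot.com";

    /** Starts ZAP with the API key fixed on the command line. Does NOT call waitFor(). */
    public static Process startZap() throws IOException {
        List<String> command = Arrays.asList(
                ZAP_LOCATION + "ZAP.exe",
                "-daemon",                              // headless; remove to keep the ZAP GUI
                "-port", String.valueOf(ZAP_PORT),
                "-config", "api.key=" + ZAP_API_KEY);   // same key the client will send
        ProcessBuilder builder = new ProcessBuilder(command);
        builder.directory(new File(ZAP_LOCATION));
        builder.inheritIO();                            // show ZAP's console output in ours
        return builder.start();
    }

    /** Polls the API until ZAP answers (or the timeout passes), then returns the connected client. */
    public static ClientApi waitForZap(long timeoutMillis) throws InterruptedException {
        ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
        long deadline = System.currentTimeMillis() + timeoutMillis;
        ClientApiException last = null;
        while (System.currentTimeMillis() < deadline) {
            try {
                String version = ((ApiResponseElement) api.core.version()).getValue();
                System.out.println("ZAP " + version + " is ready on port " + ZAP_PORT);
                return api;
            } catch (ClientApiException e) {
                last = e;          // "Connection refused" while ZAP is still starting up
                Thread.sleep(1000);
            }
        }
        throw new IllegalStateException("ZAP API not reachable within " + timeoutMillis + " ms", last);
    }

    /** Runs the spider as in the question and returns the XML report once it reaches 100%. */
    public static String runSpider(ClientApi api, String url)
            throws ClientApiException, InterruptedException {
        ApiResponse resp = api.spider.scan(url, null, null, null, null);
        String scanId = ((ApiResponseElement) resp).getValue();
        int progress = 0;
        while (progress < 100) {
            Thread.sleep(1000);
            progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanId)).getValue());
            System.out.println("Spider progress : " + progress + "%");
        }
        return new String(api.core.xmlreport(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Process zap = startZap();
        try {
            ClientApi api = waitForZap(60_000);
            System.out.println(runSpider(api, TARGET));
            api.core.shutdown();   // clean stop; needs the API key, so it also proves the key works
        } finally {
            zap.destroy();         // fallback if shutdown() did not get the process to exit
        }
    }
}
```

If the loop in waitForZap() still times out with "Connection refused", ZAP is not listening on that address and port at all (check zap.log and the port); if instead the calls go through but are ignored, the key in the -config option and the one passed to ClientApi do not match, which is the situation Simon's answer describes. In a Selenium run, replace TARGET with driver.getCurrentUrl() as the question does.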