Task Failed. Error: {"Success":false,"Message":"400 - \"{\\\"code\\\":\\\"illegal_parameter\\\",\\\"message\\\":\\\"Provided parameter has illegal or unrecognized value\\\"}\""}

[yk-kuang]

Hi

Thank you for creating the add-on in VSTS. Really appreciated.
I have issue while running the add on.
My OWASP ZAP is public with SSL: https://owaspzap.xxxx.com with port 8483.

I selected a VSTS 2017 Host to run the steps and got this error message. Could you please provide suggestion to fix this issue? thank you!

Below is the output from VSTS.

2018-09-04T22:08:06.7088720Z ##[debug]Evaluating condition for step: 'OWASP ZAP Scan'
2018-09-04T22:08:06.7089733Z ##[debug]Evaluating: succeeded()
2018-09-04T22:08:06.7089976Z ##[debug]Evaluating succeeded:
2018-09-04T22:08:06.7090297Z ##[debug]=> True
2018-09-04T22:08:06.7090632Z ##[debug]Result: True
2018-09-04T22:08:06.7090956Z ##[section]Starting: OWASP ZAP Scan
2018-09-04T22:08:06.7095939Z ==============================================================================
2018-09-04T22:08:06.7096098Z Task : OWASP Zed Attack Proxy Scan
2018-09-04T22:08:06.7096257Z Description : Visual Studio Team Services build/release task for running OWASP ZAP automated security tests
2018-09-04T22:08:06.7096389Z Version : 2.0.7
2018-09-04T22:08:06.7096490Z Author : Kasun Kodagoda
2018-09-04T22:08:06.7096631Z Help : More Information
2018-09-04T22:08:06.7096771Z ==============================================================================
2018-09-04T22:08:07.0251648Z ##[debug]agent.TempDirectory=D:\a_temp
2018-09-04T22:08:07.0279517Z ##[debug]loading inputs and endpoints
2018-09-04T22:08:07.0285671Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2018-09-04T22:08:07.0299379Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2018-09-04T22:08:07.0301735Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2018-09-04T22:08:07.0303774Z ##[debug]loading INPUT_ENABLEVERIFICATIONS
2018-09-04T22:08:07.0305905Z ##[debug]loading INPUT_EXECUTEACTIVESCAN
2018-09-04T22:08:07.0307110Z ##[debug]loading INPUT_EXECUTESPIDERSCAN
2018-09-04T22:08:07.0308924Z ##[debug]loading INPUT_INSCOPEONLY
2018-09-04T22:08:07.0310116Z ##[debug]loading INPUT_MAXHIGHRISKALERTS
2018-09-04T22:08:07.0312005Z ##[debug]loading INPUT_MAXLOWRISKALERTS
2018-09-04T22:08:07.0313155Z ##[debug]loading INPUT_MAXMEDIUMRISKALERTS
2018-09-04T22:08:07.0315015Z ##[debug]loading INPUT_RECURSE
2018-09-04T22:08:07.0316795Z ##[debug]loading INPUT_RECURSESPIDER
2018-09-04T22:08:07.0317954Z ##[debug]loading INPUT_REPORTFILEDESTINATION
2018-09-04T22:08:07.0319691Z ##[debug]loading INPUT_REPORTFILENAME
2018-09-04T22:08:07.0320797Z ##[debug]loading INPUT_REPORTTYPE
2018-09-04T22:08:07.0322518Z ##[debug]loading INPUT_SUBTREEONLY
2018-09-04T22:08:07.0323609Z ##[debug]loading INPUT_TARGETURL
2018-09-04T22:08:07.0325114Z ##[debug]loading INPUT_ZAPAPIKEY
2018-09-04T22:08:07.0327391Z ##[debug]loading INPUT_ZAPAPIURL
2018-09-04T22:08:07.0331823Z ##[debug]loaded 19
2018-09-04T22:08:07.0346565Z ##[debug]Agent.ProxyUrl=undefined
2018-09-04T22:08:07.0347778Z ##[debug]Agent.CAInfo=undefined
2018-09-04T22:08:07.0348193Z ##[debug]Agent.ClientCert=undefined
2018-09-04T22:08:07.0348513Z ##[debug]Agent.SkipCertValidation=undefined
2018-09-04T22:08:07.4751156Z ##[debug]check path : D:\a_tasks\OwaspZapScan_xxxxxxxxxxxxxxxxxxx\2.0.7\task.json
2018-09-04T22:08:07.4753245Z ##[debug]adding resource file: D:\a_tasks\OwaspZapScan_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\2.0.7\task.json
2018-09-04T22:08:07.4753548Z ##[debug]system.culture=en-US
2018-09-04T22:08:07.4789152Z ##[debug]ZapApiUrl=owaspzap.xxxxxxxx.com
2018-09-04T22:08:07.4791921Z ##[debug]ZapApiKey=xxxxxxxxxxxxxxxxxxxxxxxx
2018-09-04T22:08:07.4793620Z ##[debug]TargetUrl=target.xxxxxxxx.com
2018-09-04T22:08:07.4796825Z ##[debug]ExecuteSpiderScan=true
2018-09-04T22:08:07.4798359Z ##[debug]RecurseSpider=false
2018-09-04T22:08:07.4800045Z ##[debug]SubtreeOnly=false
2018-09-04T22:08:07.4801031Z ##[debug]MaxChildrenToCrawl=null
2018-09-04T22:08:07.4801411Z ##[debug]ContextName=null
2018-09-04T22:08:07.4802984Z ##[debug]ExecuteActiveScan=true
2018-09-04T22:08:07.4803499Z ##[debug]ContextId=null
2018-09-04T22:08:07.4805274Z ##[debug]Recurse=true
2018-09-04T22:08:07.4807898Z ##[debug]InScopeOnly=false
2018-09-04T22:08:07.4808185Z ##[debug]ScanPolicyName=null
2018-09-04T22:08:07.4808546Z ##[debug]Method=null
2018-09-04T22:08:07.4809021Z ##[debug]PostData=null
2018-09-04T22:08:07.4811026Z ##[debug]ReportType=html
2018-09-04T22:08:07.4813849Z ##[debug]ReportFileDestination=D:\a\1\s
2018-09-04T22:08:07.4816041Z ##[debug]ReportFileName=OWASP-ZAP-Report-1578
2018-09-04T22:08:07.4816608Z ##[debug]Build.Repository.Name=WebOwaspZapSecurityTesting
2018-09-04T22:08:07.4817794Z ##[debug]Build.DefinitionName=nightly-OWASPZAP
2018-09-04T22:08:07.4820206Z ##[debug]EnableVerifications=true
2018-09-04T22:08:07.4821580Z ##[debug]MaxHighRiskAlerts=0
2018-09-04T22:08:07.4824044Z ##[debug]MaxMediumRiskAlerts=2
2018-09-04T22:08:07.4826061Z ##[debug]MaxLowRiskAlerts=2
2018-09-04T22:08:07.4839235Z ##[debug]Spider Scan | Target URL: http://owaspzap.xxxxxxxx.com/JSON/spider/action/scan/ | Scan Options: {"apikey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","url":"target.xxxxxxxx.com","maxChildren":"","recurse":"false","subtreeOnly":"false","contextName":"","formMethod":"GET","zapapiformat":"JSON"}
2018-09-04T22:08:08.7435463Z ##[debug]task result: Failed
2018-09-04T22:08:08.7505502Z ##[error]Task Failed. Error: {"Success":false,"Message":"400 - "{\"code\":\"illegal_parameter\",\"message\":\"Provided parameter has illegal or unrecognized value\"}""}
2018-09-04T22:08:08.7518191Z ##[debug]Processed: ##vso[task.issue type=error;]Task Failed. Error: {"Success":false,"Message":"400 - "{\"code\":\"illegal_parameter\",\"message\":\"Provided parameter has illegal or unrecognized value\"}""}
2018-09-04T22:08:08.7534192Z ##[debug]Processed: ##vso[task.complete result=Failed;]Task Failed. Error: {"Success":false,"Message":"400 - "{\"code\":\"illegal_parameter\",\"message\":\"Provided parameter has illegal or unrecognized value\"}""}
2018-09-04T22:08:08.7545657Z ##[section]Finishing: OWASP ZAP Scan

[kasunkv]

@helloyzk Can you access the ZAP API from over HTTP as well? Coz at the moment the task does not support calling the ZAP API over HTTPS. It will be added in a future update. But it seems ZAP API cannot be accessed using HTTP. If you have HTTP disabled, pls re-enable it and see if it's working.

[yk-kuang]

@kasunkv Thank you so much for your reply. I changed the site to http only and I still get the same error message.

[shivakumarg06]

@helloyzk Am also facing the similar issues, I have running Zap on HTTP and able access from browser, but from VSTS its failed,

[ShoeQ]

Also getting this issue when calling Zap over just HTTP from Azure Dev Ops

[ShoeQ]

I'm guessing @kasunkv has no intention of looking into this matter.

[kasunkv]

@ShoeQ It's not that I have no intention of looking into this, but I simply could not find time to work on this due to being busy with work for the last few months. I am truly sorry for the delay about these issues, but please understand that I can only look into this when I have time. I will look at the issues this weekend and set up a pipeline to get the pending PRs merged and released ASAP. You should be able to get some update at the end of this week.

[thc202]

The TargetUrl needs to have the scheme.