To troubleshoot hawkscan errors related to networking, disk access or unexplained failures, it may be necessary to inspect the hawkscan docker container itself. Add the `--entrypoint=bash` option to your docker command to start the hawkscan container without running the usual entrypoint, the `shawk` command:

```bash
docker run -e API_KEY=$HAWK_API_KEY --rm --name hawkscan --entrypoint=bash -v $(pwd):/hawk -it stackhawk/hawkscan
```
After running the above command you will be at a bash terminal in the hawkscan container as the `zap` user in the `/zap` directory. Run the `shawk` command in the bash terminal to kick off a scan. Once the `shawk` command completes you can check the `zap.out` log file for errors of interest:

```bash
zap@732aa0ebcfdd:/zap$ cat zap.out
```
Sometimes the scanner may not have the correct permissions to access the host volume mount specified with the `-v $(pwd):/hawk` option. Check the permissions of the `/hawk` directory by running:

```bash
zap@732aa0ebcfdd:/zap$ ls -lah /hawk
```

The `zap` user in the hawkscan container requires read permissions on the `/hawk` directory.
In some cases running the hawkscan container as the root user is required for hawkscan to access the docker host machine's file system. In this case you can run the docker command with the `--user=root` option:

```bash
docker run -e API_KEY=$HAWK_API_KEY --rm --name hawkscan --user=root -v $(pwd):/hawk -it stackhawk/hawkscan
```
To debug your custom scripts, log your script's activity with a logger:

```kotlin
import org.apache.log4j.LogManager

// Use a distinctive logger name so the script's output is easy to find in zap.out
val logger = LogManager.getLogger("my-script")
logger.info("custom script started")
```

From the hawkscan container bash terminal run the `shawk` command and look for the log statements from your script:

```bash
zap@732aa0ebcfdd:/zap$ cat zap.out | grep my-script
```

You can also run this as a single command:

```bash
docker run -e API_KEY=$HAWK_API_KEY --rm --name hawkscan --entrypoint=bash -v $(pwd):/hawk -it stackhawk/hawkscan -c 'shawk; cat zap.out | grep my-script'
```
To scan your application effectively, it is important that HawkScan find all the paths being served by your application. By default, HawkScan will first run a web crawler or "spider" to discover all the paths of your application before running active scans. For example, you will see output on the terminal that looks something like this:

```
[INFO] shawk 2019-10-10 17:44:20,868 Spider complete
[INFO] shawk 2019-10-10 17:44:20,875 24 URLs after spiders
http://localhost:3000
http://localhost:3000/about
http://localhost:3000/assets
http://localhost:3000/assets/account_activation.self-877aef30ae1b040ab8a3aba4e3e309a11d7f2612f44dde450b5c157aa5f95c05.js?body=1
http://localhost:3000/assets/account_activations.self-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.css?body=1
http://localhost:3000/assets/action_cable.self-69fddfcddf4fdef9828648f9330d6ce108b93b82b0b8d3affffc59a114853451.js?body=1
http://localhost:3000/contact
http://localhost:3000/help
http://localhost:3000/microposts
http://localhost:3000/microposts/2
http://localhost:3000/microposts/56
http://localhost:3000/microposts/8
http://localhost:3000/robots.txt
http://localhost:3000/search
http://localhost:3000/searchresults
http://localhost:3000/sitemap.xml
http://localhost:3000/users
http://localhost:3000/users/1
http://localhost:3000/users/1/followers
http://localhost:3000/users/1/following
http://localhost:3000/users/2
http://localhost:3000/users/2/edit
http://localhost:3000/users/2/followers
http://localhost:3000/users/2/following
Scan status Stock-Default-Policy (http://host.docker.internal:3000) [4%]
```
If you do not see URLs and paths that you expect your application to serve, you may need to modify your `stackhawk.yml` to include form authentication or an API specification. See the `app.authentication` and `app.soapConf` configuration help for more detail.
Problem: localhost scans fail, returning the following error:

```
Error: Unable to scan localhost on ports 0..1023. Please use a permitted port 1024..65535 to proceed.
```

Solution: HawkScan reports this error when a kernel port (0..1023) is configured for a scan against localhost. HawkScan runs in an unprivileged container, which provides permissions for the userland context only. This requires scans against localhost to use a permitted ephemeral port (e.g. 1024..65535).
Please refer to the Docker User Guide for more information.
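The two checks described above (the `/hawk` volume must be readable by the `zap` user, and a localhost target must use a port in 1024..65535) can be run on the host before the container is launched. The helpers below are an added example, not part of HawkScan or the stackhawk/hawkscan image; treating `127.0.0.1` like `localhost` is our assumption.

```bash
#!/usr/bin/env bash
# Added pre-flight helpers (not part of HawkScan or the stackhawk/hawkscan image).
# They check the two conditions this page describes before the container is launched:
# the host volume must be readable by the container's zap user, and a localhost
# target must use a port in 1024..65535.

# Print the port of a URL; defaults to 443 for https and 80 otherwise.
url_port() {
  local url="$1" hostport port
  hostport="${url#*://}"; hostport="${hostport%%/*}"
  port="${hostport##*:}"
  if [ "$port" = "$hostport" ]; then          # no explicit port in the URL
    case "$url" in https://*) port=443 ;; *) port=80 ;; esac
  fi
  printf '%s\n' "$port"
}

# Return 0 if the target is scannable from the unprivileged container.
# HawkScan rejects localhost targets on kernel ports 0..1023; other hosts are unaffected.
# Treating 127.0.0.1 like localhost is our assumption, not something the page states.
localhost_port_ok() {
  local url="$1" host port
  host="${url#*://}"; host="${host%%/*}"; host="${host%%:*}"
  case "$host" in localhost|127.0.0.1) ;; *) return 0 ;; esac
  port="$(url_port "$url")"
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# Return 0 when DIR grants read and execute to "others". The zap user inside the
# container normally has a different uid from the host user, so on the bind mount it
# gets the "others" bits (unless your host uid happens to match zap's).
mount_world_readable() {
  local dir="$1" mode
  [ -d "$dir" ] || return 1
  mode="$(ls -ld "$dir")"                     # e.g. drwxr-xr-x 2 user group ...
  [ "$(printf '%s' "$mode" | cut -c8)" = "r" ] &&
    [ "$(printf '%s' "$mode" | cut -c10)" = "x" ]
}

# Compose the docker command from this page, adding the --user=root fallback only
# when the mount would not be readable by the zap user.
hawkscan_cmd() {
  local dir="$1" user_opt=""
  mount_world_readable "$dir" || user_opt="--user=root "
  printf 'docker run -e API_KEY=$HAWK_API_KEY --rm --name hawkscan %s-v %s:/hawk -it stackhawk/hawkscan\n' \
    "$user_opt" "$dir"
}
```

Run `localhost_port_ok "$TARGET_URL"` and `hawkscan_cmd "$(pwd)"` before scanning; a failing port check means the target itself must move to a port above 1023, which no docker option can fix.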
Shoot us a note at email@example.com. We’d love to help you out.