Configure - OWASP ZAP Automated Scan

Viewed 1,300 times

NCoder

6 Oct 2015, 19:16:56
to OWASP ZAP User Group

I'm looking at a scenario where OWASP ZAP Automated Scanner will do the following:

  1. Go through every parameter in a request.
  2. Apply all stored payloads for XSS, SQL, overflow vulnerabilities, etc., say 100 payloads per vulnerability.
  3. This should repeat for all the requests that are recorded in ZAP.

Is it possible with the existing Automated Scanner? If not, can I manually configure the fuzzer through the ZAP APIs to do so? If yes, please provide information on the same.

NCoder

7 Oct 2015, 01:01:45
to OWASP ZAP User Group

Just to add, I'm looking for these details to set up a continuous integration environment using ZAP.

Alex Leonhardt

7 Oct 2015, 02:36:42
to zaprox...@googlegroups.com

You could check out zapy on GitHub. It runs the ZAP attack against a target and produces an HTML report.

I'm not sure if XSS payloads would go through in a headless mode.

Alex

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts

7 Oct 2015, 05:13:08
to OWASP ZAP User Group

This is pretty much what the ZAP active scanner does :)

You will need to explore your app first. This could be using the 'traditional' spider, the Ajax spider (which launches browsers) or by proxying regression tests through ZAP, or any combination of those :)

The payloads used will depend on the Scan Policy you specify. The default one will use all of the scan rules installed. You can download new ones from the ZAP marketplace and have very fine-grained control over exactly which ones get used if you like.

The number of attacks performed will depend on the number of 'unique' pages in the app, the number of parameters, the number of rules you specify and the 'attack strength' you specify for those rules. For more details see: https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

As to how you use ZAP, you have various options:
The ZAP API should give you complete control over how ZAP works. If you find there's something that you can't do via the API then let us know and we'll do our best to fix that :)

One of the things you can't currently do via the API is fuzzing. Fuzzing is a manual technique, and as such it is much more suited to the ZAP GUI than the API.

Which of those options sounds the most useful for your requirements?

Cheers,

Simon
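To make the workflow Simon describes concrete (explore with the spiders, then active-scan under a named Scan Policy, then read the alerts back), here is an added example of a CI driver written against the ZAP REST API. It is not code from the thread, from zapy, or from the ZAP project. The transport is injectable: `http_transport` talks to a real ZAP daemon (the address and API key are assumptions), while the constructed `FakeZap` answers with canned JSON in the same shape ZAP returns, so the file runs offline. The policy name `ci-policy` and the target `http://app.test` are placeholders.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

# A transport takes an API path such as "spider/action/scan" plus its query
# parameters and returns the decoded JSON response.
Transport = Callable[[str, Dict[str, str]], dict]

# ZAP's risk levels, lowest to highest, used for the build-failure threshold.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def http_transport(base="http://127.0.0.1:8080", apikey="changeme") -> Transport:
    """Transport for a live ZAP daemon (address and API key are assumed values)."""
    def call(path, params):
        url = f"{base}/JSON/{path}/?" + urllib.parse.urlencode(dict(params, apikey=apikey))
        with urllib.request.urlopen(url) as resp:
            return json.load(resp)
    return call


def wait_until(poll, done, max_polls=10_000):
    """Poll a status view until `done` accepts the response (bounded, so CI cannot hang)."""
    for _ in range(max_polls):
        value = poll()
        if done(value):
            return value
    raise TimeoutError("ZAP job did not finish")


def scan_target(call: Transport, target: str, policy: str, fail_risk="High"):
    """Spider, Ajax-spider, active-scan with a named policy, then gate on the alerts found."""
    scan_id = call("spider/action/scan", {"url": target})["scan"]
    wait_until(lambda: call("spider/view/status", {"scanId": scan_id}),
               lambda r: r["status"] == "100")
    # The Ajax spider reports "running"/"stopped" rather than a percentage.
    call("ajaxSpider/action/scan", {"url": target, "inScope": "true"})
    wait_until(lambda: call("ajaxSpider/view/status", {}),
               lambda r: r["status"] == "stopped")
    # scanPolicyName selects which rules and attack strengths are applied.
    scan_id = call("ascan/action/scan",
                   {"url": target, "recurse": "true", "scanPolicyName": policy})["scan"]
    wait_until(lambda: call("ascan/view/status", {"scanId": scan_id}),
               lambda r: r["status"] == "100")
    alerts = call("core/view/alerts",
                  {"baseurl": target, "start": "0", "count": "1000"})["alerts"]
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    threshold = RISK_ORDER.index(fail_risk)
    failing = [a for a in alerts if RISK_ORDER.index(a["risk"]) >= threshold]
    return {"counts": counts, "failing": failing, "passed": not failing}


class FakeZap:
    """Constructed stand-in for a ZAP daemon: canned answers whose progress advances per poll."""
    def __init__(self):
        self.progress = {"spider": 0, "ajax": 0, "ascan": 0}
        self.calls = []  # (path, params) in the order the driver issued them

    def __call__(self, path, params):
        self.calls.append((path, dict(params)))
        if path in ("spider/action/scan", "ascan/action/scan"):
            return {"scan": "0"}
        if path == "spider/view/status":
            self.progress["spider"] = min(100, self.progress["spider"] + 40)
            return {"status": str(self.progress["spider"])}
        if path == "ajaxSpider/action/scan":
            return {"Result": "OK"}
        if path == "ajaxSpider/view/status":
            self.progress["ajax"] += 1
            return {"status": "stopped" if self.progress["ajax"] >= 2 else "running"}
        if path == "ascan/view/status":
            self.progress["ascan"] = min(100, self.progress["ascan"] + 25)
            return {"status": str(self.progress["ascan"])}
        if path == "core/view/alerts":
            # Constructed sample alerts in ZAP's alert shape.
            return {"alerts": [
                {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
                 "param": "q", "url": "http://app.test/search"},
                {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
                 "param": "", "url": "http://app.test/"},
                {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
                 "param": "", "url": "http://app.test/search"},
            ]}
        raise KeyError(path)


if __name__ == "__main__":
    # Swap FakeZap() for http_transport() to run against a real daemon.
    print(json.dumps(scan_target(FakeZap(), "http://app.test", "ci-policy"), indent=2))
```

The driver returns a dictionary rather than printing, so a pipeline step can decide on `passed` and attach `failing` to the build log; lowering `fail_risk` to `"Medium"` makes the gate stricter without touching the scan policy itself.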

Alex Leonhardt

7 Oct 2015, 17:09:47
to zaprox...@googlegroups.com

On that note, if you run ZAP headless, will it be able to do the XSS scans?

alex

--

gpg public key: http://dpaste.com/1CEJ38Z 

NCoder

7 Oct 2015, 18:36:32
to OWASP ZAP User Group

Hi Alex,

Thanks for the suggestion. I shall try, but I'm also looking more in terms of coverage. The more the application is explored, the more coverage there is.

NCoder

7 Oct 2015, 18:41:13
to OWASP ZAP User Group

Hi Simon,

Thanks for the response. Like you said, that is what the scanner is supposed to do, but I have always felt the outcome was not as expected, probably due to config issues on my end.

The options below seem to be very helpful. I want to make the automated scanner as effective as possible. For that:

1) You need complete application coverage. For this, I shall use the AJAX spider you mentioned and also Selenium integration, and run some test scripts.

2) Ensure every parameter is scanned with all the payloads. For that, again I shall configure the scan policy and the other steps you mentioned in the Mozilla blog.

Thanks,
Prav

For the application coverage