ZAP container compatible with RHEL 8


maria cristina

Jun 27, 2021, 3:36:07 PM
to OWASP ZAP User Group

Hi,
I'm new to ZAP and Linux, but I was assigned to test a web app with the ZAP tool. The OS is RHEL 8.
Which installer is best to use: Linux package, Linux installer or Docker?
Is Docker compatible with RHEL 8?

Thank you,
Maria

Simon Bennetts

Jun 28, 2021, 3:34:13 AM
to OWASP ZAP User Group
Hi Maria,

I'd recommend the linux installer but the linux package should work fine.


Cheers,

Simon

maria cristina

Jun 30, 2021, 10:51:31 AM
to OWASP ZAP User Group
Hi,

Thank you!

But now I have another question:

I copied the package file and started it as a daemon; it is working for localhost,
but when I exit from the cmd it stops.
Is that OK, or do I have to do something?


Simon Bennetts

Jul 1, 2021, 5:18:37 AM
to OWASP ZAP User Group
Hi Maria,

Sorry, I'm not really sure what you are doing :/
Can you explain in a bit more detail, giving the exact commands you are using if possible?

Thanks,

Simon

maria cristina

Jul 1, 2021, 6:51:29 AM
to OWASP ZAP User Group
Hi Simon,

The command executed is ./zap.sh -daemon

and it started zaproxy:

4077 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
4086 [ZAP-daemon] INFO  org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:42283
4185 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on localhost:8080

It keeps running until I exit from the session or press Ctrl+C.

Does that make sense?

What are the next steps I should follow after installation?
1. Configure Firefox for Linux, I think that's next
But what comes after this step?

Sorry, but I'm so new to this.

Simon Bennetts

Jul 1, 2021, 8:32:22 AM
to OWASP ZAP User Group
OK, so it really depends on what you are trying to do :)
Do you want to do automated testing or manual testing?
If you are new to security then it's probably best to start with automated testing.
For that you can use the packaged scans - there are 3 of them, the baseline, API and full scans, and more details are linked off https://www.zaproxy.org/docs/docker/

To learn more about manual testing see https://www.zaproxy.org/getting-started/

We also have loads of videos linked off https://www.zaproxy.org/videos/

Cheers,

Simon

maria cristina

Jul 5, 2021, 4:46:18 PM
to zaprox...@googlegroups.com
Hi,

Me again.
My colleague has installed the linux package and the OS is RHEL 8.
If it isn't docker I can't run the automatic scan from the command line, right?
Can I use the quick scan command line?

Also I'm thinking to see if my colleague can apply what is here:

Thank you,
Maria



maria cristina

Jul 5, 2021, 4:48:21 PM
to zaprox...@googlegroups.com
One more thing: the installation has been performed as a headless installation.

Simon Bennetts

Jul 6, 2021, 3:22:51 AM
to OWASP ZAP User Group
Hi Maria,

You can't use the packaged scans as they depend on Docker and Docker does not appear to be supported on RHEL 8.
However there are other options for automating ZAP: https://www.zaproxy.org/docs/automate/
The command line option will work but is very limited.
The API and daemon option will work but is a bit more complicated.
The Automation Framework will work but is still at an early stage.

Cheers,

Simon
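
The "API and daemon" option from the reply above, sketched as an added example that is not part of the thread or of the ZAP project's code: a small Python client that asks a daemon started with ./zap.sh -daemon to spider a target, waits for it to finish, and groups the resulting alerts by risk. The API key value, the target URL and the function names are assumptions; the listen address is the one shown in the daemon log earlier in the thread.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # address the daemon log reports it is listening on
API_KEY = "REPLACE_WITH_API_KEY"    # placeholder (assumption): the key configured in ZAP


def http_get_json(url, api_key):
    """Default transport: GET the URL, sending the key in the X-ZAP-API-Key header."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def zap_call(path, params, fetch=http_get_json, base=ZAP_BASE, api_key=API_KEY):
    """Call one ZAP JSON API endpoint, e.g. path='spider/action/scan'."""
    url = f"{base}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    return fetch(url, api_key)


def spider_and_collect(target, fetch=http_get_json, poll_seconds=2, max_polls=300):
    """Spider the target, wait for completion, and return alerts grouped by risk."""
    scan_id = zap_call("spider/action/scan", {"url": target}, fetch)["scan"]
    for _ in range(max_polls):
        status = zap_call("spider/view/status", {"scanId": scan_id}, fetch)["status"]
        if int(status) >= 100:  # ZAP reports spider progress as a percentage string
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"spider {scan_id} did not finish")
    alerts = zap_call("core/view/alerts", {"baseurl": target}, fetch)["alerts"]
    by_risk = {}
    for alert in alerts:
        by_risk.setdefault(alert["risk"], []).append((alert["alert"], alert["url"]))
    return by_risk


if __name__ == "__main__":
    # Hypothetical target URL (assumption); replace with the application under test.
    for risk, items in spider_and_collect("http://localhost:3000/").items():
        print(risk, len(items))
```

The `fetch` parameter exists so the polling logic can be exercised without a running daemon; in normal use the default transport talks to ZAP on localhost.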