How to do Bulk Baseline/Full Scan
149 views
Skip to first unread message
Chaitanya CSE
Jun 28, 2022, 7:18:30 AM6/28/22
to OWASP ZAP User Group
Team,
How can I perform a baseline/full scan by passing the list of domains via file? please assist. thanks.
EX: docker run -t owasp/zap2docker-stable zap-baseline.py -t domains.txt
domains.txt contains:
Regards,
Chaitanya D
Simon Bennetts
Jun 28, 2022, 7:29:08 AM6/28/22
to OWASP ZAP User Group
You would need to write a wrapper around the calls to the packaged scans - they are designed to just scan one site/domain at a time.
Have a look at https://github.com/zaproxy/community-scripts/tree/main/api/mass-baseline - this is no longer maintained but could be a good starting point.
Cheers,
Simon
Chaitanya CSE
Jun 30, 2022, 9:26:58 AM6/30/22
to zaprox...@googlegroups.com
Thanks Simon and can you please assist me with the below error?
I'm running ZAP baseline scan on a particular URL where I need to save the scan results in HTML format. thanks.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/26aedc03-6705-4577-a08a-0135bfb30a8cn%40googlegroups.com.
Simon Bennetts
Jun 30, 2022, 9:54:33 AM6/30/22
to OWASP ZAP User Group
See the error message :)
With the options you have chosen you need to mount a /zap/wrk directory.
- If you use ‘file’ params then you need to mount the directory those file are in or will be generated in, eg
- docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com -g gen.conf -r testreport.html
Cheers,
Simon
Chaitanya CSE
Jul 4, 2022, 6:30:31 AM7/4/22
to zaprox...@googlegroups.com
the err still persists, but by adding the --user root the error is resolved now.
Is there any possibility of eliminating False Positives in the following scan using CLI (I meant the above way)?
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/axv3g9rcgZs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/aa18d521-d4c9-4d75-a886-3210585a8c6dn%40googlegroups.com.
Simon Bennetts
Jul 6, 2022, 4:56:09 AM7/6/22
to OWASP ZAP User Group
Er, so is that all ok now?
Re False Positives - see https://www.zaproxy.org/faq/how-do-i-handle-a-false-positive/
Cheers,
Simon
Chaitanya CSE
Jul 11, 2022, 8:26:29 AM7/11/22
to zaprox...@googlegroups.com
Yeah, kind of. but I'm unable to see the reports on the filesystem after running this command but the scan was successful. any ideas?
docker run -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable zap-baseline.py -t $(cat domains.txt) -r scan.html
domains.txt
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/60474c5b-5700-4d5e-85a6-04678b8318c5n%40googlegroups.com.
Simon Bennetts
Jul 13, 2022, 9:01:55 AM7/13/22
to OWASP ZAP User Group
The "-t" parameter only accepts one target - supplying multiple ones will not work.
Cheers,
Simon
Chaitanya CSE
Jul 25, 2022, 9:00:32 AM7/25/22
to OWASP ZAP User Group
Thanks, Simon, got it, can we track all the scans/status/vulnerabilities on the dashboard? I mean do these scans reflect on any dashboard/URL?
Simon Bennetts
Jul 25, 2022, 9:04:34 AM7/25/22
to OWASP ZAP User Group
ZAP currently only persists things to the session db.
If you want to implement a dashboard you'll need to persist them somewhere else and create the dashboard - thats out of ZAP's scope :)
Cheers,
Simon
Reply all
Reply to author
Forward
0 new messages