ZAP active scan rule export


Pushpinder Kaur

Aug 1, 2023, 11:13:42 AM8/1/23
to ZAP User Group
Hi!

I am developing an automated vulnerability scanner and was wondering if there is a way to export/call a single active scan rule like UserEnumerationScanRule.java, for example, in my project to scan a list of URLs for this vulnerability. I am new to ZAP, esp. the usage of active scan add-ons. Are there any resources you could please forward me to? Is this even possible?

Thanks,
Pushpinder

Pushpinder Kaur

Aug 1, 2023, 11:16:28 AM8/1/23
to ZAP User Group
I want to use a few scan rules from the addon activescanruleBeta

psiinon

Aug 1, 2023, 11:18:15 AM8/1/23
to zaprox...@googlegroups.com
Hi Pushpinder,

Anything is possible :)
But you will need to provide all of the environment that the scan rules expect.
That's very well documented .. by the code :D
I suggest you start diving into it ;)

We also have some docs which may help you here: https://www.zaproxy.org/docs/contribute/scan-rules/

Cheers,

Simon



--
OWASP ZAP Project leader

Pushpinder Kaur

Aug 1, 2023, 11:26:47 AM8/1/23
to ZAP User Group
Hi Simon,

Thank you for your response and the encouragement.
I've only started digging yesterday and have cloned the zap proxy and zap extension repositories, and sorted out the dependencies. Just unsure about the usage of scan rules separately. Thanks for sharing the documentation link, will start studying it as well :)

thc...@gmail.com

Aug 1, 2023, 11:28:14 AM8/1/23
to zaprox...@googlegroups.com
The test infrastructure is a good place to know the minimum required to run the scan rules (you would still have to provide some Paros/ZAP classes though).


You can also use ZAP to scan specific URLs with individual rules.

Best regards.

Pushpinder Kaur

Aug 1, 2023, 5:24:23 PM8/1/23
to ZAP User Group
Hi!
Thank you! Sorry for being ignorant, but by test infrastructure do you mean setting up my own test env, like running on a vulnerable test app? Or is there some resource from ZAP that I am missing? Thanks

thc...@gmail.com

Aug 1, 2023, 5:36:52 PM8/1/23
to zaprox...@googlegroups.com
I was referring to the tests of the scan rules done in zap-extensions repo.

The `testutils` project provides the necessary/minimum set up to test both active and passive scan rules in isolation:
https://github.com/zaproxy/zap-extensions/tree/bd85de3a6a7ab8f884462afe3319fe99921414ff/testutils/src/main/java/org/zaproxy/zap/testutils

You would have to do something similar if you want to execute them without a full ZAP instance.

Best regards.
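The suggestion in the two replies above (use the `testutils` harness to drive a single rule without a full ZAP instance) looks roughly like the following when written out. This is an added illustration, not code from zap-extensions or from the thread's participants. It assumes the class sits in the ascanrulesBeta add-on's test source set, so `testutils`, JUnit 5, Hamcrest and NanoHTTPD are already on the test classpath, and it uses the harness members as they appear in the linked `testutils` project (`nano`, `rule`, `parent`, `alertsRaised`, `getHttpMessage`, `createScanner`); member names and signatures may differ in other revisions. The class name, the `/login` path and the served page are constructed for the example.

```java
// Added example: running one active scan rule on its own through the zap-extensions
// testutils harness, the way the add-on's own unit tests do. Not project code.
package org.zaproxy.zap.extension.ascanrulesBeta;

import static fi.iki.elonen.NanoHTTPD.newFixedLengthResponse;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.everyItem;
import static org.hamcrest.Matchers.hasProperty;
import static org.hamcrest.Matchers.is;

import fi.iki.elonen.NanoHTTPD.IHTTPSession;
import fi.iki.elonen.NanoHTTPD.Response;
import org.junit.jupiter.api.Test;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.testutils.ActiveScannerTest;
import org.zaproxy.zap.testutils.NanoServerHandler;

// Hypothetical class name; the generic parameter is the rule under test.
class UserEnumerationScanRuleIsolationExample extends ActiveScannerTest<UserEnumerationScanRule> {

    @Override
    protected UserEnumerationScanRule createScanner() {
        // The base class instantiates the rule, mocks its HostProcess parent and wires
        // an HttpSender, so rule.sendAndReceive(...) really travels over HTTP to the
        // local `nano` test server that the harness starts before each test.
        return new UserEnumerationScanRule();
    }

    @Test
    void scanSingleUrlWithOneRule() throws Exception {
        // Constructed target: a minimal login page served by the test server.
        String path = "/login";
        nano.addHandler(
                new NanoServerHandler(path) {
                    @Override
                    protected Response serve(IHTTPSession session) {
                        return newFixedLengthResponse(
                                "<html><body><form method='POST' action='/login'>"
                                        + "<input name='username'/>"
                                        + "<input name='password' type='password'/>"
                                        + "</form></body></html>");
                    }
                });

        // Fetch the page once so the rule has a real request/response pair to start from.
        // For a list of URLs this is the step you would repeat per URL.
        HttpMessage msg = getHttpMessage(path);

        // Bind the rule to that message and its (mocked) parent scanner, then run it.
        rule.init(msg, parent);
        rule.scan();

        // Everything the rule raised is collected in alertsRaised by the harness.
        // Every alert must carry this rule's plugin id; how many are raised depends on
        // the rule's own detection logic and on the responses the server returns.
        assertThat(alertsRaised, everyItem(hasProperty("pluginId", is(rule.getId()))));
    }
}
```

Run it with the add-on's normal Gradle test task. Outside this harness, the pieces the base class provides for free (the mocked `HostProcess`, an `HttpSender`, the ZAP `Model`/`Constant` initialisation) are exactly the "Paros/ZAP classes" the reply above says you still have to supply yourself.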