Nodejs program to scan a web app for vulnerabilities


Priyam Pratap Singh (Devil)

Jul 27, 2023, 4:51:30 AM7/27/23
to OWASP ZAP User Group
I'm new to ZAP. I want to test my web application for vulnerabilities. How can I create a Node.js program to scan my website and generate a JSON report of the response?

psiinon

Jul 27, 2023, 4:53:18 AM7/27/23
to zaprox...@googlegroups.com
Does it need to be a NodeJS program?
You can run ZAP from the commandline: https://www.zaproxy.org/docs/automate/

Cheers,

Simon

On Thu, Jul 27, 2023 at 10:51 AM Priyam Pratap Singh (Devil) <priyam...@gmail.com> wrote:
> I'm new to ZAP. I want to test my web application for vulnerabilities. How can I create a Node.js program to scan my website and generate a JSON report of the response?



--
OWASP ZAP Project leader

Muhammad Zubair

Jul 27, 2023, 5:04:52 AM7/27/23
to OWASP ZAP User Group

I can help you with that. Here are the steps on how to create a NodeJS program to scan your website and generate a JSON report of the response:

  1. Install the zaproxy module.

    npm install zaproxy

  2. Instantiate the ZapClient object.

    const ZapClient = require('zaproxy');
    const zapOptions = {
      apiKey: 'eahhr6h6kal92j21gkcnhkp80t',
      proxy: { host: '127.0.0.1', port: 8080 },
    };
    const zaproxy = new ZapClient(zapOptions);

  3. Use the spider.scanAsUser() method to scan your website.

    let params = {
      contextid: contextid, userid: userid, url: sutbaseurl,
      maxchildren: maxchildren, recurse: recurse, subtreeonly: subtreeonly,
    };
    let response = await zaproxy.spider.scanAsUser(params);

  4. Convert the response object to JSON.

    const jsonResponse = JSON.stringify(response);

  5. Write the JSON response to a file.

    const fs = require('fs');
    // writeFile() without a callback throws in current Node; use the sync variant
    fs.writeFileSync('report.json', jsonResponse);

Here is an example of a NodeJS program that scans a website and generates a JSON report of the response:

    const ZapClient = require('zaproxy');
    const fs = require('fs');

    const zapOptions = {
      apiKey: 'eahhr6h6kal92j21gkcnhkp80t',
      proxy: { host: '127.0.0.1', port: 8080 },
    };
    const zaproxy = new ZapClient(zapOptions);

    // await is only valid inside an async function in a CommonJS script
    async function main() {
      let params = {
        contextid: 1, userid: 1, url: 'https://www.example.com',
        maxchildren: 100, recurse: true, subtreeonly: false,
      };
      let response = await zaproxy.spider.scanAsUser(params);
      const jsonResponse = JSON.stringify(response);
      fs.writeFileSync('report.json', jsonResponse);
    }

    main().catch((err) => { console.error(err); process.exit(1); });

To run this program, you will need to have ZAP installed and running. You can then run the program by typing the following command into your terminal:

node scan.js

This will generate a JSON report of the scan results in the report.json file. You can then open this file in a text editor to view the results.

I hope this helps! Let me know if you have any other questions.

thc...@gmail.com

Jul 27, 2023, 6:06:41 AM7/27/23
to zaprox...@googlegroups.com
That's not waiting for the spider to finish (nor the passive scanner).
It's also not generating a report (the response from starting the spider
is the ID of the scan).

Best regards.

On 27/07/2023 10:04, Muhammad Zubair wrote:
>
>
> I can help you with that. Here are the steps on how to create a NodeJS
> program to scan your website and generate a JSON report of the response:
>
> 1. Install the zaproxy module.
>
> npm install zaproxy
>
> 1. Instantiate the ZapClient object.
>
> const ZapClient = require('zaproxy'); const zapOptions = { apiKey:
> 'eahhr6h6kal92j21gkcnhkp80t', proxy: { host: '127.0.0.1', port: 8080, }, };
> const zaproxy = new ZapClient(zapOptions);
>
> 1. Use the spider.scanAsUser() method to scan your website.
>
> let params = { contextid: contextid, userid: userid, url: sutbaseurl,
> maxchildren: maxchildren, recurse: recurse, subtreeonly: subtreeonly, };
> let response = await zaproxy.spider.scanAsUser(params);
>
> 1. Convert the response object to JSON.
>
> const jsonResponse = JSON.stringify(response);
>
> 1. Write the JSON response to a file.

Priyam Pratap Singh (Devil)

Jul 27, 2023, 6:21:37 AM7/27/23
to OWASP ZAP User Group
Yes, you're right. What can I do to achieve that?

kingthorin+owaspzap

Jul 27, 2023, 8:12:58 AM7/27/23
to OWASP ZAP User Group

Priyam Pratap Singh (Devil)

Jul 27, 2023, 8:53:32 AM7/27/23
to OWASP ZAP User Group
Still no luck. Any other way to do so?

thc...@gmail.com

Jul 27, 2023, 9:23:56 AM7/27/23
to zaprox...@googlegroups.com

psiinon

Jul 28, 2023, 3:47:10 AM7/28/23
to zaprox...@googlegroups.com
Or you can run ZAP from the commandline, as I mentioned earlier :P

Priyam Pratap Singh (Devil)

Jul 28, 2023, 4:09:38 AM7/28/23
to OWASP ZAP User Group
Sir, I can run ZAP from the command line, but I need to make a Node.js program that runs that command on the CLI when I execute that Node program.