ZAP API


Larry Kiggundu

Jan 28, 2013, 6:45:54 PM
to zaproxy...@googlegroups.com
Hi,

I am a Test Analyst with a keen interest in web application security and automation. I'm looking at integrating ZAP with Gauntlt.

I'm exploring the ZAP API with the intention of understanding the process required to programmatically invoke the actions for the available ZAP components.


To illustrate, here is an example Nmap test within Gauntlt:


Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value |
      | hostname | google.com |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      3128/tcp open squid-http
      8080/tcp open http-proxy
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      22/tcp
      25/tcp
      """


Is there access to more ZAP components beyond those listed here? http://code.google.com/p/zaproxy/wiki/ApiDetailsUI


Does this granularity extend further? I want to be able to break down the features of ZAP into discrete attack methods/tests (for the Cucumber tests within gauntlt) as per the examples in the list below, but is this possible?

  1. Spider
  2. Identifying incorrectly set cookies & http header issues
  3. XSS
  4. XSRF
  5. SQL injection
  6. Parameter tampering
  7. Fuzzing
  8. Brute force
  9. URL redirect abuse
  10. Weak authentication
  11. Password auto-complete in browser
  12. Potential file path manipulation
  13. Secure page browser cache
  14. Sensitive information in URLs

If so, are they invoked via the API URLs as per the active scanner - http://zap/<format>/ascan/<operation>/<operation name>[/?<parameters>]?

Kind regards,

Larry

psiinon

Jan 29, 2013, 4:11:06 AM
to zaproxy...@googlegroups.com
Hi Larry,

Thanks for taking this on - I've assigned Issue 439 to you :)

The API you linked to is all that's supported for 1.4.x, but as I'm sure you know version 2.0.0 is going to be released very shortly.
The API that supports is documented here: http://code.google.com/p/zaproxy/wiki/ApiGen_Index
You can also browse (and invoke) the API locally by accessing http://zap/ via a browser proxying through ZAP.
So there are quite a few more operations possible, but you may well want to do more. That's not a problem - we can add them in and they'll be in the next functional release (2.1.0 I guess).

I'd start with spidering the app (which will by default include passive scanning it) and using the active scanner (which will scan for a wide range of issues).
Fine grain control of the scanning would be really nice but will require some API changes. I _might_ be able to get some of them into 2.0.0 (they're on my list) but no promises;)

We've started documenting which scanning rules are available under https://code.google.com/p/zap-extensions/wiki/V2Extensions but there's still lots to do :)

Many thanks,

Simon
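Simon's spider-then-active-scan sequence, driven over the http://zap/<format>/<component>/<operation>/<name>/?<parameters> URL scheme Larry quotes, as an added example (not code from the thread or from ZAP itself). The endpoint names (spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts) and their parameters are assumed from the ZAP 2.x API index Simon links and should be checked there; FakeZap is a constructed stand-in that answers with canned JSON so the flow can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://zap"  # resolved by ZAP itself when the client proxies through it

def api_url(component, kind, name, **params):
    """Build http://zap/<format>/<component>/<kind>/<name>/?<params> in JSON form."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")

def http_fetch(url):
    """Default transport: GET through the ZAP proxy and decode the JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())

def wait_until_done(get_status, poll):
    """Assumed: spider and active scanner report percent complete as a string under "status"."""
    while int(get_status()["status"]) < 100:
        time.sleep(poll)

def run_scan(target, fetch=http_fetch, poll=2.0):
    """Spider (passive scan runs alongside it), then active scan, then collect the alerts."""
    fetch(api_url("spider", "action", "scan", url=target))
    wait_until_done(lambda: fetch(api_url("spider", "view", "status")), poll)
    fetch(api_url("ascan", "action", "scan", url=target))
    wait_until_done(lambda: fetch(api_url("ascan", "view", "status")), poll)
    return fetch(api_url("core", "view", "alerts", baseurl=target))["alerts"]

class FakeZap:
    """Constructed stand-in for ZAP: records the URLs it is asked for and returns canned JSON."""

    def __init__(self):
        self.calls = []
        self.progress = {"spider": 0, "ascan": 0}

    def __call__(self, url):
        self.calls.append(url)
        _fmt, component, kind, name = urllib.parse.urlsplit(url).path.strip("/").split("/")
        if kind == "action":
            return {"scan": "0"}  # an action reply carries the id of the scan it started
        if name == "status":
            self.progress[component] = min(100, self.progress[component] + 50)
            return {"status": str(self.progress[component])}
        return {"alerts": [{"alert": "Cookie set without HttpOnly flag", "risk": "Low"}]}
```

Each Gauntlt step Larry lists would wrap one of these calls and assert on the returned alert names, which is where per-rule control (rather than one monolithic active scan) would be needed.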

Larry Kiggundu

Feb 4, 2013, 5:26:11 PM
to zaproxy...@googlegroups.com
Thanks for the information Simon and congratulations on the new ZAP 2.0 release :-)