How to get the list of all commands for using ZAP in command line, create session, scan, report?


jai laxmi

Aug 26, 2014, 8:37:39 AM
to zaprox...@googlegroups.com
Hi Buddies,

How to get the list of all commands for using ZAP in command line, create session, scan, report?

I finally cracked how to start ZAP in command line with all the posts in this Google blog, thanks to all the discussions in here. Very happy for that.
But I need help as to what all commands are there?
What I want is: in the UI we create a session, scan the application, get the report.
I want to know the command for that.
What I know is

zap.bat -daemon -newsession /path

quickurl

There are very few commands mentioned here: https://code.google.com/p/zaproxy/wiki/HelpCmdline

Please help me guys.

Thanks and regards,
Jailaxmi

Simon Bennetts

Aug 26, 2014, 10:21:50 AM
to zaprox...@googlegroups.com
The help/wiki includes all of the 'built in' options.
However any extension/add-on can add new command line options, so it all depends on what you have installed.
The '-h' option will show you all of the ones available, eg
GUI usage:
    zap.sh [-dir directory]

Command line usage:
    zap.sh [-h |-help] [-newsession session_file_path | -session existing_session_file_path]
         [options] [-dir directory] [-installdir directory] [-host host] [-port port]
         [-daemon] [-cmd] [-version]

options:
    -quickurl [target url]: The URL to attack, eg http://www.example.com
    -quickout [output filename]: The file to write the XML results to
    -last_scan_report [file_path]: Generate 'Last Scan Report' into the file_path provided.
    -script [script_path]: Script to run from commandline or load in GUI

If you have the Quick Start add-on installed (which is included by default) then you can do something like:
zap.bat -quickurl http://www.example.com -quickout report.xml

This will not handle authentication - more configuration will be required for that.

If you have the 'scripts' add-on installed (which is included by default) then one of the options is '-script [script_path]'
The script can do anything you like...

Do the quickurl + quickout options do what you need?
If not please provide more details.

Cheers,

Simon

jai laxmi

Aug 27, 2014, 1:07:52 AM
to zaprox...@googlegroups.com
Hi Simon,
Thanks for the reply. What I want is:
I have an application. I would set ZAP as proxy using command line, record actions and navigation in the application, and save the session.
Now, through the command line only, I want to run the scan for that saved session. The same way we run an active scan in the ZAP UI, I want to run an active scan on all URLs and get the report displayed for that.

I want to know the commands for that, also commands specific to ZAP REST API I am not getting anywhere.
All needs to be purely automated.

So I have the ZAP REST API downloaded, but till now it is not clear where to place that jar file. It is in Downloads currently.
This information from the following links is not enough.


I need guidance Simon.

thanks and regards
Jailaxmi

Simon Bennetts

Aug 28, 2014, 7:48:45 AM
to zaprox...@googlegroups.com
If you are using ZAP as a proxy then you'll need some sort of scripting or coding controlling the API.
Otherwise there's no way for ZAP to 'know' when you've finished proxying and want to start the attack.

One option is to use Ant tasks.
A while ago I implemented a demo for doing this with BodgeIt: https://code.google.com/p/bodgeit/wiki/RegTests
If that sounds interesting then have a play and let us know if you have any problems - I haven't looked at that for a while :/

Otherwise you'll need to drive the ZAP API via one of the clients.
There's an example using the Java API here: https://code.google.com/p/zaproxy-test/source/browse/trunk/src/org/zaproxy/clientapi/core/WavsepStatic.java
You just need to include the API jar somewhere on your classpath - it's just a standard jar.

Does that help?

If not let us know what you are having problems with and we can sort them out.

The documentation could definitely do with improving, and these sort of questions really help us understand where the docs are lacking ;)

Cheers,

Simon
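
Added example, not written by anyone in this thread and not ZAP project code: the step described in the reply above, a script that tells ZAP proxying is over and the scan should start, driven through ZAP's HTTP API and run against your own application. The address 127.0.0.1:8080, the optional apikey parameter and the endpoint paths (as exposed by the ZAP 2.x API) are assumptions to check against your own install; the function names are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"  # assumption: address the ZAP daemon listens on


def http_get(path, params):
    """Call one ZAP API endpoint and return the response body as text."""
    url = f"{ZAP}/{path}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def scan_after_proxying(target, get=http_get, apikey="", poll_seconds=5, max_polls=720):
    """Active-scan what ZAP recorded under `target`; return (url_count, xml_report)."""
    key = {"apikey": apikey} if apikey else {}
    # 1. Check that the proxied browsing reached ZAP before starting the attack.
    seen = json.loads(get("JSON/core/view/urls", key))["urls"]
    recorded = [u for u in seen if u.startswith(target)]
    if not recorded:
        raise RuntimeError(f"ZAP has no proxied URLs under {target}")
    # 2. Proxying is finished: start the active scan over that subtree.
    reply = json.loads(get("JSON/ascan/action/scan", {"url": target, "recurse": "true", **key}))
    scan_id = reply.get("scan", "0")  # assumption: releases that return no id use scan 0
    # 3. Poll the scanner until it reports 100 percent.
    for _ in range(max_polls):
        reply = json.loads(get("JSON/ascan/view/status", {"scanId": scan_id, **key}))
        if int(reply["status"]) >= 100:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"active scan {scan_id} did not finish")
    # 4. Fetch the XML report for the session.
    return len(recorded), get("OTHER/core/other/xmlreport", key)


if __name__ == "__main__":
    count, report = scan_after_proxying("http://localhost:6060")
    print(f"scanned {count} recorded URLs, report is {len(report)} characters")
```

The `get` parameter lets the same flow run against a stub in a build pipeline before it is pointed at a live daemon.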

jai laxmi

Sep 1, 2014, 6:30:57 AM
to zaprox...@googlegroups.com
Hi Simon,

Thanks for your reply. :)

There are a few things listed below.

I followed this link https://code.google.com/p/bodgeit/wiki/RegTests which you had provided.
I don't know how to use Tomcat, I learnt it because of you. Same way, I am also learning to use Ant / Maven. Probably that will help me to follow the exact steps to get to the build.xml file which you shared.

What I did was I downloaded Tomcat, bodgeit.war and ZAP-API.zip.

In ..apache-tomcat-8.0.11\webapps\ROOT I unzipped the contents of bodgeit.war.

In ..\apache-tomcat-8.0.11\webapps\ROOT\WEB-INF\lib I placed all the jars of ZAP-API.zip.

Then I changed the port number in the Tomcat server.xml to 6060.

Now I started the Tomcat server and accessed the application at http://localhost:6060

Next I started ZAP in command line. The command I gave was

$>zap.bat -daemon -newsession D:\session_ZAP\

Next I checked if the session was created in that particular location. It was created,
but in the command line I was getting this error:
----------------------------------------
1. Please let me know how to fix this. This exception was displayed several times and then the new session was started.
----------------------------------------
 [ZAP-daemon] ERROR org.zaproxy.zap.control.AddOnLoader  - error in opening zip file
java.util.zip.ZipException: error in opening zip file
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at java.util.zip.ZipFile.<init>(Unknown Source)
    at java.util.jar.JarFile.<init>(Unknown Source)
    at java.util.jar.JarFile.<init>(Unknown Source)
    at org.zaproxy.zap.control.AddOnLoader.getJarClassNames(Unknown Source)
    at org.zaproxy.zap.control.AddOnLoader.getClassNames(Unknown Source)
    at org.zaproxy.zap.control.AddOnLoader.getImplementors(Unknown Source)
    at org.zaproxy.zap.control.AddOnLoader.getImplementors(Unknown Source)
    at org.zaproxy.zap.extension.authentication.ExtensionAuthentication.loadAuthenticationMethodTypes(Unknown Source)
    at org.zaproxy.zap.extension.authentication.ExtensionAuthentication.hook(Unknown Source)
    at org.parosproxy.paros.extension.ExtensionLoader.hookAllExtension(Unknown Source)
    at org.parosproxy.paros.extension.ExtensionLoader.startLifeCycle(Unknown Source)
    at org.parosproxy.paros.control.AbstractControl.loadExtension(Unknown Source)
    at org.parosproxy.paros.control.Control.init(Unknown Source)
    at org.parosproxy.paros.control.Control.initSingletonWithoutView(Unknown Source)
    at org.zaproxy.zap.ZAP$2.run(Unknown Source)

----------------------------------------
2. Command for saving the session I would like to know
----------------------------------------
Next, the command which I used was
$>zap.bat -daemon -quickurl http://localhost:6060/product.jsp?typeid=3 -quickout D:\session_ZAP\report1.xml

I got the report as well.

I am happy with this output which I got with your help. :-)
----------------------------------------
3. Next step is could you please let me know the following:
----------------------------------------
a. Command to be used to scan with authentication,
b. Command to fuzz a part of the request (like how we do in the ZAP UI)
c. Command to attack a tree/sub-tree (I don't know how to find the tree and sub-tree by just seeing the session.log; that also I need your guidance on)

Thanks and Regards
Jailaxmi

Simon Bennetts

Sep 2, 2014, 8:52:00 AM
to zaprox...@googlegroups.com
The -newsession parameter should be a file name, not a directory name.
Try something like:
zap.bat -daemon -newsession D:\session_ZAP\session

2a: The best option is to start by getting the ZAP UI to handle authenticated scans, then we can move on to automating it. What sort of authentication does your application use?

2b: It doesn't make sense to try to automate fuzzing. Fuzzing just allows you to send a set of attack vectors; you need to manually check the results in order to find potential vulnerabilities. That's why we don't support it via the command line or API.

2c: You can scan a tree/subtree by using the -quickurl parameter, eg
zap.bat -newsession D:\session_ZAP\session -quickurl http://www.example.com/myapp -quickout result.xml
However you will have much more control if you use the API.
Try this above command first and then we can explore how you might use the API.

Cheers,

Simon

jai laxmi

Sep 2, 2014, 10:41:32 AM
to zaprox...@googlegroups.com
Hi Simon,

Thanks for the reply.

I used the following command.
zap.bat -daemon -newsession D:\session_ZAP\session3 -quickurl http://www.example.com  -quickout result2.xml

The scan is running successfully in headless mode and the result is getting printed.

Could you please guide me on this part:
My requirement now is: I want to use a command in headless mode of ZAP which will scan the already recorded session / all URLs in the recorded session, by just giving the session name.

Just as -quickurl is the command to scan the given URL, in the same way there should be a command to scan the entire session.
I want to know how we can do that?

I am ready to use the API, and I also tried using it with the BodgeIt software. It gave me some idea, but I am still not that clear about the API usage.

I have also listened to your YouTube video about ZAP - Zest script, Plug-n-Hack Mozilla plugin and so on and so forth.


Thanks and regards
Jai

Simon Bennetts

Sep 4, 2014, 6:06:51 AM
to zaprox...@googlegroups.com
Hi Jai,

Are there any particular reasons you want to reuse the session?
I think it's better to spider and scan an application 'from scratch' each time - that way ZAP is testing the application as it is now rather than as it was when the first session was created.

For example - you perform a quick scan on your app.
Next week you change your app to add a new page or some new parameters.
If you keep using the first session then ZAP will never learn about the new pages or parameters and so won't test them.

The API is available in a variety of technologies, including Java (plus Ant tasks), Python, PHP, NodeJS and Ruby (https://code.google.com/p/zaproxy/wiki/ApiDetails)
It generally works the same way in all of them, but it's probably easier if we focus on the technology that you're likely to use.
Do you know what that will be?

Cheers,

Simon