Automation Framework and Scan Hooks


DC GRC

Nov 30, 2022, 9:11:05 PM
to OWASP ZAP Developer Group
Hi there

I have been exploring ZAP for a while, and in my opinion the Automation Framework provides more flexibility and granularity. I'm also intrigued by the simplicity and power of scan hooks from the packaged scan world.
So my question is: is it possible to use scan hooks along with the Automation Framework? If not, is there any option to leverage the APIs while running AF?

A bit of background:

1. I have my own enterprise-approved base image with ZAP installed. My plan is to run ZAP with AF using CLI options.
2. While the scan runs, I must fetch the scan metadata and stats for observability.
It could be as simple as fetching the time taken for the scan to complete, which will help us to tune and tweak the scans accordingly.
This is where I think something like scan hooks can be very helpful. My observation was that I cannot access the APIs while running in -cmd mode, which is a requirement for AF.

Any help will be appreciated. Thanks in advance.


thc...@gmail.com

Dec 1, 2022, 3:49:38 AM
to zaproxy...@googlegroups.com
Hi.

The hooks do not work with AF right now; as an alternative, you can
execute scripts from ZAP (which can call external scripts or do directly
what you want/need).

The ZAP API is still accessible while running in command line mode.

Best regards.

DC GRC

Dec 2, 2022, 1:00:29 AM
to zaproxy...@googlegroups.com
Hi there

Thanks for the quick response. Appreciate it! I will explore the scripts.

Apologies if I was not clear before regarding the APIs. I noticed that the APIs were not accessible when ZAP was started in -cmd mode. When I tried, I got an empty response.
It works fine if started in -daemon mode.

Please let me know if I'm doing something wrong or if this is the expected behavior.
Also, is it recommended to use AF with -daemon mode?

Thanks in advance.


zap_with_daemon.png
zap_with_cmd.png

psiinon

Dec 2, 2022, 4:09:35 AM
to OWASP ZAP Developer Group
By default ZAP will set a random API key - if you don't use that then any calls to the API will fail: https://www.zaproxy.org/faq/why-is-an-api-key-required-by-default/
The packaged scans disable the API key - you will need to do that or specify and use one.

Daemon mode means that ZAP will run in the background and will only stop when told to. This is not typically what you will want when using the AF.
The recommended ways to use the AF are either in the desktop (for setting it up) or using the "-cmd" option.

Cheers,

Simon
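The two points above (the API only answers when the caller presents the configured key or the key is disabled, and the AF can be driven from outside ZAP) are what the original poster needs for scan-duration observability. The following script is an added example written for this thread, not code from the ZAP project or from anyone in the discussion. It assumes ZAP was started as `zap.sh -daemon -port 8080 -config api.key=<value>` (or with `-config api.disablekey=true`), that the automation add-on exposes the `automation/action/runPlan` (parameter `filePath`) and `automation/view/planProgress` (parameter `planId`) endpoints, and that `planProgress` returns `planId`, `started`, `finished`, `info`, `warn` and `error` fields; the field names are an assumption, so the parsing is kept defensive.

```python
"""Run a ZAP Automation Framework plan through the ZAP JSON API and time it.

Assumed setup (not from the thread): ZAP is already running in daemon mode,
e.g.  zap.sh -daemon -port 8080 -config api.key=changeme
The key is read from the ZAP_API_KEY environment variable and sent in the
X-ZAP-API-Key header; leave it unset when api.disablekey=true was used.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request


def build_url(base, component, kind, name, params=None):
    """Compose a ZAP JSON API URL, e.g.
    http://127.0.0.1:8080/JSON/automation/view/planProgress/?planId=0"""
    query = urllib.parse.urlencode(params or {})
    url = f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/"
    return f"{url}?{query}" if query else url


def plan_is_finished(progress):
    """Assumption: planProgress reports an empty 'finished' value until the plan ends."""
    return bool(progress.get("finished"))


def plan_summary(progress, elapsed_s):
    """Reduce a planProgress response to the numbers worth exporting as metrics."""
    return {
        "planId": progress.get("planId"),
        "elapsed_s": round(elapsed_s, 1),
        "info": len(progress.get("info", [])),
        "warn": len(progress.get("warn", [])),
        "error": len(progress.get("error", [])),
        "ok": not progress.get("error"),
    }


class ZapClient:
    def __init__(self, base="http://127.0.0.1:8080", api_key=None, timeout=10):
        self.base = base
        self.api_key = api_key
        self.timeout = timeout

    def call(self, component, kind, name, **params):
        req = urllib.request.Request(build_url(self.base, component, kind, name, params))
        if self.api_key:
            # Without this header (or the apikey query parameter) ZAP rejects the call.
            req.add_header("X-ZAP-API-Key", self.api_key)
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return json.load(resp)

    def wait_ready(self, attempts=30, delay=2.0):
        """Poll core/view/version until the daemon accepts API calls."""
        for _ in range(attempts):
            try:
                return self.call("core", "view", "version")["version"]
            except (urllib.error.URLError, OSError):
                time.sleep(delay)
        raise RuntimeError("ZAP API did not become reachable")

    def run_plan(self, plan_path, poll_s=5.0):
        """Start the AF plan, wait for it to finish and return timing and counts."""
        started = time.monotonic()
        plan_id = self.call("automation", "action", "runPlan", filePath=plan_path)["planId"]
        while True:
            progress = self.call("automation", "view", "planProgress", planId=plan_id)
            if plan_is_finished(progress):
                return plan_summary(progress, time.monotonic() - started)
            time.sleep(poll_s)


if __name__ == "__main__":
    # Usage: ZAP_API_KEY=changeme python zap_af_timing.py /path/to/plan.yaml
    client = ZapClient(api_key=os.environ.get("ZAP_API_KEY"))
    print("ZAP", client.wait_ready())
    print(json.dumps(client.run_plan(sys.argv[1]), indent=2))
```

The `plan_summary` dictionary is what you would push to a metrics pipeline; keeping the poll loop in the caller rather than in ZAP means the same approach works whether the daemon lives in a CI job or a long-running container, and the daemon can be stopped afterwards with `core/action/shutdown`.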

DC GRC

Dec 6, 2022, 9:34:03 AM
to OWASP ZAP Developer Group
Hi Simon

Thank you for your input. I tried using "-config api.disablekey=true". The result is the same. Please let me know if I'm missing something.

zap_api_disabled.png

Please note that I see the same behavior in Mac OS, Windows, and Linux (Ubuntu).

psiinon

Dec 6, 2022, 9:39:00 AM
to OWASP ZAP Developer Group
Which version of ZAP are you using?
That should work...

DC GRC

Dec 6, 2022, 10:16:15 AM
to OWASP ZAP Developer Group
Hi Simon,

Using the latest 2.12.0 version.

psiinon

Dec 6, 2022, 10:17:29 AM
to OWASP ZAP Developer Group
So ... that _should_ have worked, but we just tested it here and found out that it doesn't :(
However we can fix that, and then release the network add-on to support it.
I'll let you know when it's been updated.

Cheers,

Simon

DC GRC

Dec 6, 2022, 10:27:14 AM
to OWASP ZAP Developer Group
Hi Simon, thanks for the quick response and all the help. Appreciate it! :)