ZAP as a Service (ZaaS)


saber boukhriss

Mar 2, 2023, 3:01:00 PM
to OWASP ZAP Developer Group
Hello,
I'm working on turning O'Zap into a cloud service accessible to anyone for a university graduation project, i.e., so it can be run in a "server" mode.
I installed O'Zap on the server (headless Debian 11 server), yet an error keeps popping up: "zap request to api url not permitted."
I tried to edit the firewall rules on many sets, then disabled it completely. I also tried to add the options:
  • sudo owasp-zap -daemon -port 8080 -host <SERVER_IP> -config api.disablekey=true
  • sudo owasp-zap -daemon -port 8080 -host <SERVER_IP> -config api.disablekey=true -config network.localServers.mainProxy.behindNat=true
And many others. If someone has any suggestions, any help will be appreciated.

Thanks

psiinon

Mar 3, 2023, 4:04:47 AM
to OWASP ZAP Developer Group
Hiya,

Sounds like a fun project :D
Pro tip - ZAP is not designed to be run as a long running service.
Instead we recommend that a new instance is launched for each scan - these tend to be long running anyway.
I'd also recommend controlling ZAP with the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/
That way you can run ZAP with one YAML file which tells it what to do.
Very happy to have a video call with you if you'd like some more advice and guidance on this :)

Cheers,

Simon
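
The approach suggested in the reply above (a fresh ZAP instance per scan, driven by one Automation Framework YAML plan), as an added example that is not part of the thread and not ZAP's own code. The launcher name `zap.sh`, the per-scan directory layout, the job timings and the function names are assumptions.

```python
from pathlib import Path
from urllib.parse import urlsplit

ZAP_LAUNCHER = "zap.sh"  # assumption: launcher name/path on this host

# Automation Framework plan; timings and report template are illustrative.
PLAN_TEMPLATE = """\
env:
  contexts:
    - name: "scan"
      urls:
        - "{url}"
  parameters:
    failOnError: true
jobs:
  - type: spider
    parameters:
      maxDuration: 5
  - type: passiveScan-wait
    parameters:
      maxDuration: 10
  - type: activeScan
  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "{report_dir}"
      reportFile: "report"
"""

def validate_target(url: str) -> str:
    """Accept only plain http(s) URLs that cannot break out of the YAML string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("target must be an http(s) URL with a host")
    if any(c in '"\\' or c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("target contains characters unsafe to embed in the plan")
    return url

def prepare_scan(url: str, workdir: Path) -> list[str]:
    """Write a per-scan plan under workdir; return argv for a one-shot ZAP run."""
    url = validate_target(url)
    home, reports = workdir / "zap-home", workdir / "reports"
    home.mkdir(parents=True)  # fresh ZAP home so concurrent scans never share state
    reports.mkdir()
    plan = workdir / "plan.yaml"
    plan.write_text(PLAN_TEMPLATE.format(url=url, report_dir=reports))
    # Hand this list to subprocess.run(argv, timeout=...); ZAP exits when the plan ends.
    return [ZAP_LAUNCHER, "-cmd", "-dir", str(home), "-autorun", str(plan)]
```

Because each scan runs as its own short-lived process with no API listener, the service only has to queue jobs and collect the report directory afterwards.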