ZAP - Jenkins integration, how to set up the default host and port


Albert

Dec 3, 2015, 9:43:30 AM12/3/15
to OWASP ZAP Developer Group
Hi, 

Following the configuration example:


I can't see the Default Host and Default Port configuration section either on the Jenkins main configuration page (Jenkins > Manage Jenkins > Configure System) or on the job that has the Custom tool configured (Jenkins > ZAProxy > Configure).

Where should it be located? I assume that means the zap-proxy plugin is not installed?

I can see the ZAProxy job unpacking the tar file and installing the tool at /var/lib/jenkins/tools. Shouldn't that mean the zap-proxy plugin is installed? 

"Once “zaproxy-plugin” is installed, two fields are available in Jenkins administration allowing to specify the host and port on which ZAProxy will run." Where is the Jenkins administration?


Regards,
Albert

Albert

Dec 3, 2015, 11:31:48 AM12/3/15
to OWASP ZAP Developer Group

I am referring to this option. 

My current configuration has:

Jenkins > Manage Jenkins > Configure System: the Custom Tool section has the download URL, the subdirectory to extract the file to, and "install automatically" checked.
Jenkins > ZAProxy job > Configure: the Build Environment section has Install custom tools checked and ZAProxy selected.

I can build the job and it downloads ZAP successfully.


This is my log:


Started by user anonymous
[CustomTools] - ZAProxy: Starting installation
[CustomTools] - ZAProxy: Tool is installed at /var/lib/jenkins/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/ZAProxy/ZAP_2.4.2
[CustomTools] - ZAProxy: Setting ZAProxy_HOME=/var/lib/jenkins/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/ZAProxy/ZAP_2.4.2
Building in workspace /var/lib/jenkins/jobs/ZAProxy/workspace
Finished: SUCCESS

Why can't I see the ZAProxy Default host and port configuration entry?

Is there anything needed besides restarting or running the job to have the zap-proxy plugin installed?


Thilina Madhusanka

Dec 3, 2015, 11:39:05 PM12/3/15
to OWASP ZAP Developer Group
Hi

Can you verify that you have installed the zaproxy plugin?

The Custom tool plugin is used to install the ZAP application, not the plugin.

You can install the plugin via Jenkins -> Manage Jenkins -> Manage Plugins,
select the "Available" tab and type zaproxy in the filter field; then you can install the zaproxy plugin.

Custom tool is used to install the ZAP application, which needs to run in daemon mode.

cheers. 

Albert

Dec 4, 2015, 6:00:51 AM12/4/15
to OWASP ZAP Developer Group
Hi Thilina,

Thanks a lot! I had indeed missed installing the plugin.

I managed to run a job with the ZAP plugin against the Jenkins URL in the same VM.

I am however not able to see the reports generated. The build is failing, but it reports successive alerts before the failure.

I would expect to get the report under the workspace folder, as I have Generate report checked, selected html and set test1 as the report filename.

Any idea if I need to set up something else to have a report generated?

Thilina Madhusanka

Dec 4, 2015, 6:04:21 AM12/4/15
to OWASP ZAP Developer Group
Hi

Can you send the Jenkins log file and a screenshot of your configuration?

Cheers 

Albert

Dec 4, 2015, 7:11:19 AM12/4/15
to OWASP ZAP Developer Group
Hi Thilina,

Thanks. See attached the configuration for the report and the error that fails the build.
Screen Shot 2015-12-04 at 1.03.06 PM.png
Screen Shot 2015-12-04 at 1.08.09 PM.png

Thilina Madhusanka Perera

Dec 5, 2015, 8:10:00 AM12/5/15
to OWASP ZAP Developer Group
Hi 

Can you test it on a site other than Jenkins itself?

Albert

Dec 8, 2015, 4:38:24 AM12/8/15
to OWASP ZAP Developer Group
I tested it against a WebGoat instance and finally got the reporting in place.

I do have a concern though when using the Spider. I get the same report as when I was running it as a user that was not logged in. How can I validate that the login is actually happening? Looking at the log, everything seems fine, but the scan does not report any extra findings, which should not be the case, as once logged in the scanner should have wider visibility.

Could someone with experience using the spider see from the logs whether it is really spidering? It seems that after authenticating the spider process gets to the complete state.

13164 [Thread-5] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
13190 [Thread-5] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/WebGoat/login.mvc
13216 [Thread-5] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/robots.txt
13223 [Thread-5] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/sitemap.xml
Status spider = 66%
Alerts number = 		ApiResponseElement numberOfAlerts = 0

15508 [pool-1-thread-2] WARN org.zaproxy.zap.spider.URLCanonicalizer  - Error while Processing URL in the spidering process (on base ): Host could not be reliably evaluated from: http://getbootstrap.com)
Status spider = 45%
Alerts number = 		ApiResponseElement numberOfAlerts = 0

16120 [pool-1-thread-1] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
16129 [Thread-7] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
Skip Ajax spidering the site [http://localhost:8080/WebGoat/login.mvc]
Setting up Authentication
URL http://localhost:8080/WebGoat/login.mvc added to Context [2]
Form Based Authentication added to context
Logged in indicator <a\s+(?:[^>]*?\s+)?href="([^"]*)" added to context 
New user added. username :guest
User : guest is now Enabled
Spider the site [http://localhost:8080/WebGoat/login.mvc] as user [guest]
18138 [Thread-8] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on SpiderApi-1 at Fri Dec 04 13:28:09 CET 2015
18144 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...
18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: guest
18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/WebGoat/login.mvc
18195 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/robots.txt
18197 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/sitemap.xml
18199 [pool-2-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: guest
Status spider = 0%
Alerts number = 		ApiResponseElement numberOfAlerts = 0

19111 [pool-2-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: guest
19713 [pool-2-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
19768 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
Scan the site [http://localhost:8080/WebGoat/login.mvc]
Scan url [http://localhost:8080/WebGoat/login.mvc] with the policy by default
20812 [ZAP-ProxyThread-25] INFO org.parosproxy.paros.core.scanner.PluginFactory  - loaded plugin Path Traversal
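Two checks for the question above about whether the login really happened, as an added example that is not from the original thread: the HTML snippets and the alternative logout-link indicator are constructed, and the console lines are an excerpt of the log quoted in the post. The first check shows that the logged-in indicator in that log matches any anchor tag, so it matches the login page too; the second groups the console output by spider run and counts how often ZAP authenticated.

```python
import re

# Logged-in indicator exactly as it appears in the console output quoted above.
LOGGED_IN_INDICATOR = re.compile(r'<a\s+(?:[^>]*?\s+)?href="([^"]*)"')
# Constructed alternative that only matches content an authenticated user sees.
LOGOUT_LINK_INDICATOR = re.compile(r'>Logout</a>')

# Constructed sample responses (not real WebGoat output): both contain anchor tags.
LOGIN_PAGE = """<html><body>
<form action="/WebGoat/login.mvc" method="post"><input type="submit" value="Sign in"></form>
<a href="/WebGoat/register.mvc">Register</a>
</body></html>"""

LOGGED_IN_PAGE = """<html><body><p>Welcome, guest</p>
<a href="/WebGoat/lessons.mvc">Lessons</a>
<a href="/WebGoat/logout.mvc">Logout</a>
</body></html>"""

def indicator_is_discriminative(pattern, logged_out_html, logged_in_html):
    """An indicator is only useful if it matches the authenticated response and
    does NOT match the unauthenticated one; otherwise ZAP cannot tell them apart."""
    return bool(pattern.search(logged_in_html)) and not pattern.search(logged_out_html)

def summarize_spider_runs(console_log):
    """Split console output into spider runs: user, seeds, authentications, completion."""
    runs = []
    for line in console_log.splitlines():
        if "Starting spider..." in line:
            runs.append({"user": None, "seeds": 0, "auth_attempts": 0, "complete": False})
        elif not runs:
            continue  # lines before the first spider run
        elif "point of view of User:" in line:
            runs[-1]["user"] = line.rsplit("User:", 1)[1].strip()
        elif "Adding seed for spider:" in line:
            runs[-1]["seeds"] += 1
        elif "Authenticating user:" in line:
            runs[-1]["auth_attempts"] += 1
        elif "Spidering process is complete" in line:
            runs[-1]["complete"] = True
    return runs

# Excerpt of the console output quoted in the post above.
SAMPLE_LOG = """13164 [Thread-5] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
13190 [Thread-5] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/WebGoat/login.mvc
16120 [pool-1-thread-1] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: guest
18145 [Thread-8] INFO org.zaproxy.zap.spider.Spider  - Adding seed for spider: http://localhost:8080/WebGoat/login.mvc
18199 [pool-2-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: guest
19111 [pool-2-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: guest
19713 [pool-2-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down..."""
```

An indicator that also matches the unauthenticated page gives ZAP no way to notice a failed or expired login, so the per-run summary (and a comparison of the URLs each run discovered) is the more reliable evidence.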

Thilina Madhusanka

Dec 8, 2015, 11:43:19 PM12/8/15
to OWASP ZAP Developer Group
Hi

You can test your web app directly using the ZAP application with login and then you can compare the result.

Have you configured the login details correctly?

The plugin only supports form based authentication.


cheers 