Zap, docker, Azure Container Instances, dotnet API

11 views

Skip to first unread message

pkbfs

unread,

Jul 12, 2019, 6:58:01 AM7/12/19

to OWASP ZAP Documentation Group

Hi,

I am new to OWASP Zap and would like to be able to amend the following page with various insights I have gained :

https://github.com/zaproxy/zaproxy/wiki/Docker

I am creating a CI/CD DevOps solution for a website and want to be able to proxy the c#-selenium tests we have through a docker container using an instance of zap2docker.

After the tests have completed the solution would then grab hold of the HTML report that ZAP can generate using the zap-api-dotnet package.

I am using Azure DevOps for builds and releases, Microsoft Azure to host the test environments and Azure Container Instances (ACI) to run the zap2docker container.

What I have seen so far are the static baseline scans

https://marketplace.visualstudio.com/items?itemName=kasunkodagoda.owasp-zap-scan

https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/

How do I update the github wiki page?

https://stackoverflow.com/questions/10642928/how-to-pull-request-a-wiki-page-on-github

I did download the full wiki {in wiki syntax}, but then what to do to update it.

Several things I would like to add

1. When using Zap in a docker container the need to proxy your web browser to the external IP of the container in order to be able to browse the API UI.

Otherwise you get an infinite loop error as Zap tries to lookup the external address you have browsed to: https://github.com/zaproxy/zaproxy/issues/3594

had no joy with following parameter -config api.addrs.addr.name='(127.0.0.1|myzapdockercontainer.uksouth.azurecontainer.io)'

2. How to generate the private/public key certificate initially by running the daemon and then reusing it on subsequent runs of the zap2docker container.

zap.sh -daemon -certfulldump wrk/cert1full.pem

zap.sh -daemon -certload wrk/cert1full.pem .... other params ....

With ACI every restart results in a fresh image being pulled [which is what is needed so that you always have the latest version].

It would be easier to have just one certificate that gets installed on the test environments rather than constantly updating it with each run of the zap2docker container.

3. How to proxy the zap-api-dotnet package against the container - managed to retrieve the html report after some code modifications.

Cheers

pkbfs

Reply all

Reply to author

Forward

0 new messages