running authenticated scan using context file in concourse pipeline


sumeet shrivastava

Aug 20, 2020, 7:01:15 AM
to OWASP ZAP Scripts
Hello all,

I have been running an authenticated active scan in a Concourse pipeline using the context file. Below is the approach I followed:
  1. First I pushed the context file into my Git repo.
  2. Then I imported it from the repo using the scripts of the active scan and ran the commands for spidering and active scan.
  3. Based on the scan results, I understand that the authenticated scan is behaving the same as without passing the context file.
Below is the script that I have implemented:
apt-get update && apt-get install -q -y --fix-missing jq
pip install --upgrade pip && pip install --upgrade zapcli
zap-cli start --start-options '-config api.disablekey=true'
zap-cli context import ${PWD}/pipeline-git/zero.webappsecurity.com.context
zap-cli spider -c zero.webappsecurity.com --user-name username $TARGET_URL
zap-cli -v active-scan --scanners all --recursive -c zero.webappsecurity.com --user-name username $TARGET_URL
zap-cli alerts
zap-cli shutdown


I have attached the context file in the mail, and prepared this context file using ZAP GUI.
Requesting if anyone can come forward and help me in this.

Note: I am using a testing site for this POC, not an actual production site.

Thanks,
Sumeet

zero.webappsecurity.com.context

thc...@gmail.com

Aug 21, 2020, 11:06:45 AM
to zaproxy...@googlegroups.com
Hi.

The steps seem fine but the authentication will not work as the
anti-csrf token is being added dynamically (JavaScript) to the form and
ZAP is unable to see/refresh it. You would have to use an authentication
script to read the token from the response.

Some examples in
https://github.com/zaproxy/community-scripts/tree/master/authentication
could be adapted to do that.

Best regards.

On 20/08/2020 12:01, sumeet shrivastava wrote:
> Hello all,
>
> I have been running an authenticated active scan in concourse pipeline
> using the context file, below is the approach I followed:
>
> 1. First I pushed the context file in to my Git repo.
> 2. then imported it from the repo using scripts of active scan and ran
> the commands for spidering, active scan.
> 3. based on the scan results I am understanding that authenticated scan
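
The approach described in the reply above, as an added example (not code from the thread or from the community-scripts repository): a ZAP script-based authentication method that fetches the login page, reads the anti-CSRF token from the response with a regex, and posts it with the credentials. The script parameter names (`loginPageUrl`, `loginSubmitUrl`, `tokenRegex`, `tokenField`, `userField`, `passField`) are assumptions to be filled in for the target application.

```javascript
// Added example: script-based authentication for ZAP (JavaScript engine).
// Parameter names and the token regex are assumptions supplied via the context.
// The token is injected by page JavaScript, so match it in the raw response
// text (first capture group) instead of reading it from a form field.
function extractToken(body, tokenRegex) {
  var m = new RegExp(tokenRegex).exec(body);
  if (m === null || !m[1]) {
    throw new Error("anti-CSRF token not found with regex: " + tokenRegex);
  }
  return m[1];
}
// URL-encode [name, value] pairs into a form body.
function buildLoginBody(fields) {
  return fields.map(function (f) {
    return encodeURIComponent(f[0]) + "=" + encodeURIComponent(f[1]);
  }).join("&");
}

function authenticate(helper, paramsValues, credentials) {
  // Java classes are resolved here so the helpers above stay plain JavaScript.
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");
  function request(method, urlParam) {
    var msg = helper.prepareMessage();
    msg.setRequestHeader(new HttpRequestHeader(method,
        new URI(paramsValues.get(urlParam), false), HttpHeader.HTTP11));
    return msg;
  }
  // 1. GET the login page and read a fresh token from the response body.
  var page = request(HttpRequestHeader.GET, "loginPageUrl");
  helper.sendAndReceive(page);
  var token = extractToken(page.getResponseBody().toString(), paramsValues.get("tokenRegex"));
  // 2. POST the credentials together with that token.
  var login = request(HttpRequestHeader.POST, "loginSubmitUrl");
  login.getRequestHeader().setHeader("Content-Type", "application/x-www-form-urlencoded");
  login.setRequestBody(buildLoginBody([
    [paramsValues.get("userField"), credentials.getParam("username")],
    [paramsValues.get("passField"), credentials.getParam("password")],
    [paramsValues.get("tokenField"), token]]));
  login.getRequestHeader().setContentLength(login.getRequestBody().length());
  helper.sendAndReceive(login);
  return login; // ZAP evaluates this message to decide whether login worked
}
function getRequiredParamsNames() {
  return ["loginPageUrl", "loginSubmitUrl", "tokenRegex", "tokenField", "userField", "passField"];
}
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ["username", "password"]; }
```

The context then has to use script-based authentication with this script selected, and a failed token match raises an error instead of silently posting a login without the token.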