Scripts in automation framework


Илья Романов

Mar 7, 2023, 4:15:24 AM3/7/23
to OWASP ZAP Scripts
Hi everyone, how do I use community scripts in the automation framework? I can't get it. For example, how to add httpfuzzerprocessor? I'm using Docker Webswing to configure this and zap.sh to run it. When I'm trying to add it through the job "script" option "action -> add" and run it in zap.sh, it appears that script "httpfuzzerprocessor can not be used with action: add". But the automation framework manual says that first you need to add a script before enabling or running it. What am I missing?

Simon Bennetts

Mar 7, 2023, 4:24:05 AM3/7/23
to OWASP ZAP Scripts
That should work.
Could you share the YAML you are using, obfuscating anything sensitive.
Have you made sure that your script is accessible in docker in the location you have specified?

Cheers,

Simon

Илья Романов

Mar 7, 2023, 4:46:25 AM3/7/23
to OWASP ZAP Scripts
Here it is, out+command I'm using, so it should be in Docker; I'm configuring and choosing files in Webswing, which starts with the same -v flag. Maybe the issue is in the script, or in the order of jobs? The scripttest.js I'm using is just the template from the git page of httpfuzzerprocessor, just for a test case.
Attachment: photo_2023-03-07_12-35-28.jpg
Tuesday, March 7, 2023 at 12:24:05 UTC+3, psi...@gmail.com:
Attachment: test2.yaml

Simon Bennetts

Mar 7, 2023, 5:00:19 AM3/7/23
to OWASP ZAP Scripts
Ah, sorry, I should have looked at this more closely.

Fuzzing is currently a manual technique in ZAP and requires the Desktop to work.
As such it is not supported by the API or AF.
What are you actually trying to achieve?

Cheers,

Simon

Илья Романов

Mar 7, 2023, 5:16:15 AM3/7/23
to OWASP ZAP Scripts
Sad, but thank you. Actually I'm trying to automate scanning of the web resources I need. In an ideal scenario, I should integrate this into CI/CD and scan after each deploy. But at the moment I have to automate this using a VM instance in the cloud, and I also need to deploy it automatically using SaltStack, so I chose the AF and the Docker image. And then I want to export the report into DefectDojo; I also wanted to automate directory scanning, I thought it was possible. Maybe I should try to automate it through the API? But it seems too hard for me right now. More likely I would use some dir scanner in addition to ZAP.

Tuesday, March 7, 2023 at 13:00:19 UTC+3, psi...@gmail.com:

Simon Bennetts

Mar 7, 2023, 5:29:39 AM3/7/23
to OWASP ZAP Scripts
The AF supports active scanning via the activeScan job: https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-ascan/
I don't think you need the fuzzer for your use case...
FYI the API doesn't support the fuzzer either - in ZAP terms it's a manual technique and not generally suitable for automation.

Cheers,

Simon

Илья Романов

Mar 7, 2023, 6:22:51 AM3/7/23
to OWASP ZAP Scripts
Yeah, I already set it up for the full scan job template, but management wants to see results of dir scanning in DefectDojo as well, which is why I tried =) Appreciate your quick help, thank you. Also, if it's not a bother, can you help me and tell me which direction to look to achieve "In an ideal scenario, I should integrate this into CI/CD and scanning after each deploy."? Are there any best practices for it? Like using .gitlab-ci.yaml and calling a bash script with ZAP Python scanning in it? Btw, thank you very much
Tuesday, March 7, 2023 at 13:29:39 UTC+3, psi...@gmail.com:

Simon Bennetts

Mar 7, 2023, 6:46:19 AM3/7/23
to OWASP ZAP Scripts
By dir scanning I'm guessing you mean Forced Browsing?

This is not currently supported by the AF or the API.
In theory you might be able to control it via a script, but that's not something I've tried.

I think the AF is an ideal option for integrating with CI/CD.
ZAP scans can take a while, so running a full scan after a deploy usually makes more sense than running one on each PR.
More limited ZAP scans can be run on each PR though.

Cheers,

Simon
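A minimal AF plan along the lines Simon describes (spider, activeScan job, then a report job for downstream tooling), added here as an illustration; it is not from the thread or from the ZAP project's own docs, and the context name, target URL and report paths are placeholders:

```yaml
# Added example: a minimal ZAP Automation Framework plan for a post-deploy CI run.
# Assumptions: the context name, target URL and report paths are placeholders.
env:
  contexts:
    - name: "deployed-app"                    # assumed context name
      urls:
        - "https://staging.example.invalid"   # placeholder target
  parameters:
    failOnError: true                         # non-zero exit if a job errors, so CI notices
    progressToStdout: true

jobs:
  - type: spider                              # discover content for the active scan
    parameters:
      context: "deployed-app"
      maxDuration: 5                          # minutes; keep the post-deploy run bounded

  - type: activeScan                          # the job Simon points to instead of the fuzzer
    parameters:
      context: "deployed-app"
      policy: "Default Policy"
      maxScanDurationInMins: 30

  - type: report                              # machine-readable output for downstream tools
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"                   # mounted from the CI workspace
      reportFile: "zap-report"
```

Saved as plan.yaml in the CI workspace, it runs headlessly from the official image with `docker run -v "$PWD":/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/plan.yaml`.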