Passing Scan Policies in zap.ascan.scan


Amit Kulkarni

Mar 9, 2018, 9:55:30 AM3/9/18
to OWASP ZAP Scripts
Hi All

Can anyone tell me how to set scan policies in the ZAP Python API for zap.ascan.scan?

regards,
Amit

thc...@gmail.com

Mar 9, 2018, 10:20:49 AM3/9/18
to zaproxy...@googlegroups.com
Hi.

The scan policies can be created with the following API calls:
from zapv2 import ZAPv2

zap = ZAPv2(apikey="...")  # placeholder: the API key configured in your ZAP instance
name = "MyScanPolicy"
zap.ascan.add_scan_policy(name)
# Configure which scanners are enabled and their properties:
zap.ascan.disable_all_scanners(name)
zap.ascan.enable_scanners("6, 40012", name)
zap.ascan.set_scanner_alert_threshold("6", "LOW", name)
zap.ascan.set_scanner_attack_strength("40012", "HIGH", name)

To find out the IDs of the scanners, the following script can be used:
https://github.com/zaproxy/community-scripts/blob/master/standalone/Active%20scan%20rule%20list.js

The scan policies can also be created/exported with GUI, and then
imported into new ZAP instances:
zap.ascan.import_scan_policy("/path/to/MyScanPolicy.policy")

Best regards.

Amit Kulkarni

Mar 10, 2018, 12:31:06 AM3/10/18
to OWASP ZAP Scripts
Hi thc202,

Awesome!!! Thanks a lot.
Can you also confirm that when I import the policy and start ascan like below, it will attack with that policy?
zap.ascan.import_scan_policy("/path/to/MyScanPolicy.policy")
zap.ascan.scan(url, apikey=apikey)  # apikey must be a keyword argument: the second positional parameter of scan is recurse

regards,
Amit

gmaran23

Mar 14, 2018, 6:05:56 AM3/14/18
to OWASP ZAP Scripts
The zap.ascan.scan takes a fifth parameter called scanPolicyName that takes the scan policy name to be used for the scan instance. So in your case you need to pass in "MyScanPolicy" as an argument for the scanPolicyName parameter.

Here's what I do to create and specify scan policies for automated scans.

1. Via the ZAP GUI, create a policy using the Scan Policy Manager, give it a name and save it. (I do it in the UI, because it is easy do it and avoids api calls for a one time activity like creating a scan policy)
2. Specify the scan policy name in the ascan.scan method

thc...@gmail.com

Mar 18, 2018, 6:40:41 AM3/18/18
to zaproxy...@googlegroups.com
Hi.

Does the name of the policy have the extension? Did you try just with
"High Policy"?

Best regards.

On 18/03/18 10:30, Amit Kulkarni wrote:
> Hi,
>
> I created a new policy named (High Policy.policy) in the GUI and saved it. Then I
> am passing it as an argument in the Python API to scanpolicyname but I get
> the below error:
>
> My ascan code:
> ascan_id = zap.ascan.scan(url=target, apikey=apikey, scanpolicyname='High Policy.policy')
> time.sleep(5)
> while (int(zap.ascan.status(ascan_id)) < 100):
>
> Error:
> ValueError: invalid literal for int() with base 10: 'Does not Exist'
>
>
> Thanks & regards,
> Amit

Amit Kulkarni

Mar 18, 2018, 11:30:17 AM3/18/18
to OWASP ZAP Scripts
Hi

Yes, it had the extension .policy and I was passing it as High Policy.policy.
It worked only by passing the name High Policy.

Thank you 😊
Regards,
Amit
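
Putting the whole thread together as an added example (my code, not from any of the posters or from the ZAP project): it builds a policy with the API calls from the Mar 9 reply, starts the scan by passing the policy name to ascan.scan as in the Mar 14 reply, and derives that name by stripping the .policy extension that produced the 'Does not Exist' answer on Mar 18. It also checks the values ascan.scan and ascan.status return before handing them to int(), which is where the ValueError in the thread came from. It assumes the python-owasp-zap-v2.4 client (module zapv2); the API key, proxy address and target URL are placeholders, scanner IDs 6 and 40012 are the ones used in the thread, and the helper function names are mine.

```python
import os
import time


def policy_name_from_path(path):
    """Return the policy name ZAP expects from a .policy file path.

    ZAP identifies a policy by the name shown in the Scan Policy Manager, which
    is the file name without the .policy extension: scanpolicyname='High Policy.policy'
    makes ascan.scan answer 'Does not Exist', while 'High Policy' works.
    """
    name = os.path.basename(path)
    if name.endswith(".policy"):
        name = name[: -len(".policy")]
    return name


def build_policy(zap, name, scanner_ids, threshold="MEDIUM", strength="MEDIUM"):
    """Create a policy over the API that enables only scanner_ids.

    Same calls as in the Mar 9 reply; scanner IDs go to ZAP as one
    comma-separated string, threshold/strength are set per scanner.
    """
    zap.ascan.add_scan_policy(name)
    zap.ascan.disable_all_scanners(name)
    zap.ascan.enable_scanners(",".join(str(i) for i in scanner_ids), name)
    for sid in scanner_ids:
        zap.ascan.set_scanner_alert_threshold(str(sid), threshold, name)
        zap.ascan.set_scanner_attack_strength(str(sid), strength, name)
    return name


def start_scan(zap, target, policy_name, apikey=""):
    """Start an active scan with the named policy and return the numeric scan id.

    apikey must be a keyword argument: the second positional parameter of
    ascan.scan is recurse. When the policy or URL is unknown ZAP answers with a
    message instead of a number, so reject that here rather than in int() later.
    """
    scan_id = zap.ascan.scan(target, scanpolicyname=policy_name, apikey=apikey)
    if not str(scan_id).isdigit():
        raise RuntimeError("scan not started: %s" % scan_id)
    return int(scan_id)


def wait_for_scan(zap, scan_id, poll_seconds=5, sleep=time.sleep):
    """Poll ascan.status until it reports 100 and return True.

    status() returns a string; a non-numeric value means ZAP does not know the
    scan id (the thread's 'Does not Exist'), which is an error, not progress.
    """
    while True:
        status = zap.ascan.status(scan_id)
        if not str(status).isdigit():
            raise RuntimeError("unknown scan %s: %s" % (scan_id, status))
        if int(status) >= 100:
            return True
        sleep(poll_seconds)


if __name__ == "__main__":
    # Needs a running ZAP instance and the python-owasp-zap-v2.4 client.
    from zapv2 import ZAPv2

    APIKEY = "changeme"  # placeholder: the key configured in ZAP
    TARGET = "http://localhost:8000/"  # placeholder: a site already seen by ZAP
    proxy = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    zap = ZAPv2(apikey=APIKEY, proxies=proxy)

    # Either build the policy over the API ...
    name = build_policy(zap, "MyScanPolicy", [6, 40012], threshold="LOW", strength="HIGH")
    # ... or import one exported from the GUI and take its name from the file name:
    # zap.ascan.import_scan_policy("/path/to/High Policy.policy")
    # name = policy_name_from_path("/path/to/High Policy.policy")

    sid = start_scan(zap, TARGET, name, apikey=APIKEY)
    wait_for_scan(zap, sid)
    for alert in zap.core.alerts(baseurl=TARGET):
        print(alert["risk"], alert["alert"], alert["url"])
```

The functions take the client object as a parameter so the policy and scan logic can be exercised against a stand-in without a ZAP instance; only the `__main__` block talks to a real ZAP.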