Can not access ZAP API from Docker


Phùng Quang Trường

Sep 23, 2023, 6:10:11 AM
to ZAP User Group
Hi guys, I'm trying to run OWASP ZAP in Docker to run multiple scans on targets. I run ZAP using Python code without port forwarding (-p param) because I want to manage each ZAP instance separately by its Docker IP (e.g. curl http://172.17.0.2:8080/JSON/alert/view/alert/?id=0). But when I start ZAP Docker, I get its Docker IP (172.17.0.2) but I cannot connect to port 8080 to access the API. Here is my Python code:

import docker

client = docker.from_env()
default_port = 8080 # do not change
zap_image = 'softwaresecurityproject/zap-stable:latest' # can move to config file
host_data_directory = '/home/zap-integration/data' # do not change
container_data_directory = '/zap/wrk/' # do not change

command = [
    'zap.sh',
    '-daemon',
    '-host', '0.0.0.0',
    '-port', '8080',
    '-config', 'api.addrs.addr.name=.*',
    '-config', 'api.addrs.addr.regex=true',
    '-config', 'api.disablekey=true'
]

def run_container(image_id, file_name):
    container = client.containers.run(
        image=image_id,
        command=command,
        detach=True,
        network_mode='bridge',
        user='zap',
        volumes={host_data_directory: {'bind': container_data_directory, 'mode': 'rw'}}
    )
    container_info = client.api.inspect_container(container.id)
    container_ip = container_info['NetworkSettings']['IPAddress']
    result = {}
    result['agent_id'] = container.id[0:12]
    result['agent_ip'] = container_ip
    result['agent_port'] = default_port
    return result


Phùng Quang Trường

Sep 23, 2023, 12:06:46 PM
to ZAP User Group
Just found that this is an issue of Docker on Windows/Mac OS but not on Linux

Simon Bennetts

Sep 25, 2023, 3:12:30 AM
to ZAP User Group
The recommended way to access ZAP in Docker remotely is documented on https://www.zaproxy.org/docs/docker/about/#accessing-the-api-from-outside-of-the-docker-container
As far as I'm aware you will need to use port forwarding, but if you find another solution then let us know and we can document that option as well.
Note that you can easily run multiple ZAP instances on different ports if you need to.

Cheers,

Simon
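
An added example, not part of the original thread and not code from the ZAP project: one way to follow the port-forwarding advice above with the Docker SDK for Python, giving each ZAP instance its own host port. The first host port (8090), the loopback bind address and the per-instance random API key (used instead of api.disablekey=true) are assumptions of this example; the volume mount from the original post is omitted for brevity.

```python
import secrets

ZAP_IMAGE = 'softwaresecurityproject/zap-stable:latest'  # image name from the post
CONTAINER_PORT = 8080  # port ZAP listens on inside every container


def plan_instances(count, first_host_port=8090, bind_ip='127.0.0.1'):
    """Return one containers.run() kwargs dict per ZAP instance.

    first_host_port and bind_ip are assumed values chosen for this example.
    """
    plans = []
    for i in range(count):
        api_key = secrets.token_urlsafe(32)  # a separate random key per instance
        plans.append({
            'image': ZAP_IMAGE,
            'command': [
                'zap.sh', '-daemon',
                '-host', '0.0.0.0',  # listen on all interfaces inside the container
                '-port', str(CONTAINER_PORT),
                '-config', 'api.addrs.addr.name=.*',
                '-config', 'api.addrs.addr.regex=true',
                '-config', f'api.key={api_key}',  # keep the API key enabled
            ],
            'detach': True,
            'user': 'zap',
            # Publish the API on the host's loopback only, one host port per instance.
            'ports': {f'{CONTAINER_PORT}/tcp': (bind_ip, first_host_port + i)},
        })
    return plans


def start_instances(count):
    """Start the planned containers; needs the docker SDK and a running daemon."""
    import docker  # imported here so the planning step works without Docker
    client = docker.from_env()
    agents = []
    for kwargs in plan_instances(count):
        container = client.containers.run(**kwargs)
        bind_ip, host_port = kwargs['ports'][f'{CONTAINER_PORT}/tcp']
        agents.append({
            'agent_id': container.id[:12],
            'api_url': f'http://{bind_ip}:{host_port}',
            'api_key': kwargs['command'][-1].split('=', 1)[1],
        })
    return agents
```

Because the ports are published on the host, the same addresses work on Docker for Windows/macOS as well as Linux, which the container bridge IP does not.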

Phùng Quang Trường

Sep 26, 2023, 11:17:29 AM
to ZAP User Group
Thank you, I got ZAP running on multiple instances. Everything works fine now. But I have a question that I cannot find an answer to anywhere. Our company has many APIs; some authenticate with an API key (for which I have written an HTTP Sender and a simple Authentication Script with POST), but some APIs use cookies obtained from a successful SSO login with multiple complex steps. I found that I can use Selenium to record my login steps. My question is: is there a way that I can run or define a Selenium script to authenticate the API, something like an authentication script but integrated with Selenium to select items, click buttons, ...?

Simon Bennetts

Sep 26, 2023, 11:21:33 AM
to ZAP User Group
It is best to start a new thread for a new question or issue :)
FYI authentication is hard - see https://www.zaproxy.org/docs/authentication/

Cheers,

Simon

Phùng Quang Trường

Sep 26, 2023, 10:40:00 PM
to ZAP User Group
OK, I got it.