Best practice running ZAP OWASP API


Asaf Sahar

Jul 13, 2021, 3:54:11 AM
to OWASP ZAP User Group
Hi,
I would like to know what the best practice is for running OWASP ZAP via its API.
My purpose is to run tests in Python against different URLs from the same website (which can be production or staging) and perform an active scan on each of them, in parallel.

The question is whether I can have one OWASP ZAP instance in Docker and send it the URLs to run two active scans in parallel,
or whether I need to create a ZAP instance in Docker for each endpoint.

I tried sending two different URLs to one instance (once in Docker, once with ZAP running on my local PC) and I had issues such as:
1. Creating a policy (it tried to create the same policy)
2. Each active scan contained both endpoints, even though I created a context for each endpoint. The URLs to include in the context were the same for both contexts.

Simon Bennetts

Jul 13, 2021, 6:57:59 AM
to OWASP ZAP User Group
What's your actual goal here? Is it to speed up ZAP scans, or ...?
You can create multiple contexts and scan them in parallel, but if the contexts include the same URLs then they will overlap.
ZAP is not designed as a multi-user application; if you want complete separation between the scans then you will need to run multiple ZAP instances.

Cheers,

Simon

Asaf Sahar

Jul 14, 2021, 4:00:29 AM
to OWASP ZAP User Group
Thank you, Simon.
My purpose is to run tests in Python against different URLs from the same website and perform an active scan on each of them, in parallel.
The goal is to have one ZAP instance that each test (each representing one URL from the same website; different URLs can run at the same time) can use.
I am trying to use a context and "Exclude URLs from context" so that only the specific URL of the test is scanned.

# The following example excludes every URL except those starting with http://localhost:8081
# (a raw string, so the forward slashes need no backslash escapes; the negative
# lookahead rejects the one prefix and the rest of the pattern matches everything else)
globalExcludeUrl = [r'^(?!http://localhost:8081).*$']

Instead of http://localhost:8081 I will put the URL that I want to scan.

Regarding the context, I saw that when I set the URL that I want to scan as "Include in Context" the scan doesn't work; it only works if I set the root of the website.
I am loading the scope from an OpenAPI file.
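
Following Simon's answer above (separate contexts that must not overlap; multiple instances only if the scans need full separation) and the exclude-regex approach in the reply, here is an added example that is not code from either poster or from the ZAP project. It drives one ZAP instance from Python: one uniquely named context per target URL, with exclude regexes so that a target nested under another target never ends up in both contexts, a scan policy created once before the scans start (the duplicate-policy problem from the first post), and the active scans started in parallel and polled to completion. ZAP_ADDR, API_KEY, POLICY and TARGETS are assumed values, FakeZap is a constructed offline stand-in for the API, and the endpoints used (context newContext/includeInContext/excludeFromContext, ascan scanPolicyNames/addScanPolicy/scan/status) are ZAP's standard JSON API.

```python
# Added example (not from the thread): one ZAP instance, one context per target
# URL, active scans run in parallel. ZAP_ADDR/API_KEY/POLICY/TARGETS are assumptions.
import json
import re
import threading
import time
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor

ZAP_ADDR = "http://localhost:8080"  # assumption: where the ZAP API listens
API_KEY = "changeme"                # assumption: the key ZAP was started with
POLICY = "parallel-policy"          # assumption: name of the shared scan policy
# Constructed sample targets; the first is a prefix of the second, so plain
# "include" regexes would overlap (Simon's point above).
TARGETS = ["http://localhost:8081/api/users", "http://localhost:8081/api/users/export"]

def context_regexes(target, all_targets):
    """Include regex for `target` and its sub-paths, plus exclude regexes for any
    other target nested under it, so no URL belongs to two contexts."""
    include = "^" + re.escape(target) + ".*$"
    excludes = ["^" + re.escape(t) + ".*$"
                for t in all_targets if t != target and t.startswith(target)]
    return include, excludes

def in_context(url, include, excludes):
    """The test ZAP applies: matches the include regex and no exclude regex."""
    return re.match(include, url) is not None and not any(re.match(x, url) for x in excludes)

class ZapApi:
    """Minimal client for ZAP's JSON API; `fetch` is injectable for offline runs."""
    def __init__(self, addr=ZAP_ADDR, api_key=API_KEY, fetch=None):
        self.addr, self.api_key = addr, api_key
        self.fetch = fetch or self._http_get

    @staticmethod
    def _http_get(url):
        with urllib.request.urlopen(url, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def call(self, component, kind, name, **params):
        params["apikey"] = self.api_key
        query = urllib.parse.urlencode(params)
        return self.fetch(f"{self.addr}/JSON/{component}/{kind}/{name}/?{query}")

def ensure_policy(zap, name=POLICY):
    """Create the scan policy once, before the parallel scans start; creating a
    policy that already exists fails (problem 1 in the original post)."""
    if name not in zap.call("ascan", "view", "scanPolicyNames")["scanPolicyNames"]:
        zap.call("ascan", "action", "addScanPolicy", scanPolicyName=name)

def scan_target(zap, target, all_targets, policy=POLICY, poll=5):
    """Uniquely named context per target, an active scan bound to it by contextId,
    polled until 100%. Returns (context name, scan id)."""
    name = "ctx-" + re.sub(r"[^A-Za-z0-9]+", "-", target).strip("-")
    ctx_id = zap.call("context", "action", "newContext", contextName=name)["contextId"]
    include, excludes = context_regexes(target, all_targets)
    zap.call("context", "action", "includeInContext", contextName=name, regex=include)
    for regex in excludes:
        zap.call("context", "action", "excludeFromContext", contextName=name, regex=regex)
    scan_id = zap.call("ascan", "action", "scan", url=target, recurse="true",
                       scanPolicyName=policy, contextId=ctx_id)["scan"]
    while int(zap.call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)
    return name, scan_id

def scan_all(zap, targets=TARGETS, policy=POLICY, poll=5):
    """Run the per-target scans concurrently against the single ZAP instance."""
    ensure_policy(zap, policy)
    with ThreadPoolExecutor(max_workers=len(targets)) as pool:
        futures = {t: pool.submit(scan_target, zap, t, targets, policy, poll) for t in targets}
        return {t: f.result() for t, f in futures.items()}

class FakeZap:
    """Offline stand-in for ZAP: records each API path and returns canned JSON."""
    def __init__(self):
        self.calls, self._ctx, self._scan, self._lock = [], 0, 0, threading.Lock()

    def __call__(self, url):
        path = urllib.parse.urlparse(url).path
        with self._lock:
            self.calls.append(path)
            if path.endswith("/newContext/"):
                self._ctx += 1
                return {"contextId": str(self._ctx)}
            if path.endswith("/ascan/action/scan/"):
                self._scan += 1
                return {"scan": str(self._scan - 1)}
        if path.endswith("/status/"):
            return {"status": "100"}
        if path.endswith("/scanPolicyNames/"):
            return {"scanPolicyNames": ["Default Policy"]}
        return {"Result": "OK"}

if __name__ == "__main__":
    print(scan_all(ZapApi(fetch=FakeZap()), poll=0))  # offline dry run; ZapApi() for a real ZAP
```

Two caveats for a real run: the active scanner only accepts URLs that are already in ZAP's Sites tree, so the targets must have been imported (for example from the OpenAPI definition) or visited before `ascan/action/scan` is called; and all of these scans still share the one instance's session, history and alerts, which is exactly the separation Simon says requires one ZAP instance per scan.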