ZAP Docker : Getting Additional MetaData (Request and Response) for Each URL Similar to ZAP UI

[Andy]

Hi Team,

I am using ZAP docker for running Baseline scan and ActiveScan. When you run scan from ZAP Desktop, you are able to grab Request and Response Data for ZAP for each URL. However, I am not able to find request and Response for Docker file. Just wondering how can I get additional metadata (Request/Response) for each URL.

Thanks

[Simon Bennetts]

Hiya,

The packaged scans use the ZAP API, they drive ZAP in a way that should work for most use cases.

However you can customize them with scan hooks: https://www.zaproxy.org/docs/docker/scan-hooks/

Scan hooks are written in python and can use the ZAP python API to communicate with ZAP.

The ZAP API is very comprehensive - it covers nearly everything you can do via the desktop :) https://www.zaproxy.org/docs/api/

Cheers,

Simon

[Andy]

Thanks Simon. I appreciate it. Follow up questions:

1) When you say "packaged scan", I am assuming you meant "Zap Docker". Is my assumption correct?

2) I reviewed the API and we are extensively using it. However, in this API I am not able to find the "request and response" for each URL. I can print the list of URLs easily. Would you be able to point me in the right direction? If this works, then we would like to update ZAP documentation for follow-up users and create a custom hook.

I reviewed "ACTIVE SCAN" and "ALERT" APIs for printing requests and responses along with few other areas. We don't want to use Desktop version. We want to achieve the same thing with the script.

Thanks in advance. I appreciate it. Have a good one.

Cheers

Andy

[Andy]

Bumping up. Would appreciate if someone can guide us. This question came up when we did comparison run for Acutenix. if ZAP Docker can be also enabled in printing "Request/Response", would be great. Happy to make the change but not sure where to look for this change.

[Simon Bennetts]

Replies inline

On Saturday, 24 July 2021 at 08:41:47 UTC+2 Andy wrote:

Bumping up. Would appreciate if someone can guide us. This question came up when we did comparison run for Acutenix. if ZAP Docker can be also enabled in printing "Request/Response", would be great. Happy to make the change but not sure where to look for this change.

On Thursday, July 22, 2021 at 9:57:55 AM UTC-7 Andy wrote:

Thanks Simon. I appreciate it. Follow up questions:

1) When you say "packaged scan", I am assuming you meant "Zap Docker". Is my assumption correct?

Not quite. We have the baseline, API and full packaged scans. They are defined in the ZAP Docker images. But you can also run ZAP in daemin mode in the Docker images.

 

2) I reviewed the API and we are extensively using it. However, in this API I am not able to find the "request and response" for each URL. I can print the list of URLs easily. Would you be able to point me in the right direction? If this works, then we would like to update ZAP documentation for follow-up users and create a custom hook.

Any of these endpoints:

• https://www.zaproxy.org/docs/api/#coreviewmessage
• https://www.zaproxy.org/docs/api/#coreviewmessages
• https://www.zaproxy.org/docs/api/#coreviewmessagesbyid

 

I reviewed "ACTIVE SCAN" and "ALERT" APIs for printing requests and responses along with few other areas. We don't want to use Desktop version. We want to achieve the same thing with the script.

Yes, I guessed that you didnt want to use the ZAP Desktop, I was just letting you know that the API is very thorough and covers nearly everything that the Desktop can do.

Cheers,

Simon

[Andy]

Thanks Simon. I will play with this and if I am successful will send the code as well.

[Andy]

Team,

Here is how we were able to achieve this. Looks hacky solution since after printing we need to tie the message IDs back to original alerts' JSON. So we had to do extra processing of data which introduces little bit of latency but that's okay.

def zap_pre_shutdown(zap):

    print(">>capturing alerts<<")

    subprocess.call(['curl', '-k', '-s', 'http://localhost:8070/JSON/core/view/alerts', '--output', '/zap/wrk/scanreport.json'])

    print(">>capturing messages<<")

    subprocess.call(['curl', '-k', '-s', 'http://localhost:8070/JSON/core/view/messages', '--output', '/zap/wrk/scanreport_v3.json'])

 return zap

if anyone has better ideas then please let us know and we will try and improve the logic.

Thanks to Simon for help.