Creating Context Files En Masse/With Template


Charles Williams

Mar 2, 2022, 2:38:16 PM3/2/22
to OWASP ZAP User Group
Hello,

I'm using Docker ZAP to run baseline and full scans on the web applications in my environment. I'm noticing that for each app, I have to load it fully in the GUI interface and configure the context manually before I am able to export it and use it for my scans. It would be easier if there was some sort of plug-and-play template or something that could be used to create these contexts quicker and without using the ZAP interface. I know many of the portions of the file could be easily copied over from context to context, but the main problem comes from the users and params (for authenticated scans) being encrypted when stored in the context file.

My ideal goal would be to create some template where users could input their parameter and user fields, and then have a context file produced on the other end with the other equivalent data. Is there any way to produce context files like this, or does everything have to go through the ZAP UI?

Thank you!

Simon Bennetts

Mar 3, 2022, 4:46:26 AM3/3/22
to OWASP ZAP User Group
That's a very good use case for the Automation Framework (AF) :D

We are in the process of migrating the packaged scans to use the AF - the baseline scan already uses it for the most common options.
This is definitely the direction I would recommend that you go.

Cheers,

Simon

Charles Williams

Mar 3, 2022, 8:46:02 AM3/3/22
to OWASP ZAP User Group
Perfect, that looks great! Regarding the packaged scan migration, is there any sort of timeline/expectation as for when the full scan would be supported by AF? I would ideally like to be running baseline scans daily and full scans weekly. And if the full scan is still a largely in-progress feature for AF, are there any other workarounds for creating the context files for the packaged full scan?

Thank you!

Simon Bennetts

Mar 3, 2022, 9:00:15 AM3/3/22
to OWASP ZAP User Group
What aspects of the full scan do you need support for?
The AF will support most of the functionality right now, but there are some things that may be a way off.

Cheers,

Simon

Charles Williams

Mar 3, 2022, 9:17:21 AM3/3/22
to OWASP ZAP User Group
I essentially need to support the process of setting up and running a Script-based Authenticated Active Scan and saving an XML report of the results, similarly to how it is done in the ZAP GUI. If there is any documentation or guidelines for integrating the ZAP AF in a Jenkins job, that would be great as well.

Thank you,
Charles

Simon Bennetts

Mar 3, 2022, 9:28:36 AM3/3/22
to OWASP ZAP User Group
If it's just script-based authentication you need then you are in luck as that is supported :)
If you are happy using the ZAP desktop to set things up then that's the best option:
  • Run the ZAP desktop
  • Set up your context with authentication
  • Check it works ;)
  • Create a new AF Plan via the "Automation" tab
    • Select your context
    • Choose the Full Scan profile
  • Save the plan
  • Try running it in the desktop to make sure it works
If that all goes ok then you will be able to run the plan from the command line using the -autorun option.
Note that you will need to make sure any files you use (eg for script authentication) are available when you do that and have the same paths specified in the plan.
We plan to support relative paths and have the option to copy those files to a subdirectory, but that's not implemented yet.

As for running in Jenkins - you can either have ZAP installed wherever the Jenkins job is run or use one of the ZAP docker images.

Cheers,

Simon

Charles Williams

Mar 3, 2022, 9:51:03 AM3/3/22
to OWASP ZAP User Group
Hi Simon,

I'm running through those steps now to confirm I can get this working - it'll be a big help! I'm having some difficulty on the script running in the plan however for authentication. My context is fully configured with the script and user information, and testing the active scan directly in desktop appears to be working (I have debug messages in my script printing to Script Console to show me it is running/authenticating successfully). However, it doesn't look like the script is running in the plan. I separately added a "script" job to the plan and configured it as an authentication script, but I'm not seeing anything running in the Script Console log, so I'm worried that my script isn't running.

I've attached the YAML for the current design of my plan (with certain information removed for confidentiality, but nothing that takes away from understanding the structure of the plan) - how should I be modifying the plan so that my script runs and authenticates before the full scan?

Thank you!
Charles
Test_YAML_Context.yaml

Charles Williams

Mar 3, 2022, 2:02:33 PM3/3/22
to OWASP ZAP User Group
I've tried setting up the run task in the framework, but that won't work since this is an authentication script rather than a standalone one. I also confirmed my suspicions (besides the fact that my console log would not update) by adding a test looking at stats.auth.success on the homepage, and that failed.

I can run the active scan and get the authentication just fine when I run it manually in the Desktop GUI by right-clicking the context and doing the Active Scan from there, but how can I get this to work in the AF?

Sorry for the series of questions, I'm just trying to get this piece done before the week is out, thank you for any and all help!

Simon Bennetts

Mar 4, 2022, 4:34:12 AM3/4/22
to OWASP ZAP User Group

You can test the plan with the help of the desktop
  • Start the ZAP desktop with a new session
  • Open the AF plan
  • Remove the spider and activeScan jobs
  • Run the plan - this will create the context
  • Turn on Forced User Mode
  • Make a manual request to your target app
You should see ZAP authenticate.
If not then let us know what you do see.

Cheers,

Simon

Charles Williams

Mar 4, 2022, 8:35:05 AM3/4/22
to OWASP ZAP User Group
Hi Simon,

I followed your steps, and ZAP did authenticate (and I saw my debug messages in the Script Console telling me the authentication was successful as well). Of course, now that I re-add the spider and active scan stages, things appear to be working as intended :) I would have to assume that I must have had some configuration option not properly set up in my original ZAP environment, and this clean slate appears to have helped significantly.

Thank you for all of your help!
Charles

Simon Bennetts

Mar 4, 2022, 8:45:30 AM3/4/22
to OWASP ZAP User Group
Hi Charles,

That's good to hear :)
Note that the AF supports 'statistic' job outcome tests: https://www.zaproxy.org/docs/desktop/addons/automation-framework/tests/
We recommend that you use these to check that the authentication stats are within the expected levels.
To find suitable stats go to https://www.zaproxy.org/docs/internal-statistics/ and search for a key of "auth".

Cheers,

Simon
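The plan shape Simon describes (a context with script-based authentication, spider and active scan run as the configured user, an XML report) combined with the 'statistic' outcome test he recommends, written out as an added example for this thread rather than the plan Charles attached. The context name, user name, target host, script path, report directory, verification settings and the engine name are assumptions; replace the <...> placeholders with your own values and keep the script path identical to where the file lives when the plan is run with -autorun.

```yaml
# Added example AF plan (not from this thread). Run with: zap.sh -cmd -autorun <path-to-this-plan>
env:
  contexts:
    - name: "target-app"                       # hypothetical context name
      urls:
        - "https://<target-host>"
      authentication:
        method: "script"
        parameters:
          script: "/zap/scripts/auth.js"       # must exist at this path when the plan runs headless
          scriptEngine: "Graal.js"             # assumed engine name; check the engines in your ZAP build
        verification:
          method: "poll"                       # assumed verification; poll an authenticated page
          pollUrl: "https://<target-host>/account"
          pollFrequency: 60
          pollUnits: "requests"
          loggedInRegex: "\\QLogout\\E"        # placeholder: text that only a logged-in page shows
      users:
        - name: "scan-user"
          credentials:
            username: "<username>"             # values stay out of the plan file in a real pipeline
            password: "<password>"
  parameters:
    failOnError: true                          # stop the plan instead of scanning unauthenticated
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      context: "target-app"
      user: "scan-user"                        # spider runs as the authenticated user
    tests:
      - name: "at least one successful login"  # the stats.auth.success check from the thread
        type: stats
        statistic: "stats.auth.success"
        site: "https://<target-host>"          # auth stats are recorded per site
        operator: ">="
        value: 1
        onFail: "error"                        # fail the job, so the active scan never runs logged out
  - type: activeScan
    parameters:
      context: "target-app"
      user: "scan-user"
  - type: report
    parameters:
      template: "traditional-xml"              # XML report, as requested in the thread
      reportDir: "/zap/wrk"                    # assumed output directory (the Docker work dir)
      reportFile: "full-scan"
```

The stats test sits on the spider job because it runs after that job finishes, so an authentication script that never logs in is caught before the active scan starts.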