How can I add the community scripts into ZAP


Albert

Feb 23, 2016, 5:27:19 AM2/23/16
to OWASP ZAP User Group
How can I add a script from:


to ZAP so I can use it as well in daemon mode. 

Is it enough to add it into the /home/.ZAP/scripts/templates/passive? 

Or should it be /home/.ZAP/scripts/passive?

Or do I need to have a .zap file generated in the /plugin folder, i.e. pscanrules-release-15.zap? If that is the case, how do you generate .zap files?

Thanks

Simon Bennetts

Feb 23, 2016, 5:43:50 AM2/23/16
to OWASP ZAP User Group
The easiest option is to install the 'Community Scripts' add-on from the ZAP Marketplace :)

If you might want to contribute to the repo then clone it to a local directory and then add that to ZAP using the Options / Scripts screen.

We should probably document that on the repo!

Cheers,

Simon

Simon Bennetts

Feb 23, 2016, 5:46:22 AM2/23/16
to OWASP ZAP User Group
> We should probably document that on the repo!

Now done ;)

Albert

Feb 23, 2016, 6:12:02 AM2/23/16
to OWASP ZAP User Group
I just want to add one script/rule. 

If I open the Scripts tab, under Scripting > Scripts > Passive Rules, I can right-click and choose New Script...

I can then copy paste the script and save it and enable it. I guess that should work as well?

I see that this saves the script in:

/home/.ZAP/scripts/scripts/passive/TestScript.js  >>> the double scripts folder is a bug? 

If that process is correct and I want to use that script with a daemon ZAP running on Jenkins, is it enough to copy

/home/.ZAP/scripts/scripts/passive/TestScript.js

into 

/var/lib/jenkins/.ZAP/scripts/scripts/passive/TestScript.js

as by default the .ZAP folder only has var/lib/jenkins/.ZAP/scripts/, so I would need to create the other two levels.

thc...@gmail.com

Feb 23, 2016, 7:56:22 AM2/23/16
to zaprox...@googlegroups.com
Hi.

It's not enough to just copy the script(s) to the "scripts" directory; you also need to add them to ZAP, which can be done with command line arguments. [1]
(Also, the script(s) do not need to be located in that directory, as the referenced example shows.)

But if you already have a ZAP "home" directory prepared for your use case, you can just set ZAP to use it with the command line argument "-dir". [2]
That should simplify the setup a bit.


> /home/.ZAP/scripts/scripts/passive/TestScript.js >>> the double scripts folder is a bug?

There are two "scripts" directories because the first is the main "scripts" directory, which holds the "scripts" being used and the available "templates".


[1] https://github.com/zaproxy/zaproxy/wiki/FAQscriptCmdLine
[2] https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline

Best regards.

Albert

Feb 23, 2016, 8:01:35 AM2/23/16
to OWASP ZAP User Group
Starting ZAP with:

./zap -dir /var/lib/jenkins/.ZAP will start ZAP with the configuration used for Jenkins.

I can install the Marketplace community scripts in that instance and enable the one I would like to try, i.e. Find Credit Cards.

If I now want to run only that script when passive scanning, are these the steps to follow?

View> Show Tabs> Script Tab
Scripting > Scripts > Passive Rules
Enable Find Credit Cards.js and Save

Tools>Options>Passive Scan Rules
Then set all the Test Names to OFF
Set the Script Passive Scan Rule to High >>> Is this where the rule lives? How can I know in which test category each script lives?

Albert

Feb 23, 2016, 10:01:33 AM2/23/16
to OWASP ZAP User Group
What I see is:

I start zap:

/zap -dir /var/lib/jenkins/.ZAP

View> Show Tabs> Script Tab
Scripting > Scripts > Passive Rules
Enable Find Credit Cards.js and Save

Restart ZAP: 
Exit
/zap -dir /var/lib/jenkins/.ZAP

View> Show Tabs> Script Tab
Scripting > Scripts > Passive Rules
Find Credit cards is disabled. 

Shouldn't the enable state be persisted?
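
Added example, not code from this thread or from the ZAP project: it serves thc's point that copying a script into the "scripts" directory is not enough (the script must also be registered with ZAP, which the FAQ at [1] does via command line arguments) and Albert's question about the enabled state, because passing the registration on the command line makes the enabled state explicit at every daemon start instead of relying on what the GUI saved. It assumes the `-daemon`, `-dir` and `-config` arguments, the config keys `script.scripts(N).name`, `.engine`, `.type`, `.enabled` and `.file` as described in [1], and the engine name string "ECMAScript : Oracle Nashorn" as shown in the Scripts tab of ZAP releases of that time; verify all three against [1] and your ZAP version. The paths and script name are constructed sample values matching the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project). Builds the command
# line for a headless ZAP that uses a prepared home directory ("-dir") and
# registers plus enables one passive-scan script via "-config" overrides.
# Assumptions to verify against the FAQ linked in the thread: the config keys
# script.scripts(N).name/engine/type/enabled/file and the engine name string.
# All paths below are constructed sample values.

ZAP_HOME="/var/lib/jenkins/.ZAP"
SCRIPT_NAME="Find Credit Cards.js"
SCRIPT_FILE="$ZAP_HOME/scripts/scripts/passive/$SCRIPT_NAME"
ENGINE="ECMAScript : Oracle Nashorn"

# Only register a script that exists and is readable by the ZAP user; a typo
# in the path would otherwise leave ZAP with a dangling script entry and no
# passive rule actually running, which is easy to miss in a CI job.
check_script_file() {
    [ -f "$1" ] && [ -r "$1" ]
}

# zap_script_args INDEX NAME ENGINE TYPE FILE
# Print the "-config" pairs for script slot INDEX, one argument per line, so a
# caller can load them with "set --" without breaking on spaces in names.
zap_script_args() {
    idx="$1" name="$2" engine="$3" type="$4" file="$5"
    printf '%s\n' "-config" "script.scripts($idx).name=$name"
    printf '%s\n' "-config" "script.scripts($idx).engine=$engine"
    printf '%s\n' "-config" "script.scripts($idx).type=$type"
    printf '%s\n' "-config" "script.scripts($idx).enabled=true"
    printf '%s\n' "-config" "script.scripts($idx).file=$file"
}

# zap_daemon_cmd HOME FILE NAME
# Print the complete argument list for a headless ZAP with one enabled
# passive script, one argument per line. Nothing is launched here.
zap_daemon_cmd() {
    printf '%s\n' "zap.sh" "-daemon" "-dir" "$1"
    zap_script_args 0 "$3" "$ENGINE" "passive" "$2"
}

# Usage: show the command that would be run. To launch ZAP for real, set IFS
# to a newline, load the printed lines with "set --" and "exec" them.
if check_script_file "$SCRIPT_FILE"; then
    zap_daemon_cmd "$ZAP_HOME" "$SCRIPT_FILE" "$SCRIPT_NAME"
else
    echo "sample script not found: $SCRIPT_FILE (adjust ZAP_HOME/SCRIPT_NAME)" >&2
fi
```

Printing one argument per line rather than a single string is deliberate: the community script names contain spaces, and a space-joined command line would split "Find Credit Cards.js" into three arguments.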