Hello everyone,
I'm a newbie with ZAP and I would like to create a CI/CD pipeline and use it with a Docker container.
To try it I'm using the image of GoatWeb and my local image of ZAP: I have an M1 Mac and in order to run ZAP in Docker I had to rebuild the image from the Dockerfile on GitHub (from: https://groups.google.com/g/zaproxy-users/c/meg0Lkvl03s ). I want to run zap-full-scan.py against the GoatWeb target.
I'm having problems with the authenticated scan; I'll write the steps I took and then attach the context file with a .txt extension.
1) Open the ZAP GUI, create the context file and export it (as webgoat.context) in my current directory
context to include: http://goatandwolf:8080/.*
create the user for the context
authentication: form-based
Login Form Target URL: http://goatandwolf:8080/WebGoat/login
URL to get Login Page: http://goatandwolf:8080/WebGoat/login
2) Run the GoatWeb container
docker run --rm --name goatandwolf -p 8090:8080 -p 9090:9090 -d --net zapnet --hostname goatandwolf webgoat/goatandwolf
2b) Access GoatWeb and create a new user with the same credentials stored in the context
3) Run the ZAP container
docker run --rm -dt --name zap --net zapnet -v $(pwd):/zap/wrk/:rw localzap /bin/bash
In this way the ZAP container can see the context file
4) Access the ZAP container
docker exec -it zap /bin/bash
4a) Check if ZAP can see GoatWeb
curl http://goatandwolf:8080/WebGoat/login
4b) Start the full scan
./zap-full-scan.py -t http://goatandwolf:8080/WebGoat/login -d -r report.html -n wrk/webgoat.context -U <username>
The full scan does not return an error; it produces the report, but it's the exact same report as the unauthenticated scan.
Instead I was expecting it to discover more URLs.
I have read the log and it did not seem to me to contain any WARNs.
Maybe it's worth noticing that even with the ZAP GUI I cannot succeed in starting an authenticated scan. I had a curious situation in which it did not matter which user I chose or whether "Force User" was enabled or not, but in the payload for the login I had "username=zap&password=zap".
Can I ask you what I'm missing or what I'm doing wrong?
Thanks in advance
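One sanity check worth running on the exported context before handing it to zap-full-scan.py, as an added example that is not the poster's code nor part of ZAP: parse the context XML and confirm the form-based login body carries the {%username%} and {%password%} placeholders rather than literal credentials, which is what a payload of "username=zap&password=zap" suggests. The element names (context/authentication/form/loginbody) and the sample XML are assumptions modelled on a ZAP export, constructed inline.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a ZAP-exported context (element names assumed).
# The login body deliberately holds literal credentials: the mistake to catch.
SAMPLE_CONTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>webgoat</name>
    <incregexes>http://goatandwolf:8080/.*</incregexes>
    <authentication>
      <type>2</type>
      <form>
        <loginurl>http://goatandwolf:8080/WebGoat/login</loginurl>
        <loginbody>username=zap&amp;password=zap</loginbody>
        <loginpageurl>http://goatandwolf:8080/WebGoat/login</loginpageurl>
      </form>
    </authentication>
  </context>
</configuration>
"""

FORM_BASED = "2"  # assumed numeric id ZAP writes for form-based authentication

def check_context(xml_text):
    """Return a list of problems found in the context's form-based auth setup."""
    problems = []
    ctx = ET.fromstring(xml_text).find("context")
    if ctx is None:
        return ["no <context> element"]
    auth = ctx.find("authentication")
    if auth is None:
        return ["no <authentication> element: the scan will run unauthenticated"]
    if (auth.findtext("type") or "") != FORM_BASED:
        problems.append("authentication type is not form-based")
    body = auth.findtext("form/loginbody") or ""
    # Without the placeholders ZAP cannot substitute the selected user's
    # credentials, so every login attempt sends the same literal values.
    for token in ("{%username%}", "{%password%}"):
        if token not in body:
            problems.append(f"login body lacks {token}: "
                            "the user's credentials will not be substituted")
    if not auth.findtext("form/loginurl"):
        problems.append("login URL is empty")
    return problems

if __name__ == "__main__":
    for p in check_context(SAMPLE_CONTEXT):
        print("WARN:", p)
```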