Example of how to record a Zest auth script and use it via the Python API


Kaspars

May 8, 2017, 11:32:12 AM5/8/17
to OWASP ZAP User Group
Can you point me to some example of how to record a Zest auth script and use it for an automated scan via the ZAP Python API? For example, how to scan DVWA. I tried searching Google and YouTube but without success.
From the ZAP GUI it is easy, but I'm stuck on how to authenticate and scan as a specific user with the API.

Simon Bennetts

May 8, 2017, 11:37:52 AM5/8/17
to OWASP ZAP User Group
You won't be able to record a Zest script via the API, but you hopefully won't need to.
I always recommend making full use of the UI, even if you want to end up just using the API.
Record your Zest script via the GUI and check that it works. This FAQ may help with authentication in general: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
Once you've got it working in the GUI, save the Context.

Then with a new session (still in the GUI) import the Context via the API and check authentication still works.
I strongly recommend testing the API with the GUI - it's much easier to see what's going on.
Once the API is working fine (testing via the GUI) you should be able to run ZAP in daemon mode and run the same API calls, and it should still work in the same way.
If you need to run the script on another machine then you'll also need to copy the Zest script over and import it via the API as well.

Cheers,

Simon
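The daemon-mode workflow described above, written out as an added example (not code from the thread or from the ZAP project): it drives the ZAP JSON API directly with the standard library instead of the zapv2 client, so it has no extra dependency, and the transport is injectable so the call sequence can be checked without a live ZAP. Assumed: ZAP listens on 127.0.0.1:8080 with API key "changeme", the Context file was exported from the GUI with a user already defined, and the Zest script is loaded under the name the Context references.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumptions (not from the thread): ZAP daemon on localhost, started with an
# API key, e.g.  zap.sh -daemon -port 8080 -config api.key=changeme
ZAP_API = "http://127.0.0.1:8080"
API_KEY = "changeme"


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/context/action/importContext/?..."""
    params["apikey"] = API_KEY
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def http_call(component, kind, name, **params):
    """Default transport: GET the API URL and decode the JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)


def authenticated_scan(target, context_file, zest_file, script_name, username,
                       call=http_call, poll=2.0):
    """Replay the GUI steps from the thread against the API: import the saved
    Context, load the Zest auth script, then spider and active-scan as the user."""
    # 1. Import the Context exported from the GUI; it carries the authentication
    #    method, session management settings and the user defined there.
    context_id = call("context", "action", "importContext",
                      contextFile=context_file)["contextId"]
    # 2. Load the Zest authentication script (needed when the daemon runs on a
    #    different machine than the one where the script was recorded).
    call("script", "action", "load", scriptName=script_name, scriptType="authentication",
         scriptEngine="Mozilla Zest", fileName=zest_file)
    # 3. Resolve the user's id inside the imported Context and enable it for scanning.
    users = call("users", "view", "usersList", contextId=context_id)["usersList"]
    user_id = next(u["id"] for u in users if u["name"] == username)
    call("users", "action", "setUserEnabled", contextId=context_id, userId=user_id,
         enabled="true")
    # 4. Spider, then active scan, both "as user"; poll each until it reports 100%.
    for component in ("spider", "ascan"):
        scan_id = call(component, "action", "scanAsUser", url=target,
                       contextId=context_id, userId=user_id)["scan"]
        while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)
    # 5. Return the alerts ZAP raised for the target.
    return call("core", "view", "alerts", baseurl=target)["alerts"]
```

The same steps map one-to-one onto the zapv2 client (context.import_context, script.load, users.users_list, spider.scan_as_user, ascan.scan_as_user) if you prefer that wrapper.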

kingthorin+owaspzap

May 8, 2017, 12:03:24 PM5/8/17
to OWASP ZAP User Group
This blog might help you get started:
https://www.coveros.com/scripting-authenticated-login-within-zap-vulnerability-scanner/

I don't think it has everything you're looking for, but it's the basics.

Kaspars

May 11, 2017, 2:43:26 AM5/11/17
to OWASP ZAP User Group
Thanks, 
Learning by doing.

Alessandro Pezzè

Jan 11, 2018, 8:59:17 AM1/11/18
to OWASP ZAP User Group
Hi Simon,

Suppose that I have a headless Selenium script that tests my website (let's say to check if login works), and at the same time with ZAP I'm sniffing the traffic to find vulns. How can I replay the entire traffic sniffed from the Selenium test, modifying part of it (maybe stripping out some headers or tokens)?

Alessandro