Is there a syntax to scan using just the .bat file


Raghavendra Rao PV

Sep 6, 2016, 8:25:08 AM9/6/16
to OWASP ZAP User Group
I am trying to scan a web application by just accepting the URL from users and then triggering a batch process to execute the scans. In the ZAP user guide I saw a mention of the '-daemon' keyword, but it doesn't give an example of its usage.

I am looking for something like this, without showing up the UI.

The scanRequest.bat contains something like:
java -Xmx512m -XX:PermSize=256M -jar zap.jar org.zaproxy.zap.ZAP http://mysite.com/subFolder <username> <password> <output folder name and type>

Upon calling the scanRequest.bat from my Java program, the batch should execute and store the results in the specified folder and with the specified file type.

Is this possible?

Kindly assist with how to go about creating the .bat file and running it from my program.

--
Regards,
Raghavendra Rao PV

Simon Bennetts

Sep 6, 2016, 9:02:40 AM9/6/16
to OWASP ZAP User Group
The '-daemon' parameter starts ZAP without the UI, you then need to control it via the API.

If you just want to scan a URL from the command line then have a look at https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsQuickstartCmdline

However, you have very limited options when you run ZAP like that. To have full control of all of ZAP's functionality, you'll need to go down the daemon / API route.

Cheers,

Simon

Raghavendra Rao PV

Sep 17, 2016, 5:04:03 AM9/17/16
to OWASP ZAP User Group

I use the following method, but this just opens up the ZAP UI. Is there a way I can run ZAP without the UI? What should I modify in the code below to achieve this?

import java.io.IOException;

        String strBatFile = "C:\\Program Files (x86)\\OWASP\\Zed Attack Proxy";
        Runtime rt = Runtime.getRuntime();
        Process p = null;
        int intReturnValue = 1;
        try {
            // "start" launches the target in a new window and cmd returns at once,
            // so waitFor() only waits for cmd, not for ZAP itself
            p = rt.exec("cmd /c start " + strBatFile);
            intReturnValue = p.waitFor();
            System.out.println("Execution complete");
        } catch (IOException | InterruptedException e) {
            System.out.println("Error in generateSAST. " + e.getMessage());
        }

kingthorin+owaspzap

Sep 17, 2016, 6:55:55 AM9/17/16
to OWASP ZAP User Group

Raghavendra Rao PV

Sep 19, 2016, 9:26:07 AM9/19/16
to OWASP ZAP User Group
Thanks for the link. I tried this:

C:\RRPV\VMSInstalledTools\OWASP\Zed Attack Proxy>java -jar zap.jar -newsession sessionOne -scan http://localhost:8080/VMS/ -daemon

and get the following:
     0 [main] INFO org.zaproxy.zap.ZAP  - OWASP ZAP 1.4.1 started.
     548 [Thread-2] INFO org.parosproxy.paros.core.scanner.PluginFactory  - Plugin Password Autocomplete in browser depricated
     548 [Thread-2] INFO org.parosproxy.paros.core.scanner.PluginFactory  - loaded plugin Secure page browser cache
...and it continues.


How do we initiate the scan? As per the help, the above syntax should have worked.

C:\RRPV\VMSInstalledTools\OWASP\Zed Attack Proxy>java -Xmx512m -jar zap.jar -h

Command line usage:
java -jar zap.jar {-h|-help} {-newsession session_file_path} {options} (-daemon)

options:

-scan : Run vulnerability scan depending on previously saved policy.
-last_scan_report [file_path]: Generate 'Last Scan Report' into the file_path provided.


On Saturday, September 17, 2016 at 4:25:55 PM UTC+5:30, kingthorin+owaspzap wrote:
https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline

Use -daemon

Simon Bennetts

Sep 19, 2016, 9:33:30 AM9/19/16
to OWASP ZAP User Group
Version 1.4.1???
That's ancient!
Please download and use the latest version of ZAP, currently 2.5.0: https://github.com/zaproxy/zaproxy/wiki/Downloads

Cheers,

Simon

Raghavendra Rao PV

Sep 19, 2016, 10:50:35 AM9/19/16
to OWASP ZAP User Group
Excellent. The issue was with the older version of ZAP.

Now ZAP runs fine from the command prompt. I created a .bat file with the following syntax and try executing it from my Java program:

     @echo results stored at: C:\Program Files (x86)\OWASP\Zed Attack Proxy
     java -jar zap-2.5.0.jar -quickurl http://localhost:8080/VMS/ -quickprogress -quickout report.xml
     exit

and it's stuck at "INFO: Initializing ExtensionHistory". What should be done to get the scan running?

However, when I double-click the .bat file, the above command scans only getLogin.java and Login.jsp. Is there a way I can supply the default user credentials in the command?
And the -quickout report.xml displays an error 'The directory of given '-quickout' file is not writable: C:\RRPV\VMSInstalledTools\OWASPNew\Zed Attack Proxy\'

--
Thanks,
Raghavendra Rao PV
ZAP_Stuck.png

Simon Bennetts

Sep 19, 2016, 12:17:08 PM9/19/16
to OWASP ZAP User Group
Replies below:


On Monday, 19 September 2016 15:50:35 UTC+1, Raghavendra Rao PV wrote:
Excellent. The issue was with the older version of ZAP.

Now ZAP runs fine from the command prompt. I created a .bat file with the following syntax and try executing it from my Java program:

     @echo results stored at: C:\Program Files (x86)\OWASP\Zed Attack Proxy
     java -jar zap-2.5.0.jar -quickurl http://localhost:8080/VMS/ -quickprogress -quickout report.xml
     exit

and it's stuck at "INFO: Initializing ExtensionHistory". What should be done to get the scan running?

That's strange. Have a look at this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQhelp
 

However, when I double-click the .bat file, the above command scans only getLogin.java and Login.jsp. Is there a way I can supply the default user credentials in the command?
And the -quickout report.xml displays an error 'The directory of given '-quickout' file is not writable: C:\RRPV\VMSInstalledTools\OWASPNew\Zed Attack Proxy\'

The Quick scan is just that, a quick scan.
If you need to supply credentials then you'll need to set up a context - have a look at this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQformauth

Cheers,

Simon
 