to OWASP ZAP User Group
Hi All,
I am new to ZAP. I wish to scan a list of URLs using the Dockerized ZAP service. I understand how to get the Dockerized ZAP service running. When I set the target of the scan (I use owasp/zap2docker-stable image) to be -t http://localhost:3000/openapi.json (with -f openapi flag set too), it is able to scan the URL, but it is NOT able to spider through the subdomain definitions - aka other URLs like http://localhost:3000/book/{book_id}, http://localhost:3000/book even though these URLs are present in the openapi definition.
Does anyone know how to add URLs to the Dockerized ZAP service either through a file / flag / tool etc so that I can ensure ZAP scans and spiders through the correct sitemap of my API? Thanks!
Yuvraj Chauhan
Jul 21, 2021, 9:26:39 AM
Essentially, I am trying to get a response to this post on Stackoverflow regarding scanning a list of URLs using the ZAP Dockerized service:
You should start with ZAP desktop so that you can see what's going on.
Ensure that your openapi.json is importing properly.
Yuvraj Chauhan
Jul 21, 2021, 6:35:06 PM
I cannot use the Desktop version because of some restrictions. Could you share sample code of how scan hooks could be used to fix this? My openapi.json is fine.
kingthorin+owaspzap
Jul 21, 2021, 7:55:01 PM
Use a weekly build, you can just unzip it, no install required?
If your openapi is fine then it must be working..... <shrug>
As alternatives you could proxy functional tests through ZAP to build up the site tree. Or export/import HARs.
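A scan hooks file of the kind asked about earlier in the thread, as an added example that is not part of any post here and is not ZAP project code: it expands the templated paths in the OpenAPI definition into concrete GET URLs and requests each one through ZAP so that it lands in the site tree. It relies on the `zap_started` hook and the Python API client's `zap.core.access_url`; the file name `zap_hooks.py`, the helper names, the `SAMPLE_VALUES` substitutions and the sample definition are assumptions, as is the API being served from the same origin as `openapi.json`.

```python
# zap_hooks.py (hypothetical file name) - added example, not ZAP project code
import json
import re
from urllib.parse import urljoin
from urllib.request import urlopen

# Assumption: values substituted for {placeholders}; use IDs that exist in your API.
SAMPLE_VALUES = {"book_id": "1"}
DEFAULT_SAMPLE = "1"

# Constructed sample definition mirroring the paths named in the question.
SAMPLE_SPEC = {
    "paths": {
        "/book": {"get": {}, "post": {}},
        "/book/{book_id}": {"get": {}, "delete": {}},
        "/admin/reindex": {"post": {}},
    }
}


def expand_paths(spec, base_url):
    """Return sorted concrete URLs for every path that defines a GET operation."""
    urls = set()
    for path, operations in spec.get("paths", {}).items():
        if "get" not in operations:
            continue  # access_url only issues GET requests
        concrete = re.sub(
            r"\{([^}]+)\}",
            lambda m: SAMPLE_VALUES.get(m.group(1), DEFAULT_SAMPLE),
            path,
        )
        urls.add(urljoin(base_url, concrete))
    return sorted(urls)


def seed_site_tree(zap, urls):
    """Request each URL through ZAP so it is recorded in the site tree."""
    for url in urls:
        zap.core.access_url(url)
    return urls


def zap_started(zap, target):
    """Hook run by the packaged scan scripts once ZAP has started."""
    with urlopen(target) as resp:  # target is the -t value (the openapi.json URL)
        spec = json.load(resp)
    seed_site_tree(zap, expand_paths(spec, target))
    return zap, target
```

The file has to be readable inside the container (for example through a mounted volume) and is passed to the packaged scan script with its `--hook` option.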