Zapv2 Automation , plan_progress


Diogo Silva

May 18, 2024, 1:01:41 PM
to ZAP User Group
When using the automation framework API `planProgress` from `zapv2` with a given plan ID, the response is always an empty array `[]`. However, using the ZAP API from the UI returns useful information. Could someone help me?

thc...@gmail.com

May 20, 2024, 11:14:59 AM
to zaprox...@googlegroups.com
Hi,

Could you try with the latest version? It should now return the proper info.

Best regards.

Diogo Silva

May 22, 2024, 9:59:14 AM
to ZAP User Group
Thanks a lot for the help. I updated it and it is now returning what it should. 

However, something is not going well during the execution of my automation plan. I have a service running ZAP in daemon mode on my Linux system, and I am running an automation plan through the Python API. Attached are the logs of a simulation and the automation plan. My target is running on another VM, but I think the connection between them is fine.

Can someone help me?
AuthPlan.yaml
zap.log

kingthorin+zap

May 22, 2024, 11:04:36 AM
to ZAP User Group
Well, a few things stand out to me.

Your plan seems to specify two different contexts throughout.
You seem to be DoSing DVWA at points.
You're trying to generate the report for a URL instead of a site.

Diogo Silva

May 24, 2024, 6:28:01 AM
to ZAP User Group
How come there are two contexts? I'm supposed to use only one context, which will have the same name as the base URL from where I will start exploring the application. What is the second context?
I didn't understand the second point.
Regarding the report, since the application is running on the localhost of another VM (10.0.2.4), am I supposed to make the report for the site: http://10.0.2.4? Won't it include things that don't belong to the application I want to analyze?  

I have one more question: is it possible to perform Authentication Tester from the command line? And then use the context created in the Automation plan?

Thank you very much, I look forward to your response.  

thc...@gmail.com

May 27, 2024, 3:00:57 AM
to zaprox...@googlegroups.com
In some places you have:
context: http://10.0.2.4/DVWA

and others:
context: http://10.0.2.4:3000


In this case you don't really need to specify a site for the report
since the context will already filter for the URLs you want.


No, it only works with the GUI right now.

Best regards.

Diogo Silva

May 31, 2024, 4:07:09 AM
to ZAP User Group
Thank you very much for the responses. However, I still have some questions. 

How many complete scans (spider, ajaxSpider, active scan) can be performed simultaneously with one instance of ZAP Proxy? 

I am developing a system in Python where the objective is to have an .ini file with the information of each target (base URL, and if the target to be analyzed has login, username, password, and LoginUrl). Then, I have a function that reads this file and replaces only the necessary values in the automation plan (yaml). After replacing the values through the Python API, I execute the automation plan. What is happening is that the first target is analyzed correctly, but the second plan gets stuck in the ajaxSpider. 
Considering my automation objective, what is your recommendation? Is it viable to continue using only one instance of ZAP Proxy?

Best regards.
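For the .ini-to-plan workflow described in the post above, here is an added example (not code from the thread or from the ZAP project). It renders one plan per target with the standard library only (no PyYAML), writes the context name through a single placeholder so that a substituted plan cannot end up with two different contexts, which is the problem kingthorin pointed out, and then checks the rendered text for exactly that inconsistency. The .ini key names, the YAML layout of the browser-based authentication block, the report template name and all paths are assumptions.

```python
import configparser
import re
from string import Template

# Constructed sample .ini: two targets, one with a login page.
SAMPLE_INI = """
[dvwa]
base_url = http://10.0.2.4/DVWA
login_url = http://10.0.2.4/DVWA/login.php
username = admin
password = EXAMPLE-PASSWORD

[juice]
base_url = http://10.0.2.4:3000
"""

# Plan skeleton: ${context} is the only place a context name is written,
# so every job necessarily refers to the one context defined in env.
PLAN_TEMPLATE = Template("""\
env:
  contexts:
    - name: ${context}
      urls:
        - ${base_url}
${auth}jobs:
  - type: spider
    parameters:
      context: ${context}
  - type: spiderAjax
    parameters:
      context: ${context}
  - type: activeScan
    parameters:
      context: ${context}
  - type: report
    parameters:
      template: traditional-html
      reportDir: ${report_dir}
""")

# Browser-based authentication block (assumed layout), indented to sit
# inside the single context entry above.
AUTH_TEMPLATE = Template("""\
      authentication:
        method: browser
        parameters:
          loginPageUrl: ${login_url}
          browserId: firefox
      users:
        - name: automation-user
          credentials:
            username: ${username}
            password: ${password}
""")


def load_targets(ini_text: str) -> configparser.ConfigParser:
    """Parse the .ini text; interpolation is off so '%' in a password stays literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg


def render_plan(target: configparser.SectionProxy, report_dir: str) -> str:
    """Render one plan for one target; the context is named after the base URL."""
    base_url = target["base_url"].rstrip("/")
    auth = ""
    if target.get("login_url"):  # only targets with a login get users
        auth = AUTH_TEMPLATE.substitute(
            login_url=target["login_url"],
            username=target["username"],
            password=target["password"],
        )
    return PLAN_TEMPLATE.substitute(
        context=base_url, base_url=base_url, auth=auth, report_dir=report_dir
    )


def check_contexts(plan: str) -> list:
    """Problems found in a rendered plan: not exactly one env context, or a job
    whose 'context:' names something env does not define. Empty list means OK.
    env.contexts entries sit at 4 spaces; user entries sit deeper and are skipped."""
    defined = re.findall(r"^ {4}- name:\s*(\S+)\s*$", plan, re.MULTILINE)
    used = sorted(set(re.findall(r"^\s*context:\s*(\S+)\s*$", plan, re.MULTILINE)))
    problems = []
    if len(defined) != 1:
        problems.append(f"expected exactly one context in env, found {defined}")
    problems.extend(f"job refers to undefined context {name}"
                    for name in used if name not in defined)
    return problems


def render_all(ini_text: str, report_dir: str = "/tmp/zap-reports") -> dict:
    """One checked plan per target; raises if any rendered plan is inconsistent."""
    cfg = load_targets(ini_text)
    plans = {name: render_plan(cfg[name], f"{report_dir}/{name}")
             for name in cfg.sections()}
    for name, plan in plans.items():
        problems = check_contexts(plan)
        if problems:
            raise ValueError(f"{name}: {problems}")
    return plans


# Constructed plan reproducing the mismatch described in the thread.
BAD_PLAN = """\
env:
  contexts:
    - name: http://10.0.2.4/DVWA
      urls:
        - http://10.0.2.4/DVWA
jobs:
  - type: spider
    parameters:
      context: http://10.0.2.4/DVWA
  - type: activeScan
    parameters:
      context: http://10.0.2.4:3000
"""
```

Running `check_contexts` over a hand-edited plan before handing it to ZAP catches the two-context mistake early; `render_all(SAMPLE_INI)` produces the per-target plans, and `check_contexts(BAD_PLAN)` reports the job that points at the undefined second context.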

Simon Bennetts

Jun 4, 2024, 4:07:53 AM
to ZAP User Group
Hi Diogo,

How long is a piece of string? :)
It all depends on what you are doing.
If you are repeatedly scanning a simple one page app then ZAP will probably cope for a long time.
Repeatedly scanning a massive app, less so.

ZAP is not designed to be a long running service.
Scans typically take a non trivial amount of time, so I think that the time to start ZAP is generally less significant.
As a result I recommend starting a new ZAP instance each time.

Cheers,

Simon
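Following Simon's recommendation of a fresh instance per run, here is an added example (not code from the thread or from the ZAP project) that gives each target its own ZAP instance with its own port and home directory, builds the headless launch command, and waits for the API to answer before a plan is sent. The readiness probe is injected so the waiting logic runs without a live ZAP; `zapv2_probe` wires it to a real `zapv2.ZAPv2` client through `core.version`, and `launch_plan` starts the plan with `automation.run_plan`. The `zap.sh` path, the base port and directory, and the API key value are placeholders.

```python
import time
from typing import Callable, List, Optional, Tuple


def instance_layout(target_names: List[str], base_port: int = 8091,
                    base_dir: str = "/tmp/zap-instances") -> List[Tuple[str, int, str]]:
    """One (target, port, home_dir) per target. Two instances must never share
    a port or a -dir, because the home directory holds the session and config."""
    return [(name, base_port + i, f"{base_dir}/{name}")
            for i, name in enumerate(target_names)]


def build_zap_command(zap_sh: str, port: int, home_dir: str, api_key: str,
                      plan: Optional[str] = None) -> List[str]:
    """Argument list for subprocess.Popen.

    -daemon runs ZAP headless and keeps the API up; -port and -dir isolate the
    instance; the API key is set with -config so clients must present it.
    With a plan path, -autorun starts the plan at launch; without one the plan
    is started later through the API once the instance answers."""
    cmd = [zap_sh, "-daemon", "-port", str(port), "-dir", home_dir,
           "-config", f"api.key={api_key}"]
    if plan:
        cmd += ["-autorun", plan]
    return cmd


def wait_for_api(probe: Callable[[], bool], timeout_s: float,
                 interval_s: float = 1.0, clock=time.monotonic,
                 sleep=time.sleep) -> bool:
    """Poll probe() until it returns True or the deadline passes.

    A freshly started ZAP refuses connections for a while, so an exception
    from the probe counts as 'not ready yet', not as failure."""
    deadline = clock() + timeout_s
    while True:
        try:
            if probe():
                return True
        except Exception:
            pass
        if clock() >= deadline:
            return False
        sleep(interval_s)


def zapv2_probe(zap) -> Callable[[], bool]:
    """Readiness probe for a zapv2.ZAPv2 client: the API is up once
    core.version answers (the client raises while the port is still closed)."""
    return lambda: bool(zap.core.version)


def launch_plan(zap_sh: str, port: int, home_dir: str, api_key: str,
                plan: str, timeout_s: float = 120.0):
    """Start one instance, wait for its API, then hand it the plan.
    Imports are local so the functions above run without zapv2 installed."""
    import subprocess
    from zapv2 import ZAPv2

    proc = subprocess.Popen(build_zap_command(zap_sh, port, home_dir, api_key))
    proxy = f"http://127.0.0.1:{port}"
    zap = ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})
    if not wait_for_api(zapv2_probe(zap), timeout_s):
        proc.terminate()
        raise RuntimeError(f"ZAP on port {port} did not answer within {timeout_s}s")
    plan_id = zap.automation.run_plan(plan)
    return proc, zap, plan_id
```

The loop in `launch_plan` is the piece the thread was missing: the plan is only submitted after the API has answered, and a stuck or failed instance is terminated instead of being reused for the next target. `instance_layout(["dvwa", "juice"])` gives the port and directory pairs to feed into `launch_plan` one target at a time.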

Diogo Silva

Jun 6, 2024, 1:32:15 PM
to ZAP User Group
Good afternoon, thank you once again for your response. 

Now I am trying to run different instances of ZAP simultaneously, but I am having difficulties running the automation plan. I am testing running just one ZAP instance and executing the automation plan, and I am getting the error shown in the attached image. I have already executed the automation plan on the same port and in the same directory that I am trying to use with the Python code, one of them in the GUI and the other through the command line with the following command:
`./zap.sh -port 8091 -dir /home/vboxuser/zaproxy/instance1 -cmd -autorun /home/vboxuser/siaas-agent/NewPlan1.yaml`
Both ran well and I obtained similar results.

However, when I try to run the same automation plan via the Python API, it doesn't work. Some variables are static because I am trying to solve this issue.
Here are variables that do not appear in the picture:
ini_file = os.path.join('conf', 'siaas_zap_agent.ini')
template_yaml_file = '/home/vboxuser/siaas-agent/NewPlan1.yaml'
zap_path = '/home/vboxuser/zaproxy/zap.sh'

I really need help. 
Thank you very much.  
Error_Log.png
code.png
NewPlan1.yaml

Simon Bennetts

Jun 10, 2024, 6:35:06 AM
to ZAP User Group
Hi Diogo,

ZAP appears to be having problems launching Firefox for authentication.

Why you are just getting this when you use the API I cannot say, apart from it implies that the environments are different in some way.

Cheers,

Simon