ZAP report generation when running in daemon mode


Hariprasad kavyashree

Sep 4, 2017, 3:35:28 AM
to OWASP ZAP User Group
Hi All,

I am running the ZAP using command line daemon mode:

Command is: "zap.bat -daemon -port 8500 -host localhost -quickout D:\SampleZAPReport.html "


Background:

I have a set of automated test cases using Selenium, so I set the proxy as shown below:

// Route all browser traffic through the ZAP daemon listening on localhost:8500
Proxy proxy = new Proxy();
proxy.setHttpProxy("localhost:8500");
proxy.setFtpProxy("localhost:8500");
proxy.setSslProxy("localhost:8500");
proxy.setAutodetect(false);
proxy.setProxyType(ProxyType.MANUAL);
// capability (DesiredCapabilities) and profile (FirefoxProfile) are declared elsewhere in the test setup
capability = DesiredCapabilities.firefox();
capability.setCapability(CapabilityType.PROXY, proxy);
capability.setCapability("unexpectedAlertBehaviour", "ignore");
capability.setCapability(FirefoxDriver.PROFILE, profile);

I started running the Selenium script and all the test cases passed without any issue. But the generated report (D:\SampleZAPReport.html) has blank info.

Could you please let me know how to generate the zap report when we run zap using daemon mode?

System info:

Windows 7.

Thanks,
-Hariprasad

Simon Bennetts

Sep 4, 2017, 4:11:32 AM
to OWASP ZAP User Group
I'm afraid ZAP doesn't work like that.
The '-quick*' command line options all run inline, so the report gets generated before your tests finish.

Have a look at the zap-full-scan.py script that's included in the docker images.
That has a -D option which allows you to specify the number of seconds before the active scanning will start - this should be greater than the length of time your selenium scripts take to run - ZAP has no other way of knowing when they have finished.

Cheers,

Simon

Hariprasad kavyashree

Sep 4, 2017, 6:46:34 AM
to OWASP ZAP User Group
Hello Simon,

Thanks for your quick reply. I ran "zap.bat -h" to see all the commands but couldn't find any way to wait for a specified time for an action to complete (Selenium tests completion). I agree that ZAP doesn't know the time taken by Selenium to finish its actions.

My intention here is: I need a command to start ZAP, which I have (what I am doing right now, such as zap.bat -daemon ... and so on).
As a second step I will run my Selenium scripts to completion (I have scripts ready for that).
As the final step I want some command to generate the ZAP report and stop the ZAP instance that I started before running the Selenium scripts. Please help me out on this.

Note: If there is any script to solve this issue, please provide the code in Java.

Thanks,
-Hariprasad

Simon Bennetts

Sep 4, 2017, 6:53:42 AM
to OWASP ZAP User Group
You will need to control ZAP via the API.
The packaged script I linked to will do that, but it only supported the delay rather than allowing you to control ZAP exactly when you want.
You can drive the ZAP API using Java, some examples are here: https://github.com/zaproxy/zap-api-java/tree/develop/subprojects/zap-clientapi/src/examples/java/org/zaproxy/clientapi/examples

Hopefully you'll be able to work out what you need to do based on these examples and the python script - the ZAP API works in the same way however it's driven.

Cheers,

Simon

Hariprasad kavyashree

Sep 6, 2017, 5:46:38 AM
to OWASP ZAP User Group

Hello Simon,

Step1: I started ZAP in daemon mode.

The command is: zap.bat -daemon -port 8500 -host localhost

Step2: I executed the Selenium script from Eclipse and it ran successfully (my Selenium script had the configuration I mentioned in the first post).

Step3: Now, to see the ZAP vulnerability report, I opened UI mode "http://localhost:8500/UI/core/other/htmlreport/", entered api-key="change-me-9203935709", clicked the HTML report button, and was able to see the ZAP report.

Problem:

We cannot access the "http://localhost:8500/OTHER/core/" URL every time to see the report, because the Selenium script will run overnight and we also want to generate the ZAP report on every build. Is there any way we can call something (a code snippet) at the end of the Selenium suite execution to get the ZAP report (basically, do the Step3 operation without accessing the URL)?

Thanks,
-Hariprasad

kingthorin+owaspzap

Sep 6, 2017, 8:05:55 AM
to OWASP ZAP User Group
You run a command to launch ZAP, why can't you run a command (wget, curl, powershell, whatever) to get the report from the API and save it to disk?

The whole point of the API is to be able to interact with ZAP programmatically.


Hariprasad kavyashree

Sep 19, 2017, 6:46:57 AM
to OWASP ZAP User Group
Hello Kingthorin,

Thanks for providing the information. I was able to generate the report via the client API.

Here is the sample code:
// Connect to the ZAP daemon started on localhost:8500
clientApi = new ClientApi("localhost", 8500);
core = new Core(clientApi);
// Fetch the HTML report through the API and write it to disk
FileOutputStream fos = new FileOutputStream("File path+ File name"+".html");
fos.write(core.htmlreport("change-me-9203935709"));
fos.close();

I call this sample code at the end of the suite execution.

Thanks,
-Hariprasad

kingthorin+owaspzap

Sep 19, 2017, 12:12:14 PM
to OWASP ZAP User Group
Thanks for letting us know.

thc...@gmail.com

Sep 20, 2017, 5:50:57 AM
to zaprox...@googlegroups.com
Hi.

Regarding API calls, it's recommended to specify the API key in the ClientApi
constructor:
clientApi = new ClientApi("localhost", 8500, "change-me-9203935709");

as it ensures the API key is always sent (views might also require the
key). Also, you no longer need to specify the key when calling the
endpoints:
clientApi.core.htmlreport()


Best regards.
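
The steps discussed in this thread (start the daemon, run the Selenium suite, then pull the report and stop ZAP) combined into one teardown helper, as an added example that is not code from any poster or from the ZAP project. It goes slightly beyond the thread by waiting for ZAP's passive scan queue to drain before the report is requested. The class name, the ZAP_API_KEY environment variable, the five-minute timeout and the output file name are assumptions; the client calls come from the zap-clientapi library.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

// Hypothetical helper: call writeReport() once, after the last Selenium test has finished.
public class ZapReportAfterSuite {

    public static Path writeReport(String host, int port, String apiKey, Path target)
            throws ClientApiException, IOException, InterruptedException {
        // Key goes in the constructor so it is sent with every request (views and actions).
        ClientApi zap = new ClientApi(host, port, apiKey);

        // Passive scanning of the proxied traffic runs asynchronously; a report pulled
        // while records are still queued can be missing alerts.
        long deadline = System.currentTimeMillis() + 5 * 60 * 1000L; // assumed timeout
        while (recordsToScan(zap) > 0) {
            if (System.currentTimeMillis() > deadline) {
                throw new IllegalStateException("ZAP passive scan queue did not drain in time");
            }
            Thread.sleep(2000);
        }

        // Same report as the htmlreport button in the API UI, returned as raw bytes.
        Files.write(target, zap.core.htmlreport());

        // Stop the daemon that was started before the suite.
        zap.core.shutdown();
        return target;
    }

    private static int recordsToScan(ClientApi zap) throws ClientApiException {
        ApiResponseElement queued = (ApiResponseElement) zap.pscan.recordsToScan();
        return Integer.parseInt(queued.getValue());
    }

    public static void main(String[] args) throws Exception {
        // Assumed variable name; the value must match the key the daemon was started with.
        String apiKey = System.getenv("ZAP_API_KEY");
        if (apiKey == null || apiKey.isEmpty()) {
            throw new IllegalStateException("ZAP_API_KEY is not set");
        }
        Path report = writeReport("localhost", 8500, apiKey, Paths.get("zap-report.html"));
        System.out.println("Report written to " + report.toAbsolutePath());
    }
}
```

Reading the key from the environment keeps it out of the test sources and build logs.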