Running ZAP in cmd or daemon mode


Wendell Fry

Dec 13, 2016, 12:32:09 PM12/13/16
to OWASP ZAP User Group
I'm looking at sending our code to our client and then giving them a simple way to use ZAP to scan the code for themselves, besides them just using Fortify.
ZAP in medium attack mode takes over 3 days and in Low mode takes under 2 days to scan the code locally on my machine, so we want to possibly use command line or daemon mode.

I'm thinking we need to tell command or daemon where to attack, and where to save the results to (newsession).  I suppose it will want the proper permissions and context (which is in the context file).

I'm having a problem. I use the command: zap -cmd -newsession E:\OWASP_ZAP\sessions\20161213-01-1106am.session -quickurl http://localhost -quickprogress
and I get "Failed to attack the URL: Received a 401 response code."

If I use "localhost:8090" I first get "spidering" and then get "Failed to attack the URL: Scans are not allowed on targets not in scope when in Protected mode: http://localhost:8090."

I presume that it's pulling the mode from my config file, so it would need a context file scope to go by, which should be http://localhost (which it used when I was scanning in Protected mode in the GUI).  So localhost must be in scope (not sure), but it is not giving a proper response, giving out the 401 response code.

Am I on the right track?  Any suggestions?  In the GUI, spidering localhost gave us the full url list, and then "active scan" gave us the necessary results.  Want to do that with the cmd prompt.  Thanks!  - Wendell

Wendell Fry

Dec 13, 2016, 1:28:56 PM12/13/16
to OWASP ZAP User Group
I've been reading and reading as much as possible in the help files, forums and links.  Thanks, still need help.

Simon Bennetts

Dec 16, 2016, 5:01:32 AM12/16/16
to OWASP ZAP User Group
Hi Wendell,

Replies inline:

On Tuesday, 13 December 2016 18:28:56 UTC, Wendell Fry wrote:
> I've been reading and reading as much as possible in the help files, forums and links.  Thanks, still need help.
>
> On Tuesday, December 13, 2016 at 11:32:09 AM UTC-6, Wendell Fry wrote:
> > I'm looking at sending our code to our client and then giving them a simple way to use ZAP to scan the code for themselves, besides them just using Fortify.
> > ZAP in medium attack mode takes over 3 days and in Low mode takes under 2 days to scan the code locally on my machine, so we want to possibly use command line or daemon mode.

Urg, that's not great :/
Have you had a look at my blog post on this: https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

> > I'm thinking we need to tell command or daemon where to attack, and where to save the results to (newsession).  I suppose it will want the proper permissions and context (which is in the context file).
> >
> > I'm having a problem. I use the command: zap -cmd -newsession E:\OWASP_ZAP\sessions\20161213-01-1106am.session -quickurl http://localhost -quickprogress
> > and I get "Failed to attack the URL: Received a 401 response code."
> >
> > If I use "localhost:8090" I first get "spidering" and then get "Failed to attack the URL: Scans are not allowed on targets not in scope when in Protected mode: http://localhost:8090."
> >
> > I presume that it's pulling the mode from my config file, so it would need a context file scope to go by, which should be http://localhost (which it used when I was scanning in Protected mode in the GUI).  So localhost must be in scope (not sure), but it is not giving a proper response, giving out the 401 response code.

Yes, ZAP uses the same configs for UI, daemon and cmd mode.
However, you probably want to explicitly set all of the configs so that your client will get the same ones.
There are 2 easy ways to get a 'clean' config:
  1. Use the '-dir <dir>' parameter, specifying an empty (or non-existent) directory
  2. Use one of the ZAP docker images - that might make it even easier for your client to set up

While Protected mode is a very good option for the UI, I wouldn't recommend it for automation. Just leave ZAP in Standard mode and you won't have to worry about setting up contexts.

However, if you really do want to use it then we can talk you around the problems you're seeing.

> > Am I on the right track?  Any suggestions?  In the GUI, spidering localhost gave us the full url list, and then "active scan" gave us the necessary results.  Want to do that with the cmd prompt.  Thanks!  - Wendell

I must admit I don't use the -cmd option very much, I find it too restrictive ;)
Instead I start ZAP in daemon mode and drive it via the API (using Python).
See if the cmd option works for you (if so, great ;) but if you need more control then we can help you drive ZAP via the API - once you've got it set up it should work well.

Cheers,

Simon

Wendell Fry

Feb 2, 2017, 4:20:33 PM2/2/17
to OWASP ZAP User Group
Simon,

My main problems are speed and authentication, so we are looking again at -cmd, but now we don't have to scan our whole repository.

I have a more clear direction from my boss on what we want to do with our code scanning.

  • We will do a "before" and "after" scan of our changed files (and dependencies) only, for each change (maybe mostly spidering)
  • We will do it in-house
  • Speed is key, and the least amount of user interaction possible. (I will study our ZAP-GUI scans in light of your "How To Speed Up OWASP ZAP scans" blog)
  • Authentication and Context are musts.
  • We are looking at the -cmd line for this
I found params in the config file inside the connection param with username and password.
I tried:

    zap -cmd -newsession E:\OWASP_ZAP\sessions\2017-02-02-03-0300pm.session -configfile "C:\Users\wfry\OWASP ZAP\config.xml" -quickurl http://localhost:8090 -quickprogress

and I get "[Fatal Error] config.xml:1:1:1: Premature end of file." (I get 3 lines of that), then "Failed to attack the URL: Connection refused: connect"

I tried to modify the connection portion of the config file, changing <userName/> to <userName>MyUserName</userName>, and the same for password (and enabling it all, below), but still get the connection error.

Simon Bennetts

Feb 13, 2017, 4:47:15 AM2/13/17
to OWASP ZAP User Group
Hi Wendell,

"Connection refused" implies that ZAP is not able to contact your application on http://localhost:8090.
That's probably a networking issue rather than a ZAP configuration issue.
Can you access that URL from the OS command line using a tool like curl?

Cheers,

Simon

Wendell Fry

Feb 13, 2017, 3:40:07 PM2/13/17
to OWASP ZAP User Group
Thanks, Simon, I've figured that the failure to connect is because of the mandatory need for authentication, which is not possible with cmd yet, without a context switch available.

Wendell Fry

Feb 14, 2017, 2:41:03 PM2/14/17
to OWASP ZAP User Group
Simon, the "script" switch for using the command line: if we create and reference a login script (hard-coding credentials), will -cmd -quickurl use it?  I know I've requested a context switch, but just trying to produce results as soon as possible.  I've had success with -daemon and the API, but they are looking for an even more streamlined process if possible.

Simon Bennetts

Feb 15, 2017, 4:27:16 AM2/15/17
to OWASP ZAP User Group
Try it and see? :)
It _might_ do, but if so it would only run once and obviously wouldn't detect if you were no longer logged in.
I'm afraid the command-line quick scan is quite limited - I'm happy for us to extend it but I can't really see it coming close to matching the flexibility you get with the API.
Using the API can take a while to set up, but once you get it going it can all be done with a couple of scripts.
We have some examples we use in the zapbot repo, e.g.: https://github.com/zapbot/zap-mgmt-scripts/tree/master/wavsep

Cheers,

Simon

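The daemon-plus-API workflow Simon describes in his two replies above (start ZAP with '-daemon', give it a clean '-dir', then spider, active-scan and read alerts over the API), written out as an added example. This is not code from the thread or from the zapbot repo he links; it uses only the Python standard library and assumes a ZAP daemon on 127.0.0.1:8080 started with an API key of CHANGE-ME (placeholder), the application under test on http://localhost:8090 as in Wendell's command, and the ZAP JSON API endpoints spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status and core/view/alerts. The FakeZap class is a constructed stand-in so the flow can be exercised without a running daemon:

```python
"""Drive a ZAP daemon over its JSON API (standard library only).

Assumed daemon start, with a clean config dir and a fixed API key
(placeholder values, not from the thread):
    zap.bat -daemon -port 8080 -dir C:\zap-clean -config api.key=CHANGE-ME
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"   # assumed daemon address
API_KEY = "CHANGE-ME"               # placeholder, must match -config api.key=
TARGET = "http://localhost:8090"    # application under test, as in the thread


def api_url(component, kind, name, params=None, base=ZAP_API, apikey=API_KEY):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?..."""
    query = dict(params or {})
    query["apikey"] = apikey
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def http_get_json(url):
    """Real transport: GET the URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def poll_until_done(fetch, component, scan_id, interval=2.0):
    """Poll /<component>/view/status/ until ZAP reports 100 percent complete."""
    while True:
        status = fetch(api_url(component, "view", "status", {"scanId": scan_id}))
        pct = int(status["status"])
        if pct >= 100:
            return pct
        time.sleep(interval)


def run_scan(target=TARGET, fetch=http_get_json, interval=2.0):
    """Spider the target, then active-scan it, then return the alert list."""
    spider = fetch(api_url("spider", "action", "scan", {"url": target}))
    poll_until_done(fetch, "spider", spider["scan"], interval)
    ascan = fetch(api_url("ascan", "action", "scan", {"url": target}))
    poll_until_done(fetch, "ascan", ascan["scan"], interval)
    alerts = fetch(api_url("core", "view", "alerts", {"baseurl": target}))
    return alerts["alerts"]


def summarize(alerts):
    """Count alerts by ZAP risk level (High / Medium / Low / Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


class FakeZap:
    """Constructed stand-in for a ZAP daemon so the flow runs offline.

    Each status endpoint reports 50% on its first poll and 100% after that,
    so poll_until_done is exercised at least twice per scan type.
    """

    def __init__(self):
        self.polls = {"spider": 0, "ascan": 0}

    def fetch(self, url):
        path = urllib.parse.urlsplit(url).path
        if path == "/JSON/spider/action/scan/":
            return {"scan": "0"}
        if path == "/JSON/ascan/action/scan/":
            return {"scan": "1"}
        for comp in ("spider", "ascan"):
            if path == f"/JSON/{comp}/view/status/":
                self.polls[comp] += 1
                return {"status": "50" if self.polls[comp] == 1 else "100"}
        if path == "/JSON/core/view/alerts/":
            return {"alerts": [  # constructed sample alerts, not real scan output
                {"risk": "Medium", "alert": "X-Frame-Options Header Not Set"},
                {"risk": "Low", "alert": "Cookie Without Secure Flag"},
                {"risk": "Low", "alert": "X-Content-Type-Options Header Missing"},
            ]}
        raise ValueError(f"unexpected API call: {path}")


if __name__ == "__main__":
    # Offline dry run against the fake; swap in fetch=http_get_json for a real daemon.
    found = run_scan(fetch=FakeZap().fetch, interval=0)
    print(json.dumps(summarize(found), indent=2))
```

Because the transport is a parameter, the same run_scan function talks to a real daemon with the default fetch and to the constructed FakeZap for a dry run; the status polling loop is what keeps the script from reading alerts before the active scan has finished.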
Wendell Fry

Feb 15, 2017, 4:30:38 PM2/15/17
to OWASP ZAP User Group
Thanks, Simon, I've been working with the API, lately.  I finally found the Alerts in the "Core" section.  A full scan of our code took 17 hours as opposed to 81 with the GUI, much better, but we will be only doing targeted scans.  So I'm practicing.  As to using scripts, I'm a novice, learned a little bit of python and starting javascript, but do we write them and put them in the scripts folder?  Is that how we use them, by referencing them?  I'll look at the link you sent, thanks!  You're awesome.  So glad you are so accessible!

ashikali maner

Jan 23, 2018, 7:14:56 AM1/23/18
to OWASP ZAP User Group
How did you run ZAP as a daemon thread using Windows? Please let me know.

Simon Bennetts

Jan 23, 2018, 7:34:14 AM1/23/18
to OWASP ZAP User Group
Run ZAP using the zap.bat script with the '-daemon' flag.
The zap.bat file will typically be in \Program Files\OWASP\Zed Attack Proxy\