Hi all,
I've been looking into automated headless spidering and scanning with OWASP ZAP to integrate automated scans in our development process using Jenkins CI.
My goal is to launch ZAP from a Jenkins build, automatically spider and scan a (single page) webapp and display the results in the Jenkins build.
I've put together a small Python script that does this in a few steps:
1. Install PhantomJS using npm
2. Start ZAP, set the AJAX spider browserId to phantomjs and pass the path to the PhantomJS binary.
3. Wait until ZAP is launched.
4. Start spidering, wait until complete.
5. Start AJAX spidering, wait until complete.
6. Start active scan, wait until complete.
7. Write JSON results to disk.
I've written a small web page that uses JavaScript to parse the JSON report and shows it in a human-readable format.
This report is published in Jenkins using the HTML publisher plugin.
The source code for the script above is on
https://github.com/bertjan/zap-cmdline.
It's still a bit basic and can definitely use more documentation, but it should still be useful when you know a bit of Python (and I'm a Python novice..).
Just wanted to share my findings. I've only worked with ZAP (and with Python) for a couple of hours now, and I'm probably missing a few pieces of the puzzle, so feedback is highly appreciated!
Regards,
Bert Jan
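As an added illustration of steps 2 to 7 above (not the script from the repository linked in the post), the following drives ZAP's JSON API directly with urllib: spider, AJAX spider with browserId set to phantomjs, active scan, then alerts written to disk. The localhost:8080 address, the empty API key, the `fetch` hook (so the polling logic can be exercised without a live ZAP) and the assumption that ZAP is already running with PhantomJS configured are all mine.

```python
import json
import time
import urllib.parse
import urllib.request


class ZapClient:
    """Minimal wrapper over ZAP's JSON API: GET /JSON/<component>/<action|view>/<name>/."""

    def __init__(self, base="http://127.0.0.1:8080", apikey="", fetch=None, delay=2.0):
        self.base, self.apikey, self.delay = base, apikey, delay
        # fetch(path, params) -> dict; defaults to a real HTTP GET, replaceable for testing
        self.fetch = fetch or self._http_get

    def _http_get(self, path, params):
        query = urllib.parse.urlencode({**params, "apikey": self.apikey})
        with urllib.request.urlopen(f"{self.base}{path}?{query}") as resp:
            return json.loads(resp.read().decode())

    def call(self, component, kind, name, **params):
        return self.fetch(f"/JSON/{component}/{kind}/{name}/", params)

    def wait_for(self, is_done):
        """Poll until the callback reports completion (ZAP scans are asynchronous)."""
        while not is_done():
            time.sleep(self.delay)

    def spider(self, target):
        scan_id = self.call("spider", "action", "scan", url=target)["scan"]
        self.wait_for(lambda: int(self.call("spider", "view", "status", scanId=scan_id)["status"]) >= 100)

    def ajax_spider(self, target, browser_id="phantomjs"):
        self.call("ajaxSpider", "action", "setOptionBrowserId", String=browser_id)
        self.call("ajaxSpider", "action", "scan", url=target)
        # AJAX spider status is "running" while active and "stopped" once finished
        self.wait_for(lambda: self.call("ajaxSpider", "view", "status")["status"] != "running")

    def active_scan(self, target):
        scan_id = self.call("ascan", "action", "scan", url=target)["scan"]
        self.wait_for(lambda: int(self.call("ascan", "view", "status", scanId=scan_id)["status"]) >= 100)

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def run_pipeline(zap, target, report_path=None):
    """Steps 4-7 of the post: spider, AJAX spider, active scan, then dump alerts as JSON."""
    zap.spider(target)
    zap.ajax_spider(target)
    zap.active_scan(target)
    alerts = zap.alerts(target)
    if report_path:
        with open(report_path, "w") as f:
            json.dump({"target": target, "alerts": alerts}, f, indent=2)
    return alerts
```

Run it from the Jenkins job as `run_pipeline(ZapClient(), "http://your-app", "zap-report.json")` after ZAP has started; the JSON file is what a report page or the HTML publisher plugin would pick up.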