Install Updates and then start ZAP


sonawan...@gmail.com

Jul 15, 2022, 6:19:05 AM
to OWASP ZAP User Group
Hello,

I am running ZAP from Docker and I am running the ZAP addon update command (zap.sh -cmd -addonupdate).

But I observed that when ZAP starts picking up API instructions (such as set context, enable scripts, start spider, etc.), all of a sudden the console shows: ZAP found new updates and is installing them.

Then my process continues ahead, and in between ZAP updates in the background.

So I have two queries on this:
  1. Can ZAP still work 100% accurately, because sometimes scanning finishes (for smaller test packages) whereas updates are still going on in the background?
  2. Can't we stop ZAP from executing commands until it has updated itself completely?

Simon Bennetts

Jul 15, 2022, 8:53:37 AM
to OWASP ZAP User Group
Hiya,

This is something we are looking at.
In the meantime the recommended approach is to run a command like:

docker run -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh <any other options you need>"

Cheers,

Simon

sonawan...@gmail.com

Jul 15, 2022, 12:09:28 PM
to OWASP ZAP User Group
Hello Simon

Thank you for the response. I am doing the same as of now, but it's still not helping :(
Maybe we can add a flag to addonupdate that says no further updates are found, and then based on this response we can execute the ZAP code?
(I guess as of now the addonupdate command is not returning anything like this, even in UI mode or in daemon mode.)

sonawan...@gmail.com

Jul 15, 2022, 12:16:27 PM
to OWASP ZAP User Group
Hello Simon

I guess I can try playing around with the API for updatedAddons & installAddon in a loop sequence, and then based on the output I can execute the next API calls.

Let's give it a try :)

Simon Bennetts

Jul 18, 2022, 3:47:12 AM
to OWASP ZAP User Group
Can you explain why the suggested approach does not work for you?
I think it should work, and if it doesn't then we'll need to update our advice :)

Cheers,

Simon

sonawan...@gmail.com

Jul 19, 2022, 11:54:00 AM
to OWASP ZAP User Group
Hello Simon

My approach was:
  1. Inside the Dockerfile I wrote: RUN zap.sh -cmd -addonupdate
  2. I developed multiple functions such as startOwaspZap, defineContext, addRegexIntoContext, and so on
  3. The code inside startOwaspZap is:
  4. "/usr/local/zaproxy/zap.sh",
                    "-daemon",
                    "-host",
                    "0.0.0.0",
                    "-port",
                    "8090",
                    "-config",
                    "api.addrs.addr.name=.*",
                    "-config",
                    "api.addrs.addr.regex=true",
                    "-config",
                    "api.key=8uhfd4rrlmune7mveoedc7ckfm",
                    "-config",
                    "scanner.attackOnStart=true",
                    "-config",
                    "view.mode=attack",
                    "-Xmx1024m",
  5. Then from code, first I run Docker to get it spinning, then I execute the startOwaspZap function
  6. So technically after #1 I am running #4, the same as you mentioned (zap.sh -cmd -addonupdate; zap.sh <any other options you need>)
  7. But this is not helping me

Please accept my apology if I did not understand your response correctly.

Anyway, I tried the "updatedAddons" API and ran it in a while loop until it came back empty and then executed defineContext, addRegexIntoContext and such other functions ---> it worked :)
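The polling approach described in the last post (query updatedAddons until it comes back empty, then send the context, spider and scan calls), written out as an added example that is not the poster's code or the ZAP project's. It assumes the JSON API path `/JSON/autoupdate/view/updatedAddons/` and the `X-ZAP-API-Key` header; the `ZAP_BASE` and `ZAP_API_KEY` environment variable names, the timeout, and the requirement of two consecutive empty polls are choices made for this example.

```python
import json
import os
import time
import urllib.request

# Assumed names: ZAP_BASE and ZAP_API_KEY are environment variables chosen for this example.
ZAP_BASE = os.environ.get("ZAP_BASE", "http://127.0.0.1:8090")  # port 8090 as in the thread
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")  # keep the key out of source and image layers


def zap_get(path, timeout=10):
    """GET a ZAP JSON API endpoint and return the decoded JSON body."""
    req = urllib.request.Request(ZAP_BASE + path, headers={"X-ZAP-API-Key": ZAP_API_KEY})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def pending_updates(fetch=zap_get):
    """Return ids of installed add-ons that still have a newer version available."""
    body = fetch("/JSON/autoupdate/view/updatedAddons/")
    addons = next(iter(body.values()), [])  # the view wraps its list in a single key
    return [a.get("id", "?") if isinstance(a, dict) else str(a) for a in addons]


def wait_for_addon_updates(fetch=zap_get, interval=5.0, timeout=600.0,
                           stable_polls=2, sleep=time.sleep, clock=time.monotonic):
    """Poll until updatedAddons is empty on `stable_polls` consecutive polls.

    Returns True once quiet, False if `timeout` seconds pass first."""
    deadline = clock() + timeout
    quiet = 0
    while clock() < deadline:
        try:
            pending = pending_updates(fetch)
        except (OSError, ValueError, AttributeError):
            pending = None  # API not listening yet, or an unexpected body: not ready
        quiet = quiet + 1 if pending == [] else 0
        if quiet >= stable_polls:
            return True
        sleep(interval)
    return False


if __name__ == "__main__":
    if not wait_for_addon_updates():
        raise SystemExit("add-on updates still pending; not starting the scan")
    print("no pending add-on updates; safe to send context/spider/scan calls")
```

Failing closed on timeout keeps a pipeline from reporting a clean scan that ran while scan-rule add-ons were still being replaced.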