Trying to embed ASVS Python scripts into ZAP


dy dx

Feb 3, 2022, 1:20:24 AM
to OWASP ZAP User Group

Hi all, 

I'm a student trying out ZAP and I chanced upon this really cool article: 

https://www.zaproxy.org/blog/2021-02-10-automate-checking-asvs-controls-using-zap-scripts/

I have been trying to use Docker to run the scan (as automation is the end goal) and use these ASVS scripts, but I can't seem to get it to work. It displays the missing hook error. (The scripts aren't hooks.)


These are my commands:

git clone https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide/ && cd OWASP-ASVS-4.0-testing-guide/ZAP-scripts

docker run --rm -v $(pwd):/home/zap -w /home/zap owasp/zap2docker-stable:2.10.0 /bin/bash -c "cd ..; zap-baseline.py -t https://example.com -j zap-output.json -z \"--script /src/14-5-1-HTTP-methods.py\""

Please send help!! 


Regards,

Ding Yang

Newbie ZAPPER

Simon Bennetts

Feb 3, 2022, 7:04:02 AM
to OWASP ZAP User Group
Hiya,

Even though automation is the goal I'd suggest first trying to get the scripts to run in the ZAP Desktop - they will be much easier to debug that way.
I think the scripts in the repo are active scan rules.
The ZAP command line "-script" option is just for running standalone scripts so that won't be any good for them.
Have a look at this FAQ about adding ZAP scripts from the command line: https://www.zaproxy.org/faq/how-do-you-add-a-script-to-zap-from-the-command-line/

Cheers,

Simon