How to do Bulk Baseline/Full Scan

68 views
Skip to first unread message

Chaitanya CSE

unread,
Jun 28, 2022, 7:18:30 AMJun 28
to OWASP ZAP User Group
Team,

How can I perform a baseline/full scan by passing the list of domains via file? please assist. thanks.

EX: docker run -t owasp/zap2docker-stable zap-baseline.py -t domains.txt

domains.txt contains:

Regards,
Chaitanya D

Simon Bennetts

unread,
Jun 28, 2022, 7:29:08 AMJun 28
to OWASP ZAP User Group
You would need to write a wrapper around the calls to the packaged scans - they are designed to just scan one site/domain at a time.
Have a look at https://github.com/zaproxy/community-scripts/tree/main/api/mass-baseline - this is no longer maintained but could be a good starting point.

Cheers,

Simon

Chaitanya CSE

unread,
Jun 30, 2022, 9:26:58 AMJun 30
to zaprox...@googlegroups.com
Thanks Simon and can you please assist me with the below error?

I'm running ZAP baseline scan on a particular URL where I need to save the scan results in HTML format. thanks.

image.png

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/26aedc03-6705-4577-a08a-0135bfb30a8cn%40googlegroups.com.

Simon Bennetts

unread,
Jun 30, 2022, 9:54:33 AMJun 30
to OWASP ZAP User Group
See the error message :)
With the options you have chosen you need to mount a /zap/wrk directory.
  • If you use ‘file’ params then you need to mount the directory those file are in or will be generated in, eg
  • docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com -g gen.conf -r testreport.html
Cheers,

Simon

Chaitanya CSE

unread,
Jul 4, 2022, 6:30:31 AMJul 4
to zaprox...@googlegroups.com
the err still persists, but by adding the --user root the error is resolved now.

Is there any possibility of eliminating False Positives in the following scan using CLI (I meant the above way)?

You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/axv3g9rcgZs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/aa18d521-d4c9-4d75-a886-3210585a8c6dn%40googlegroups.com.

Simon Bennetts

unread,
Jul 6, 2022, 4:56:09 AMJul 6
to OWASP ZAP User Group
Er, so is that all ok now?


Cheers,

Simon

Chaitanya CSE

unread,
Jul 11, 2022, 8:26:29 AMJul 11
to zaprox...@googlegroups.com
Yeah, kind of. but I'm unable to see the reports on the filesystem after running this command but the scan was successful. any ideas?

docker run -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable zap-baseline.py -t $(cat domains.txt) -r scan.html

domains.txt


Simon Bennetts

unread,
Jul 13, 2022, 9:01:55 AMJul 13
to OWASP ZAP User Group
The "-t" parameter only accepts one target - supplying multiple ones will not work.

Cheers,

Simon

Chaitanya CSE

unread,
Jul 25, 2022, 9:00:32 AMJul 25
to OWASP ZAP User Group
Thanks, Simon, got it, can we track all the scans/status/vulnerabilities on the dashboard? I mean do these scans reflect on any dashboard/URL?

Simon Bennetts

unread,
Jul 25, 2022, 9:04:34 AMJul 25
to OWASP ZAP User Group
ZAP currently only persists things to the session db.
If you want to implement a dashboard you'll need to persist them somewhere else and create the dashboard - thats out of ZAP's scope :)

Cheers,

Simon
Reply all
Reply to author
Forward
0 new messages