How to open zap headless using automation framework/docker?


Aakash Gupta

May 24, 2022, 7:59:56 AM5/24/22
to OWASP ZAP User Group
Hi,

Problem statement: I have a bunch of selenium tests written with JavaScript. I want to run the tests with ZAP listening as a proxy, headless. Once the tests are complete, I would like to start an active scan against the application URL.

What I have tried so far is to run ZAP headless using /Applications/OWASP\ ZAP.app/Contents/Java/zap.sh -daemon. This does allow ZAP to listen, but once the tests are run, I would like to send a command to ZAP to start the active scan. In order to do this, I'll have to open another terminal tab/window and send such a command.

I want to avoid the above situation. What is the best way to utilise my selenium tests?

Simon Bennetts

May 24, 2022, 8:09:07 AM5/24/22
to OWASP ZAP User Group
The Automation Framework will handle this, but only if you use a weekly or live release (as the stable release doesn't start the proxy when running in command line mode).

The delay job is explicitly designed for this case: https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-delay/
As you'll see you have various options for ending the delay including specifying a timeout and monitoring a local file.
There's also an API endpoint you can use: /action/endDelayJob/

Will any of these options work?
If not can you suggest any other options we could support?

Cheers,

Simon

Aakash Gupta

May 25, 2022, 5:10:37 AM5/25/22
to OWASP ZAP User Group
Hi Simon,

I have downloaded the ZAP weekly version. Could you please elaborate on how the Automation Framework will start ZAP headless?

The output of the selenium tests generates multiple JUnit XML files, so we can't use file monitoring. We could go for a hard-coded timeout.

Simon Bennetts

May 25, 2022, 5:20:20 AM5/25/22
to OWASP ZAP User Group
The Automation Framework is best run using the ZAP command line option.
For details of how to run it in Docker see https://www.zaproxy.org/docs/docker/about/#automation-framework

Cheers,

Simon

Aakash Gupta

May 30, 2022, 8:23:43 AM5/30/22
to OWASP ZAP User Group
I have somewhat achieved this on a local machine; how to do it via Jenkins is still a WIP. Here are the steps on how to do it locally.
  1. Create a context in the UI
  2. Create an automation plan in the UI where:
    1. I added a delay job of 5 minutes.
    2. Active scan job
    3. Report
  3. Start the plan; while the delay job is running, start one selenium test that does everything like create, read and delete. ZAP will listen to your selenium test and record all requests done in that test.
    1. Once the delay job is done, the ZAP test which is the active scan will begin and produce a report at the end of the plan.
    2. Command to start the plan with headless ZAP: ./zap.sh -cmd -autorun /<path to automation plan>/<automation_plan_name>.yaml
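A complete plan matching the three jobs in the steps above, added here as an example and not the poster's own file; the context name, target URL (http://localhost:3000) and report directory are assumptions:

```yaml
# Added example plan (not from the thread): delay -> activeScan -> report.
# Assumed values: target http://localhost:3000, report directory /tmp/zap-reports.
env:
  contexts:
    - name: "app"                      # context name referenced by the jobs below
      urls:
        - "http://localhost:3000"      # assumed application URL (not ZAP's own proxy port)
      includePaths:
        - "http://localhost:3000.*"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: delay
    parameters:
      time: "5:00"                     # wait 5 minutes while the selenium tests run through the proxy
      fileName: ""                     # alternatively a file path: the job ends as soon as that file exists
  - type: activeScan
    parameters:
      context: "app"                   # scan only what the context above includes
      maxScanDurationInMins: 0         # 0 = no limit
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"    # assumed output directory
      reportFile: "zap-report"
      reportTitle: "ZAP Scanning Report"
```

Start it with the command from step 3.2 (`./zap.sh -cmd -autorun <plan>.yaml`) and run the selenium tests through ZAP's proxy while the delay job is counting down; the delay can also be cut short via the `/action/endDelayJob/` API endpoint Simon mentioned.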

AppSec LN

Feb 16, 2024, 5:01:18 AM2/16/24
to ZAP User Group
Hi Aakash and Simon,

Could you please add more details on Step 3 to create and run a selenium test through the automation framework?

I want to do the same in an Azure DevOps pipeline.

Thanks

Simon Bennetts

Feb 16, 2024, 5:07:43 AM2/16/24
to ZAP User Group
What sort of details are you after?
Specific questions are easier to answer :)

Cheers,

Simon

AppSec LN

Feb 16, 2024, 5:10:32 AM2/16/24
to ZAP User Group
Hi Simon,

I want to run a few selenium tests for better coverage. Could you please share any examples of how to create the scripts and include them in the automation framework?

Thanks,

Simon Bennetts

Feb 16, 2024, 5:17:17 AM2/16/24
to ZAP User Group
These would not be ZAP scripts.
You could still invoke them from ZAP, but I would create and test them first independently.
I have no examples for selenium tests but hopefully you'll be able to find suitable ones online.

Cheers,

Simon

AppSec LN

Feb 16, 2024, 5:27:25 AM2/16/24
to ZAP User Group
Could you please suggest any solution for more coverage? Currently the automation is not covering all pages. I've added all URLs in the requester, but still don't see many results. The POST requests are not following redirects.

Any suggestions to add better coverage? Like:
1. ZAP scripts
2. external scripts
3. running Java-based test cases, etc.