Using ZAP with other vulnerability scanners


d4nd!

Oct 4, 2023, 6:26:20 AM
to ZAP User Group
Hi everyone,
ZAP is perfect when it comes to scanning web applications, but it is limited only to that.
What I would need is to integrate it with other vulnerability scanning software on the network and hosts, for example OpenVAS.
I therefore ask you if it is possible to combine it with this, if anyone has used OpenVAS with ZAP.
I would like to know if ZAP participates in the OSP (Open Scanner Protocol) and if it is therefore possible, I don't know, from another system (such as OpenVAS) to use it to scan Web Applications.
Thank you all.

Simon Bennetts

Oct 4, 2023, 7:49:08 AM
to ZAP User Group
Hiya,

I must admit I hadn't heard of Open Scanner Protocol until you mentioned it :)
So no, ZAP does not currently participate in OSP.
Do any scanners other than OpenVAS support OSP?
What benefits would OSP support bring?

It looks like it's related to https://github.com/greenbone/ospd which has been archived :/

Cheers,

Simon

d4nd!

Oct 4, 2023, 8:09:56 AM
to ZAP User Group
OSP has now been merged and should be referenced here: https://github.com/greenbone/ospd-openvas
Are you aware of anything else though? Any other methodology that allows you to combine and use different scanners and therefore obtain, through the use of a single tool, all the results?
This is because my goal is to automate everything, therefore automate scans both at the network level up to the application level. Currently, if there are many hosts to scan, the job becomes a bit cumbersome.

As for the benefits of OSP,
The Open Scanner Protocol is designed to allow controlling various vulnerability scanners. These scanners must either offer the OSP protocol on their own or be connected via an adapter (“OSP wrapper”).
The Greenbone UI allows configuring OSP scanners via the Configuration/Scanner section.
OSP scanners can also be controlled via GVM-Tools.
Taking a look, however, I was unable to understand if ZAP can be used in this way and therefore integrate it with OpenVAS.
If anyone else knows of some other tool or methodology that eludes me now to be able to do this, that would be great!

Simon Bennetts

Oct 4, 2023, 10:47:51 AM
to ZAP User Group
So which scanners can currently be controlled by OSP, and which tools can be used to control those scanners?

Cheers,

Simon

d4nd!

Oct 4, 2023, 11:14:44 AM
to ZAP User Group
Oh well, idk ahhah 
I asked also for this 
cheers

Simon Bennetts

Oct 4, 2023, 11:31:08 AM
to ZAP User Group
I'm certainly not against adding OSP support .. but we have very limited resources, so I'm trying to find out what the benefits to people will be.
I don't expect you to know them :)
However this is the first time someone's asked for this (that I can remember) so it's not going to be high priority.
If a load of other people start asking for this then there's more chance we will look into it..

Cheers,

Simon

d4nd!

Oct 6, 2023, 4:21:44 AM
to ZAP User Group
I would like to ask you for some information: one of my goals is to create digital twins of a scanned network.
The precise objective would be this:
perform vulnerability scans with ZAP and another network-level scanner (like OpenVAS) and obtain the reports in xml/json etc.
From this output I would like to create a digital twin of the network just scanned, and then subsequently carry out a penetration test in this digital twin without stressing the real, original network.
I would like to ask you if you have any advice, I know that I have to use artificial intelligence models etc... but I would like to know if you already have any knowledge in this area, if you have any references and advice!
Thank you for your availability and I hope you can help me!