scan multiple urls using command zap.bat inside windows server

165 views
Skip to first unread message

Sohail Ahmed

unread,
Oct 22, 2019, 11:26:34 AM10/22/19
to OWASP ZAP User Group
I am trying to execute a command to scan multiple urls generating a single report having alerts for all the urls.
I can achieve this using the UI mode, by importing the urls from file and then scan.
But would like to understand how to do the same using the command prompt.
Currently I an executing this command to execute single url: -

zap.bat -quickurl myurl -quickout C:\temp\zap_report.xml -quickprogress -cmd -silent

Thank you.

Simon Bennetts

unread,
Oct 22, 2019, 11:35:05 AM10/22/19
to OWASP ZAP User Group
I dont think you'll be able to do that I'm afraid.
ZAP is extremely flexible but the command line options are limited.
However you can have complete control over ZAP via the API.
You could start with the full packaged scan (zap-full-scan.py) and change it to read in a file with a list of URLs and then look through those spidering and then active scanning them.
That script uses docker, but you can change it to run ZAP locally (ie not in a container) if you like.

Cheers,

Simon
Message has been deleted
Message has been deleted

Sohail Ahmed

unread,
Oct 22, 2019, 1:11:02 PM10/22/19
to OWASP ZAP User Group
Thank you Simon,
Ultimately I have to execute the command via Jenkins. I have integrated Jenkins with OWASP plugin as well. But there as well I am not able to achieve this.
Do you know any way using Jenkins we can achieve this multi site scan, having a single report.
Also as you said "change it to read in a file with a list of URLs", how can we achieve this in command.

Peter Hauschulz

unread,
Oct 23, 2019, 2:22:05 AM10/23/19
to OWASP ZAP User Group
Good questions!

You're right, the Jenkins plugin isn't really designed for customizable use cases, though I think you could create a session/context in the UI, save it, and then use the plugin to import that as a starting point.

Anyway, since Jenkins can run shell/batch commands, it can do anything we can. 

One option would be to make sure the Jenkins server/node has python installed, and then you can use one of the premade python scan scripts, and adjust the script itself to your taste (or whatever fits easiest). 

Another option is using Jenkins itself as a 'task handler', where you can have Jenkins start up ZAP in one job, while also starting a second job that is nothing but curl requests to the waiting ZAP API. (openurl, scan, report, shutdown, etc)

Hope that helps!
Reply all
Reply to author
Forward
0 new messages