zap.sh api scan config


Ruskó Szilveszter

Apr 14, 2023, 9:01:32 AM4/14/23
to OWASP ZAP User Group
Dear all,

I would like to use zap.sh or zap.jar to scan an OpenAPI API, but I have not had much luck yet. (Docker is not an option.)

So I have a problem with the API scan with the jar (but it is also a problem with zap.sh). I have already installed the required add-ons, but it seems to me that it does not work at all.

# java --version
openjdk 11.0.18

# java -jar zap-D-2023-04-10.jar -h | grep "openapi"
        -openapifile <path>      Imports an OpenAPI definition from the specified file name
        -openapiurl <url>        Imports an OpenAPI definition from the specified URL
        -openapitargeturl <url>  The Target URL, to override the server URL present in the OpenAPI definition. Refer to the help for supported format.

# java -jar zap-D-2023-04-10.jar -cmd -addonlist | grep "OpenAPI"
Levo.ai levoai  v0.2.0  alpha   Build OpenAPI Specs with ZAP traffic using Levo.ai.
OpenAPI Support openapi v34.0.0 beta    Imports and spiders OpenAPI definitions.

# java -jar zap-D-2023-04-10.jar \
-cmd \
-addonupdate \
-config api.disablekey=true \
-openapitargeturl https://foo.com/swagger/v1/swagger.json

and it gives back nothing, just a blank line. I have also started it in daemon mode, but I got the same result:

20615 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on update check complete
20639 [ZAP-daemon] INFO  org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on localhost:8080
(end of the log)

Does anyone have a working config for OpenAPI API scanning with zap.sh or the .jar? Do you have any suggestions for this config?

Simon Bennetts

Apr 14, 2023, 9:06:16 AM4/14/23
to OWASP ZAP User Group
If you can't use Docker then I'd recommend using the Automation Framework (AF): https://www.zaproxy.org/docs/automate/automation-framework/
You can try it out in the ZAP desktop to start with if you like and then export the AF plan to use from the command line.

Cheers,

Simon
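As an added example of the approach recommended above (this is not code from the thread or from the ZAP project), the script below writes an Automation Framework plan that imports an OpenAPI definition, active-scans everything under the target, and writes a JSON report, then runs it headless with `zap.sh -cmd -autorun`. The job and parameter names follow the AF documentation linked above; `https://foo.com`, its swagger URL and `/opt/data/zaproxy` are the placeholders already used in this thread, while the group-writable home directory, the report directory and the `ZAP_RUN` guard are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ZAP project: write an
# Automation Framework plan for an OpenAPI scan and run it headless with
# "zap.sh -cmd -autorun". Placeholder values: https://foo.com and its swagger
# URL (from the thread), /opt/data/zaproxy as a shared ZAP home (from the
# thread), /tmp/zap-reports as report directory (assumption).

# write_plan OUT_FILE TARGET_URL SPEC_URL REPORT_DIR
# The openapi job needs both apiUrl (where the definition lives) and
# targetUrl (the server that actually gets hit); the context must cover
# targetUrl, otherwise the activeScan job has nothing in scope.
write_plan() {
  out=$1; target=$2; spec=$3; report_dir=$4
  cat > "$out" <<EOF
env:
  contexts:
    - name: "api"
      urls:
        - "$target"
      includePaths:
        - "$target/.*"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: addOns
    install:
      - openapi
  - type: openapi
    parameters:
      apiUrl: "$spec"
      targetUrl: "$target"
      context: "api"
  - type: activeScan
    parameters:
      context: "api"
  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "$report_dir"
      reportFile: "api-scan"
EOF
}

# run_plan ZAP_HOME PLAN_FILE
# -dir points ZAP at a shared home so add-ons installed there (rather than
# in ~/.ZAP of whoever ran -addoninstallall) are found by the CI user.
run_plan() {
  zap.sh -cmd -dir "$1" -autorun "$2"
}

main() {
  plan=${TMPDIR:-/tmp}/zap-api-plan.yaml
  write_plan "$plan" "https://foo.com" \
    "https://foo.com/swagger/v1/swagger.json" "/tmp/zap-reports"
  run_plan /opt/data/zaproxy "$plan"
}

# Launch ZAP only when explicitly asked, so the functions can be sourced
# or tested without a ZAP install present.
if [ "${ZAP_RUN:-0}" = 1 ]; then
  main
fi
```

Run it with `ZAP_RUN=1 sh zap-api-scan.sh` on the CI host. `failOnError: true` makes the plan stop on a broken job (for example an unreachable `apiUrl`) instead of reporting a clean scan that never imported anything; the `addOns` job keeps the plan self-contained if the shared home does not yet have the OpenAPI add-on.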

Ruskó Szilveszter

Apr 14, 2023, 9:16:24 AM4/14/23
to OWASP ZAP User Group
Thanks, but I have to implement this in a CI/CD pipeline without Docker, so I should use it from "source" somehow.
Could you give me an example for that? I already generated a YAML for that purpose, but when I added the apiUrl it was overwritten to null.

Simon Bennetts

Apr 18, 2023, 11:00:44 AM4/18/23
to OWASP ZAP User Group
Can you share the yaml you tried to use?
You can obfuscate any sensitive information.

Cheers,

Simon

Simon Bennetts

Apr 19, 2023, 9:54:37 AM4/19/23
to OWASP ZAP User Group

Ruskó Szilveszter

Apr 21, 2023, 4:55:13 AM4/21/23
to OWASP ZAP User Group
Thank you, meanwhile I have managed it successfully :)
But I have a strange behaviour: I installed it like this and I got this error:

root@host:~$ mkdir -p /etc/zaproxy && mkdir -p /opt/data/zaproxy/configs && \
chmod +x /tmp/ZAP_2_12_0_unix.sh && \
/tmp/ZAP_2_12_0_unix.sh -q -dir /etc/zaproxy && \
zap.sh -cmd -addoninstallall
root@host:~$ exit
user@host:~$ zap.sh -h
Found Java version 11.0.18
Available memory: 6205 MB
Using JVM args: -Xmx1551m
595 [main] INFO  org.parosproxy.paros.Constant - Copying default configuration to /home/user/.ZAP/config.xml
705 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/user/.ZAP/session
709 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/user/.ZAP/dirbuster
710 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/user/.ZAP/fuzzers
711 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/user/.ZAP/plugin
Failed to start ZAP. The mandatory add-on was not found: callhome
Refer to https://www.zaproxy.org/docs/developer/ if you are building ZAP from source.

Could you help, please?
Thank you,

thc...@gmail.com

Apr 21, 2023, 5:30:52 AM4/21/23
to zaprox...@googlegroups.com
Hi.

Run the step that installs all add-ons as the normal user instead.

The problem is this:
https://github.com/zaproxy/zaproxy/issues/7703

Even without that issue you should install them as the normal user,
because they are updated/installed to the ZAP home dir (each user
has their own). Alternatively you can specify/use a common ZAP home dir
(i.e. the `-dir` arg).

Best regards.

Ruskó Szilveszter

Apr 21, 2023, 5:40:04 AM4/21/23
to OWASP ZAP User Group
Hi,

Thank you. Do you have an example of how I can create this common dir with the right permissions?

Best Regards,

thc...@gmail.com

Apr 21, 2023, 6:16:46 AM4/21/23
to zaprox...@googlegroups.com
If you want to go with that, just run the current command with `-dir`
and then change the permissions (`chmod`) of the resulting dir to allow
other users to read/write.

Best regards.
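As an added example of the shared-home setup described in this reply (not code from the thread or from the ZAP project): the script below creates one ZAP home directory that the installing account and the CI account both use, installs the add-ons into it with `-dir`, and then opens group read/write on everything ZAP created. `/opt/data/zaproxy` and the account name `user` come from the thread; the group name `zap`, the setgid bit on the directory and the `ZAP_RUN` guard are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ZAP project: one ZAP
# home shared by root (who installs add-ons) and the CI user (who scans).
# Path /opt/data/zaproxy and the user name "user" are from the thread; the
# group "zap" is an assumption.

# prepare_zap_home DIR GROUP
# Create DIR owned by GROUP, setgid (2xxx) so files ZAP creates later inherit
# the group, and group-writable so add-on updates by any member succeed.
prepare_zap_home() {
  dir=$1; grp=$2
  mkdir -p "$dir"
  chgrp "$grp" "$dir" 2>/dev/null \
    || echo "warning: group '$grp' not found, leaving group unchanged" >&2
  chmod 2775 "$dir"
}

# install_addons DIR
# -dir keeps config.xml and plugin/ under DIR instead of ~/.ZAP of the
# account that runs this, which is the mistake the thread hit.
install_addons() {
  zap.sh -cmd -dir "$1" -addoninstallall
}

# fix_perms DIR GROUP
# ZAP has now written under DIR with the installer's umask; re-open it for
# the group (X keeps directories traversable without making files +x).
fix_perms() {
  chgrp -R "$2" "$1" 2>/dev/null || true
  chmod -R g+rwX "$1"
}

# is_shared DIR: succeeds if DIR is a directory with setgid and group rwx.
is_shared() {
  [ -d "$1" ] && [ -n "$(find "$1" -prune -perm -2070 -print)" ]
}

main() {
  ZAP_HOME=/opt/data/zaproxy
  groupadd -f zap
  usermod -aG zap user            # the CI account that will run the scans
  prepare_zap_home "$ZAP_HOME" zap
  install_addons "$ZAP_HOME"
  fix_perms "$ZAP_HOME" zap
  is_shared "$ZAP_HOME" && echo "ok: $ZAP_HOME is shared with group zap"
}

# Only touch the system (groups, zap.sh) when explicitly asked.
if [ "${ZAP_RUN:-0}" = 1 ]; then
  main
fi
```

Run it as root with `ZAP_RUN=1 sh zap-shared-home.sh`, then have the CI job call `zap.sh -cmd -dir /opt/data/zaproxy ...` so it finds the add-ons there; without `-dir` each account is back to its own `~/.ZAP` and the "mandatory add-on was not found" error returns.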