Baseline Scan


Vicky

Aug 2, 2021, 6:42:49 AM
to OWASP ZAP User Group

Hello,

I am planning to use the baseline scan as below:


1. Start the baseline scan on a port, say 8090

docker run -v C:/Users/abc/baseline:/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t http://example.com/ -r testreport.html -D 600 -P 8090

2. Start running the automated UI test cases proxied through ZAP on port 8090.

3. After 10 minutes the baseline scan will start.

To test if this approach works, I started the baseline scan with the command mentioned in #1. I also configured port 8090 in Firefox on my machine as below:

[screenshot: proxy.PNG]

Then I started manually browsing the page http://example.com. However, I got the error below:

[screenshot: proxy_error.PNG]


I also tried mapping the port and then running as below:

docker run -v C:/Users/abc/baseline:/zap/wrk/:rw -p 8090:8090 -t owasp/zap2docker-stable zap-baseline.py -t http://example.com/ -r testreport.html -D 600 -P 8090

But the issue remains the same.

Can someone please help me to resolve this? What am I doing wrong here?

(Note: instead of starting the ZAP container, if I start the ZAP desktop configured on port 8090, then http://example.com opens up properly.)

Thanks and Regards,
Vicky

Vicky

Aug 3, 2021, 4:20:10 AM
to OWASP ZAP User Group
Hello,

Any help is appreciated.

Thanks and Regards,
Vicky

Simon Bennetts

Aug 3, 2021, 4:34:43 AM
to OWASP ZAP User Group
Hi Vicky,

ZAP does not allow remote connections by default, and that includes connections from outside of a docker container.
You will also need to map the docker ports as you have done in your second email.

Cheers,

Simon

Vicky

Aug 6, 2021, 7:33:23 AM
to OWASP ZAP User Group
Hi Simon,

Thanks for the direction. I tried the command below.

Step 1:

docker run -v C:/Users/abc/Downloads/zap-work:/zap/wrk/:rw -p 8090:8090 -t owasp/zap2docker-stable zap-baseline.py -t http://example.com/ -r testreport.html -D 1200 -P 8090 -z "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"

Also, from the ZAP log I made sure that the ZAP container is listening on port 8090.

Step 2: Configured port 8090 in Firefox on my machine as below:

[screenshot: proxy.PNG]

Step 3: Opened the Firefox browser on my machine and tried http://example.com
I got the message below:

[screenshot: browser_warning.PNG]

How do I proceed further?

When I start the ZAP desktop, configure the ZAP port in the Firefox browser and then open http://example.com, it works fine.
Why is it not working with the ZAP Docker container? Am I missing anything here?

Thanks and Regards,
Vicky

Simon Bennetts

Aug 6, 2021, 8:09:28 AM
to OWASP ZAP User Group
When ZAP launches browsers it configures them to proxy via ZAP _and_ ignore certificate warnings.
ZAP creates a unique root CA certificate so that it can intercept HTTPS connections, but obviously it's not going to be trusted by default by any browser :)
So you need to export that cert and import it into your browser as a trusted CA.

That's described at https://www.zaproxy.org/docs/docker/webswing/#proxying-through-zap, though it actually applies to the ZAP daemon running in Docker as well.
In daemon mode ZAP will not automatically create the certs mentioned in that section, but you can control that via the command line 'cert' options: https://www.zaproxy.org/docs/desktop/cmdline/

Details for importing certs into browsers are given at https://www.zaproxy.org/docs/desktop/ui/dialogs/options/dynsslcert/

Cheers,

Simon

Vicky

Aug 19, 2021, 12:04:47 PM
to OWASP ZAP User Group
Hi Simon,

Thanks for the direction. Based on the links provided, I tried the steps below.

1. docker run -v C:/Users/abc/Downloads/zaptest:/zap/wrk/:rw -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
Accessing WebSwing created the certificates in the locally mapped drive, as described at https://www.zaproxy.org/docs/docker/webswing/#proxying-through-zap

2. Configured the local Firefox browser to proxy via ZAP and also imported the ZAP root CA public certificate into the browser

[screenshot: ff_8091.PNG]

[screenshot: ff_certificate.PNG]

3. Stopped the ZAP WebSwing container started in step 1

4. Started the baseline scan as below:

docker run -v C:/Users/abc/Downloads/zap-demo:/zap/wrk/:rw -p 8091:8091 -t owasp/zap2docker-stable zap-baseline.py -t http://example.com/ -r testreport.html -D 1200 -P 8091 -z "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -newsession test"

5. Started the local Firefox browser and tried accessing http://example.com/
   However, I am getting the error below:

[screenshot: secure_connection.PNG]

What I have tried is: start ZAP in a Docker container on port 8091, import the ZAP root CA certificate into the local Firefox browser, configure the ZAP port (8091) in the local Firefox browser, and try accessing web pages from this local Firefox browser.

What am I missing here?

Thanks,
Vicky
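The pieces from Simon's two replies (map the port, allow non-local API clients with the api.addrs config, dump the root CA and load the same CA into a later ZAP run) and the daemon-then-baseline procedure from the last post, put together as one shell script. This is example code written for this page, not the ZAP project's own scripts and not anything posted in the thread. It assumes docker and curl on the host, port 8090, and a host directory mapped to /zap/wrk; the file names root_ca.key and root_ca.cer, the helper names, the disabled API key and the ZAP_DEMO_RUN switch are choices made here. The ZAP flags (-host, -port, -config, -certload, -certpubdump, -certfulldump) are the ones the cmdline page linked above lists, and the two API paths are ZAP's JSON/core/view/version/ and OTHER/core/other/rootcert/. The final curl check does what the browser does after the CA import: a TLS request through the proxy validated against root_ca.cer. It fails the same way Firefox does when the CA in the browser was minted by a different container than the one now listening.

```shell
#!/bin/sh
# Added example for this thread, not code from the ZAP project: run the ZAP
# daemon in Docker so a browser or test suite on the host can proxy HTTPS
# through it, keep one root CA across container restarts, and check the
# proxy + CA the way a browser would.
# Assumptions: docker and curl on the host, port 8090, a host work dir mapped
# to /zap/wrk. root_ca.key / root_ca.cer are example file names.
set -f   # no globbing: the value ".*" below must reach ZAP literally

ZAP_PORT="${ZAP_PORT:-8090}"
ZAP_WRK="${ZAP_WRK:-$PWD/zap-work}"
ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
CA_KEY=/zap/wrk/root_ca.key     # full CA (cert + private key), container path
CA_PUB=/zap/wrk/root_ca.cer     # public cert, the one to import into Firefox

# Options every daemon run needs to be reachable from outside the container:
# listen on all container interfaces and accept API clients from any address.
# Host connections arrive from the Docker bridge address, never 127.0.0.1,
# so ZAP's default "local clients only" API policy rejects them.
zap_remote_opts() {
    printf '%s' "-host 0.0.0.0 -port $1 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"
}

# First run: generate the CA and dump it into the mapped dir. Later runs: load
# it, so the cert imported into the browser keeps matching a fresh container.
# $1 = host work dir, $2 = container path of the full CA file (*.key)
zap_cert_opts() {
    if [ -s "$1/$(basename "$2")" ]; then
        printf '%s' "-certload $2"
    else
        printf '%s' "-certfulldump $2 -certpubdump ${2%.key}.cer"
    fi
}

zap_start_daemon() {
    mkdir -p "$ZAP_WRK"
    # Bind the host side to 127.0.0.1 only: with the API key disabled and any
    # client address allowed, anyone who can reach this port can drive ZAP.
    docker run -d --rm --name zap -v "$ZAP_WRK:/zap/wrk/:rw" \
        -p "127.0.0.1:$ZAP_PORT:$ZAP_PORT" "$ZAP_IMAGE" \
        zap.sh -daemon -config api.disablekey=true \
        $(zap_remote_opts "$ZAP_PORT") $(zap_cert_opts "$ZAP_WRK" "$CA_KEY")
}

# Poll the API until the daemon answers (up to ~2 minutes).
zap_wait() {
    n=0
    until curl -fsS "http://127.0.0.1:$ZAP_PORT/JSON/core/view/version/" >/dev/null 2>&1; do
        n=$((n + 1)); [ "$n" -lt 60 ] || return 1; sleep 2
    done
}

# Same check the browser performs after the CA import: TLS to $1 via the
# proxy must validate against root_ca.cer. A failure here means the CA the
# client holds is not the one the listening ZAP instance signs with.
zap_check_https() {
    curl -fsS -o /dev/null -x "http://127.0.0.1:$ZAP_PORT" \
        --cacert "$ZAP_WRK/root_ca.cer" "$1"
}

# Baseline scan that loads the same CA, so proxied UI tests keep trusting it.
zap_baseline() {
    docker run --rm -v "$ZAP_WRK:/zap/wrk/:rw" -p "127.0.0.1:$ZAP_PORT:$ZAP_PORT" \
        -t "$ZAP_IMAGE" zap-baseline.py -t "$1" -r testreport.html -D 600 -P "$ZAP_PORT" \
        -z "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -certload $CA_KEY"
}

zap_demo() {
    zap_start_daemon && zap_wait || { echo "ZAP did not come up"; exit 1; }
    # The API serves the same public CA that -certpubdump wrote; keep a copy.
    curl -fsS "http://127.0.0.1:$ZAP_PORT/OTHER/core/other/rootcert/" -o "$ZAP_WRK/root_ca.cer"
    if zap_check_https "$1"; then echo "proxy + CA OK for $1"; else echo "HTTPS via proxy failed"; fi
    docker stop zap >/dev/null
}

# Runs only when asked: ZAP_DEMO_RUN=1 sh zap-proxy.sh https://example.com/
if [ "${ZAP_DEMO_RUN:-0}" = 1 ]; then zap_demo "${1:-https://example.com/}"; fi
```

After the daemon demo succeeds, `zap_baseline http://example.com/` starts the baseline script with the persisted CA loaded, so the browser or test runner configured for 127.0.0.1:8090 sees the same issuer it already trusts. Re-running the daemon or the baseline in a new container without `-certload` produces a new CA and the browser warning comes back.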