Automated headless scan


Alex Leonhardt

Sep 16, 2015, 1:48:37 PM
to zaprox...@googlegroups.com

Hi,

I'm working on running an automated full suite scan with zaproxy against e.g. a QA environment and was wondering what my options are when using zaproxy?

So far I wasn't able to find much what scans to run against a target (or simply enable them all) - is there a post somewhere on how to start?

I know one can run zaproxy as daemon and interact with the api, but wanted to keep it as simple as possible to start with and simply run it from the command line.

I do have the option to use the zaproxy docker image - but I'm still at a loss of how to make it run either selective scans or 'everything'.

Also, is it possible to install/ update plugins from the command line or by starting zaproxy with some special options?

Thanks!
Alex

Alex Leonhardt

Sep 17, 2015, 2:11:59 AM
to zaprox...@googlegroups.com

In fact, I found the python api yesterday and tried to derive something from the example, however, the zap.spider.scan(target, threads) action doesn't seem to do anything?

Alex

kingthorin+owaspzap

Sep 17, 2015, 8:08:42 AM
to OWASP ZAP User Group

Simon Bennetts

Sep 17, 2015, 8:16:06 AM
to OWASP ZAP User Group
Hi Alex,

I'd suggest starting by playing with the ZAP UI first, even if you want to end up just using ZAP in headless (daemon) mode.
I think it will help you understand what's going on, especially as the API is heavily influenced by the way the UI works ;)
For that the Getting Started Guide is (not too surprisingly) a good place to start: https://github.com/zaproxy/zaproxy/releases/download/2.4.0/ZAPGettingStartedGuide-2.4.pdf

But back to your headless options, which are:
  • Run ZAP inline
  • Use a Jenkins (or similar) plugin
  • Run the ZAP daemon and use the API

Running ZAP inline is the simplest option, but gives you less control.

You can test a site using:

./zap.sh -cmd -quickurl http://example.com/ -quickout /path/to/report.xml

(or zap.bat of course;)

For more details of the quickstart command line options see: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsQuickstartCmdline


Using a Jenkins plugin is probably the next easiest option. There are various ones available, but I haven't tried any myself. There have been some discussions on the ZAP Developer list, so I can find out which ones are most popular if that would help.


Using the ZAP daemon and the API will give you the most flexibility.

We have API clients in a range of languages: https://github.com/zaproxy/zaproxy/wiki/ApiDetails

We also have a simple web interface into the API, which is useful for exploring it (ZAP Tools menu / Browse API...)


So that's a high level view of your options.

Feel free to ask any more detailed questions.


Re zap.spider.scan not doing anything - do you get any errors returned? Or written to the zap.log?

If you're using the latest version of ZAP (and if not, why not?) then you will need to use an API key: https://github.com/zaproxy/zaproxy/wiki/FAQapikey


Cheers,


Simon
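
The daemon-plus-API option above, including the API key point, as an added example that is not code from the thread or from the ZAP project. It talks to ZAP's JSON API over plain HTTP, assumes a daemon on http://localhost:8080 (the address is an assumption) and an API key in ZAP_API_KEY, and makes the transport injectable so the spider/active-scan flow can be run against a fake:

```python
"""Drive a headless ZAP daemon through its JSON API: spider, then active scan, then alerts.
Added example; assumes ZAP was started as a daemon on http://localhost:8080 and that
ZAP_API_KEY holds the key it was started with."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"   # assumed daemon address


def api_url(component, kind, name, params, apikey, base=ZAP_BASE):
    """Build /JSON/<component>/<view|action>/<name>/?...&apikey=<key>.
    Every call carries the apikey parameter: without it a keyed ZAP rejects
    actions such as spider/scan, which then look as if they 'do nothing'."""
    query = dict(params, apikey=apikey)
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def run_full_scan(target, apikey, fetch=http_get_json, poll=1.0, sleep=time.sleep):
    """Spider the target, wait for 100%, active-scan it, wait, return the alerts.
    `fetch` and `sleep` are injectable so the flow can be exercised offline."""
    def call(component, kind, name, **params):
        return fetch(api_url(component, kind, name, params, apikey))

    spider_id = call("spider", "action", "scan", url=target)["scan"]
    while int(call("spider", "view", "status", scanId=spider_id)["status"]) < 100:
        sleep(poll)

    ascan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    while int(call("ascan", "view", "status", scanId=ascan_id)["status"]) < 100:
        sleep(poll)

    return call("core", "view", "alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    import os
    # Target and key are placeholders; point them at your own QA environment.
    for alert in run_full_scan("http://example.com/", os.environ["ZAP_API_KEY"]):
        print(alert["risk"], alert["alert"], alert["url"])
```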

Alex Leonhardt

Sep 17, 2015, 10:18:24 AM
to zaprox...@googlegroups.com

Hi all,

Thanks for your messages and links!

Also, I got the API calls to work; it turns out I didn't pass through the api-key (or didn't disable needing a key) ;)

So far spidering and attack scan seem to be running OK.

Just need to figure out how to install plugins/modules w/o the UI but hope there is some info about that in the links you all sent.

I'll send out a link to github when I've got all I wanted running 'ok'.

Thanks!
Alex

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts

Sep 17, 2015, 10:21:55 AM
to OWASP ZAP User Group
Oh yeah, installing add-ons from the command line.
It so happens I started a related thread just before you posted here :)
https://groups.google.com/d/msg/zaproxy-develop/g_IpUEFEj5o/yk1Gu7bqAQAJ

I've nearly finished the multiple shared directories, and will then look at the command line before looking at the API.

Cheers,

Simon

Alex Leonhardt

Sep 17, 2015, 10:30:55 AM
to zaprox...@googlegroups.com

Ah perfect! :)

So for now, can I download them locally then put them in place via cfg mgmt or so? Do they just have to be in a specific path to be usable or ...?

Alex


Simon Bennetts

Sep 17, 2015, 11:23:31 AM
to OWASP ZAP User Group
Right now they are loaded from the install 'plugin' directory or the 'local' (https://github.com/zaproxy/zaproxy/wiki/FAQconfig) one (same name).
If you install add-ons into either of those directories they should be loaded on startup.

Cheers,

Simon