Custom CASA runs


Jon Erdman

Jul 16, 2023, 4:02:01 PM
to OWASP ZAP User Group
I am trying to run ZAP against my application to prove CASA compliance. My application requires a custom authentication script as well as some other custom HTTP Sender scripts. I am looking for instructions on either:

1. Can I manually load the CASA configuration (available at https://appdefensealliance.dev/static/casa/tier-2/files/zap-casa-config.zip) into the GUI and perform a run with those rules? The provided policy file seems to only work for the Docker version and is not the standard XML policy file that is used in the rest of ZAP.

OR

2. Are there instructions on loading and running a custom context & scripts in the docker container version?

Thank you,
Jon

Simon Bennetts

Jul 17, 2023, 3:20:07 AM
to OWASP ZAP User Group
Hi Jon,

For details on authentication see https://www.zaproxy.org/docs/authentication/

The CASA config file will only work with the ZAP packaged scans.
It would be possible to write a script to convert it into a standard policy file.


But also have a look at the Automation Framework which makes it easier to include scripts: https://www.zaproxy.org/docs/automate/automation-framework/

Cheers,

Simon
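
The conversion suggested in the reply above, from the packaged-scan rule config into a standard policy file, can be done along these lines. This is an added example, not part of the original thread and not ZAP's or the App Defense Alliance's own code. Assumptions: the sample lines are constructed (they are not the contents of the CASA file), the function names are hypothetical, and the XML layout (`configuration` / `policy` / `scanner` / `plugins` / `p<ID>`) is assumed to match what ZAP's Scan Policy Manager exports, so compare the output with a policy exported from your own ZAP version before importing it.

```python
"""Convert a ZAP packaged-scan rule config (TSV) into a scan policy XML document."""
import xml.etree.ElementTree as ET

# Constructed sample in the packaged-scan config format: id <TAB> action <TAB> (name).
# These lines are illustrative and are NOT the contents of the CASA file.
SAMPLE_CONFIG = (
    "# zap rule configuration (constructed sample)\n"
    "40018\tFAIL\t(SQL Injection)\n"
    "40012\tWARN\t(Cross Site Scripting (Reflected))\n"
    "6\tIGNORE\t(Path Traversal)\n"
    "not-a-rule\tWARN\t(malformed line)\n"
)

ACTIONS = {"IGNORE", "INFO", "WARN", "FAIL"}


def parse_rule_config(text):
    """Return {rule_id: action}, skipping comments, blanks and malformed lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # not a rule line (e.g. bad id); never guess at its meaning
        action = fields[1].strip().upper()
        if action in ACTIONS:
            rules[int(fields[0])] = action
    return rules


def build_policy(rules, name="converted-policy", threshold="MEDIUM", strength="MEDIUM"):
    """Build the policy XML; IGNORE disables a rule, any other action enables it."""
    root = ET.Element("configuration")
    ET.SubElement(root, "policy").text = name
    scanner = ET.SubElement(root, "scanner")
    ET.SubElement(scanner, "level").text = threshold
    ET.SubElement(scanner, "strength").text = strength
    plugins = ET.SubElement(root, "plugins")
    for rule_id in sorted(rules):
        enabled = rules[rule_id] != "IGNORE"
        plugin = ET.SubElement(plugins, f"p{rule_id}")
        ET.SubElement(plugin, "enabled").text = "true" if enabled else "false"
        ET.SubElement(plugin, "level").text = threshold if enabled else "OFF"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_policy(parse_rule_config(SAMPLE_CONFIG)))
```

A scan policy only governs active scan rules, so any passive rule ids carried over from the config have no effect there and still need to be configured separately.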
