Automation with policy and context


jluc.ba...@free.fr

May 4, 2022, 6:01:23 AM5/4/22
to OWASP ZAP User Group
Hello

I used to automate ZAP in the following way:

1 - According to my project configuration file, I dynamically set up a dast.policy file under the zap/userhome/policies folder.

2 - Still according to my project configuration file, I dynamically set up a dast.context file that enables the proper DB technologies under the zap/userhome/contexts folder.

3 - I then start ZAP as follows:

  # Start ZAP headless as a daemon; the -config options override entries in config.xml.
  # Variables are quoted so that paths with spaces and the '.*' regex are passed verbatim.
  java -jar "$zap_jar" -daemon -installdir "$zap_path" -dir "$zap_user_home" \
    -config connection.timeoutInSecs=120 \
    -config api.disablekey=true \
    -config pscans.scanOnlyInScope=true \
    -config database.request.bodysize=20000000 \
    -config database.response.bodysize=20000000 \
    -config scanner.attackOnStart=true \
    -config view.mode=attack \
    -config scanner.attackPolicy='dast' \
    -config api.addrs.addr.name='.*' \
    -config api.addrs.addr.regex=true \
    -host "$proxy_host" -port "$proxy_port" &

4 - I then call a piece of Java code that loads the context:
    import org.zaproxy.clientapi.core.ClientApi;

    // Connect to the running ZAP API (host, port, debug output on) and import the context file
    ClientApi api = new ClientApi(getProxyHost(), Integer.parseInt(getProxyPort()), true);
    api.context.importContext("dast.context");

5 - I play my Selenium tests, then call another piece of Java code that waits for the scanners to terminate and generates the report.

Now I want to use the docker stable image but I can't figure out how to set up the policy and context. Is it in the config.yaml, and if so, can I use both the yaml file and the -config options?

Thanks for your help.

Simon Bennetts

May 4, 2022, 6:10:25 AM5/4/22
to OWASP ZAP User Group
Hiya,

The recommended ways to automate ZAP are detailed in https://www.zaproxy.org/docs/automate/
Re step 3 - we do not recommend starting ZAP via the jar file - we provide the zap.sh and zap.bat scripts which you should use instead.

The API importContext endpoint loads the context from the specified local file - you will need to copy the file into the docker image, or map a drive that it's in when starting docker. You will then need to make sure that you refer to the file - using the full path name is probably best.

However I would recommend looking at the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/
This is designed for this sort of task; you can test it locally and then run it in docker. It has a delay job which is explicitly intended for this kind of use case.

Cheers,

Simon
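
As an added example (not from either poster), the first post's workflow expressed as an Automation Framework plan of the kind Simon's reply points to: the context is declared in the env section instead of being imported from dast.context, the active scan refers to the scan policy by name, and a delay job holds the plan while the Selenium tests run. The URL, file names and technology values are placeholders to be replaced with the project's own.

```yaml
env:
  contexts:
    - name: "dast"                        # declared here, no importContext call needed
      urls:
        - "https://app.example.test"      # placeholder for the application under test
      includePaths:
        - "https://app.example.test/.*"
      technology:
        exclude:                          # drop the DB technologies the project does not use
          - "Db.MySQL"                    # placeholder values; keep only what the project runs
          - "Db.Oracle"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: passiveScan-config              # counterpart of -config pscans.scanOnlyInScope=true
    parameters:
      scanOnlyInScope: true

  - type: delay                           # wait here while the Selenium tests drive traffic through ZAP
    parameters:
      time: "30:00"                       # upper bound (mm:ss); the job ends early once fileName exists
      fileName: "/zap/wrk/selenium-done"  # placeholder: the test harness creates this file when finished

  - type: passiveScan-wait                # let the passive scanner drain before attacking
    parameters:
      maxDuration: 5                      # minutes

  - type: activeScan
    parameters:
      context: "dast"
      policy: "dast"                      # named scan policy (the dast.policy file) rather than an inline definition

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "dast-report"
```

With the plan saved as plan.yaml in the current directory, it runs in the stable image with the proxy port published so the Selenium tests can reach it: `docker run -p 8080:8080 -v "$(pwd)":/zap/wrk/:rw owasp/zap2docker-stable zap.sh -cmd -host 0.0.0.0 -port 8080 -autorun /zap/wrk/plan.yaml`. The dast.policy file must still be present in the container's ZAP user home policies folder for the named policy to resolve.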

jluc.ba...@free.fr

May 6, 2022, 7:30:41 AM5/6/22
to OWASP ZAP User Group
Thanks for your answer Simon.

I looked at the automation framework but it's not yet clear whether I should still import the context explicitly or whether it is imported automatically as soon as the context name is mentioned in the yaml file. For the scan policies, what I understand is that I can either describe them fully within the yaml file or reference an externally defined policy through a policy name. But I may be misunderstanding the whole thing.