Configuring OWASP ZAP on Ubuntu Server


Batiste Blactot

Feb 3, 2022, 9:09:04 AM
to OWASP ZAP User Group
Well, great, I managed to install OWASP ZAP on my Ubuntu server.
Last question, and then I can finally start the internal configuration of the application. I would like to know how to set up the application (without a visual interface)? For example, I would like to specify Attack mode rather than Standard mode. Then, if I want to disable, for example, the SQL error scan (this is an example; I will not do it ^^).

Sincerely

Batiste

Simon Bennetts

Feb 3, 2022, 10:53:56 AM
to OWASP ZAP User Group
And the answer is ... "it depends" :)
We have various ways to automate ZAP: https://www.zaproxy.org/docs/automate/
Which one will work for you will depend on various things; if you can explain what you're trying to do at a high level then we can suggest your best options.
I still recommend starting with the UI and then automating once you've got that working ;)

Cheers,

Simon

Batiste Blactot

Feb 3, 2022, 11:02:24 AM
to OWASP ZAP User Group
Here are my explanations:

I'm on an Ubuntu server with no GUI, so I don't have access to the visual application.
I want to configure the attack mode to: ATTACK.
Then I would like to switch the analysis options which are in Beta or Alpha to: OFF.
Here is what I want to do for the moment, and all on the command line because I don't have Docker. I really want to be able to configure this in the configuration files; for example, if there is a line called "Choose the attack word", I would like to add to the "Attack mode" line in the configuration file the setting "attack or standard or protected".
Is my information clear enough now? :)

Thanks in advance

Translated with www.DeepL.com/Translator (free version)

Simon Bennetts

Feb 3, 2022, 12:32:01 PM
to OWASP ZAP User Group
It actually raises more questions :)
I'm always wary when people say they want to use attack mode in automation - you _can_ do it, but it was always intended as a manual tool, and using it in automation will actually make your setup a bit harder.
How are you planning on exploring your app?
Using one or both of the spiders?
Importing API definitions?
Proxying traffic?

Batiste Blactot

Feb 4, 2022, 9:50:33 AM
to OWASP ZAP User Group
Hello,

Actually, most of my company's websites are made with WordPress.
So I installed Java directly on the server, and there I added the Cross Platform OWASP ZAP folder in my wp-content/theme/montheme folder.
I created a form (I enter my URL in the URL field) that will launch a terminal in the background that will scan the site.
So for the attack mode I would just like the traditional spider and not the AJAX spider?
I would like the scan to go like this:
1) Scan all URLs
2) Advanced scan (attack mode) to find the errors (with the default options, even if, for example, I would like to set SQL injection to OFF or LOW (an example not to do, but it is to know how to configure it))
3) Generate an HTML report at the end of the analysis!

Here is the configuration I would like

Simon Bennetts

Feb 4, 2022, 12:58:15 PM
to OWASP ZAP User Group
I think it would help if you looked at the ZAP Getting started guide: https://www.zaproxy.org/getting-started/

ZAP cannot just "Scan all URLs".
You need to explore your app somehow - the traditional and AJAX spiders are good options.
I'm still not sure why you need attack mode - it sounds like an active scan is more appropriate for your use case.

Have a look at the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/
I think that should do everything you need.

Cheers,

Simon
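Editor's added example (not part of the thread, and not an official ZAP plan): a ZAP Automation Framework plan that does the three steps asked for above without Attack mode, i.e. the path Simon recommends. It runs the traditional spider only, waits for passive scanning to finish, active-scans with the default Standard-mode policy but with the SQL Injection rule (scan rule id 40018) switched Off, and writes a traditional HTML report. Everything site-specific is assumed: the target https://www.example.com, the wp-admin exclusion, the report directory, the time limits, and the optional `addOns` job that uninstalls the alpha/beta active-scan rule add-ons (add-on ids as listed in the ZAP Marketplace; only useful if they are actually installed). Values not listed under `rules` keep the policy defaults, so leaving out a rule is how you keep it at the defaults rather than turning it off.

```yaml
# zap-plan.yaml  (added example; assumed target and paths, adjust before use)
# Headless run on the Ubuntu server, no GUI required:
#   zap.sh -cmd -autorun /path/to/zap-plan.yaml

env:
  contexts:
    - name: "wordpress-site"
      urls:
        - "https://www.example.com"            # assumed target
      includePaths:
        - "https://www.example.com.*"
      excludePaths:
        - "https://www.example.com/wp-admin/.*" # assumption: keep the admin area out of scope
  parameters:
    failOnError: true        # stop the plan if a job errors out
    failOnWarning: false
    progressToStdout: true   # progress goes to the terminal log, useful without a UI

jobs:
  # Optional: remove Alpha/Beta active-scan rules so they cannot run at all.
  # Add-on ids are assumed from the ZAP Marketplace; drop this job if the
  # add-ons are not installed on your ZAP.
  - type: addOns
    parameters:
      updateAddOns: false
    uninstall:
      - ascanrulesAlpha
      - ascanrulesBeta

  # 1) Explore: traditional spider only (no AJAX spider)
  - type: spider
    parameters:
      context: "wordpress-site"
      url: "https://www.example.com"
      maxDuration: 10            # minutes; assumed limit

  # Let the passive scanner catch up before attacking
  - type: passiveScan-wait
    parameters:
      maxDuration: 5             # minutes

  # 2) Active scan (this is what "find the errors" needs; Attack mode is not involved)
  - type: activeScan
    parameters:
      context: "wordpress-site"
      maxRuleDurationInMins: 5   # assumed per-rule limit
      maxScanDurationInMins: 60  # assumed overall limit
    policyDefinition:
      defaultStrength: "Medium"
      defaultThreshold: "Medium"
      rules:
        - id: 40018              # SQL Injection scan rule
          name: "SQL Injection"
          threshold: "Off"       # disabled, as in the example in the thread; "Low" would keep it on

  # 3) HTML report written at the end of the run
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/var/tmp/zap-reports"   # assumed; must be writable by the ZAP user
      reportFile: "zap-report"
      reportTitle: "ZAP Scanning Report"
```

Two practical checks before wiring this behind a web form: run the plan once by hand with `zap.sh -cmd -autorun zap-plan.yaml` and confirm the report appears, and make sure the form only ever passes URLs from the `includePaths` of the context (a plan that takes an arbitrary user-supplied URL turns the scanner into an attack tool against whoever is named in the form).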