override .yaml automation configuration


Emad Youssef

Feb 14, 2022, 7:44:06 AM2/14/22
to OWASP ZAP User Group
Hi,

First of all I would like to thank you personally for your contributions.

My case is that I have ZAP running successfully in both the desktop and the CLI using the automation YAML config file.

BUT my question is: is it possible to override certain YAML config values (url, report path) in the terminal (CLI)?
Because I need to run ZAP automation against a list of URLs in a text file, I need to define the URL to scan and the path for the report as bash arguments.

something like

for url in $(cat sites.txt); do
zap.sh -url $url -cmd -autorun `pwd`/zap-automation.yaml -report $HOME/path-to-report
done

Thanks

Simon Bennetts

Feb 14, 2022, 7:56:28 AM2/14/22
to OWASP ZAP User Group
Hiya,

Just use something like "${ENV_VAR}" in your config file.
Here's an example where the username and password are defined via env vars: https://github.com/zaproxy/zaproxy/blob/main/docker/integration_tests/configs/plans/jigsaw-basic-user.yaml

Cheers,

Simon

Emad Youssef

Feb 14, 2022, 8:39:10 AM2/14/22
to OWASP ZAP User Group
Great to have it, but I still didn't understand how to pass the env var to the zap.sh command.

For example, I have defined the variable in the ZAP automation YAML (Default Context):
urls:
- "${URL}/"
okay

now in terminal !
for site in $(cat list); do zap.sh -cmd -autorun `pwd`/zap-automation.yaml URL=$site; done

BR

Simon Bennetts

Feb 14, 2022, 9:03:33 AM2/14/22
to OWASP ZAP User Group
You don't have to pass it to ZAP, you just have to set it as an OS environment variable: https://en.wikipedia.org/wiki/Environment_variable
In bash you can do something like this (not actually tested ;)

for site in $(cat list); do export URL=$site; zap.sh -cmd -autorun `pwd`/zap-automation.yaml; done
Cheers,

Simon

Emad Youssef

Feb 14, 2022, 10:03:24 AM2/14/22
to OWASP ZAP User Group
Thanks Simon for your HELP.

I have a strange case; I have been trying for three days to pin it down.

I'm running Java 11, which is the most friendly support for ZAP, I guess.

Running Linux Pop!_OS 5.15.15-76051515-generic.

The issue is that when I install ZAP as a fresh installation it works well, spidering the target and discovering bugs (XSS, SQLi, etc.),
and after testing with ZAP for about 2 hours it suddenly doesn't spider the whole target as it was doing before;
it just fetches the first host URL and of course doesn't discover any bugs because it didn't spider in the first place.

Does that make any sense?
I was going insane, it was just working fine and nothing changed!!!

Is there any way to debug this to discover what the issue is?

BTW: I caught this message in the CLI:
"736377 [ZAP-ProxyThread-704] WARN  org.parosproxy.paros.core.proxy.ProxyThread - Failed to write/forward the HTTP response to the client: java.net.SocketException: Broken pipe (Write failed)"

Does this message have anything to do with my problem?


Thank you really.

Simon Bennetts

Feb 14, 2022, 10:47:46 AM2/14/22
to OWASP ZAP User Group
Can you explain what you are doing in a bit more detail?
Are you performing repeated scans?
At this stage I don't think the warning you mentioned is relevant.

Cheers,

Simon

Emad Youssef

Feb 14, 2022, 11:17:47 AM2/14/22
to OWASP ZAP User Group
YES, I'm trying to run repeated scans against the same vulnerable app, mutillidea.

I have tee'd the output of the terminal log to this pastebin.
Thanks

Simon Bennetts

Feb 14, 2022, 11:31:52 AM2/14/22
to OWASP ZAP User Group
Strange.
Have you confirmed if the app is accessible when this happens?

Cheers,

Simon

Emad Youssef

Feb 14, 2022, 11:38:48 AM2/14/22
to OWASP ZAP User Group
YES, it's accessible from the browser.

BTW, I just caught this error when I was trying to figure out the cause:

491563 [ZAP-Automation] ERROR org.zaproxy.addon.automation.jobs.JobUtils - Automation Framework failed to find method setUser on org.zaproxy.zap.spider.SpiderParam
491563 [ZAP-Automation] INFO  org.parosproxy.paros.CommandLine - Job spider started
491564 [ZAP-Automation] INFO  org.parosproxy.paros.CommandLine - Job spider requesting URL http://172.16.20.128/mutillidea/
491658 [ZAP-SpiderInitThread-2] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on Context: Default Context at 2022-02-14T18:33:13.815+0200
491658 [ZAP-SpiderInitThread-2] INFO  org.zaproxy.zap.spider.Spider - Spider initializing...
491659 [ZAP-SpiderInitThread-2] INFO  org.zaproxy.zap.spider.Spider - Starting spider...
491758 [ZAP-SpiderThreadPool-2-thread-1] INFO  org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
491759 [ZAP-SpiderShutdownThread-2] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true on Context: Default Context at 2022-02-14T18:33:13.917+0200
492158 [ZAP-Automation] INFO  org.parosproxy.paros.CommandLine - Job spider found 1 URLs
492158 [ZAP-Automation] INFO  org.parosproxy.paros.CommandLine - Job spider test of type stats failed: At least 100 URLs found [3 < 100]
492158 [ZAP-Automation] INFO  org.parosproxy.paros.CommandLine - Job spider finished

I only have env and spider selected in the Automation Framework tab.

Did you notice this line?
( 491563 [ZAP-Automation] ERROR org.zaproxy.addon.automation.jobs.JobUtils - Automation Framework failed to find method setUser on org.zaproxy.zap.spider.SpiderParam )


BR

Oleg Rybchenko

Mar 1, 2023, 1:38:18 PM3/1/23
to OWASP ZAP User Group
Hi Simon! I have a similar issue.

After setting an OS variable in my bash script:

#!/bin/bash
export TEST_HOST=https://example.com      
docker run -v $(pwd):/zap/wrk/:rw --rm -t owasp/zap2docker-stable zap.sh $1 -cmd -autorun wrk/$2
$1 is for -addonupdate
$2 is for the .yaml config file


I've tried to set an ENV variable in my .yaml config file:
---
env:
  contexts:
  - name: "TestContext"
    urls:
    - "${TEST_HOST}"


But I receive:

Variable TEST_STAND_HOST used but not specified
Invalid URL: ${TEST_STAND_HOST}
Automation plan failures:
Invalid URL: ${TEST_STAND_HOST}
Automation plan warnings:
Variable TEST_STAND_HOST used but not specified


Is there any way to set a variable used inside "quotes"?

P.S.
I also tried to use vars as part of env:
env:
  contexts:
  - name: "TestContext"
    urls:
    - "${myVar}"
  vars:
    myVar: "https://example.com"

but it has the same effect.
Monday, 14 February 2022 at 17:03:33 UTC+3, psi...@gmail.com:

Simon Bennetts

Mar 2, 2023, 5:44:00 AM3/2/23
to OWASP ZAP User Group
See below :)

On Wednesday, 1 March 2023 at 18:38:18 UTC ory...@gmail.com wrote:
Hi Simon! I have the similar issue.

After setting OS variable in my bash script:

#!/bin/bash

The next statement will set TEST_HOST in your current environment.
 
export TEST_HOST=https://example.com      

The next statement will run ZAP in docker, which is a different environment.
TEST_HOST will not be set in docker.
 
docker run -v $(pwd):/zap/wrk/:rw --rm -t owasp/zap2docker-stable zap.sh $1 -cmd -autorun wrk/$2

You need to set TEST_HOST in docker rather than in your current environment.
You can do that by including the following in your docker run command: " --env TEST_HOST=$TEST_HOST"
i.e.
docker run -v $(pwd):/zap/wrk/:rw --rm --env TEST_HOST=$TEST_HOST -t owasp/zap2docker-stable zap.sh $1 -cmd -autorun wrk/$2
 
Cheers,

Simon
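Putting Simon's two answers together (export before a local zap.sh, --env for the docker run), here is an added example script that is not part of this thread or of the ZAP project: it loops over a sites file as in the first post, sets URL and REPORT_DIR for each run, checks that every ${VAR} the plan references is actually exported before ZAP is started (so the "Variable X used but not specified" failure surfaces in the script rather than in ZAP), and builds the matching --env arguments for docker. The plan file name, the URL and REPORT_DIR variable names and the report path layout are assumptions.

```shell
# Added example, not ZAP project code: run one Automation Framework plan per
# target, feeding the ${VAR} references in the plan through the environment
# (export for a local zap.sh, --env for docker) and failing early when a
# referenced variable is unset. Assumed: the plan references ${URL} and
# ${REPORT_DIR}; the sites file has one URL per line.

# Print the distinct ${NAME} variables a plan file references.
plan_vars() {
  grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | tr -d '${}' | sort -u
}

# Return 1 and name each referenced variable that is not exported; printenv
# sees only exported variables, which is also all that ZAP will see.
check_plan_vars() {
  local missing=0 v
  for v in $(plan_vars "$1"); do
    if ! printenv "$v" >/dev/null; then
      echo "plan variable not set: $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Build the --env arguments that forward each plan variable into the container.
docker_env_args() {
  local v args=""
  for v in $(plan_vars "$1"); do
    args="$args --env $v=$(printenv "$v")"
  done
  printf '%s\n' "$args"
}

# Run the plan once per site. ZAP_CMD defaults to echo (dry run that prints
# the resolved command); set ZAP_CMD="" to actually start ZAP.
run_plan_for_sites() {
  local plan=$1 sites=$2 mode=${3:-local} site
  while IFS= read -r site; do
    [ -z "$site" ] && continue
    export URL="$site"
    export REPORT_DIR="$HOME/zap-reports/$(printf '%s' "$site" | tr -c 'A-Za-z0-9' '_')"
    check_plan_vars "$plan" || return 1
    if [ "$mode" = docker ]; then
      ${ZAP_CMD-echo} docker run -v "$(pwd):/zap/wrk/:rw" --rm $(docker_env_args "$plan") \
        -t owasp/zap2docker-stable zap.sh -cmd -autorun "wrk/$(basename "$plan")"
    else
      ${ZAP_CMD-echo} zap.sh -cmd -autorun "$(pwd)/$plan"
    fi
  done < "$sites"
}
```

Usage: `run_plan_for_sites zap-automation.yaml sites.txt` prints the local commands, `run_plan_for_sites zap-automation.yaml sites.txt docker` the docker ones; prefix with `ZAP_CMD=` to run them.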

Oleg Rybchenko

Mar 6, 2023, 1:08:01 AM3/6/23
to OWASP ZAP User Group
Thanks a lot. It worked!

Thursday, 2 March 2023 at 13:44:00 UTC+3, psi...@gmail.com:

Simon Bennetts

Mar 6, 2023, 4:25:17 AM3/6/23
to OWASP ZAP User Group
Thanks for letting us know!