Notes from Simon Bennetts' talk and slides.

Starting a headless scan in ZAP

docker pull owasp/zap2docker-weekly
docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://xxx.xxx.xxx.xxx

Using the ZAP API

From a browser

Point the browser at the ZAP proxy, e.g. http://localhost:8081

From python

pip install python-owasp-zap-v2.4

from zapv2 import ZAPv2

# Default client: talks to a ZAP instance listening on localhost:8080
zap = ZAPv2()

# Or point the client at a ZAP instance on another port
zap = ZAPv2(proxies={
    'http': 'http://localhost:8081',
    'https': 'http://localhost:8081'
})

# Open the target through ZAP so it shows up in the Sites tree
target = 'http://localhost:8080/bodgeit/'
zap.urlopen(target)

Exploring

  • Use the Selenium unit tests as these will be a comprehensive map of the application.
  • Use the spider
  • Use the Ajax spider to click on things

Spidering from python

import time

from zapv2 import ZAPv2

API_KEY = ''

zap = ZAPv2(proxies={
    'http': 'http://localhost:8081',
    'https': 'http://localhost:8081'
})

# scan() returns the id of the new spider scan; use it to poll progress
scan_id = zap.spider.scan('http://localhost:8080/bodgeit/', apikey=API_KEY)

time.sleep(1)

while int(zap.spider.status(scan_id)) < 100:
    print("Spider progress = {}%".format(zap.spider.status(scan_id)))
    time.sleep(1)

print("Spider completed")

# urls() is a method on the core API, not an attribute
for url in zap.core.urls():
    print(url)

Running an active scan

print("*** Performing active scan ***")

scan_id = zap.ascan.scan('http://localhost:8080/bodgeit/', apikey=API_KEY)

while int(zap.ascan.status(scan_id)) < 100:
    print("Active scan progress = {}%".format(zap.ascan.status(scan_id)))
    time.sleep(5)

print("Active scan completed\n")

Reporting

# HTML

with open('report.html', 'w') as f:
    f.write(zap.core.htmlreport())

# XML

with open('report.xml', 'w') as f:
    f.write(zap.core.xmlreport())

ZAP shutdown

zap.core.shutdown(apikey=API_KEY)
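Pulling the spider, active scan and reporting steps above into a single CI-style gate, as an added example (not code from the talk): the scan runs through a ZAP instance on localhost:8081 as in the notes, and the build fails when any alert at or above a chosen risk level is reported. The alert dicts used to exercise the gate are a constructed sample in the shape returned by zap.core.alerts(), not output of any scan.

```python
import time
from collections import Counter

RISK_ORDER = {'Informational': 0, 'Low': 1, 'Medium': 2, 'High': 3}

# Constructed sample in the shape returned by zap.core.alerts(); not real scan output.
SAMPLE_ALERTS = [
    {'alert': 'Cross Site Scripting (Reflected)', 'risk': 'High',
     'url': 'http://localhost:8080/bodgeit/search.jsp?q=x'},
    {'alert': 'X-Frame-Options Header Not Set', 'risk': 'Medium',
     'url': 'http://localhost:8080/bodgeit/'},
    {'alert': 'Cookie Without HttpOnly Flag', 'risk': 'Low',
     'url': 'http://localhost:8080/bodgeit/login.jsp'},
]


def summarise_alerts(alerts, fail_on='High'):
    """Return (count per risk level, alerts at or above the fail_on level)."""
    counts = Counter(a['risk'] for a in alerts)
    threshold = RISK_ORDER[fail_on]
    failing = [a for a in alerts if RISK_ORDER.get(a['risk'], 0) >= threshold]
    return dict(counts), failing


def build_passes(alerts, fail_on='High'):
    """True when nothing at or above fail_on was reported."""
    return not summarise_alerts(alerts, fail_on)[1]


def scan_and_gate(target, api_key='', proxy='http://localhost:8081', fail_on='High'):
    """Spider, active-scan and gate a target through a running ZAP (needs ZAP up)."""
    from zapv2 import ZAPv2  # imported here so the gate logic works without ZAP installed
    zap = ZAPv2(proxies={'http': proxy, 'https': proxy})
    zap.urlopen(target)                        # seed the Sites tree, as in the notes
    scan_id = zap.spider.scan(target, apikey=api_key)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(1)
    scan_id = zap.ascan.scan(target, apikey=api_key)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    alerts = zap.core.alerts(baseurl=target)   # list of dicts with 'risk', 'alert', 'url'
    counts, failing = summarise_alerts(alerts, fail_on)
    for a in failing:
        print('{risk:<6} {alert}: {url}'.format(**a))
    print('Alert counts:', counts)
    return not failing


if __name__ == '__main__':
    import sys
    sys.exit(0 if scan_and_gate('http://localhost:8080/bodgeit/') else 1)
```

Run it with the proxy and API key from the notes; the exit code makes it usable as a pipeline step.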

Authentication

  • Log in to the app (proxied via ZAP)
  • Right-click the web app in the Sites tree --> Include in Context --> New context --> OK
  • Right-click the logon transaction in the History tab --> Flag as Context (you may need to map the form fields properly and then set the correct user ID and password fields in the "Users" page)
  • In the login response, find something that indicates the logon was successful (e.g. "User: test@test.com") --> Right-click --> Flag as Context --> Logged-in indicator
  • Log out of the web app
  • In the toolbar, click "Forced User Mode"
  • In the spider and scan dialogs you can specify the context and the user

Using authentication in automation

  • Export the context (button at the top of the site list)
  • Import it from Python before spidering or scanning:

zap.context.import_context('bodgeit.context', apikey=API_KEY)