ZAP - automated testing notes
Notes from Simon Bennetts' talk and slides.
Starting a headless scan in ZAP
docker pull owasp/zap2docker-weekly
docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://xxx.xxx.xxx.xxx
Using the ZAP API
From a browser
Point the browser at the proxy address (the API UI is served on the same port), e.g. http://localhost:8081
From python
pip install python-owasp-zap-v2.4
from zapv2 import ZAPv2

# Tell the client where ZAP is listening; ZAP's proxy and its API share one port
zap = ZAPv2(proxies={
    'http': 'http://localhost:8081',
    'https': 'http://localhost:8081'
})
target = 'http://localhost:8080/bodgeit/'   # the app under test, fetched through ZAP
zap.urlopen(target)
Exploring
- Use the Selenium unit tests as these will be a comprehensive map of the application.
- Use the spider
- Use the Ajax spider to click on things
Spidering from python
import time
from zapv2 import ZAPv2

API_KEY = ''   # empty only if the API key is disabled; otherwise the key ZAP was started with
zap = ZAPv2(proxies={
    'http': 'http://localhost:8081',
    'https': 'http://localhost:8081'
})
zap.spider.scan('http://localhost:8080/bodgeit/', apikey=API_KEY)
time.sleep(1)   # give the spider a moment to register before polling
while int(zap.spider.status()) < 100:
    print("Spider progress = {}%".format(zap.spider.status()))
    time.sleep(1)
print("Spider completed")
for url in zap.core.urls:   # everything the spider (and the proxy) has seen
    print(url)
Running an active scan
print("*** Performing active scan ***")
zap.ascan.scan('http://localhost:8080/bodgeit/', apikey=API_KEY)
while int(zap.ascan.status()) < 100:
    print("Active scan progress = {}%".format(zap.ascan.status()))
    time.sleep(5)   # active scans take much longer than spidering, so poll less often
print("Active scan completed\n")
Reporting
# HTML
with open('report.html', 'w') as f:
    f.write(zap.core.htmlreport())
# XML
with open('report.xml', 'w') as f:
    f.write(zap.core.xmlreport())
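To make the XML report useful in a pipeline, here is an added example (not from the talk or the ZAP project) that parses the traditional report layout (alertitem with riskcode, confidence and instances, as produced by zap.core.xmlreport()) and fails the run when a finding reaches a chosen risk level. The report text is a constructed sample; in practice you would pass the string written to report.xml above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of ZAP's traditional XML report (not real scan output).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.7.0" generated="constructed">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid><name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode><confidence>2</confidence>
        <instances><instance><uri>http://localhost:8080/bodgeit/search.jsp?q=x</uri><method>GET</method><param>q</param></instance></instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid><name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode><confidence>2</confidence>
        <instances><instance><uri>http://localhost:8080/bodgeit/</uri><method>GET</method><param></param></instance></instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def parse_alerts(xml_text):
    """Flatten every <alertitem> into one dict per affected instance (URI + parameter)."""
    findings = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        risk = int(item.findtext("riskcode", "0"))          # 0 info .. 3 high
        confidence = int(item.findtext("confidence", "0"))  # 0 false positive .. 3 high
        for inst in item.iter("instance"):
            findings.append({"pluginid": item.findtext("pluginid"), "name": item.findtext("name"),
                             "risk": risk, "confidence": confidence,
                             "uri": inst.findtext("uri"), "param": inst.findtext("param") or ""})
    return findings

def gate(xml_text, fail_at=2, min_confidence=1):
    """Return (passed, blocking): blocking holds findings at or above fail_at risk,
    ignoring anything ZAP itself marked as a false positive (confidence 0)."""
    blocking = [f for f in parse_alerts(xml_text)
                if f["risk"] >= fail_at and f["confidence"] >= min_confidence]
    return len(blocking) == 0, blocking

if __name__ == "__main__":
    ok, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print("{}: {} at {} (param '{}')".format(RISK_NAMES[f["risk"]], f["name"], f["uri"], f["param"]))
    raise SystemExit(0 if ok else 1)   # non-zero exit fails the CI job
```

Raise fail_at to 3 for a noisy application while it is being cleaned up, and lower it once the medium findings are under control.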
ZAP shutdown
zap.core.shutdown(apikey=API_KEY)
Authentication
- Log in to the app (proxied via ZAP)
- Right-click the web app in Sites --> Include in context --> new context --> OK
- Right-click the logon transaction in History --> Flag as context (may need to map the fields properly and then set the correct user ID and password fields on the "Users" page)
- In the login response, find something that indicates logon was successful (e.g. User: test@test.com) --> Right-click --> Flag as context --> Logged-in indicator
- Log out of the web app
- In the toolbar, click "Forced user mode"
- In the spider and scan, you can specify the context and the user
Using authentication in automation
- Export the context (button at the top of the site list), then import it from the script before spidering or scanning:
zap.context.import_context('bodgeit.context', apikey=API_KEY)