3

I know one method is with "https://dzone.com/articles/automate-zap-security-tests-with-selenium-webdrive-1"

But are there direct commands that can scan our selenium application execution by OWASP ZAP?.

  1. Run proxied OWASP ZAP on the background.
  2. execute our independent selenium script for execution.(especially covering login ).
  3. Spidering if possible else collect the report.

I think it should be possible then a full project. Very few sites are available openly or without login.

a learner
  • 321
  • 1
  • 11

2 Answers2

5

You can user docker.

  1. Install or pull docker image -

    " docker pull owasp/zap2docker-stable "

  2. You can start the ZAP in headless mode with following command -

    " docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true "

  3. Run your Selenium tests independently but within selenium tests configure the proxy to hit port 8080 (or whichever you are using).

  4. The following command will generate report in the container -

    " docker exec $container_Id zap-cli report -o vulnerability.html -f HTML "

you can copy this report anywhere. Then stop the container and remove it.

Roop Kaur
  • 66
  • 2
0

@roop karu answer https://stackoverflow.com/a/63588382/1266040 goes good till step 3 and 4

So after installing Docker, downloading image and running ZAP:

docker pull owasp/zap2docker-stable

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true

Proxy
Then proxy can be added to Selenium or Playwright tests. Sometimes you need to run tested app on your local i.p. address like 192.168.0.125 (you will find it running ifconfig or ipconfig for Windows) to allow proxy to work.

Report.
That can be achieved by preceding to ZAP GUI reports section.
http://127.0.0.1:8080/UI/reports/.
You can check templates and choose your desired one.
http://127.0.0.1:8080/HTML/reports/view/templates/?
And finally generate report from UI or just use this address (name of report is my-report)

http://127.0.0.1:8080/JSON/reports/action/generate/?title=My%2C+Report%2CName%29&template=traditional-html&theme=&description=&contexts=&sites=&sections=&includedConfidences=&includedRisks=&reportFileName=my-report&reportFileNamePattern=&reportDir=&display=

Copy this file to local machine by running

docker cp your_docker_image_number:/home/zap/my-report.html ./my-report.html

Open report file and enjoy :D

pbaranski
  • 22,778
  • 19
  • 100
  • 117