poc-go-zap

Playing around with OWASP ZAP automation using zaproxy/zap-api-go.

Usage

docker-compose up -d
go run *.go

The ZAP proxy is available at:

ZAP Baseline Scan

This will run the baseline scan as configured in docker-compose-run.yml:

./run-zapbaseline.sh http://example.com/

The results are written out to ./reports/. You can use jq to extract information from the JSON output, for example the name and risk of every alert (the -r flag prints raw strings instead of JSON-quoted ones, so the tab renders):

jq -r '.site.alerts[] | "\(.name) \t[\(.riskdesc)]"' ./reports/zap-baseline-example.com.json
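Beyond the one-liner, a CI job usually needs the baseline output turned into a pass/fail decision. The following Go program is an added example and not part of this repository: it parses a ZAP JSON report, accepts `site` either as a single object (the shape the jq filter above assumes) or as an array (what newer ZAP releases write), and exits non-zero when any alert at or above a chosen risk is present. The field names it relies on (`riskcode`, `riskdesc`, `instances`, `@name`) are those of ZAP's traditional JSON report; the embedded report is constructed sample data, not real scan output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strconv"
)

// Alert is the subset of a ZAP JSON report alert that a gate needs.
type Alert struct {
	Name      string `json:"name"`
	RiskCode  string `json:"riskcode"` // "0" Informational, "1" Low, "2" Medium, "3" High
	RiskDesc  string `json:"riskdesc"` // e.g. "Medium (High)": risk, then confidence
	Instances []struct{ URI, Method string } `json:"instances"`
}

// Site is one scanned site. Sites accepts "site" as a single object (the shape the jq
// command above assumes) or as an array (what newer ZAP releases write).
type Site struct {
	Name   string  `json:"@name"`
	Alerts []Alert `json:"alerts"`
}

type Sites []Site

func (s *Sites) UnmarshalJSON(b []byte) error {
	var many []Site
	if err := json.Unmarshal(b, &many); err == nil {
		*s = many
		return nil
	}
	var one Site
	if err := json.Unmarshal(b, &one); err != nil {
		return fmt.Errorf("site: neither object nor array: %w", err)
	}
	*s = Sites{one}
	return nil
}

// ParseReport reads a ZAP JSON report and returns its sites.
func ParseReport(b []byte) (Sites, error) {
	var r struct{ Site Sites `json:"site"` }
	if err := json.Unmarshal(b, &r); err != nil {
		return nil, fmt.Errorf("zap report: %w", err)
	}
	return r.Site, nil
}

// Gate returns every alert at or above minRisk across all sites, highest risk first. An alert
// whose riskcode is not a number is included too, so a malformed report cannot pass silently.
func Gate(sites Sites, minRisk int) []Alert {
	var failing []Alert
	for _, site := range sites {
		for _, a := range site.Alerts {
			if risk, err := strconv.Atoi(a.RiskCode); err != nil || risk >= minRisk {
				failing = append(failing, a)
			}
		}
	}
	// riskcode is a single digit, so a string comparison orders it correctly.
	sort.SliceStable(failing, func(i, j int) bool { return failing[i].RiskCode > failing[j].RiskCode })
	return failing
}

// sampleReport is a constructed, abbreviated report in the traditional ZAP JSON layout (not real scan output).
const sampleReport = `{"@version":"2.9.0","site":[{"@name":"http://bodgeit:8080","alerts":[
 {"pluginid":"10021","name":"X-Content-Type-Options Header Missing","riskcode":"1","riskdesc":"Low (Medium)",
  "instances":[{"uri":"http://bodgeit:8080/bodgeit/","method":"GET"},{"uri":"http://bodgeit:8080/bodgeit/login.jsp","method":"GET"}]},
 {"pluginid":"10020","name":"X-Frame-Options Header Not Set","riskcode":"2","riskdesc":"Medium (Medium)",
  "instances":[{"uri":"http://bodgeit:8080/bodgeit/","method":"GET"}]}]}]}`

// main gates the report named on the command line (or the constructed sample) at Medium and above.
func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	sites, err := ParseReport(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	failing := Gate(sites, 2)
	for _, a := range failing {
		fmt.Printf("%-16s %s on %d URL(s)\n", a.RiskDesc, a.Name, len(a.Instances))
	}
	if len(failing) > 0 {
		os.Exit(1) // non-zero exit so a CI job fails on findings at or above the threshold
	}
}
```

Run it as `go run gate.go ./reports/zap-baseline-example.com.json` (the file name `gate.go` is arbitrary). The gate deliberately fails closed: an alert whose riskcode is missing or not numeric counts as a finding rather than being skipped.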

Web UI

If you want to use the ZAP WebSwing UI, you will have to:

  • Change the zaproxy service in the `docker-compose.yml` file to use the `owasp/zap2docker-stable` image
  • Change the zaproxy command to call `zap-webswing.sh`

Once everything is started up, you can then access the UI at:

Note: Enabling the WebSwing UI appears to disable the normal proxy port, and with it the API. The zap-webswing.sh run script also does not appear to pass command-line arguments through to ZAP itself.

Hackables

Potential Issues

  • Scan the hackables using their docker-compose service name and internal port, because the target URL is resolved from inside the ZAP container, e.g.
    • http://bodgeit:8080/bodgeit/
    • http://juiceshop:3000
  • The zaproxy container logs show the error 'URL Not Found in the Scan Tree'
    • ZAP only active-scans URLs that are already in its site tree, so access (proxy) or spider the URL before scanning it.
    • You may have tried to scan a 127.0.0.1 URL, which from inside the ZAP container refers to the container itself, not to your machine.
  • main.go produces an error such as spider error: invalid character '<' looking for beginning of value
    • The API call received HTML rather than JSON. You are probably running the WebSwing UI image, which seems to break the API (see the note under Web UI).
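Putting the Usage steps and the notes above together, here is an added example of driving ZAP in the order it expects. It is not the repository's main.go and does not use zaproxy/zap-api-go; it talks to the same `/JSON/<component>/<action|view>/<name>/` endpoints directly with net/http. It assumes the API is reachable at http://127.0.0.1:8080 (the proxy port; adjust to whatever docker-compose.yml publishes) and that the API key is either disabled or supplied in `APIKey`. The two failures listed above surface as distinct errors: ZAP's `url_not_found` body when the active scan targets a URL that was never spidered, and a non-JSON reply when something other than the API (such as the WebSwing UI) answers on the port.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// ZAP is a minimal client for the JSON API that ZAP serves on its proxy port.
type ZAP struct {
	Base   string // e.g. http://127.0.0.1:8080 (assumed; use the port docker-compose.yml publishes)
	APIKey string // may stay empty when ZAP runs with -config api.disablekey=true
	HTTP   *http.Client
}

// APIError carries ZAP's own error body, e.g. code "url_not_found", message "URL Not Found in the Scan Tree".
type APIError struct {
	Status  int
	Code    string `json:"code"`
	Message string `json:"message"`
}

func (e *APIError) Error() string { return fmt.Sprintf("zap api: HTTP %d %s: %s", e.Status, e.Code, e.Message) }

// call GETs /JSON/<component>/<kind>/<name>/?<params> and decodes the JSON reply into out.
func (z *ZAP) call(component, kind, name string, params url.Values, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/JSON/%s/%s/%s/?%s", z.Base, component, kind, name, params.Encode()), nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-ZAP-API-Key", z.APIKey) // ZAP ignores the header when its key check is disabled
	resp, err := z.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		apiErr := &APIError{Status: resp.StatusCode}
		_ = json.NewDecoder(resp.Body).Decode(apiErr) // body may not be JSON; the status is kept either way
		return apiErr
	}
	if err := json.NewDecoder(resp.Body).Decode(out); err != nil {
		// HTML here ("invalid character '<' ...") means something other than the API, e.g. the WebSwing UI, answered.
		return fmt.Errorf("%s/%s/%s: non-JSON reply from ZAP: %w", component, kind, name, err)
	}
	return nil
}

// StartScan starts a "spider" or "ascan" (active scan) of target and returns the scan id.
func (z *ZAP) StartScan(component, target string) (string, error) {
	var r map[string]string // reply is {"scan":"<id>"}
	err := z.call(component, "action", "scan", url.Values{"url": {target}, "recurse": {"true"}}, &r)
	return r["scan"], err
}

// WaitScan polls the scan's status view until ZAP reports 100 %.
func (z *ZAP) WaitScan(component, id string, poll time.Duration) error {
	for {
		var r map[string]string // reply is {"status":"<percent>"}
		if err := z.call(component, "view", "status", url.Values{"scanId": {id}}, &r); err != nil {
			return err
		}
		if r["status"] == "100" {
			return nil
		}
		time.Sleep(poll)
	}
}

// Alert holds the core/view/alerts fields used here; encoding/json matches the lower-case keys.
type Alert struct{ Name, Risk, URL string }

// Alerts returns every alert ZAP holds for URLs under target.
func (z *ZAP) Alerts(target string) ([]Alert, error) {
	var r struct{ Alerts []Alert }
	err := z.call("core", "view", "alerts", url.Values{"baseurl": {target}}, &r)
	return r.Alerts, err
}

// SpiderAndScan does the steps in the order ZAP requires: spider the target so it is in the
// scan tree, active-scan it, then collect alerts. Active-scanning first fails with url_not_found.
func (z *ZAP) SpiderAndScan(target string, poll time.Duration) ([]Alert, error) {
	for _, component := range []string{"spider", "ascan"} {
		id, err := z.StartScan(component, target)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", component, err)
		}
		if err := z.WaitScan(component, id, poll); err != nil {
			return nil, fmt.Errorf("%s: %w", component, err)
		}
	}
	return z.Alerts(target)
}
```

From main.go this is used as `z := &ZAP{Base: "http://127.0.0.1:8080", HTTP: http.DefaultClient}` followed by `alerts, err := z.SpiderAndScan("http://bodgeit:8080/bodgeit/", 2*time.Second)`, with the target given as the compose service name and internal port. Calling `z.StartScan("ascan", ...)` on a URL that has not been spidered returns an `*APIError` whose `Code` is `url_not_found`, which is the same condition the container log reports as 'URL Not Found in the Scan Tree'.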