Simple command line interface for automated headless security scanning with OWASP ZAP and PhantomJS.
This script performs the following steps:
- Install PhantomJS using npm.
- Start ZAP, tell it to use PhantomJS for AJAX spidering.
- Wait until ZAP is launched.
- Start spidering, wait until complete.
- Start AJAX spidering, wait until complete.
- Start active scan, wait until complete.
- Write JSON results to disk.
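An added example, not the repository's zapcmd.py, of the spider, AJAX spider, active scan and JSON steps listed above, written against the OWASP ZAP Python API (python-owasp-zap-v2.4). The ZAP client object is passed in rather than created, so the flow can be exercised offline with a fake; it assumes a ZAPv2 instance already pointed at a running ZAP proxy and uses spider.scan/status, ajaxSpider.scan/status, ascan.scan/status and core.alerts from that client.

```python
import json
import time

def wait_until_complete(is_done, max_polls=300, interval=2.0, sleep=time.sleep):
    """Poll is_done() until it returns True; give up rather than hang a CI job.

    Returns the number of polls it took (useful for logging)."""
    for polls in range(1, max_polls + 1):
        if is_done():
            return polls
        sleep(interval)
    raise RuntimeError("ZAP did not finish within %d polls" % max_polls)

def ajax_spider_stopped(zap):
    """The AJAX spider reports 'running' / 'stopped' instead of a percentage.

    ajaxSpider.status is a property in the 2.4 client; older builds expose it
    as a method, so both shapes are accepted here (assumption)."""
    status = zap.ajaxSpider.status
    if callable(status):
        status = status()
    return status != "running"

def run_scan(zap, target, sleep=time.sleep):
    """Spider, then AJAX spider, then active scan; return ZAP's alerts for target."""
    scan_id = zap.spider.scan(target)
    wait_until_complete(lambda: int(zap.spider.status(scan_id)) >= 100, sleep=sleep)
    zap.ajaxSpider.scan(target)
    wait_until_complete(lambda: ajax_spider_stopped(zap), sleep=sleep)
    scan_id = zap.ascan.scan(target)
    wait_until_complete(lambda: int(zap.ascan.status(scan_id)) >= 100, sleep=sleep)
    return zap.core.alerts(baseurl=target)

def summarize_alerts(alerts):
    """Count alerts per ZAP risk level, e.g. {'High': 1, 'Low': 2}."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts

def write_report(alerts, target, path):
    """Write the raw alerts plus the per-risk summary to disk as JSON."""
    report = {"target": target, "summary": summarize_alerts(alerts), "alerts": alerts}
    with open(path, "w") as fh:
        json.dump(report, fh, indent=2, sort_keys=True)
    return report
```

The polling loop fails with a RuntimeError after max_polls instead of blocking a Jenkins executor forever when ZAP hangs.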
This script has been tested on OSX 10.10.4 and on Amazon Linux 2015.03. Running on Windows should work with a few minor adjustments.
Requirements:
- Python must be installed (at least version 2.7)
- OWASP ZAP must be installed (tested with ZAP 2.4.1)
- zap.sh must be in the PATH for the current user.
- npm must be installed and in the PATH (used to install PhantomJS)
Syntax:
python zapcmd.py <url-of-site-to-scan> [username] [password]
Example:
python zapcmd.py https://www.example-site-to-scan.com myUsername myPassword
You can integrate this script in a Jenkins job with the following steps:
- Make sure that Python and npm are available on your Jenkins node(s).
- (optional) Define a String parameter called TARGET_HOST to be able to choose the target host when starting the job.
- Use the Custom Tools Plugin to download and install ZAP at build time. See here for instructions.
- Create a build step 'Execute shell' that executes the script:
python ./zapcmd.py ${TARGET_HOST}
- Create a post-build action using the HTML Publisher Plugin that publishes report.html.
This repository contains two folders with packaged dependencies for ease of use.
The 'lib' folder contains the OWASP ZAP Python API. In order to support spidering sites that use self-signed SSL certificates or HTTP Basic auth, a patch to the ZAP Python API is necessary.
You can re-generate the folder and apply the patch with the following commands:
rm -rf lib && wget https://bootstrap.pypa.io/get-pip.py && mkdir lib && python get-pip.py python-owasp-zap-v2.4 -t lib && python get-pip.py urllib3 -t lib && rm get-pip.py
cat lib/zapv2/__init__.py | sed 's@import urllib@import urllib\nimport ssl@g' > lib/zapv2/__init__.py.tmp
mv lib/zapv2/__init__.py.tmp lib/zapv2/__init__.py
cat << EOF >> lib/zapv2/__init__.py

    # Appended as a method of the ZAPv2 class (the last definition in the file),
    # so it is indented like the other methods. It fetches a URL through the ZAP
    # proxy without certificate verification (self-signed certificates) and
    # answers an HTTP Basic auth challenge with the given credentials.
    def urlopenWithPassword(self, target, username, password):
        context = ssl._create_unverified_context()
        urlopener = myURLOpener(proxies=self.__proxies, context=context)
        if username:
            # Only the username is echoed; the password must not end up in build logs.
            print "Setting username/password for user: " + username
            urlopener.setpasswd(username, password)
        return urlopener.open(target).read()

# Module-level helper: FancyURLopener retries a 401 response with the stored credentials.
class myURLOpener(urllib.FancyURLopener):
    def setpasswd(self, user, passwd):
        self.__user = user
        self.__passwd = passwd

    def prompt_user_passwd(self, host, realm):
        return self.__user, self.__passwd
EOF
TODO: replace this with a proper patching mechanism.
The 'web' folder contains local copies of jQuery, Bootstrap and the jPut jQuery plugin used to render the JSON results.