Playing around with OWASP ZAP automation using zaproxy/zap-api-go.
```sh
docker-compose up -d
go run *.go
```
The ZAP proxy is available at:
This will run the baseline scan as configured in `docker-compose-run.yml`:

```sh
./run-zapbaseline.sh http://example.com/
```
The results are written out to `./reports/`. You can use jq to extract various information from the JSON output:

```sh
jq '.site.alerts[] | "\(.name) \t[\(.riskdesc)]"' ./reports/zap-baseline-example.com.json
```
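The same extraction done in Go, so the report can gate a pipeline instead of just being eyeballed. This is an added example, not code from this repo or from zap-api-go; the field names (`name`, `riskdesc`, `riskcode`) are the ones ZAP writes in its JSON report, the sample report is constructed, and the parser also accepts `site` as an array (multi-site reports), which the jq one-liner above does not.

```go
package main
import "bytes"
import "encoding/json"
import "fmt"
// Alert holds the fields the jq query above uses, plus riskcode (0 info .. 3 high; a quoted number in ZAP's JSON).
type Alert struct {
	Name     string `json:"name"`
	RiskDesc string `json:"riskdesc"`
	RiskCode int    `json:"riskcode,string"`
}
type Site struct{ Alerts []Alert `json:"alerts"` }
// Report accepts "site" as a single object (what the jq above assumes) or as an array (several sites).
type Report struct{ Sites []Site }
func (r *Report) UnmarshalJSON(b []byte) error {
	var raw struct{ Site json.RawMessage `json:"site"` }
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	site := bytes.TrimSpace(raw.Site)
	if len(site) > 0 && site[0] == '{' { // single site: wrap it in a one-element array
		site = append(append([]byte{'['}, site...), ']')
	}
	return json.Unmarshal(site, &r.Sites)
}
// MaxRisk returns the highest riskcode in the report, or -1 if it has no alerts.
func (r Report) MaxRisk() int {
	top := -1
	for _, s := range r.Sites {
		for _, a := range s.Alerts {
			if a.RiskCode > top {
				top = a.RiskCode
			}
		}
	}
	return top
}
// Constructed sample in the shape of ./reports/zap-baseline-example.com.json.
const sample = `{"site":{"@name":"http://example.com","alerts":[{"name":"X-Frame-Options Header Not Set",
"riskcode":"2","riskdesc":"Medium (Medium)"},{"name":"Server Leaks Version Information","riskcode":"1","riskdesc":"Low (High)"}]}}`
func main() {
	var r Report
	if err := json.Unmarshal([]byte(sample), &r); err != nil {
		panic(err)
	}
	for _, a := range r.Sites[0].Alerts {
		fmt.Printf("%s \t[%s]\n", a.Name, a.RiskDesc) // same output as the jq one-liner above
	}
	fmt.Println("max risk:", r.MaxRisk()) // prints 2; a CI step could fail the build on >= 3 (High)
}
```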
If you want to use the ZAP WebSwing UI, you will have to:

- Change the `zaproxy` service in the `docker-compose.yml` file to use the `owasp/zap2docker-stable` image
- Change the `zaproxy` command to call `zap-webswing.sh`
Once everything is started up, you can then access the UI at:
Note: It seems that enabling this will break any 'normal' port/proxy capability, including the API. It also seems as though the run script for this doesn't allow command line arguments to be passed to the proxy itself.
- BodgeIt Store: http://127.0.0.1:8081/bodgeit/
- OWASP Juice Shop: http://127.0.0.1:8082/
- You can scan the hackables using their docker-compose service name and internal port (as this is from the perspective of the ZAP container), e.g. `http://bodgeit:8080/bodgeit/` or `http://juiceshop:3000`
- `zaproxy` container logs show the error 'URL Not Found in the Scan Tree'
  - You need to access/spider a URL before you can scan it.
  - You may have tried to scan a `127.0.0.1` URL, which is going to reference the ZAP container, not the local machine.
- `main.go` produces an error such as `spider error: invalid character '<' looking for beginning of value`
  - You're probably running the WebUI version, which seems incompatible with the API.