Automating the ZAP Scanner
I normally use BurpSuite when doing web app penetration tests, but recently I've been trying out the Zed Attack Proxy and quite like it. Using some fancy python, I ran run a scan of an application using ZAP
without putting traffic through it and opening up the application trough the proxy. Note: An application penetration is not just running tools and writing up the report, our tools help us see the lay of the land, but it takes a human to go in and poke around.
Setup
Daemon
First we need to launch ZAP
, if on a unix system you can run a headless server like so.
/path/to/zaproxy/installation/zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.key=123456789 -config api.addrs.addr.name=".*" -config api.addrs.addr.regex=true
Any option could be reconfigured to meet your needs, in this example ZAP
will accept any connection.
Client
Using the following python
script, a scan of the application will take place, and you'll receive a .xml
and .html
report of the findings.
import sys import time import urllib3 from pprint import pprint from zapv2 import ZAPv2 urllib3.disable_warnings() apikey= '123456789' app = 'http://scanme.nmap.org/' proxylocation = 'http://127.0.0.1:8080' zap = ZAPv2(apikey=apikey, proxies={'http': proxylocation, 'https': proxylocation}) print '[+] Accessing app %s' % app zap.urlopen(app) time.sleep(2) print '[+] Spidering app %s' % app scanid = zap.spider.scan(app) time.sleep(2) while (int(zap.spider.status(scanid)) < 100): sys.stdout.write('[+] Spider progress: '+zap.spider.status(scanid)+'%\r') sys.stdout.flush() time.sleep(2) print '\n[+] Spider completed' time.sleep(5) print '[+] Scanning app %s' % app scanid = zap.ascan.scan(app) while (int(zap.ascan.status(scanid)) < 100): sys.stdout.write('[+] Scan progress: '+ zap.ascan.status(scanid)+'%\r') sys.stdout.flush() time.sleep(5) print '\n[+] Scan completed' f = open(zap.core.hosts[0]+'-xmlreport.xml','w') f2 = open(zap.core.hosts[0]+'-htmlreport.html','w') f.write(zap.core.xmlreport(apikey=apikey)) f2.write(zap.core.htmlreport(apikey=apikey)) f.close() f2.close() print '[+] wrote resutls to '+zap.core.hosts[0]+'-xmlreport.xml' print '[+] wrote results to '+zap.core.hosts[0]+'-htmlreport.html' zap.core.delete_all_alerts(apikey=apikey) zap.core.delete_site_node(app,apikey=apikey)
[+] Accessing app http://scanme.nmap.org/ [+] Spidering app http://scanme.nmap.org/ [+] Scanning app http://scanme.nmap.org/ [+] Scan progress: 0% [+] Scan completed [+] Scan progress: 3% [+] Scan completed [+] Scan progress: 5% [+] Scan completed [+] Scan progress: 9% [+] Scan completed [+] Scan progress: 15% [+] Scan completed [+] Scan progress: 26% [+] Scan completed [+] Scan progress: 42% [+] Scan completed [+] Scan progress: 45% [+] Scan completed [+] Scan progress: 46% [+] Scan completed [+] Scan progress: 52% [+] Scan completed [+] Scan progress: 55% [+] Scan completed [+] Scan progress: 57% [+] Scan completed [+] Scan progress: 58% [+] Scan completed [+] Scan progress: 68% [+] Scan completed [+] Scan progress: 79% [+] Scan completed [+] Scan progress: 87% [+] Scan completed [+] Scan progress: 93% [+] Scan completed [+] wrote resutls to scanme.nmap.org-xmlreport.xml [+] wrote results to scanme.nmap.org-htmlreport.html
Results
The results output to a .xml
and a .html
file that you can parse or view.
file ./scanme.nmap.org*
./scanme.nmap.org-htmlreport.html: HTML document, ASCII text, with very long lines ./scanme.nmap.org-xmlreport.xml: XML 1.0 document, ASCII text, with very long lines, with CRLF, LF line terminators