
We are trying to integrate OWASP ZAP scans into our build cycle. When a new build reaches the QA team, they run an automation tool similar to Selenium, which opens a Firefox web browser on a Windows machine and runs their test cases. Being completely new to ZAP, this is what I have set up now to get the scan results from those tests regularly.

  1. Installed the ZAP tool on a Linux machine; it is running in daemon mode with an api-key on port 8080

  2. Made changes in the Firefox settings on the automation test machine so that each new Firefox profile opened by Selenium has its proxy pointed to <IP_of_ZAP_Machine:8080>.

  3. A cronjob will run every midnight that does the following in this order:

    • Collects the URLs scanned by calling the URL http://IP_of_ZAP_Machine:8080/XML/core/view/sites/?zapapiformat=XML

    • Generates a list of URLs that show the alerts for each of the 'sites' obtained in the previous step.

      Example: http://IP_of_ZAP_Machine:8080/HTML/core/view/alerts/?zapapiformat=HTML&baseurl=https%3A%2F%2Fwww.example.com&start=&count= for the results of scan on https://www.example.com

    • Downloads the scan results in HTML format by calling all the URLs from the above step and putting all the HTMLs in a ZIP file.

    • Emails the ZIP file to my team.

    • Loads a new session so that the results e-mailed next midnight will contain results only from the previous midnight. The new session is loaded using the URL http://IP_of_ZAP_Machine:8080/JSON/core/action/newSession/?zapapiformat=JSON&apikey=<my_api_key>&name=${newsessionname}&overwrite=

While I am getting the scan results as expected every day, the question is: Am I doing it right? Is there a more correct or established way of doing this?

Note: Results from all the steps are logged into a log file for future verification.

Sreeraj
  • Why not bypass Selenium/Firefox and use Zap from cmdline or via python? https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline / https://www.morethanseven.net/2014/06/23/using-owasp-zap-from-the-command-line/ / https://pypi.python.org/pypi/zapcli – Ed Daniel Apr 10 '17 at 11:45
  • Thanks @EdDaniel, the links are definitely helpful. I will look into them and see if we can use them. – Sreeraj Apr 10 '17 at 12:25
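
The five cron steps described in the question can be a single script against the ZAP API. What follows is an added example written for this page; it is neither the asker's cron job nor code from the ZAP project. It assumes a ZAP hostname (zap.example.internal), an SMTP relay and mailbox addresses, and uses the JSON flavour of the same endpoints the question uses (core/view/sites, core/view/alerts, core/action/newSession). The key is sent in the X-ZAP-API-Key header, which ZAP accepts as an alternative to the apikey query parameter, so it does not end up in proxy or web-server logs; it is sent on every call because newer ZAP releases require the key for views as well as actions. The network call is isolated in one function so the rest can be exercised offline with constructed responses.

```python
"""Nightly ZAP report job (added example, not the asker's script or ZAP code)."""
import datetime
import io
import json
import smtplib
import zipfile
from collections import Counter
from email.message import EmailMessage
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ZAP_HOST = "zap.example.internal"   # assumption: hostname of the ZAP machine
ZAP_PORT = 8080                     # port from the question
ZAP_API_KEY = "replace-me"          # assumption: the daemon's api-key
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk labels


def api_url(component, kind, name, params=None):
    """Build http://host:port/JSON/<component>/<kind>/<name>/?... for the ZAP API."""
    query = {"zapapiformat": "JSON", **(params or {})}
    return "http://%s:%d/JSON/%s/%s/%s/?%s" % (
        ZAP_HOST, ZAP_PORT, component, kind, name, urlencode(query))


def zap_get(url):
    """GET one API URL and decode the JSON body. The key travels in the
    X-ZAP-API-Key header rather than the query string."""
    req = Request(url, headers={"X-ZAP-API-Key": ZAP_API_KEY})
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def list_sites(fetch=zap_get):
    """Step 1: the sites ZAP has proxied since the current session started."""
    return fetch(api_url("core", "view", "sites"))["sites"]


def alerts_for(site, fetch=zap_get):
    """Step 2: every alert for one site (empty start/count means no paging)."""
    params = {"baseurl": site, "start": "", "count": ""}
    return fetch(api_url("core", "view", "alerts", params))["alerts"]


def collect_reports(fetch=zap_get):
    """Steps 1-3: one alert list per site, keyed by site URL."""
    return {site: alerts_for(site, fetch) for site in list_sites(fetch)}


def summarize(alerts):
    """Count alerts per risk and name the worst, for the mail subject or a build gate."""
    counts = Counter(a.get("risk", "Informational") for a in alerts)

    def rank(risk):
        return RISK_ORDER.index(risk) if risk in RISK_ORDER else -1

    return {"counts": dict(counts), "worst": max(counts, key=rank, default=None)}


def report_name(site):
    """Turn a site URL into a ZIP member name without path separators."""
    return site.replace("://", "_").replace("/", "_") + ".json"


def build_zip(reports):
    """Step 3: pack the per-site reports into an in-memory ZIP; returns the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for site, alerts in reports.items():
            zf.writestr(report_name(site), json.dumps(alerts, indent=2))
    return buf.getvalue()


def send_report(zip_bytes, summary, sender, recipients, smtp_host):
    """Step 4: e-mail the ZIP; the subject carries the risk counts."""
    msg = EmailMessage()
    msg["Subject"] = "ZAP nightly report: worst risk %s, %s" % (
        summary["worst"], summary["counts"])
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content("Attached: per-site ZAP alerts from the last 24 hours.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="zap-alerts.zip")
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


def start_new_session(name, fetch=zap_get):
    """Step 5: reset ZAP so tomorrow's mail only holds tomorrow's traffic."""
    params = {"name": name, "overwrite": "true"}
    return fetch(api_url("core", "action", "newSession", params))


if __name__ == "__main__":
    reports = collect_reports()
    summary = summarize([a for alerts in reports.values() for a in alerts])
    # assumed addresses and relay
    send_report(build_zip(reports), summary, "zap@example.com",
                ["qa-team@example.com"], "smtp.example.internal")
    start_new_session("nightly-" + datetime.date.today().isoformat())
```

Because summarize() returns the worst risk seen, the same job can exit non-zero when that value is "High" and fail the pipeline instead of only mailing a ZIP. The session is only reset after the mail has gone out, so a failed SMTP delivery does not silently discard a night of results.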

2 Answers


Is it working for you? If so then yes, you are probably doing it right ;) ZAP is a very flexible tool and many people use it in different ways. One question - are you restarting the ZAP instance, e.g. for each scan or after a period of time? If not you may run into issues, as ZAP is not really designed to be run as a long-running process. We are working to change that, but we're not there yet.

Simon Bennetts
  • Glad to hear from your @Simon Bennetts:) We are not restarting ZAP as of now. The current ZAP instance has been up for 4 days now. What is the recommended frequency of restarts? – Sreeraj Apr 10 '17 at 12:27
  • I've just had a chat with one of the other core team and they have done more testing on this than I have :) As long as you are starting a new ZAP session before each scan you may well be ok. Personally I'd like you to _not_ restart it at all and then see how long it stays up for :D And let me know of course ;) It would be worth checking the size of the ZAP process every so often, at least to start with. Or you could just restart it once a week (for example) if you want to play it safe. – Simon Bennetts Apr 10 '17 at 13:12

There is also a ZAP plugin for Jenkins that works nicely for the kind of automated testing you are trying to do.