ZAP provides automated security tests in continuous integration pipelines

Always On

API Options

ZAP stores everything in a database, which doesn't suit automated integrations with a CI pipeline, so you should use the handy -config database.recoverylog=false option, which speeds things up significantly. If you want to update add-ons to make sure that ZAP tests against the very latest attacks, use the -addonupdate option.

Face Your Daemons

The impressive API can be presented to a number of clients for all your scripting needs, including PHP, Python, Java, Node.js, .NET, and Go. You can run the API in a Docker container in -daemon mode and then expose the host port as usual. The API even provides an HTTP version that you can check and make basic queries (GET requests) against. The developers called it RESTful-ish at one point. The basic command is along these lines:

$ docker run -p 9090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0

The last line of the container output should be similar to:

73280 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:9090

I had greater success from the command line by using curl on the server itself, as opposed to using a remote web browser with the following command:

$ docker run -p 9090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config 'api.disablekey=true' -config 'api.addrs.addr.name=.*' -config 'api.addrs.addr.regex=true'

which I found on the ZAP Issues page [10].

If you get not permitted messages in your container output, then within the VNC GUI you can try using Options | Tools | API options to alter which IP addresses can connect. The preceding example allows all clients to connect, so use it with care. Figure 5 shows Curl output connecting on TCP port 8090 and the host's HTML output. The documentation mentions that you probably have the best chance of connecting to the API locally by using the 172 IP address for your container. Use the following command:

Figure 5: Using curl to query the helpful HTTP user interface offered by the API.
docker inspect CONTAINER-HASH | grep Address

to see which IP address your container has been assigned by Docker.

If you struggle with external browser access to your container because of firewalling and container port exposure, remember that command-line web browsers such as ELinks [11] are available, and although not fully functional, they are still useful in a closed, non-DMZ environment. In Debian derivatives, the command

$ apt install elinks

installs the ELinks browser. Figure 6 shows ELinks' view of the ZAP API user interface.

Figure 6: A terminal-based web browser view of the API for ease of access on the local machine.

The Client Is Always Right

If you need to make any complex changes to your configuration files, you should consider making changes like adding credentials for a login in the fully blown GUI (over VNC or otherwise) and then exporting them to a file so you can use them in the API afterward.

To install the Python client, run the pip command:

$ pip install python-owasp-zap-v2.4

Don't be too put off if a search within your distribution's package manager (e.g., Apt or Yum) for the pip package offers unusual results. My results reported in the package description that v2.4 was version 2.6, which confused me about the possibility of API versus client version incompatibilities.

After you've started a set of tests, you can return to the browser user interface that's offered by the API and enter a scanID, which then returns JSON-style output giving a percentage of the scan under the key status. Take note that the AJAX spider is different and only reports a running status, as opposed to a percentage, until it's completed.

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

SysAdmin Day 2017!

  • Happy SysAdmin Day 2017!

    Download a free gift to celebrate SysAdmin Day, a special day dedicated to system administrators around the world. The Linux Professional Institute (LPI) and Linux New Media are partnering to provide a free digital special edition for the tireless and dedicated professionals who keep the networks running: “10 Terrific Tools."

Special Edition

Newsletter

Subscribe to ADMIN Update for IT news and technical tips.

ADMIN Magazine on Twitter

Follow us on twitter