简体繁体 English

OWASP ZAP：持续集成中的活动扫描仪

[英]OWASP ZAP: Active Scanner in Continuos Integration

原文 2016-01-07 14:12:06 7 1 java/ rest/ security/ owasp/ zap

Trying to use ZAP (2.4.3) in a continuos integration (CI) setting. 尝试在持续集成（CI）设置中使用ZAP（2.4.3）。 I can run ZAP as a daemon, run all my Selenium tests (in Java) by using ZAP as a proxy, and then being able to use the REST api calling htmlreport to get a final report of the Passive Scanner. 我可以将ZAP作为守护程序运行，通过使用ZAP作为代理来运行我的所有Selenium测试（在Java中），然后能够使用REST API调用htmlreport以获得被动扫描程序的最终报告。 This works fine, but I would like to also use the Active Scanner. 这工作正常，但我也想使用活动扫描仪。

Using the Active Scanner in CI is mentioned several times in ZAP's documentation, but haven't found any working example or tutorial about it... does any exist? ZAP的文档中多次提到在CI中使用Active Scanner，但尚未找到任何可行的示例或相关教程...是否存在？

What I would like to achieve is something like: Run Active Scanner on all the pages visited by the Selenium regression suite, once it is finished to run. 我要实现的目标是： 完成Selenium回归套件访问的所有页面上运行Active Scanner。

Trying to look at ZAP's REST api, but is mostly undocumented: 试图看一下ZAP的REST api，但是大部分没有记载：

https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index

Ideally, it would be great to have something like: 理想情况下，具有以下内容将是很棒的：

Start Active Scan asynchronously on all visited urls 在所有访问的URL上异步启动Active Scan
Poll to check if Active Scan run is completed 轮询以检查Active Scan运行是否完成

In the REST api it seems there is something related, but: 在REST API中，似乎有一些相关的内容，但是：

ascan/scan needs an url as input. ascan/scan需要一个URL作为输入。 Could call core/urls to see what the Selenium tests have visited, but then how to set the right authentication (logging credential)? 可以调用core/urls来查看Selenium测试访问了什么，但是然后如何设置正确的身份验证（记录凭据）？ What if the order in which the urls are visited is important? 如果访问网址的顺序很重要怎么办？ What if a page is only accessable with a specific credential? 如果只能使用特定的凭证访问页面怎么办？
there is an ascan/scanAsUser , but it is unclear how contextId and userId can be retrieved from ZAP. 这里有一个ascan/scanAsUser ，但是还不清楚如何从ZAP检索contextId和userId 。 A cumbersome workaround would be to modify the Selenium tests to write on disk the urls they visit and which logging/password credentials they are using, and then, once all tests are finished, to read from disk such info to call ZAP. 一个麻烦的解决方法是修改Selenium测试以在磁盘上写入他们访问的url以及他们正在使用的日志记录/密码凭据，然后在所有测试完成后从磁盘读取此类信息以调用ZAP。 Is there any simpler way? 有没有更简单的方法？

1 个解决方案

OK, so theres a lot of questions here:) 好，所以这里有很多问题：）

ZAP typically scans hierarchies of URLs, eg everything under https://www.example.com/app the top level url of your application. ZAP通常会扫描URL的层次结构，例如https://www.example.com/app下的所有内容都是应用程序的顶级URL。 We kind of assume you know what that will be ;) 我们有点假设您知道那会是什么;）

Authentication is non trivial to handle, see https://github.com/zaproxy/zaproxy/wiki/FAQformauth 身份验证不容易处理，请参阅https://github.com/zaproxy/zaproxy/wiki/FAQformauth

The ascan/status call returns the completed % ascan / status调用返回已完成的％

You may find the ZAP User Group http://groups.google.com/group/zaproxy-users better for these sort of questions. 对于此类问题，您可能会发现ZAP用户组http://groups.google.com/group/zaproxy-users更好。 But yes, we do need to improve the API documentation :/ 但是，是的，我们确实需要改进API文档：/

Cheers, 干杯，

Simon (ZAP Project Lead) Simon（ZAP项目负责人）