Example of a working OWASP Zap script with authenticated scan using API

Can someone please show a script that is capable of doing the above? I have found a good amount of instruction on the web and tried a lot of different things, but still can't get Zap to log in to the page to perform a full scan.

The best I get is something like this:

 'http://XXX',
 'http://XXX/robots.txt',
 'http://XXX/sitemap.xml',
 'http://XXX/webui',
 'http://XXX/webui/index.html',
 'http://XXX/webui/index.html?Password=ZAP&Username=ZAP',
 'http://XXX/webui/login',
 'http://XXX/webui/login/assets',
 'http://XXX/webui/login/assets/images',
 'http://XXX/webui/login/assets/images/companylogo.png',
 'http://XXX/webui/login/assets/styles',
 'http://XXX/webui/login/assets/styles/login.css',
 'http://XXX/webui/login/login.js',
 'http://XXX/webui/login/redirect.js',
 'http://XXX/webui?Password=ZAP&Username=ZAP'

Many thanks

import time
from random import randint

from zapv2 import ZAPv2

zap_ip = 'zap'  # name of a Docker container running Zap
port = 8080     # ZAP API/proxy port; the original post never defined it
target = 'http://example.com/'  # trailing slash so the concatenation below gives a valid URL
auth_url = target + "webui/index.html"
scanners = ['90020', '90029']  # active scan rule ids to enable
# authorized Web UI user
username = 'test'
password = 'test'
# login request body; ZAP replaces the {%username%} and {%password%} tokens with the user's credentials
auth_data = 'password={%password%}&username={%username%}'
zap = ZAPv2(proxies={'http': 'http://' + zap_ip + ':' + str(port),
                     'https': 'http://' + zap_ip + ':' + str(port)})
new_context = randint(1, 100000000000)
# alternate between two session files so each run starts from a fresh session
session_name = 'session_1.session' if zap.core.session_location == \
    'session_0.session' else 'session_0.session'
zap.core.new_session(name=session_name)
zap.core.load_session(session_name)
context_id = zap.context.new_context(new_context)
zap.context.include_in_context(new_context, '.*')
zap.ascan.disable_all_scanners()
for scanner in scanners:
    zap.ascan.enable_scanners(scanner)
all_rules = [scanner for scanner in
             zap.ascan.scanners() if scanner['enabled'] == 'true']
start_url = auth_url if auth_url else target
zap.urlopen(start_url)
auth_method_name = 'formBasedAuthentication'
authmethod_configparams = 'loginUrl=%s&loginRequestData=%s' % (auth_url, auth_data)
authcred_configparams = 'username=%s&password=%s' % (username, password)
zap.authentication.set_authentication_method(contextid=context_id,
    authmethodname=auth_method_name,
    authmethodconfigparams=authmethod_configparams)
user_id = zap.users.new_user(contextid=context_id, name=username)
zap.users.set_authentication_credentials(contextid=context_id,
    userid=user_id,
    authcredentialsconfigparams=authcred_configparams)
zap.users.set_user_enabled(contextid=context_id, userid=user_id, enabled=True)
zap.forcedUser.set_forced_user(context_id, user_id)
zap.forcedUser.set_forced_user_mode_enabled('true')
spider = zap.spider.scan_as_user(url=target, contextid=context_id,
    userid=user_id, recurse='false')
while int(zap.spider.status()) < 100:
    time.sleep(2)
zap.ascan.scan(target)
zap.ascan.remove_all_scans()
zap.core.delete_all_alerts()
zap.context.remove_context(new_context)

Authentication is, in general, a pain. There are so many different ways authentication can be implemented that it's really difficult to provide anything other than very generic advice.

However, the fact that you've got a URL like 'http://XXX/webui?Password=ZAP&Username=ZAP' implies you have not configured something correctly, as these are the default values supplied by the ZAP spider.

If you can supply more details about what your application appears to expect and what you are doing, then we should be able to help some more.
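As an added example (not part of the question or the answer above), a small helper that builds the authmethodconfigparams string for formBasedAuthentication with the percent-encoding the ZAP API expects for the nested loginRequestData, checks that the {%username%} and {%password%} tokens are present, and flags spidered URLs that carry the spider's default 'ZAP' form values the answer points at. The login URL and form field names are constructed sample values, not taken from the question.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Tokens ZAP substitutes with the context user's credentials in loginRequestData.
USERNAME_TOKEN = "{%username%}"
PASSWORD_TOKEN = "{%password%}"
# Value the ZAP spider fills into form fields by default; URLs carrying it
# (like ...?Password=ZAP&Username=ZAP above) mean the real user was not applied.
SPIDER_DEFAULT_VALUE = "ZAP"


def build_form_auth_params(login_url, username_field, password_field):
    """Build the authmethodconfigparams string for formBasedAuthentication.

    loginRequestData is itself form-encoded, so it must travel percent-encoded
    as one value inside the outer string; urlencode() takes care of that.
    """
    login_request_data = "%s=%s&%s=%s" % (
        username_field, USERNAME_TOKEN, password_field, PASSWORD_TOKEN)
    return urlencode({"loginUrl": login_url,
                      "loginRequestData": login_request_data})


def validate_form_auth_params(params):
    """Return a list of problems in a config string (empty means usable).
    Catches an unencoded inner '&' (which truncates loginRequestData) and a
    missing or misspelled token such as {%username#%}.
    """
    issues = []
    fields = parse_qs(params, keep_blank_values=True)
    login_url = fields.get("loginUrl", [""])[0]
    data = fields.get("loginRequestData", [""])[0]
    parts = urlsplit(login_url)
    if not (parts.scheme and parts.netloc):
        issues.append("loginUrl is not an absolute URL: %r" % login_url)
    for token in (USERNAME_TOKEN, PASSWORD_TOKEN):
        if token not in data:
            issues.append("loginRequestData lacks %s: %r" % (token, data))
    return issues


def urls_with_spider_defaults(urls):
    """Return the spidered URLs whose query string carries the default value."""
    flagged = []
    for url in urls:
        query = parse_qs(urlsplit(url).query)
        if any(SPIDER_DEFAULT_VALUE in values for values in query.values()):
            flagged.append(url)
    return flagged
```

Running urls_with_spider_defaults over the spider output from the question flags exactly the two URLs with Password=ZAP&Username=ZAP, which is the symptom the answer describes.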
