堆栈内存溢出
  简体   繁体   English

OWASP ZAP 全扫描在 Gitlab CICD 上认证

[英]OWASP ZAP Full Scan Authenticated on Gitlab CICD

 原文  2022-05-19 19:35:15       gitlab-ci/ owasp/ zap

问题描述

I want to do a zap full scan on gitlab cicd with authentication to the website i want to run it (without the DAST module from gitlab)我想对 gitlab cicd 进行 zap 全面扫描,并对我要运行它的网站进行身份验证(没有来自 gitlab 的 DAST 模块)

i can run the zap-full-scan.py properly but dont know how to add authentication credentials for the site我可以正确运行 zap-full-scan.py 但不知道如何为站点添加身份验证凭据

stages:
  - scan
dast: 
  stage: scan
  image:
    name: owasp/zap2docker-weekly
  before_script:
    - mkdir -p /zap/wrk
  script:
    - pwd
    - ls
    - zap-full-scan.py -t "http://example.com" -m 1 -d -I -r testreport.html 
    - cp /zap/wrk/testreport.html testreport.html
  artifacts:
    when: always
    paths:
      - testreport.html

3 个解决方案

解决方案1
 0  2022-05-19 22:13:37

using this modified version https://github.com/ICTU/zap2docker-auth-weekly使用这个修改后的版本https://github.com/ICTU/zap2docker-auth-weekly

stages:
- scan
dast: 
  stage: scan
  image:
    name: ictu/zap2docker-weekly 
  before_script:
    - mkdir -p /zap/wrk
  script:
    - pwd
    - ls
    - zap-full-scan.py -t "http://testphp.vulnweb.com" -I -r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=http://example.com/login.php auth.username_field="uname" auth.password_field="pass" auth.username="username" auth.password="pass""
    - cp /zap/wrk/testreport.html testreport.html
  artifacts:
    when: always
    paths:
      - testreport.html

解决方案2
 0  2022-05-20 08:17:04

Run ZAP locally and get authentication working as per https://www.zaproxy.org/docs/authentication/在本地运行 ZAP 并按照https://www.zaproxy.org/docs/authentication/进行身份验证

Then export your context file and specify that and the user you want to use as per https://www.zaproxy.org/docs/docker/full-scan/然后导出您的上下文文件并根据https://www.zaproxy.org/docs/docker/full-scan/指定该文件以及您要使用的用户

解决方案3
 0  2022-08-12 13:46:49

It's also possible to authenticate the user before performing DAST checks:也可以在执行 DAST 检查之前对用户进行身份验证:

dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
    login_url: "https://example.com/sign-in"
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website \
        --auth-url $login_url \
        --auth-username "john.doe@example.com" \
        --auth-password "john-doe-password" || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]

See zaproxy documentation to learn more about authentication settings.请参阅zaproxy 文档以了解有关身份验证设置的更多信息。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 OWASP ZAP 全面扫描在 CICD 管道中停止工作 - OWASP ZAP full scan stopped working in CICD pipeline 如何将 minIO(例如 Nmap、Nikto、Sslyze、Zap)的扫描输出上传到 OWASP DefectDojo - How to upload scan outputs from minIO (ex. Nmap, Nikto, Sslyze, Zap) to OWASP DefectDojo GitLab CICD 部署与 GitLab 环境分支流程 - GitLab CICD deployment with GitLab Environment branches flow OWASP ZAP - SSLHandshakeException:收到致命警报:handshake_failure - OWASP ZAP - SSLHandshakeException: Received fatal alert: handshake_failure 如何在 Gitlab CICD 中使用 Kaniko? - How to use Kaniko inside Gitlab CICD? 如何将 OWASP ZAP 集成到 GCP Cloud Build CI/CD - How to integrate OWASP ZAP into GCP Cloud Build CI/CD Gitlab cicd 计划作业检查是否已经完成 - Gitlab cicd schedule job check if this already done ng:权限被拒绝管道 cicd gitlab - ng: Permission denied pipeline cicd gitlab 在 gitlab cicd 中运行 inno 脚本编译器 - Run inno script compiler in gitlab cicd Azure 应用程序服务上的守护进程 OWASP ZAP 始终返回代码 400 - 错误请求 - Daemon OWASP ZAP on Azure App Service always returns code 400 - Bad Request
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM