Comments (8)

domeniconi commented on August 29, 2024

Hi! Was ZAP integration in Gauntlt done? Thanks!

from gauntlt.

psiinon commented on August 29, 2024

I've created a basic ZAP plugin for Minion which shows the sort of things you can do with ZAP: https://github.com/ygjb/minion/blob/master/plugins/zap_plugin/minion/plugins/zap_plugin.py
In this case it accepts a target URL, spiders it, then runs the active scanner against it and reports any issues found.
It's written in Python, but we can use any language to drive the REST API.

from gauntlt.
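
The spider, active scan, report sequence described in the comment above, driven over ZAP's JSON API and ending in the pass/fail result a gauntlt attack step would need. This is an added example, not code from the Minion plugin, ZAP or gauntlt; the endpoint paths and `apikey` parameter assume a current ZAP release, and the function names, addresses and the `CHANGE-ME` key are placeholders chosen here.

```python
import json
import time
import urllib.parse
import urllib.request

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_http(base, apikey):
    """Return a callable that GETs a ZAP JSON API path and decodes the reply."""
    def call(path, **params):
        query = urllib.parse.urlencode({"apikey": apikey, **params})
        with urllib.request.urlopen(f"{base}/JSON/{path}/?{query}", timeout=30) as r:
            return json.load(r)
    return call


def wait_done(call, component, scan_id, poll):
    """Poll <component>/view/status until ZAP reports 100 percent."""
    while int(call(f"{component}/view/status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)


def scan_and_gate(call, target, fail_at="Medium", poll=2.0):
    """Spider, then active-scan; return (passed, findings at or above fail_at)."""
    # Order matters: the active scanner works on the URLs the spider discovered.
    for component in ("spider", "ascan"):
        scan_id = call(f"{component}/action/scan", url=target)["scan"]
        wait_done(call, component, scan_id, poll)
    alerts = call("core/view/alerts", baseurl=target)["alerts"]
    rank = lambda risk: RISK_ORDER.get(risk, 0)
    # The same alert can be listed more than once, so deduplicate before reporting.
    findings = {(a["risk"], a["alert"], a["url"]) for a in alerts
                if rank(a["risk"]) >= RISK_ORDER[fail_at]}
    ordered = sorted(findings, key=lambda f: (-rank(f[0]), f[1], f[2]))
    return (not ordered, ordered)


if __name__ == "__main__":
    # Assumed lab setup: ZAP daemon on 127.0.0.1:8080, your own test app on :3000.
    ok, found = scan_and_gate(zap_http("http://127.0.0.1:8080", "CHANGE-ME"),
                              "http://127.0.0.1:3000")
    for risk, name, url in found:
        print(f"{risk}: {name} at {url}")
    raise SystemExit(0 if ok else 1)
```

The transport is passed in as `call`, so the same gate logic can be exercised against canned responses without a running ZAP instance.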

bowsersenior commented on August 29, 2024

Thanks for the input Simon. I think it would be fairly straightforward to use the REST API for ZAP within gauntlt. The attack file would specify the URL of a running ZAP server and then send requests to it.

One other interesting option is to use JRuby. Since we last discussed ZAP integration, we have added full JRuby support to Gauntlt, which allows us to require and call Java code natively. We are doing a little of this direct Java integration already in scapegoat, one of the support tools we use for testing gauntlt itself:

Look forward to working with you to add ZAP support in the coming weeks!

psiinon commented on August 29, 2024

I've been struggling to find any time to look at this :(
But I've raised an issue for it: http://code.google.com/p/zaproxy/issues/detail?id=439 and I'll see if I can get someone else to look at this asap.

bowsersenior commented on August 29, 2024

Awesome! Thanks, @psiinon

On Dec 17, 2012, at 4:00 AM, psiinon wrote:

I've been struggling to find any time to look at this :(
But I've raised an issue for it: http://code.google.com/p/zaproxy/issues/detail?id=439 and I'll see if I can get someone else to look at this asap.

wickett commented on August 29, 2024

@psiinon I have the goal of adding 15 new tools into gauntlt by Oct 1. Would love to get ZAP in. You still have someone interested in working on the integration? I don't mind stubbing in the first rev of the attack adapter and a couple default attack aliases, but would love to get some ZAP experts to customize the integration. You game?

psiinon commented on August 29, 2024

I'll double check with them.
If not then I'll help as much as I can. The only trouble is time - too much to do, too little time :(
The most effective way to integrate with ZAP is via the REST API - how easy is that to do from Gauntlt?
We can integrate via the command line, but I'd probably need to enhance that to make it effective enough, which will take time.

wickett commented on August 29, 2024

We need to revisit this; closing for now, and we may prioritize ZAP. What is the interest here?
