
owasp_zap's Introduction

OwaspZap

A Ruby client for the HTTP API of ZAP Proxy (http://code.google.com/p/zaproxy)

If you need an RPM, check here: https://build.opensuse.org/package/show/home:vpereirabr/owasp-zap


Status: Maintained

Installation

Add this line to your application's Gemfile:

gem 'owasp_zap'

And then execute:

$ bundle

Or install it yourself as:

$ gem install owasp_zap

Usage

require 'json'
require 'owasp_zap'

include OwaspZap

z = Zap.new :target => 'http://xxx.xxx.xxx' # create a new Zap instance with default params
z = Zap.new :target => 'http://yyy.yyy.yyy', :zap => "/usr/share/owasp-zap/zap.sh" # path to zap.sh if you installed the OBS package
z = Zap.new :output => 'logfile.txt' # write the stdout log from ZAP Proxy to a file
z.start # start in interactive mode
# TODO
# document it further :)
z.start :daemon => true # start in daemon mode
z.scan # run an active scan
z.alerts.view # you can pass one format: JSON, XML or HTML; default is JSON
z.shutdown # stop the proxy

# to disable a specific test: look up the policy by name, then disable it by id
to_be_disabled = JSON.load(z.policy.all)["policies"].select { |p| p["name"] == "Information gathering" }.first

unless to_be_disabled.nil?
    z.scanner.disable([to_be_disabled["id"]])
end

# to print the XML report
z.xml_report

Important

Starting from version 2.4.1, ZAP generates an API key, and applications that call the API can't change anything without it. This client does not support the key yet; to keep it working, it disables the API key by default.

Please check https://github.com/zaproxy/zaproxy/wiki/FAQapikey

and https://github.com/vpereira/owasp_zap/blob/master/lib/owasp_zap.rb#L88
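The usage snippet above parses ZAP's JSON responses inline, and the note above explains why the client currently disables the API key. The following added example (not part of the owasp_zap gem) shows the same two pieces as small offline helpers: building a ZAP API URL that carries the key as the `apikey` query parameter ZAP accepts, looking up a policy id by name the way the README does, and summarizing an alerts view by risk so a scan can be judged against a threshold. The sample responses are constructed here; their field names follow ZAP's JSON views, but every value is made up.

```ruby
# Added example, not code from the owasp_zap gem.
# Offline helpers around ZAP JSON API responses; the sample payloads below are constructed.
require 'json'
require 'uri'

# Build a ZAP API URL. Since ZAP 2.4.1 the API expects a key; ZAP accepts it as the
# `apikey` query parameter. `base` is the proxy address, e.g. http://127.0.0.1:8080.
def zap_api_url(base, component, kind, action, params = {}, apikey: nil)
  query = params.dup
  query['zapapiformat'] = 'JSON'
  query['apikey'] = apikey if apikey
  "#{base}/JSON/#{component}/#{kind}/#{action}/?#{URI.encode_www_form(query)}"
end

# Given the body of the policy view, return the id of the named policy (or nil);
# this is the same lookup the README does inline with JSON.load(...).select.
def policy_id(policy_json, name)
  policy = JSON.parse(policy_json)['policies'].find { |p| p['name'] == name }
  policy && policy['id']
end

# Risk levels as ZAP reports them, ordered so they can be compared.
RISK_ORDER = { 'Informational' => 0, 'Low' => 1, 'Medium' => 2, 'High' => 3 }.freeze

# Count alerts by risk and list the ones at or above `threshold`, so a CI job
# can fail a build on (for example) any High finding. Unknown risk strings are
# treated as Informational rather than silently dropped.
def summarize_alerts(alerts_json, threshold: 'High')
  alerts = JSON.parse(alerts_json)['alerts']
  counts = Hash.new(0)
  alerts.each { |a| counts[a['risk']] += 1 }
  limit = RISK_ORDER.fetch(threshold)
  failing = alerts.select { |a| RISK_ORDER.fetch(a['risk'], 0) >= limit }
  {
    counts: counts,
    failing: failing.map { |a| "#{a['risk']}: #{a['alert']} at #{a['url']} (param #{a['param']})" }
  }
end

# Constructed sample responses (not real scan output).
SAMPLE_POLICIES = JSON.generate('policies' => [
  { 'id' => '0', 'name' => 'Information gathering', 'enabled' => 'true' },
  { 'id' => '3', 'name' => 'Injection', 'enabled' => 'true' }
])

SAMPLE_ALERTS = JSON.generate('alerts' => [
  { 'alert' => 'X-Content-Type-Options Header Missing', 'risk' => 'Low',
    'url' => 'http://app.example/', 'param' => '' },
  { 'alert' => 'Cross Site Scripting (Reflected)', 'risk' => 'High',
    'url' => 'http://app.example/search', 'param' => 'q' },
  { 'alert' => 'Cookie No HttpOnly Flag', 'risk' => 'Low',
    'url' => 'http://app.example/login', 'param' => 'sid' }
])

# Usage: the URL uses the spider view mentioned in the issues below; the key is a placeholder.
puts zap_api_url('http://127.0.0.1:8080', 'spider', 'view', 'optionMaxDepth',
                 apikey: 'REPLACE_WITH_YOUR_ZAP_API_KEY')
puts "policy id for 'Information gathering': #{policy_id(SAMPLE_POLICIES, 'Information gathering')}"
summary = summarize_alerts(SAMPLE_ALERTS)
puts summary[:counts].inspect
summary[:failing].each { |line| puts line }
```

The threshold check is what turns the README's `z.alerts.view` output into a pass/fail signal: a pipeline would call `summarize_alerts` on the real response and stop on a non-empty `:failing` list.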

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

owasp_zap's People

Contributors

vpereira

owasp_zap's Issues

Confusion in depth function of spider.rb

The below code

def depth
  JSON.parse(RestClient::get("#{@base}/JSON/spider/view/status/?zapapiformat=JSON"))
end

This is to view the status of the spider rather than the depth, right?
In case we want to view the configured depth, shouldn't we be using

JSON.parse(RestClient::get("#{@base}/JSON/spider/view/optionMaxDepth/?zapapiformat=JSON"))

support to jruby?

Do we really need it? One thing that should be changed is the fork call, which isn't supported, as suggested here: #8

Disable API Key not sent

When I start OWASP ZAP through this client, I noticed the flag to disable the API key isn't sent.

logger redirect to file

It would also be cool if your gem added support for configuring the logger to write to a file; right now I see the test suite output mixed with ZAP Proxy messages and some exceptions.

Controlling maximum depth to crawl using ruby gem owasp_zap

Hello,
I wanted to know if we can control the crawl depth when spidering with the owasp_zap gem in Ruby, or whether we can pass parameters when calling the spider

spider = zap.spider

Also, can we limit the number of URLs visited during an active scan in Ruby?
