java - OWASP ZAP: Active Scanner in Continuos Integration -

-

trying use zap (2.4.3) in continuos integration (ci) setting. can run zap daemon, run selenium tests (in java) using zap proxy, , being able use rest api calling htmlreport final report of passive scanner. works fine, use active scanner.

using active scanner in ci mentioned several times in zap's documentation, haven't found working example or tutorial it... exist?

what achieve like: run active scanner on pages visited selenium regression suite, once finished run.

trying @ zap's rest api, undocumented:

https://github.com/zaproxy/zaproxy/wiki/apigen_index

ideally, great have like:

  • start active scan asynchronously on visited urls
  • poll check if active scan run completed

in rest api seems there related, but:

  • ascan/scan needs url input. call core/urls see selenium tests have visited, how set right authentication (logging credential)? if order in urls visited important? if page accessable specific credential?
  • there ascan/scanasuser, unclear how contextid , userid can retrieved zap. cumbersome workaround modify selenium tests write on disk urls visit , logging/password credentials using, , then, once tests finished, read disk such info call zap. there simpler way?

ok, theres lot of questions here:)

zap typically scans hierarchies of urls, eg under https://www.example.com/app top level url of application. kind of assume know ;)

authentication non trivial handle, see https://github.com/zaproxy/zaproxy/wiki/faqformauth

the ascan/status call returns completed %

you may find zap user group http://groups.google.com/group/zaproxy-users better these sort of questions. yes, need improve api documentation :/

cheers,

simon (zap project lead)


Comments

Post a Comment

Popular posts from this blog

ruby - Trying to change last to "x"s to 23 -

-
i have been playing around irb , have string looks this: irb(main):072:0> puts ["[\"4354 5432 5432 xxxxx\", \"6547 6547 8543 xxxxx\", \"2344 6543 6674 xxxxx\", \"2346 6236 7543 xxxxx\", \"1273 5585 5587 xxxxx\"]"] => nil irb(main):073:0> what want gsub last 2 "x" s of each 17 digit combination, 23 . what i've tried far (i've been using rubular): a.gsub(/\d[x]/,"23") <= grabs "x" s i'm close a.gsub(/\w[x{2}]/,"23") <= grabs "x" s grabs two digits each combination. is there easier way i'm not understanding? a.gsub(/\d{4} \d{4} \d{4} xxx\kxx/, '23') \d{4} = 4 digits what \k drop matched far. can use don't replace entire number, still able validate have in desired format.
Read more

jquery - Clone last and append item to closest class -

-
this bare-bones code on page: <div class="list-container"> <div class="single-list-item"> <button>remove</button> </div> <div class="single-list-item"> <button>remove</button> </div> <div class="single-list-item"> <button>remove</button> </div> </div> <p><button class="add-list-item">add</button></p> <div class="list-container"> <div class="single-list-item"> <button>remove</button> </div> <div class="single-list-item"> <button>remove</button> </div> <div class="single-list-item"> <button>remove</button> </div> </div> <p><button class="add-list-item">add</button></p> <di...
Read more

css - Can I use the :after pseudo-element on an input field? -

-
i trying use :after css pseudo-element on input field, not work. if use span , works ok. <style type="text/css"> .mystyle:after {content:url(smiley.gif);} .mystyle {color:red;} </style> this works (puts smiley after "buu!" , before "some more") <span class="mystyle">buuu!</span>a more this not work - colors somevalue in red, there no smiley. <input class="mystyle" type="text" value="somevalue"> what doing wrong? should use pseudo-selector? note: cannot add span around input , because being generated third-party control. :after , :before not supported in internet explorer 7 , under, on elements. it's not meant used on replaced elements such form elements (inputs) , image elements . in other words it's impossible pure css. however if using jquery can use $(".mystyle").after("add smiley here"); api docs on .after to ...
Read more