I am trying to automate zap tasks into my build process. Here is what I do:

  • run zap
  • run selenium tests
  • run zap spider
  • run zap activeScan
  • save zap session
  • run zap alert check and report it
  • end zap

And here is the target of my Ant build.xml:

    <!-- Spider, then active scan; the fixed sleeps do not wait for either scan to finish -->
    <SpiderURL zapAddress="${zapaddr}" zapPort="${zapport}" url="${targetHost}" debug="true"/>
    <sleep seconds="5"/>
    <ActiveScanSite zapAddress="${zapaddr}" zapPort="${zapport}" url="${targetHost}" debug="true"/>
    <sleep seconds="5"/>

    <tstamp>
        <format property="timestamp" pattern="MM-dd-yyyy HH-mm-ss"/>
    </tstamp>

    <!-- Session file named with the build timestamp -->
    <SaveZAPSession zapAddress="${zapaddr}" zapPort="${zapport}" name="${user.dir}/test ${timestamp}" debug="true"/>

    <!-- Capture the alert check output in Report.txt -->
    <record name="Report.txt" action="start" append="true" />
    <alertCheckTask zapAddress="${zapaddr}" zapPort="${zapport}" debug="false">
        <ignoreAlert risk="Low" />
        <ignoreAlert risk="Medium" />
        <requirealert alert="Cross Site Scripting (Reflected)" />
    </alertCheckTask>
    <record name="Report.txt" action="stop" />

The problem is: the active scan is not finished and gets interrupted by the next task (save zap session), which means the reported alerts also do not cover all the active scan results.

amine al

1 Answer


Save the session first, before doing anything else. The ZAP session is a db, and once it's saved (or rather 'persisted' as it's now referred to in the UI) then any changes are also saved automatically. If you save/persist a ZAP session later on then you are actually just copying the temporary db into a new one, which is very inefficient. That's why we prompt you to persist the session when you open the ZAP UI.

Having said all that, I'd actually recommend using the ZAP Java client lib directly, as it provides much more control over ZAP. The Ant tasks are quite limited. We haven't really been updating them, partly because we didn't know if anyone was using them! If you still plan to use them then let me know - I suspect they might need some tweaking :)

Simon Bennetts