
I am new to ZAP and node.js.
My aim is to scan any web app for vulnerabilities and generate a report (JSON).

I tried the code below, but it gives me an error:

const ZapClient = require('zaproxy');

// API key and proxy address of the running ZAP instance (each property needs a trailing comma).
const zapOptions = {
  apiKey: 'myAPIKEY',
  proxy: 'http://localhost:8095',
};

const zaproxy = new ZapClient(zapOptions);

let target = 'http://localhost:3000/#/app/my-app';

// Start the active scan against the target, then fetch the alerts ZAP recorded for it.
// A single promise chain avoids declaring promiseObj twice and reports any failure once.
zaproxy.ascan.scan(target)
    .then(resp => {
        console.log(JSON.stringify(resp));   // e.g. the scan id ZAP assigned
        return zaproxy.core.alerts(target);
    })
    .then(resp => {
        console.log(JSON.stringify(resp));   // the alerts for the target
    })
    .catch(error => {
        console.log(error);
    });

The error I am facing :

StatusCodeError: 404 - "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>
Error</title>\n</head>\n<body>\n<pre>
Cannot GET /JSON/ascan/action/scan/</pre>\n</body>\n</html>\n"

Also, I would be grateful for the following:

  1. Can someone share any examples of using ZAP with node.js?
  2. Is it necessary to keep the ZAP tool open and running whenever I run the above example?
Sunils

1 Answer

Yes, you need ZAP running in order to communicate with it using the API. It doesn't look like you are doing that :(

Simon Bennetts
  • Thank you for answering. Is it also mandatory to run ZAP when I integrate ZAP with Jenkins? – Sunils Jul 26 '21 at 06:22
  • I must admit I'm confused by this line of questions :/ Yes, you do need to run programs (including ZAP) to use them :) There are various ways to automate ZAP, which we have documented here: https://www.zaproxy.org/docs/automate/ – Simon Bennetts Jul 26 '21 at 07:33
  • Sorry for the confusion @Simon. So, let me give an example: when working on any node js app, if we require a bootstrap dependency, we NPM install it and use its libraries for our purpose; similarly for ZAP, we NPM install it, but it seems that we also need to run the desktop ZAP app. I am expecting a bootstrap-like dependency. I hope that was clear :) – Sunils Jul 26 '21 at 10:20
  • Ah ok :) No, the ZAP library on NPM is just for the ZAP API - that can only work if it can connect to a running instance of ZAP. ZAP is implemented in Java and is a pretty big project. We will not be attempting to rewrite it in JavaScript or any other language for that matter :) – Simon Bennetts Jul 26 '21 at 18:23