Setup ZAP

Some configuration notes for OWASP ZAP

Setup proxy

Set the ZAP proxy address and port; the browser and the ZAPv2 client below must use the same address and port.

Setup certificate

Generate the ZAP root CA certificate from Tools->Options->Dynamic SSL Certificates
Import the certificate file into the browser, otherwise HTTPS sites proxied through ZAP will show certificate errors

Set up the browser proxy

The proxy should be the same as ZAP proxy

Other ZAP common settings

  • Download the community scripts from https://github.com/zaproxy/zap-extensions/releases; with them we can write our own rules in Python/JavaScript (details later)
  • pip install python-owasp-zap-v2.4 to install the OWASP ZAP API client (the ZAPv2 library)
  • Copy the API key from Tools->Options->API; it is passed to ZAPv2 as the API key in the script

Use the ZAPv2 API

Init the ZAPv2 object and set the scan target:

from zapv2 import ZAPv2

target = 'http://127.0.0.1'  # your scan target
apikey = 'apikey'  # the API key from ZAP: Tools->Options->API

# proxies must point at the address/port that ZAP itself is listening on
zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})

# open the target through ZAP so it shows up in the ZAP site tree
zap.urlopen(target)
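The snippet above only opens the target. As an added example (not code from the original notes), the block below carries the same ZAPv2 client through a spider and an active scan, polls the scan status, and turns the returned alerts into a per-risk summary that can fail a CI job. It uses the real ZAPv2 methods spider.scan/status, ascan.scan/status and core.alerts; the proxy address, API key and the "Medium" risk threshold are assumptions for the example, and the zapv2 import is done lazily so the helper functions can be tested without a running ZAP.

```python
# Added example: drive a ZAP spider + active scan through the ZAPv2 client
# and gate a run on the alerts it returns.
# Assumptions: ZAP listens on 127.0.0.1:8090 with API key 'apikey', and the
# target is an instance you own (here the local test app from the notes).
import time

# ZAP reports alert risk as one of these strings in core.alerts()
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def wait_for(status_fn, scan_id, poll_interval=2.0, max_wait=1800):
    """Poll a ZAP status endpoint (spider.status / ascan.status) until it reports 100."""
    waited = 0.0
    while int(status_fn(scan_id)) < 100:
        if waited >= max_wait:
            raise TimeoutError("ZAP scan %s did not finish in time" % scan_id)
        time.sleep(poll_interval)
        waited += poll_interval


def run_scan(zap, target, poll_interval=2.0):
    """Spider the target, then active-scan it, and return the alert list."""
    zap.urlopen(target)  # seed the ZAP site tree, as in the notes above
    wait_for(zap.spider.status, zap.spider.scan(target), poll_interval)
    wait_for(zap.ascan.status, zap.ascan.scan(target), poll_interval)
    return zap.core.alerts(baseurl=target)


def summarize_alerts(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 2, ...}."""
    summary = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        # risk strings look like 'High' or 'High (Medium)' depending on the ZAP version
        risk = alert.get("risk", "Informational").split(" ")[0]
        summary[risk] = summary.get(risk, 0) + 1
    return summary


def exceeds_threshold(summary, max_allowed="Medium"):
    """True if any alert is riskier than max_allowed (i.e. the build should fail)."""
    limit = RISK_ORDER.index(max_allowed)
    return any(summary.get(r, 0) > 0 for r in RISK_ORDER[limit + 1:])


if __name__ == "__main__":
    from zapv2 import ZAPv2  # imported lazily so the helpers above work offline

    zap = ZAPv2(apikey="apikey",
                proxies={"http": "http://127.0.0.1:8090",
                         "https": "http://127.0.0.1:8090"})
    summary = summarize_alerts(run_scan(zap, "http://127.0.0.1"))
    print(summary)
    raise SystemExit(1 if exceeds_threshold(summary, "Medium") else 0)
```

The polling loop is what makes the script usable unattended: spider.scan and ascan.scan return immediately with a scan id, and the alerts are only complete once the matching status endpoint reports 100.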

Use Selenium to launch Firefox and route its traffic through ZAP, so ZAP can scan the pages the browser visits for vulnerabilities. This way the login/authenticated scan can be automated:

from selenium import webdriver

capabilities = webdriver.DesiredCapabilities.FIREFOX
capabilities['proxy'] = {
    'proxyType': "manual",
    'httpProxy': "127.0.0.1:8080",  # must match the ZAP proxy address/port
    'ftpProxy': "127.0.0.1:8080",
    'sslProxy': "127.0.0.1:8080"
}
# ZAP's generated certificates are not publicly trusted, so let the browser accept them
capabilities['acceptInsecureCerts'] = True
capabilities['acceptSslCerts'] = False

# was self.driver in the original class-based script; a plain variable runs stand-alone
driver = webdriver.Firefox(capabilities=capabilities)
driver.maximize_window()
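The notes say the browser proxy "should be the same as ZAP proxy", yet the two snippets above use 8090 and 8080. As an added example (not code from the original notes), the block below derives the proxy address once and hands the same value to both ZAPv2 and Firefox, then confirms that ZAP actually recorded the browser's traffic (via the real core.urls method) before any scan is started. The host/port, API key, the login URL and the fake-free shape of the returned URL list are assumptions for the example; selenium and zapv2 are imported lazily so the helpers can be tested offline.

```python
# Added example: one proxy setting shared by ZAPv2 and Firefox, plus a check
# that the browser traffic really reached ZAP.
# Assumptions: ZAP listens on the host/port given to zap_proxy_settings(),
# and zap.core.urls() returns the list of URL strings ZAP has seen.
from urllib.parse import urlsplit


def zap_proxy_settings(host="127.0.0.1", port=8080):
    """Return (ZAPv2 proxies dict, Firefox 'proxy' capability) for one ZAP proxy."""
    hostport = "%s:%d" % (host, port)
    zapv2_proxies = {"http": "http://" + hostport, "https": "http://" + hostport}
    firefox_proxy = {
        "proxyType": "manual",
        "httpProxy": hostport,
        "sslProxy": hostport,
    }
    return zapv2_proxies, firefox_proxy


def site_of(url):
    """Normalise a URL to scheme://host[:port], the granularity ZAP uses for sites."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def browse_through_zap(driver, zap, url):
    """Load url in the proxied browser and return the URLs ZAP recorded for that site.

    Raises if nothing was recorded, which almost always means the browser is
    not using the ZAP proxy or (for https) the ZAP root CA is not trusted.
    """
    driver.get(url)
    seen = [u for u in zap.core.urls() if site_of(u) == site_of(url)]
    if not seen:
        raise RuntimeError("ZAP saw no traffic for %s; check the browser proxy/CA" % url)
    return seen


if __name__ == "__main__":
    from selenium import webdriver  # lazy imports keep the helpers importable offline
    from zapv2 import ZAPv2

    proxies, ff_proxy = zap_proxy_settings("127.0.0.1", 8080)
    zap = ZAPv2(apikey="apikey", proxies=proxies)  # same address as the browser below

    capabilities = dict(webdriver.DesiredCapabilities.FIREFOX)
    capabilities["proxy"] = ff_proxy
    capabilities["acceptInsecureCerts"] = True  # ZAP's generated certs are not publicly trusted
    driver = webdriver.Firefox(capabilities=capabilities)
    try:
        # hypothetical login page on the local test target
        for u in browse_through_zap(driver, zap, "http://127.0.0.1/login"):
            print("ZAP saw:", u)
        # drive the login form with Selenium here, then start zap.ascan.scan(...)
    finally:
        driver.quit()
```

Running the check before the scan turns the most common silent failure (a browser that talks to the site directly, so ZAP scans an empty site tree) into an immediate error.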

Use ZAP Docker Container