Soup to Nuts: Using Glue to Run ZAP
This page explains how to get Glue to run ZAP Proxy and report results.
We recommend using the standard Docker installer for your platform; they can be found here: Docker Installer
Confirm with:
docker version
Then, make sure your Docker machine (the VM that hosts the Docker daemon) is running. On a Mac:
docker-machine start default
Set up the environment so the docker client can find that machine. On a Mac:
eval $(docker-machine env default)
Confirm that the docker client is working and connecting to the daemon. On a Mac:
docker ps
We recommend using the ZAP Docker image. Pull it this way:
docker pull owasp/zap2docker-stable
You can run a one-off ZAP quick scan from Docker this way (the session below shows the same command run against jemurai.com):
docker run -i owasp/zap2docker-stable zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://target
$ docker run -i owasp/zap2docker-stable zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://jemurai.com
[INFO] Starting ZAP daemon
[INFO] Running a quick scan for http://jemurai.com
[INFO] Issues found: 0
[INFO] Shutting down ZAP daemon
For more detail, see this page: ZAP Docker Documentation
To run Glue in Docker, pull it this way:
docker pull owasp/glue
Then run it:
docker run --rm owasp/glue -v
$ docker run --rm owasp/glue -v
Glue 0.8.1
For more detail, see this page: Glue Docker Setup
When we run ZAP from Glue, Glue drives ZAP through the ZAP API.
So Step 1 is to get ZAP running in daemon (API) mode, with an API key of your own choosing in place of makeyourown:
docker run -u zap -p 8090:8090 --name=zap -d owasp/zap2docker-stable zap-x.sh -config api.key=makeyourown -daemon -port 8090 -host 0.0.0.0
To find the container's IP address by hand, do the following:
docker ps
Grab the container ID for the correct image name (zap) and run:
docker inspect <CONTAINER ID> | grep IPAddress
Verify that ZAP is reachable at that IP address on port 8090. For example: https://172.17.0.2:8090/
Note: on a Mac, the container IP is not reachable from the host; use the IP of the docker-machine VM instead:
docker-machine ip default
192.168.99.100
Then you'll want to visit: http://192.168.99.100:8090/
Step 2 is to run Glue, which drives ZAP against your target through the API (host, port and API token must match the ZAP container from Step 1):
docker run --name=glue --rm owasp/glue -t zap --zap-host=192.168.99.100 --zap-port=8090 --zap-api-token=makeyourown -d http://www.jemurai.com
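The two steps above wired together, as an added example that is not part of the Glue wiki or project: it starts the ZAP daemon, finds its address, polls the ZAP API's version view until it answers (so Glue does not race the daemon start), then runs the Step 2 Glue command with matching host, port and key. It assumes docker and curl are installed; ZAP_HOST, ZAP_API_KEY and the script name are assumptions, not settings from the page.

```shell
#!/bin/sh
# Added example (not part of the Glue wiki or project): run Step 1 and Step 2
# end to end, and wait for the ZAP API to answer before launching Glue.
# Assumes docker and curl are installed. ZAP_HOST / ZAP_API_KEY are
# assumptions: override ZAP_HOST on a Mac with $(docker-machine ip default).
set -eu

ZAP_IMAGE="owasp/zap2docker-stable"
ZAP_PORT="${ZAP_PORT:-8090}"
ZAP_API_KEY="${ZAP_API_KEY:-makeyourown}"   # placeholder; pick your own key

# Take the output of `docker inspect <id> | grep IPAddress` (the manual step
# above) on stdin and return the first non-empty IPv4 address.
ip_from_inspect() {
  sed -n 's/.*"IPAddress": *"\([0-9.][0-9.]*\)".*/\1/p' | head -n 1
}

# URL of the ZAP API's version view; a 200 here means the daemon is ready.
zap_version_url() {   # $1 host, $2 port, $3 api key
  printf 'http://%s:%s/JSON/core/view/version/?apikey=%s' "$1" "$2" "$3"
}

# Poll the URL until curl succeeds or the attempt budget runs out (2 s apart).
wait_for_zap() {      # $1 url, $2 max attempts
  i=0
  while [ "$i" -lt "$2" ]; do
    curl -fsS "$1" >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 2
  done
  return 1
}

# Build the Step 2 Glue command so host, port and key match the ZAP we started.
glue_cmd() {          # $1 host, $2 port, $3 api key, $4 target URL
  printf 'docker run --name=glue --rm owasp/glue -t zap --zap-host=%s --zap-port=%s --zap-api-token=%s -d %s' \
    "$1" "$2" "$3" "$4"
}

main() {
  target="$1"
  docker run -u zap -p "$ZAP_PORT:$ZAP_PORT" --name=zap -d "$ZAP_IMAGE" \
    zap-x.sh -config api.key="$ZAP_API_KEY" -daemon -port "$ZAP_PORT" -host 0.0.0.0
  host="${ZAP_HOST:-$(docker inspect zap | grep IPAddress | ip_from_inspect)}"
  wait_for_zap "$(zap_version_url "$host" "$ZAP_PORT" "$ZAP_API_KEY")" 30 \
    || { echo "ZAP API not reachable at $host:$ZAP_PORT" >&2; exit 1; }
  eval "$(glue_cmd "$host" "$ZAP_PORT" "$ZAP_API_KEY" "$target")"
}
# Only run when given a target, e.g.: ./run_zap_glue.sh http://www.jemurai.com
if [ "$#" -gt 0 ]; then main "$@"; fi
```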
To make this more useful, there are a couple of outstanding items:
- A filter to reduce ZAP output to one alert per finding. (X-Frame-Options once, instead of for every page)
- Revisit whether we should clear existing findings for a domain before running the next scan.