OWASP ZAP Automated Scan

I was try find vulnerabilities in tha DVWA with the tool OWASP ZAP, later any try I can develop a script in python what to use the API OWASP and identify vulnerabilities.


I did make the follows steps:

1. Enable the API OWASP to let connexions and It can make the scan automate.

2. I know the parameters received by the request; It's username, password and user token.

3. I undertand the process or flow what the tool OWASP do, for example; first define the context, second run a spider then execute a scan pasive and later execute active scan, finally generate the report.

Now what I know the basic functionality of that tool, I will write a script to automate scan. I did forget say what I use the library or package zap-proxy.

1. Import the libraries


2. Create a Construct of Class with parameters



3. I did create the function to login in the web application


4. Define the function to init the spider

5. I did create 2 functions, one to passive scan and other to active scan.



6. Finally I did define the functions to create the reports in format html and json.


7. Later when It script finish, I can see the attack to the web application.


In the window "Alertas" I can see all the vulnerabilities identify, all these haven't 100% success. I will check because it application web DVWA is behind a WAF AWS and Cloudflare.


8. In the terminal too I will see the output or step a step execute of the script in python.



The report in format html is:




It was complex, I don't actually a write in English. Chausito.

No hay comentarios:

Publicar un comentario