owasp_zap 0.0.95 → 0.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 782c553bfa5aee80dc9987f306cff31a3cfe6b7e
4
- data.tar.gz: 653a520ff07c6a14156cd84e43f33d6e814e81a0
3
+ metadata.gz: 6d6c84bf8558d7cf7a662388b75ddc327695dc9b
4
+ data.tar.gz: 8964c0d91f9b4d61c3a32d1c617e14602c0d6591
5
5
  SHA512:
6
- metadata.gz: 73ff7b887bce019164c72b040c7b3549d1fb523b88390c9c1dc35b9976a4d5d9fa1d64aa2fe6f131f5e578acc31fe54d1ec8910f98ef083fd61d27c0b02f76f1
7
- data.tar.gz: dc49d7f3e8e8f95408a722524b96a9c4e61159937f687ec0d0b0231a2c2dbfc66a7ee74b366ffc7156ffc0a961a5dc928a4ec0ae82684ef13cbebaeb6230bc09
6
+ metadata.gz: 7483f96f1e57554ffd017310af50bcf16f9fadaa8f638e1ac757462a0a05a1f4dbeb0e4618ea6a7c88b2a8d2a91cfc173afd2e8eb02767bca111a3379f660d54
7
+ data.tar.gz: 6612cade30f57e7dbf9d3b4c2d14600f36889109adc4ed132626ced4eb8836c9505f4cde75aa203539062a828aabe07bf0176cc30d46742cb8fe1dcdc7b7fe91
data/README.md CHANGED
@@ -8,6 +8,8 @@ if you need a rpm, check it here: https://build.opensuse.org/package/show/home:v
8
8
  [![Build Status](https://travis-ci.org/vpereira/owasp_zap.png?branch=master)](https://travis-ci.org/vpereira/owasp_zap)
9
9
  [![Code Climate](https://codeclimate.com/github/vpereira/owasp_zap.png)](https://codeclimate.com/github/vpereira/owasp_zap)
10
10
 
11
+ ## Status: Maintained
12
+
11
13
  ## Installation
12
14
 
13
15
  Add this line to your application's Gemfile:
@@ -25,18 +27,40 @@ Or install it yourself as:
25
27
  ## Usage
26
28
 
27
29
  require 'owasp_zap'
28
-
29
- include OwaspZap
30
+
31
+ include OwaspZap
30
32
 
31
33
  z = Zap.new :target=>'http://xxx.xxx.xxx' # create new Zap instance with default params
32
34
  z = Zap.new :target=>'http://yyy.yyy.yyy', :zap=>"/usr/share/owasp-zap/zap.sh" # if you got my obs package
33
35
  z = Zap.new :output=>'logfile.txt' # it will log the stdout log from Zap Proxy to a file
34
36
  z.start # start interactive
35
37
  # TODO
36
- # document it further :)
38
+ # document it further :)
37
39
  z.start :daemon=>true # start in daemon mode
40
+ z.scan # to run active scan
41
+ z.alerts.view # you can specify one format JSON, XML or HTML.. default JSON.
38
42
  z.shutdown # stop the proxy
39
43
 
44
+ # to disable a specific test
45
+ to_be_disabled = JSON.load(z.policy.all)["policies"].select { |p| p["name"] == "Information gathering" }.first
46
+
47
+ unless to_be_disabled.nil?
48
+ z.scanner.disable([to_be_disabled["id"]])
49
+ end
50
+
51
+ # to print the XML report
52
+ z.xml_report
53
+
54
+ ## Important
55
+
56
+ Starting from version 2.4.1 ZAP creates an API key. Applications that call the
57
+ API wont be able to set anything without the API KEY. We must implement it.
58
+ Therefore to keep it working, as default we are disabling the api key.
59
+
60
+ Please check https://github.com/zaproxy/zaproxy/wiki/FAQapikey
61
+
62
+ and https://github.com/vpereira/owasp_zap/blob/master/lib/owasp_zap.rb#L88
63
+
40
64
  ## Contributing
41
65
 
42
66
  1. Fork it
@@ -19,12 +19,13 @@ module OwaspZap
19
19
 
20
20
  class Zap
21
21
  attr_accessor :target,:base, :zap_bin
22
-
22
+ attr_reader :api_key
23
23
  def initialize(params = {})
24
24
  #TODO
25
25
  # handle params
26
26
  @base = params[:base] || "http://127.0.0.1:8080"
27
27
  @target = params[:target]
28
+ @api_key = params[:api_key]
28
29
  @zap_bin = params [:zap] || "#{ENV['HOME']}/ZAP/zap.sh"
29
30
  @output = params[:output] || $stdout #default we log everything to the stdout
30
31
  end
@@ -62,7 +63,7 @@ module OwaspZap
62
63
  def alerts
63
64
  Zap::Alert.new(:base=>@base,:target=>@target)
64
65
  end
65
-
66
+
66
67
  def scanner
67
68
  Zap::Scanner.new(:base=>@base)
68
69
  end
@@ -77,25 +78,42 @@ module OwaspZap
77
78
  end
78
79
 
79
80
  def auth
80
- Zap::Auth.new(:base=>@base)
81
+ Zap::Auth.new(:base=>@base)
81
82
  end
82
83
 
83
84
  # TODO
84
85
  # DOCUMENT the step necessary: install ZAP under $home/ZAP or should be passed to new as :zap parameter
85
86
  def start(params = {})
86
- cmd_line = if params.key? :daemon
87
- "#{@zap_bin} -daemon"
88
- else
89
- @zap_bin
87
+ # default we are disabling api key
88
+ params = {api_key:false}.merge(params)
89
+ cmd_line = "#{@zap_bin}"
90
+ case
91
+ when params.key?(:daemon)
92
+ cmd_line += " -daemon"
93
+ when params.key?(:api_key)
94
+ cmd_line += if params[:api_key] == true
95
+ " -config api.key=#{@api_key}"
96
+ else
97
+ " -config api.disablekey=true"
98
+ end
99
+ end
100
+ if params.key?(:host)
101
+ cmd_line += " -host #{params[:host]}"
102
+ end
103
+ if params.key?(:port)
104
+ cmd_line += " -port #{params[:port]}"
90
105
  end
91
106
  fork do
92
107
  # if you passed :output=>"file.txt" to the constructor, then it will send the forked process output
93
108
  # to this file (that means, ZAP stdout)
94
109
  unless @output == $stdout
95
110
  STDOUT.reopen(File.open(@output, 'w+'))
96
- STDOUT.sync = true
111
+ STDOUT.sync = true
97
112
  end
113
+ print "Running the following command: #{cmd_line} \n"
114
+
98
115
  exec cmd_line
116
+
99
117
  end
100
118
  end
101
119
 
@@ -105,9 +123,13 @@ module OwaspZap
105
123
  end
106
124
 
107
125
  #xml report
108
- #maybe it should be refactored to alert.
126
+ #maybe it should be refactored to alert.
109
127
  def xml_report
110
128
  RestClient::get "#{@base}/OTHER/core/other/xmlreport/"
111
129
  end
130
+
131
+ def html_report
132
+ RestClient::get "#{@base}/OTHER/core/other/htmlreport/"
133
+ end
112
134
  end
113
135
  end
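Review bot: In `start` (the @@ -77,25 +78,42 @@ hunk) the subject-less `case` makes `:daemon` and `:api_key` mutually exclusive: `{api_key: false}` is merged in first, but `when params.key?(:daemon)` is tested first and wins, so `z.start :daemon=>true` (the README's own example) appends neither `-config api.disablekey=true` nor the key, and on ZAP 2.4.1+ daemon mode starts with a generated key and every later API call from this gem fails — the exact situation the README's "Important" section says the default is meant to avoid. Separately, `cmd_line` interpolates `@zap_bin`, `@api_key`, `params[:host]` and `params[:port]` into one string and hands it to `exec`, which goes through a shell when the string contains metacharacters, and the `print` added just before `exec` writes the API key to stdout or into the `:output` log file. I would build an argv array, call `exec` in list form, validate the port with `Integer()`, and redact the key in the printed line; the `api.disablekey=true` default also leaves the ZAP API usable by anything that can reach the proxy port, which deserves an explicit comment next to the default. The `fork` body's STDOUT redirection is unchanged and `start` begins with the hunk's context lines.
```ruby
    # default we are disabling api key -- NOTE: this leaves the ZAP API open to
    # anything that can reach the proxy port; pass api_key: true to require the key
    params = {api_key: false}.merge(params)
    argv = [@zap_bin]
    argv << "-daemon" if params.key?(:daemon)
    # api key handling must not depend on daemon mode
    if params[:api_key] == true
      raise ArgumentError, "api_key: true requires :api_key in the constructor" if @api_key.nil? || @api_key.empty?
      argv << "-config" << "api.key=#{@api_key}"
    else
      argv << "-config" << "api.disablekey=true"
    end
    argv << "-host" << params[:host].to_s if params.key?(:host)
    argv << "-port" << Integer(params[:port]).to_s if params.key?(:port) # Integer() rejects non-numeric input
    fork do
      # … unchanged: STDOUT redirection to @output …
      shown = argv.map { |a| a.start_with?("api.key=") ? "api.key=[redacted]" : a }
      print "Running the following command: #{shown.join(' ')} \n"
      exec(*argv) # list form: no shell, no word-splitting of paths or values
    end
```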
@@ -2,6 +2,7 @@ module OwaspZap
2
2
  class Auth
3
3
  attr_accessor :ctx,:base
4
4
  def initialize(params = {})
5
+ import_context(params[:context_name]) if !params[:context_name].nil?
5
6
  @ctx = params[:context] || 1 #default context is the1
6
7
  @base = params[:base] || "http://127.0.0.1:8080/JSON"
7
8
  end
@@ -31,6 +32,12 @@ module OwaspZap
31
32
  # url: url including http://
32
33
  # post_data: an already encoded string like "email%3Dfoo%2540example.org%26passwd%3Dfoobar"
33
34
  # TODO: offer a way to encode it, giving a hash?
35
+ def import_context(context)
36
+ set_query "{@base}/context/action/importContext/",postData: context
37
+ contexts = RestClient::get "{@base}/context/view/contextList"
38
+ puts contexts
39
+ end
40
+
34
41
  def set_login_url(args)
35
42
  set_query "#{@base}/auth/action/setLoginUrl/",:postData=>args[:post_data]
36
43
  end
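Review bot: `import_context` in the @@ -31,6 +32,12 @@ hunk builds both URLs from `"{@base}/..."` without the `#`, so the `set_query` POST and the `RestClient::get` target the literal path `{@base}/context/...` instead of the proxy; and the new call added to `initialize` runs before `@base` is assigned two lines later, so even with the interpolation fixed `@base` is nil at that point. Move the call to the end of `initialize` (after `@base = ...`) and fix the two literals: `set_query "#{@base}/context/action/importContext/", postData: context` and `contexts = RestClient::get "#{@base}/context/view/contextList"`. The `puts contexts` only dumps the raw response to stdout; returning it (parsed) would let callers verify the import. Whether ZAP's importContext action actually accepts a `postData` parameter is not something the hunk shows — worth checking against the API docs before relying on it.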
@@ -24,10 +24,21 @@ module OwaspZap
24
24
  if ret.has_key? "status"
25
25
  ret["status"].to_i
26
26
  else
27
- 100 # it means no running
27
+ 100 # it means not running
28
28
  end
29
29
  end
30
30
 
31
+ def set_depth(max_d)
32
+ #http://localhost:8084/JSON/spider/action/setOptionMaxDepth/?Integer=1
33
+ url = Addressable::URI.parse("#{@base}/JSON/spider/action/setOptionMaxDepth/")
34
+ url.query_values = {:integer=>max_d.to_i}
35
+ RestClient::get url.normalize.to_str
36
+ end
37
+
38
+ def depth
39
+ JSON.parse(RestClient::get("#{@base}/JSON/spider/view/optionMaxDepth/?zapapiformat=JSON"))
40
+ end
41
+
31
42
  def running?
32
43
  self.status != 100
33
44
  end
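Review bot: `set_depth` coerces with `max_d.to_i`, so a nil or non-numeric argument silently becomes 0 rather than failing; `url.query_values = {:integer => Integer(max_d)}` raises on bad input and still accepts integers and numeric strings. The comment above it shows ZAP's parameter as `?Integer=1` while the code (and the new spec) send lowercase `integer=` — if ZAP matches parameter names case-sensitively the call is a silent no-op, so confirm which form ZAP expects and align the spec stub with it. `depth` returns the entire parsed hash rather than the `MaxDepth` value; either extract it or add a comment such as `# returns the parsed JSON hash, e.g. {"MaxDepth"=>"2"}` so callers know the shape.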
@@ -1,3 +1,3 @@
1
1
  module OwaspZap
2
- VERSION = "0.0.95"
2
+ VERSION = "0.1.0"
3
3
  end
@@ -0,0 +1,34 @@
1
+ describe OwaspZap::Spider do
2
+ before do
3
+ @spider = OwaspZap::Spider.new :base=>"http://127.0.0.1:8080",:target=>"http://example.org"
4
+ end
5
+ it "should not be_nil" do
6
+ refute @spider.nil?
7
+ end
8
+ it "should respond_to running?" do
9
+ @spider.must_respond_to :running?
10
+ end
11
+ it "should be running if status != 100" do
12
+ @spider.stub(:status,95) do
13
+ @spider.running?.must_equal true
14
+ end
15
+ end
16
+
17
+ it "should not be running if status == 100" do
18
+ @spider.stub(:status,100) do
19
+ @spider.running?.must_equal false
20
+ end
21
+ end
22
+
23
+ it "should set depth" do
24
+ stub_request(:get, "http://127.0.0.1:8080/JSON/spider/action/setOptionMaxDepth/?integer=1").
25
+ to_return(:status => 200, :body => "{\"Result\":\"OK\"}", :headers => {})
26
+ @spider.set_depth(1).wont_be_nil
27
+ end
28
+
29
+ it "should get depth" do
30
+ stub_request(:get, "http://127.0.0.1:8080/JSON/spider/view/optionMaxDepth/?zapapiformat=JSON").
31
+ to_return(:status => 200, :body => "{\"MaxDepth\":\"2\"}", :headers => {})
32
+ @spider.depth.wont_be_nil
33
+ end
34
+ end
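Review bot: The two new request specs only assert that the return value is non-nil against a 200 stub, so they would still pass if `set_depth`/`depth` hit the wrong path or ignored the response body; asserting on the parsed value, e.g. `@spider.depth["MaxDepth"].must_equal "2"`, and (if the helper loads `webmock/minitest`) `assert_requested :get, "http://127.0.0.1:8080/JSON/spider/action/setOptionMaxDepth/?integer=1"` would pin the behaviour. The `refute @spider.nil?` case is always true after `Spider.new` returns and adds nothing. A negative case for a non-numeric depth would document what `set_depth` is expected to do with bad input.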
metadata CHANGED
@@ -1,111 +1,111 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: owasp_zap
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.95
4
+ version: 0.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Victor Pereira
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-08-07 00:00:00.000000000 Z
11
+ date: 2018-03-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - ~>
17
+ - - "~>"
18
18
  - !ruby/object:Gem::Version
19
19
  version: '1.3'
20
20
  type: :development
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - ~>
24
+ - - "~>"
25
25
  - !ruby/object:Gem::Version
26
26
  version: '1.3'
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rake
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - '>='
31
+ - - ">="
32
32
  - !ruby/object:Gem::Version
33
33
  version: '0'
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - '>='
38
+ - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: minitest
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - '>='
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
47
  version: '0'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - '>='
52
+ - - ">="
53
53
  - !ruby/object:Gem::Version
54
54
  version: '0'
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: simplecov
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
- - - '>='
59
+ - - ">="
60
60
  - !ruby/object:Gem::Version
61
61
  version: '0'
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
- - - '>='
66
+ - - ">="
67
67
  - !ruby/object:Gem::Version
68
68
  version: '0'
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: webmock
71
71
  requirement: !ruby/object:Gem::Requirement
72
72
  requirements:
73
- - - '>='
73
+ - - ">="
74
74
  - !ruby/object:Gem::Version
75
75
  version: '0'
76
76
  type: :development
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
- - - '>='
80
+ - - ">="
81
81
  - !ruby/object:Gem::Version
82
82
  version: '0'
83
83
  - !ruby/object:Gem::Dependency
84
84
  name: rest-client
85
85
  requirement: !ruby/object:Gem::Requirement
86
86
  requirements:
87
- - - '>='
87
+ - - ">="
88
88
  - !ruby/object:Gem::Version
89
89
  version: '0'
90
90
  type: :runtime
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
- - - '>='
94
+ - - ">="
95
95
  - !ruby/object:Gem::Version
96
96
  version: '0'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: addressable
99
99
  requirement: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - '>='
101
+ - - ">="
102
102
  - !ruby/object:Gem::Version
103
103
  version: '0'
104
104
  type: :runtime
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
- - - '>='
108
+ - - ">="
109
109
  - !ruby/object:Gem::Version
110
110
  version: '0'
111
111
  description: ruby wrapper for ZAP
@@ -115,8 +115,8 @@ executables: []
115
115
  extensions: []
116
116
  extra_rdoc_files: []
117
117
  files:
118
- - .gitignore
119
- - .travis.yml
118
+ - ".gitignore"
119
+ - ".travis.yml"
120
120
  - Gemfile
121
121
  - LICENSE.txt
122
122
  - README.md
@@ -136,6 +136,7 @@ files:
136
136
  - spec/auth_spec.rb
137
137
  - spec/helper.rb
138
138
  - spec/scanner_spec.rb
139
+ - spec/spider_spec.rb
139
140
  - spec/zap_spec.rb
140
141
  homepage: ''
141
142
  licenses:
@@ -147,17 +148,17 @@ require_paths:
147
148
  - lib
148
149
  required_ruby_version: !ruby/object:Gem::Requirement
149
150
  requirements:
150
- - - '>='
151
+ - - ">="
151
152
  - !ruby/object:Gem::Version
152
153
  version: '0'
153
154
  required_rubygems_version: !ruby/object:Gem::Requirement
154
155
  requirements:
155
- - - '>='
156
+ - - ">="
156
157
  - !ruby/object:Gem::Version
157
158
  version: '0'
158
159
  requirements: []
159
160
  rubyforge_project:
160
- rubygems_version: 2.0.14
161
+ rubygems_version: 2.6.14
161
162
  signing_key:
162
163
  specification_version: 4
163
164
  summary: ruby wrapper for the zed application proxy
@@ -166,4 +167,5 @@ test_files:
166
167
  - spec/auth_spec.rb
167
168
  - spec/helper.rb
168
169
  - spec/scanner_spec.rb
170
+ - spec/spider_spec.rb
169
171
  - spec/zap_spec.rb