owasp_zap 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a80255539473310bacf8733abfdc8f71b4abec7d
+  data.tar.gz: 508ea5d854379c64d306da68d08a577c90d207c9
+SHA512:
+  metadata.gz: 3b9147943357fdd6fee21cc68375f419c2cbc46ca8fe6ac3cae2400f5dbdd18f49f755dbabd8a4819be1a82de0e71a25b52e5818a11d254675755c820dd95f1d
+  data.tar.gz: 56f636883c71f7399bf8008e7bc16f44adbb16bb6fd9a8512a8b5b9bd16bc73cc00f18e1163dac6c9bf1badcdf5cfd5983941d47e35275b2d0c4be4b12e0b291

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.*.swp

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+    - "2.0.0-p353"
+branches:
+      only:
+              - master

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in zap.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 TODO: Write your name
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# OwaspZap
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'owasp_zap'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install owasp_zap
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,17 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+      t.libs.push ["lib/owasp_zap","spec"]
+      t.test_files = FileList['spec/*_spec.rb']
+      t.verbose = true
+end
+
+namespace :test do
+      desc "test coverage report"
+      task :coverage do
+        Rake::Task["test"].execute
+      end
+end
+
+task :default=> :test

data/lib/owasp_zap.rb

@@ -0,0 +1,87 @@
+require "json"
+require "rest_client"
+require "addressable/uri"
+require "cgi"
+
+require_relative "owasp_zap/version"
+require_relative "owasp_zap/string_extension"
+require_relative "owasp_zap/spider"
+require_relative "owasp_zap/attack"
+require_relative "owasp_zap/alert"
+require_relative "owasp_zap/auth"
+
+module OwaspZap
+    class ZapException < Exception;end
+
+    class Zap
+       attr_accessor :target,:base
+
+       def initialize(params = {})
+            #TODO
+            # handle params
+            @base = params[:base] || "http://127.0.0.1:8080/JSON"
+            @target = params[:target]
+            @zap_bin = params [:zap] || "#{ENV['HOME']}/ZAP/zap.sh"
+        end
+
+        def status_for(component)
+            case component
+            when :ascan
+                Zap::Attack.new(:base=>@base,:target=>@target).status
+            when :spider
+                Zap::Spider.new(:base=>@base,:target=>@target).status
+            else
+                {:status=>"unknown component"}.to_json
+            end
+
+        end
+        def ok?(json_data)
+            json_data.is_a?(Hash) and json_data[0] == "OK"
+        end
+
+        def running?
+            begin
+                response = RestClient::get "#{@base}"
+            rescue Errno::ECONNREFUSED
+                return false
+            end
+            response.code == 200
+        end
+
+        def alerts
+            Zap::Alert.new(:base=>@base,:target=>@target)
+        end
+        
+        #attack
+        def ascan
+            Zap::Attack.new(:base=>@base,:target=>@target)
+        end
+
+        def spider
+            Zap::Spider.new(:base=>@base,:target=>@target)
+        end
+
+        def auth
+            Zap::Auth.new(:base=>@base) 
+        end
+
+        #TODO
+        #DOCUMENT the step necessary: install ZAP under $home/ZAP or should be passed to new as :zap parameter
+        def start
+            fork do
+               exec @zap_bin 
+            end
+        end
+
+        #shutdown zap
+        def shutdown
+            RestClient::get "#{@base}/core/action/shutdown/"
+        end
+
+        #xml report
+        #maybe it should be refactored to alert. 
+        def xml_report
+            RestClient::get "#{@base}/OTHER/core/other/xmlreport/"
+        end
+   end
+end

data/lib/owasp_zap/alert.rb

@@ -0,0 +1,18 @@
+module OwaspZap
+    class Alert
+        def initialize(params = {})
+            #handle params
+            @base = params[:base]
+            @target = params[:target]
+        end
+
+        #
+        # the API has an option to give an offset (start) and the amount of alerts (count) as parameter
+        def view
+            #http://localhost:8080/JSON/core/view/alerts/?zapapiformat=JSON&baseurl=http%3A%2F%2F192.168.1.113&start=&count=
+            url = Addressable::URI.parse "#{@base}/core/view/alerts/"
+            url.query_values = {:zapapiformat=>"JSON",:baseurl=>@target}
+            RestClient::get url.normalize.to_str
+        end
+    end
+end

data/lib/owasp_zap/attack.rb

@@ -0,0 +1,21 @@
+module OwaspZap
+    class Attack
+        def initialize(params = {})
+            #TODO
+            #handle it
+            @base = params[:base]
+            @target = params[:target]
+        end
+
+        def start
+            url = Addressable::URI.parse "#{@base}/ascan/action/scan/"
+            url.query_values = {:zapapiformat=>"JSON",:url=>@target}
+            RestClient::get url.normalize.to_str
+        end
+
+        def status
+            RestClient::get "#{@base}/ascan/view/status/?zapapiformat=JSON"
+        end
+
+    end
+end

data/lib/owasp_zap/auth.rb

@@ -0,0 +1,72 @@
+module OwaspZap
+    class Auth
+        attr_accessor :ctx,:base
+        def initialize(params = {})
+            @ctx = params[:context] || 1 #default context is the1
+            @base = params[:base] || "http://127.0.0.1:8080/JSON"
+        end
+
+        #
+        # define dynamically the methods from: http://127.0.0.1:8080/UI/auth/
+        #
+        #
+        [:login_url, :logout_url, :login_data, :logout_data, :logged_in_indicator, :logged_out_indicator].each do |method|
+            define_method method do
+                RestClient::get "#{@base}/auth/view/#{to_url(method)}/?zapapiformat=JSON&contextId=#{@ctx}"
+            end
+        end
+
+        #
+        # define methods login, logout 
+        #
+        #
+        [:login,:logout].each do |method|
+            define_method method do
+               RestClient::get "#{@base}/auth/action/#{to_url(method)}/?zapapiformat=JSON&contextId=#{@ctx}"
+            end
+        end
+
+        # params:
+        # args a hash with the following keys -> values
+        # url: url including http:// 
+        # post_data: an already encoded string like "email%3Dfoo%2540example.org%26passwd%3Dfoobar" 
+        # TODO: offer a way to encode it, giving a hash?
+        def set_login_url(args)
+            url = Addressable::URI.parse "#{@base}/auth/action/setLoginUrl/"
+            url.query_values = {:zapapiformat=>"JSON",:url=>args[:url],:postData=>args[:post_data],:contextId=>@ctx}
+            RestClient::get url.normalize.to_str
+        end
+
+        def set_logout_url(args)
+            url = Addressable::URI.parse "#{@base}/auth/action/setLogoutUrl/"
+            url.query_values = {:zapapiformat=>"JSON",:url=>args[:url],:postData=>args[:post_data],:contextId=>@ctx}
+            RestClient::get url.normalize.to_str
+        end
+
+        def set_logged_in_indicator(args)
+            url = Addressable::URI.parse "#{@base}/auth/action/setLoggedInIndicator/"
+            url.query_values = {:zapapiformat=>"JSON",:url=>args[:url],:postData=>args[:indicator],:contextId=>@ctx}
+            RestClient::get url.normalize.to_str
+        end
+
+        def set_logged_out_indicator(args)
+            url = Addressable::URI.parse "#{@base}/auth/action/setLoggedOutIndicator/"
+            url.query_values = {:zapapiformat=>"JSON",:url=>args[:url],:indicator=>args[:indicator],:contextId=>@ctx}
+            RestClient::get url.normalize.to_str
+        end
+
+        private
+        def to_url(str)
+            method_str = str.to_s
+            method_str.extend OwaspZap::StringExtension # monkey patch just this instance
+            method_str.camel_case
+         end
+
+        def to_method(str)
+            method_str = str.to_s
+            method_str.extend OwaspZap::StringExtension # monkey patch just this instance
+            method_str.snake_case
+        end
+    end
+end
+

data/lib/owasp_zap/spider.rb

@@ -0,0 +1,27 @@
+module OwaspZap
+    class Spider
+
+        def initialize(params = {})
+            #TODO
+            #handle it
+            @base = params[:base]
+            @target = params[:target]
+        end
+
+        def start
+            #http://localhost:8080/JSON/spider/action/scan/?zapapiformat=JSON&url=
+            url = Addressable::URI.parse "#{@base}/spider/action/scan/"
+            url.query_values = {:zapapiformat=>"JSON",:url=>@target}
+            RestClient::get url.normalize.to_str
+        end
+
+        def stop
+            RestClient::get "#{@base}/spider/action/stop/?zapapiformat=JSON"
+        end
+
+        def status
+            RestClient::get "#{@base}/spider/view/status/?zapapiformat=JSON"
+        end
+
+    end
+end

data/lib/owasp_zap/string_extension.rb

@@ -0,0 +1,16 @@
+module OwaspZap
+    # extending String instance
+    module StringExtension
+        # from camel_case to snake_case: ie: fooBar to foo_bar
+        def snake_case
+          return downcase if match(/\A[A-Z]+\z/)
+          gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2').
+          gsub(/([a-z])([A-Z])/, '\1_\2').
+          downcase
+        end
+        # from snake_case to camel_case: ie: foo_bar to fooBar
+        def camel_case
+          self.split('_').inject([]){ |buffer,e| buffer.push(buffer.empty? ? e : e.capitalize) }.join
+        end
+    end
+end

data/lib/owasp_zap/version.rb

@@ -0,0 +1,3 @@
+module OwaspZap
+  VERSION = "0.0.1"
+end

data/owasp_zap.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'owasp_zap/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "owasp_zap"
+  spec.version       = OwaspZap::VERSION
+  spec.authors       = ["Victor Pereira"]
+  spec.email         = ["vpereira@suse.de"]
+  spec.description   = %q{ruby wrapper for ZAP}
+  spec.summary       = %q{ruby wrapper for the zed application proxy}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "webmock"
+  spec.add_dependency "rest-client"
+  spec.add_dependency "addressable"
+end
+

data/spec/auth_spec.rb

@@ -0,0 +1,52 @@
+require 'helper'
+
+describe OwaspZap::Auth do
+    before do 
+        @auth = OwaspZap::Auth.new 
+    end
+    it "should have context 1" do
+        assert_equal(@auth.ctx,1)
+    end
+    it "should have base on localhost" do 
+        assert_equal @auth.base,"http://127.0.0.1:8080/JSON"
+    end
+end
+
+describe "Auth view methods" do
+     before do
+         @h = OwaspZap::Auth.new
+         @methods = [:login_url, :logout_url, :login_data, :logout_data, :logged_in_indicator, :logged_out_indicator]
+         @methods.each do |m|
+            m_str = m.to_s
+            m_str.extend OwaspZap::StringExtension
+            m_str = m_str.camel_case
+            stub_request(:get, "http://127.0.0.1:8080/JSON/auth/view/#{m_str}/?zapapiformat=JSON&contextId=1").to_return(:status => 200, :body => "{\"Result\":\"OK\"}" , :headers => {})
+         end
+     end
+
+     it "should request all view methods" do
+         @methods.each do |m|
+            m_str = m.to_s
+            m_str.extend OwaspZap::StringExtension
+            m_str = m_str.camel_case
+            @h.send(m)
+            assert_requested :get,"http://127.0.0.1:8080/JSON/auth/view/#{m_str}/?zapapiformat=JSON&contextId=1"
+         end
+     end
+end
+
+describe "Login/Logout" do
+    before do 
+        @h = OwaspZap::Auth.new
+            stub_request(:get, "http://127.0.0.1:8080/JSON/auth/action/logout/?zapapiformat=JSON&contextId=1").to_return(:status => 200, :body => "{\"Result\":\"OK\"}" , :headers => {})
+            stub_request(:get, "http://127.0.0.1:8080/JSON/auth/action/login/?zapapiformat=JSON&contextId=1").to_return(:status => 200, :body => "{\"Result\":\"OK\"}" , :headers => {})
+    end
+    it "should call the login url" do
+        @h.login
+        assert_requested :get,"http://127.0.0.1:8080/JSON/auth/action/login/?zapapiformat=JSON&contextId=1"
+    end
+    it "should call the logout url" do
+        @h.logout
+        assert_requested :get,"http://127.0.0.1:8080/JSON/auth/action/logout/?zapapiformat=JSON&contextId=1"
+    end
+end

data/spec/helper.rb

@@ -0,0 +1,8 @@
+require 'simplecov'
+SimpleCov.start
+SimpleCov.add_filter '/spec/'
+require 'minitest/autorun'
+require 'webmock/minitest'
+#SimpleCov.command_name 'minitest'
+require File.expand_path('../../lib/owasp_zap', __FILE__)
+require 'owasp_zap'

data/spec/zap_spec.rb

@@ -0,0 +1,122 @@
+require 'helper'
+
+include OwaspZap
+
+describe Zap do
+    before do
+        @zap = Zap.new(:target=>'http://127.0.0.1')
+    end
+
+    it "shouldnt be nil" do
+        @zap.wont_be :nil?
+    end
+
+    it "should have a target" do
+        @zap.respond_to? :target
+    end
+
+    it "target shouldnt be nil" do
+        @zap.target.wont_be :nil?
+    end
+
+    it "should have a base" do
+        assert_respond_to @zap,:base
+    end
+
+    it "should have method start" do
+        assert_respond_to @zap,:start
+    end
+
+    it "should have a method shutdown" do
+        assert_respond_to @zap,:shutdown
+    end
+
+    it "should respond_to to spider" do
+        assert_respond_to @zap,:spider
+    end
+
+    it "should call spider and get a spider object" do
+        assert_equal @zap.spider.class,Zap::Spider
+    end
+
+    it "should respond_to auth" do
+        assert_respond_to @zap,:auth
+    end
+
+    it "should call auth and get an auth object" do
+        assert_equal @zap.auth.class, Zap::Auth
+    end
+
+    it "should respond_to ascan" do 
+        assert_respond_to @zap,:ascan
+    end
+
+    it "should call ascan and get an attack object" do
+        assert_equal @zap.ascan.class, Zap::Attack
+    end
+
+    it "should respond_to alerts" do
+        assert_respond_to @zap,:alerts
+    end
+
+    it "should call alerts and get a alert object" do
+        assert_equal @zap.alerts.class,Zap::Alert
+    end
+
+    it "base shouldnt be nil" do
+        @zap.base.wont_be :nil?
+    end
+
+    it "base default should be http://127.0.0.1:8080/JSON" do
+        assert_equal @zap.base, "http://127.0.0.1:8080/JSON"
+    end
+end
+
+describe "changing default params" do
+    it "should be able to set base" do
+        @zap = Zap.new(:target=>'http://127.0.0.1',:base=>'http://127.0.0.2:8383')
+        assert_equal @zap.base, "http://127.0.0.2:8383"
+    end
+end
+
+describe "method shutdown" do
+    before do
+        @h = Zap::Zap.new :target=>"http://127.0.0.1"
+        stub_request(:get, "http://127.0.0.1:8080/JSON/core/action/shutdown/").to_return(:status => 200, :body => "{\"Result\":\"OK\"}" , :headers => {})
+    end
+
+    it "should receive a json as answer" do
+         @h.shutdown.wont_be :nil?
+    end
+    it "should request the shutdown url" do
+        @h.shutdown
+        assert_requested :get,"http://127.0.0.1:8080/JSON/core/action/shutdown/"
+    end
+
+end
+
+describe "StringExtension" do
+    it "should not respond_to camel_case and snake_case" do
+        @str = "" 
+        [:camel_case,:snake_case].each do |m|
+            refute_respond_to(@str,m)
+        end
+    end
+     it "should respond_to camel_case and snake_case" do
+        @str = "" 
+        @str.extend Zap::StringExtension
+        [:camel_case,:snake_case].each do |m|
+            assert_respond_to @str,m
+        end
+    end
+    it "should answer to camel_case" do
+        @str = "foo_bar"
+        @str.extend Zap::StringExtension
+        assert_equal @str.camel_case,"fooBar"
+    end
+    it "should answer to snake_case" do
+        @str = "fooBar"
+        @str.extend Zap::StringExtension
+        assert_equal @str.snake_case,"foo_bar" 
+    end
+end

metadata

@@ -0,0 +1,162 @@
+--- !ruby/object:Gem::Specification
+name: owasp_zap
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Victor Pereira
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-03-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ruby wrapper for ZAP
+email:
+- vpereira@suse.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/owasp_zap.rb
+- lib/owasp_zap/alert.rb
+- lib/owasp_zap/attack.rb
+- lib/owasp_zap/auth.rb
+- lib/owasp_zap/spider.rb
+- lib/owasp_zap/string_extension.rb
+- lib/owasp_zap/version.rb
+- owasp_zap.gemspec
+- spec/auth_spec.rb
+- spec/helper.rb
+- spec/zap_spec.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: ruby wrapper for the zed application proxy
+test_files:
+- spec/auth_spec.rb
+- spec/helper.rb
+- spec/zap_spec.rb