owasp_zap 0.0.95 → 0.1.0

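--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 782c553bfa5aee80dc9987f306cff31a3cfe6b7e
-data.tar.gz: 653a520ff07c6a14156cd84e43f33d6e814e81a0
+metadata.gz: 6d6c84bf8558d7cf7a662388b75ddc327695dc9b
+data.tar.gz: 8964c0d91f9b4d61c3a32d1c617e14602c0d6591
 SHA512:
-metadata.gz: 73ff7b887bce019164c72b040c7b3549d1fb523b88390c9c1dc35b9976a4d5d9fa1d64aa2fe6f131f5e578acc31fe54d1ec8910f98ef083fd61d27c0b02f76f1
-data.tar.gz: dc49d7f3e8e8f95408a722524b96a9c4e61159937f687ec0d0b0231a2c2dbfc66a7ee74b366ffc7156ffc0a961a5dc928a4ec0ae82684ef13cbebaeb6230bc09
+metadata.gz: 7483f96f1e57554ffd017310af50bcf16f9fadaa8f638e1ac757462a0a05a1f4dbeb0e4618ea6a7c88b2a8d2a91cfc173afd2e8eb02767bca111a3379f660d54
+data.tar.gz: 6612cade30f57e7dbf9d3b4c2d14600f36889109adc4ed132626ced4eb8836c9505f4cde75aa203539062a828aabe07bf0176cc30d46742cb8fe1dcdc7b7fe91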
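--- a/data/README.md
+++ b/data/README.md
@@ -8,6 +8,8 @@ if you need a rpm, check it here: https://build.opensuse.org/package/show/home:v
 [![Build Status](https://travis-ci.org/vpereira/owasp_zap.png?branch=master)](https://travis-ci.org/vpereira/owasp_zap)
 [![Code Climate](https://codeclimate.com/github/vpereira/owasp_zap.png)](https://codeclimate.com/github/vpereira/owasp_zap)
 
+## Status: Maintained
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -25,18 +27,40 @@ Or install it yourself as:
 ## Usage
 
 require 'owasp_zap'
-
-include OwaspZap
+
+include OwaspZap
 
 z = Zap.new :target=>'http://xxx.xxx.xxx' # create new Zap instance with default params
 z = Zap.new :target=>'http://yyy.yyy.yyy', :zap=>"/usr/share/owasp-zap/zap.sh" # if you got my obs package
 z = Zap.new :output=>'logfile.txt' # it will log the stdout log from Zap Proxy to a file
 z.start # start interactive
 # TODO
-# document it further :)
+# document it further :)
 z.start :daemon=>true # start in daemon mode
+z.scan # to run active scan
+z.alerts.view # you can specify one format JSON, XML or HTML.. default JSON.
 z.shutdown # stop the proxy
 
+# to disable a specific test
+to_be_disabled = JSON.load(z.policy.all)["policies"].select { |p| p["name"] == "Information gathering" }.first
+
+unless to_be_disabled.nil?
+z.scanner.disable([to_be_disabled["id"]])
+end
+
+# to print the XML report
+z.xml_report
+
+## Important
+
+Starting from version 2.4.1 ZAP creates an API key. Applications that call the
+API wont be able to set anything without the API KEY. We must implement it.
+Therefore to keep it working, as default we are disabling the api key.
+
+Please check https://github.com/zaproxy/zaproxy/wiki/FAQapikey
+
+and https://github.com/vpereira/owasp_zap/blob/master/lib/owasp_zap.rb#L88
+
 ## Contributing
 
 1. Fork it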
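--- a/lib/owasp_zap.rb
+++ b/lib/owasp_zap.rb
@@ -19,12 +19,13 @@ module OwaspZap
 
 class Zap
 attr_accessor :target,:base, :zap_bin
-
+attr_reader :api_key
 def initialize(params = {})
 #TODO
 # handle params
 @base = params[:base] || "http://127.0.0.1:8080"
 @target = params[:target]
+@api_key = params[:api_key]
 @zap_bin = params [:zap] || "#{ENV['HOME']}/ZAP/zap.sh"
 @output = params[:output] || $stdout #default we log everything to the stdout
 end
@@ -62,7 +63,7 @@ module OwaspZap
 def alerts
 Zap::Alert.new(:base=>@base,:target=>@target)
 end
-
+
 def scanner
 Zap::Scanner.new(:base=>@base)
 end
@@ -77,25 +78,42 @@ module OwaspZap
 end
 
 def auth
-Zap::Auth.new(:base=>@base)
+Zap::Auth.new(:base=>@base)
 end
 
 # TODO
 # DOCUMENT the step necessary: install ZAP under $home/ZAP or should be passed to new as :zap parameter
 def start(params = {})
-cmd_line = if params.key? :daemon
-"#{@zap_bin} -daemon"
-else
-@zap_bin
+# default we are disabling api key
+params = {api_key:false}.merge(params)
+cmd_line = "#{@zap_bin}"
+case
+when params.key?(:daemon)
+cmd_line += " -daemon"
+when params.key?(:api_key)
+cmd_line += if params[:api_key] == true
+" -config api.key=#{@api_key}"
+else
+" -config api.disablekey=true"
+end
+end
+if params.key?(:host)
+cmd_line += " -host #{params[:host]}"
+end
+if params.key?(:port)
+cmd_line += " -port #{params[:port]}"
 end
 fork do
 # if you passed :output=>"file.txt" to the constructor, then it will send the forked process output
 # to this file (that means, ZAP stdout)
 unless @output == $stdout
 STDOUT.reopen(File.open(@output, 'w+'))
-STDOUT.sync = true
+STDOUT.sync = true
 end
+print "Running the following command: #{cmd_line} \n"
+
 exec cmd_line
+
 end
 end
 
@@ -105,9 +123,13 @@ module OwaspZap
 end
 
 #xml report
-#maybe it should be refactored to alert.
+#maybe it should be refactored to alert.
 def xml_report
 RestClient::get "#{@base}/OTHER/core/other/xmlreport/"
 end
+
+def html_report
+RestClient::get "#{@base}/OTHER/core/other/htmlreport/"
+end
 end
 end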
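--- a/PATH-NOT-SHOWN(OwaspZap::Auth file)
+++ b/PATH-NOT-SHOWN(OwaspZap::Auth file)
@@ -2,6 +2,7 @@ module OwaspZap
 class Auth
 attr_accessor :ctx,:base
 def initialize(params = {})
+import_context(params[:context_name]) if !params[:context_name].nil?
 @ctx = params[:context] || 1 #default context is the1
 @base = params[:base] || "http://127.0.0.1:8080/JSON"
 end
@@ -31,6 +32,12 @@ module OwaspZap
 # url: url including http://
 # post_data: an already encoded string like "email%3Dfoo%2540example.org%26passwd%3Dfoobar"
 # TODO: offer a way to encode it, giving a hash?
+def import_context(context)
+set_query "{@base}/context/action/importContext/",postData: context
+contexts = RestClient::get "{@base}/context/view/contextList"
+puts contexts
+end
+
 def set_login_url(args)
 set_query "#{@base}/auth/action/setLoginUrl/",:postData=>args[:post_data]
 end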
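Review bot: Both URLs in `import_context` lack the `#` before `{@base}`, so the requests go to the literal path `{@base}/context/...` rather than the proxy; they should read `"#{@base}/context/action/importContext/"` and `"#{@base}/context/view/contextList"`. In the first hunk `initialize` calls `import_context` before `@base` is assigned two lines later, so even with the interpolation fixed the call sees a nil base — move the `import_context` line below the `@base` assignment, where `if params[:context_name]` is enough without the `.nil?` check. `puts contexts` dumps the raw API response to stdout; returning it to the caller would be more useful than printing it. `set_query` is defined outside this hunk, and whether ZAP's importContext action reads the file path from `postData` rather than a differently named parameter is not visible here, so confirm that against the ZAP API reference.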
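--- a/PATH-NOT-SHOWN(OwaspZap::Spider file)
+++ b/PATH-NOT-SHOWN(OwaspZap::Spider file)
@@ -24,10 +24,21 @@ module OwaspZap
 if ret.has_key? "status"
 ret["status"].to_i
 else
-100 # it means no running
+100 # it means not running
 end
 end
 
+def set_depth(max_d)
+#http://localhost:8084/JSON/spider/action/setOptionMaxDepth/?Integer=1
+url = Addressable::URI.parse("#{@base}/JSON/spider/action/setOptionMaxDepth/")
+url.query_values = {:integer=>max_d.to_i}
+RestClient::get url.normalize.to_str
+end
+
+def depth
+JSON.parse(RestClient::get("#{@base}/JSON/spider/view/optionMaxDepth/?zapapiformat=JSON"))
+end
+
 def running?
 self.status != 100
 end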
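Review bot: `set_depth` sends the query key `integer` while the comment directly above documents the endpoint as `?Integer=1`; ZAP API parameter names are case-sensitive as far as I recall, so a real proxy would likely reject this even though the spec stubs the lowercase form — confirm, and if so use `url.query_values = {:Integer=>Integer(max_d)}`. `max_d.to_i` also turns a non-numeric argument into `0` silently (`"abc".to_i` is `0`), whereas `Integer(max_d)` raises on bad input, which is the safer coercion for a setting that is sent to the proxy. `depth` would benefit from a one-line comment naming what it returns; the spec's stub suggests a hash like `{"MaxDepth" => "2"}`, but the real shape should be confirmed against ZAP.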
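--- a/PATH-NOT-SHOWN(OwaspZap::VERSION file)
+++ b/PATH-NOT-SHOWN(OwaspZap::VERSION file)
@@ -1,3 +1,3 @@
 module OwaspZap
-VERSION = "0.0.95"
+VERSION = "0.1.0"
 end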
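--- /dev/null
+++ b/spec/spider_spec.rb
@@ -0,0 +1,34 @@
+describe OwaspZap::Spider do
+before do
+@spider = OwaspZap::Spider.new :base=>"http://127.0.0.1:8080",:target=>"http://example.org"
+end
+it "should not be_nil" do
+refute @spider.nil?
+end
+it "should respond_to running?" do
+@spider.must_respond_to :running?
+end
+it "should be running if status != 100" do
+@spider.stub(:status,95) do
+@spider.running?.must_equal true
+end
+end
+
+it "should not be running if status == 100" do
+@spider.stub(:status,100) do
+@spider.running?.must_equal false
+end
+end
+
+it "should set depth" do
+stub_request(:get, "http://127.0.0.1:8080/JSON/spider/action/setOptionMaxDepth/?integer=1").
+to_return(:status => 200, :body => "{\"Result\":\"OK\"}", :headers => {})
+@spider.set_depth(1).wont_be_nil
+end
+
+it "should get depth" do
+stub_request(:get, "http://127.0.0.1:8080/JSON/spider/view/optionMaxDepth/?zapapiformat=JSON").
+to_return(:status => 200, :body => "{\"MaxDepth\":\"2\"}", :headers => {})
+@spider.depth.wont_be_nil
+end
+end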
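Review bot: `it "should get depth"` only asserts `wont_be_nil`, which any stubbed 200 response satisfies regardless of how the body is parsed; asserting the parsed value, `@spider.depth.must_equal("MaxDepth" => "2")`, would actually exercise the `JSON.parse` in `depth`. Likewise `refute @spider.nil?` can never fail for the result of `new` and adds nothing. The `should set depth` stub hard-codes `?integer=1`, so it pins whatever casing `set_depth` currently sends rather than the parameter name ZAP documents, and a mismatch with the real API would pass this spec unnoticed.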
metadata CHANGED
@@ -1,111 +1,111 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: owasp_zap
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.95
4
+ version: 0.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Victor Pereira
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-08-07 00:00:00.000000000 Z
11
+ date: 2018-03-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - ~>
17
+ - - "~>"
18
18
  - !ruby/object:Gem::Version
19
19
  version: '1.3'
20
20
  type: :development
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - ~>
24
+ - - "~>"
25
25
  - !ruby/object:Gem::Version
26
26
  version: '1.3'
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rake
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - '>='
31
+ - - ">="
32
32
  - !ruby/object:Gem::Version
33
33
  version: '0'
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - '>='
38
+ - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: minitest
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - '>='
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
47
  version: '0'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - '>='
52
+ - - ">="
53
53
  - !ruby/object:Gem::Version
54
54
  version: '0'
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: simplecov
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
- - - '>='
59
+ - - ">="
60
60
  - !ruby/object:Gem::Version
61
61
  version: '0'
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
- - - '>='
66
+ - - ">="
67
67
  - !ruby/object:Gem::Version
68
68
  version: '0'
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: webmock
71
71
  requirement: !ruby/object:Gem::Requirement
72
72
  requirements:
73
- - - '>='
73
+ - - ">="
74
74
  - !ruby/object:Gem::Version
75
75
  version: '0'
76
76
  type: :development
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
- - - '>='
80
+ - - ">="
81
81
  - !ruby/object:Gem::Version
82
82
  version: '0'
83
83
  - !ruby/object:Gem::Dependency
84
84
  name: rest-client
85
85
  requirement: !ruby/object:Gem::Requirement
86
86
  requirements:
87
- - - '>='
87
+ - - ">="
88
88
  - !ruby/object:Gem::Version
89
89
  version: '0'
90
90
  type: :runtime
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
- - - '>='
94
+ - - ">="
95
95
  - !ruby/object:Gem::Version
96
96
  version: '0'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: addressable
99
99
  requirement: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - '>='
101
+ - - ">="
102
102
  - !ruby/object:Gem::Version
103
103
  version: '0'
104
104
  type: :runtime
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
- - - '>='
108
+ - - ">="
109
109
  - !ruby/object:Gem::Version
110
110
  version: '0'
111
111
  description: ruby wrapper for ZAP
@@ -115,8 +115,8 @@ executables: []
115
115
  extensions: []
116
116
  extra_rdoc_files: []
117
117
  files:
118
- - .gitignore
119
- - .travis.yml
118
+ - ".gitignore"
119
+ - ".travis.yml"
120
120
  - Gemfile
121
121
  - LICENSE.txt
122
122
  - README.md
@@ -136,6 +136,7 @@ files:
136
136
  - spec/auth_spec.rb
137
137
  - spec/helper.rb
138
138
  - spec/scanner_spec.rb
139
+ - spec/spider_spec.rb
139
140
  - spec/zap_spec.rb
140
141
  homepage: ''
141
142
  licenses:
@@ -147,17 +148,17 @@ require_paths:
147
148
  - lib
148
149
  required_ruby_version: !ruby/object:Gem::Requirement
149
150
  requirements:
150
- - - '>='
151
+ - - ">="
151
152
  - !ruby/object:Gem::Version
152
153
  version: '0'
153
154
  required_rubygems_version: !ruby/object:Gem::Requirement
154
155
  requirements:
155
- - - '>='
156
+ - - ">="
156
157
  - !ruby/object:Gem::Version
157
158
  version: '0'
158
159
  requirements: []
159
160
  rubyforge_project:
160
- rubygems_version: 2.0.14
161
+ rubygems_version: 2.6.14
161
162
  signing_key:
162
163
  specification_version: 4
163
164
  summary: ruby wrapper for the zed application proxy
@@ -166,4 +167,5 @@ test_files:
166
167
  - spec/auth_spec.rb
167
168
  - spec/helper.rb
168
169
  - spec/scanner_spec.rb
170
+ - spec/spider_spec.rb
169
171
  - spec/zap_spec.rb