pwn 0.5.398 → 0.5.399

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 39074d56f83a8de876485919dc9e9e84e1bef64d200c2400d47de8a6bb992b95
-  data.tar.gz: 473823371595e3f73f9f96d89bfc692fa8511e4b48f5c26680ed66573de0acf5
+  metadata.gz: e10ec68e7ef2ebf6cce111bacbb8c9fbe95a5f5db4f775f845f1d1829d30f89a
+  data.tar.gz: 0fec666835b27fae7f193a6468d78c5351eec13cffd6293d3e175fec7dcc3891
 SHA512:
-  metadata.gz: f36ab7c999280bdc5d02c18d0aab8ab1246700eac42abb720e31880c1edd2601b19b87c1ae6748fb054e72b4e7ef472a588c70fa6ff5ef49be81653ae74162e2
-  data.tar.gz: c962fc165790548b427b439b47c554e0326ec0b1e14aaf0f7881057cddb12c03a5163ef2df4a095ad8b3910aad42de14d677bb83acb3be8c66b21106f6333a3f
+  metadata.gz: 69b64372dbe837e9320ad98a1064956b12581f154c1d14e1e77d1f4ba4e2de0530fa5b8ba13c31320fd4f8cbbcaf7db81c62b44f5612ef576355e7c997d685ae
+  data.tar.gz: 0b2fbf6d6c83e491ec54a30e114adddae1a211b063ca66d4aca07388df80da8b8fd2d455cb884523d3bedb31740de4f0a79986ccb5bfd496430087c81a427dd6

data/README.md

@@ -37,7 +37,7 @@ $ cd /opt/pwn
 $ ./install.sh
 $ ./install.sh ruby-gem
 $ pwn
-pwn[v0.5.398]:001 >>> PWN.help
+pwn[v0.5.399]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.4.4@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.5.398]:001 >>> PWN.help
+pwn[v0.5.399]:001 >>> PWN.help
 ```
 
 If you're using a multi-user install of RVM do:
@@ -62,7 +62,7 @@ $ rvm use ruby-3.4.4@pwn
 $ rvmsudo gem uninstall --all --executables pwn
 $ rvmsudo gem install --verbose pwn
 $ pwn
-pwn[v0.5.398]:001 >>> PWN.help
+pwn[v0.5.399]:001 >>> PWN.help
 ```
 
 PWN periodically upgrades to the latest version of Ruby which is reflected in `/opt/pwn/.ruby-version`.  The easiest way to upgrade to the latest version of Ruby from a previous PWN installation is to run the following script:

data/bin/pwn_burp_suite_pro_active_rest_api_scan

@@ -1,7 +1,6 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require 'fileutils'
 require 'pwn'
 require 'optparse'
 require 'uri'
@@ -16,14 +15,22 @@ OptionParser.new do |options|
     opts[:target_url] = t
   end
 
-  options.on('-oPATH', '--report_output_path=PATH', '<Required - Output Path for Active Scan Issues>') do |o|
-    opts[:output_path] = o
+  options.on('-oDIR', '--report_output_dir=DIR', '<Required - Output Directory for Active Scan Report>') do |o|
+    opts[:output_dir] = o
   end
 
   options.on('-dSWAGGER', '--swagger_definitions=SWAGGER', '<Required - Comma-delimited list of Swagger JSON/YAML files to import>') do |s|
     opts[:swagger_definitions] = s
   end
 
+  options.on('-bBPATH', '--burp_path=BPATH', '<Optional - Path to Burp Suite Pro Jar File (Defaults to /opt/burpsuite/burpsuite-pro.jar)>') do |b|
+    opts[:burp_jar_path] = b
+  end
+
+  options.on('-h', '--[no-]headless', '<Optional - Run Burp and Browser Headless>') do |h|
+    opts[:headless] = h
+  end
+
   options.on('-D', '--[no-]debug', '<Optional - Enable Debug Output and Do Not Delete Temporary OpenAPI Spec>') do |d|
     opts[:debug] = d
   end
@@ -48,14 +55,6 @@ OptionParser.new do |options|
     opts[:exclude_paths] = e
   end
 
-  options.on('-bBPATH', '--burp_path=BPATH', '<Optional - Path to Burp Suite Pro Jar File (Defaults to /opt/burpsuite/burpsuite-pro.jar)>') do |b|
-    opts[:burp_jar_path] = b
-  end
-
-  options.on('-h', '--[no-]headless', '<Optional - Run Burp and Browser Headless>') do |h|
-    opts[:headless] = h
-  end
-
   options.on('-iURL', '--in_scope=URL', '<Optional - URL to add include in scope (Defaults to value of --target_url)>') do |s|
     opts[:in_scope] = s
   end
@@ -70,17 +69,17 @@ begin
   timestamp = Time.now.strftime('%Y-%m-%d_%H-%M-%S%Z')
   logger = PWN::Plugins::PWNLogger.create
 
-  burp_jar_path = opts[:burp_jar_path]
-  headless = opts[:headless] || false
   target_url = opts[:target_url]
   raise 'ERROR: --target_url is required.' if target_url.nil?
 
-  output_path = opts[:output_path]
-  raise 'ERROR: --report_output_path is required.' if output_path.nil?
+  output_dir = opts[:output_dir]
+  raise 'ERROR: --report_output_dir is required.' if output_dir.nil?
 
   swagger_definitions = opts[:swagger_definitions]
   raise 'ERROR: --swagger_definitions is required.' if swagger_definitions.nil?
 
+  burp_jar_path = opts[:burp_jar_path]
+  headless = opts[:headless] || false
   debug = opts[:debug] || false
 
   swagger_defs_arr = swagger_definitions.split(',').map(&:strip)
@@ -146,7 +145,7 @@ begin
 
   raise "ERROR: Failed to import OpenAPI/Swagger spec #{openapi_spec} into Burp Suite Pro's Sitemap." if json_sitemap.nil? || json_sitemap.empty?
 
-  PWN::Plugins::BurpSuite.invoke_active_scan(
+  PWN::Plugins::BurpSuite.active_scan(
     burp_obj: burp_obj,
     target_url: in_scope,
     exclude_paths: exlude_paths
@@ -159,17 +158,11 @@ begin
   # Once DefectDojo begins to support XML report results
   report_types = %i[html xml]
   report_types.each do |report_type|
-    this_output_path = "#{output_path}.html"
-    # this_output_path = "#{File.dirname(output_path)}/#{File.basename(output_path, File.extname(output_path))}.html"
-
-    this_output_path = "#{output_path}.xml" if report_type == :xml
-    # this_output_path = "#{File.dirname(output_path)}/#{File.basename(output_path, File.extname(output_path))}.xml" if report_type == :xml
-
     PWN::Plugins::BurpSuite.generate_scan_report(
       burp_obj: burp_obj,
       target_url: in_scope,
       report_type: report_type,
-      output_path: this_output_path
+      output_dir: output_dir
     )
   end
 
@@ -177,6 +170,5 @@ begin
 rescue StandardError => e
   raise e
 ensure
-  FileUtils.rm_f(openapi_spec) unless debug
   burp_obj = PWN::Plugins::BurpSuite.stop(burp_obj: burp_obj) unless burp_obj.nil?
 end

data/bin/pwn_burp_suite_pro_active_scan

@@ -14,8 +14,8 @@ OptionParser.new do |options|
     opts[:target_url] = t
   end
 
-  options.on('-oPATH', '--report_output_path=PATH', '<Required - Output Path for Active Scan Issues>') do |o|
-    opts[:output_path] = o
+  options.on('-oDIR', '--report_output_dir=DIR', '<Required - Output Directory for Active Scan Report>') do |o|
+    opts[:output_dir] = o
   end
 
   options.on('-eLIST', '--exclude_paths=LIST', '<Optional - Comma-delimited list of paths to exlude from scanning (e.g. "/api/login, /api/logout, /api/etc")>') do |e|
@@ -30,6 +30,10 @@ OptionParser.new do |options|
     opts[:headless] = h
   end
 
+  options.on('-bTYPE', '--browser_type=TYPE', '<Optional - Browser Type <firefox|chrome|headless|rest> (Defaults to chrome)>') do |b|
+    opts[:browser_type] = b
+  end
+
   options.on('-s', '--[no-]spider', '<Optional - Crawl / Spider Target Prior to Scanning (Defaults to false)>') do |s|
     opts[:spider] = s
   end
@@ -51,20 +55,19 @@ end
 begin
   logger = PWN::Plugins::PWNLogger.create
 
-  burp_jar_path = opts[:burp_jar_path]
-  headless = opts[:headless] || false
-  spider = opts[:spider] || false
   target_url = opts[:target_url]
   raise 'ERROR: --target_url is required.' if target_url.nil?
 
-  output_path = opts[:output_path]
-  raise 'ERROR: --report_output_path is required.' if output_path.nil?
+  output_dir = opts[:output_dir]
+  raise 'ERROR: --report_output_dir is required.' if output_dir.nil?
 
   exlude_paths = opts[:exclude_paths]
   exlude_paths = exlude_paths.split(',').map(&:strip) if exlude_paths.is_a?(String)
-
+  burp_jar_path = opts[:burp_jar_path]
+  headless = opts[:headless] || false
+  browser_type = opts[:browser_type] ||= :chrome
+  spider = opts[:spider] || false
   navigation_instruct = opts[:navigation_instruct]
-
   in_scope = opts[:in_scope] ||= target_url
 
   # ------
@@ -77,7 +80,7 @@ begin
   else
     burp_obj = PWN::Plugins::BurpSuite.start(
       burp_jar_path: burp_jar_path,
-      browser_type: :chrome
+      browser_type: browser_type
     )
   end
 
@@ -101,7 +104,7 @@ begin
   browser = browser_obj[:browser]
   browser.goto(target_url)
 
-  unless navigation_instruct.nil?
+  if navigation_instruct
     File.read(navigation_instruct).each_line do |instruction|
       # Look for any set method in this instruction and replace its value w/ asterisks
       redact_regex = /\.set\(['"]([^'"]*)['"]\)/
@@ -112,13 +115,7 @@ begin
   end
 
   PWN::Plugins::BurpSuite.spider(burp_obj: burp_obj, target_url: in_scope) if spider
-
-  duration = 9
-  print "Waiting #{duration} seconds prior to kicking off active scan..."
-  sleep duration # Sleep for now so everything loads the way we expect - blech.
-  print "\n"
-
-  PWN::Plugins::BurpSuite.invoke_active_scan(
+  PWN::Plugins::BurpSuite.active_scan(
     burp_obj: burp_obj,
     target_url: in_scope,
     exclude_paths: exlude_paths
@@ -131,17 +128,11 @@ begin
   # Once DefectDojo begins to support XML report results
   report_types = %i[html xml]
   report_types.each do |report_type|
-    this_output_path = "#{output_path}.html"
-    # this_output_path = "#{File.dirname(output_path)}/#{File.basename(output_path, File.extname(output_path))}.html"
-
-    this_output_path = "#{output_path}.xml" if report_type == :xml
-    # this_output_path = "#{File.dirname(output_path)}/#{File.basename(output_path, File.extname(output_path))}.xml" if report_type == :xml
-
     PWN::Plugins::BurpSuite.generate_scan_report(
       burp_obj: burp_obj,
       target_url: in_scope,
       report_type: report_type,
-      output_path: this_output_path
+      output_dir: output_dir
     )
   end
 

data/bin/pwn_zaproxy_active_rest_api_scan

@@ -0,0 +1,166 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'pwn'
+require 'optparse'
+require 'uri'
+
+opts = {}
+OptionParser.new do |options|
+  options.banner = "USAGE:
+    #{File.basename($PROGRAM_NAME)} [opts]
+  "
+
+  options.on('-aAPIKEY', '--api_key=APIKEY', '<Required - OWASP Zap API Key (Tools>Options>API)>') do |a|
+    opts[:api_key] = a
+  end
+
+  options.on('-tTARGET', '--target_url=TARGET', '<Required - Target URI to Scan>') do |t|
+    opts[:target_url] = t
+  end
+
+  options.on('-oPATH', '--report_output_path=PATH', '<Required - Output Path for Active Scan Issues>') do |o|
+    opts[:output_path] = o
+  end
+
+  options.on('-dSWAGGER', '--swagger_definitions=SWAGGER', '<Required - Comma-delimited list of Swagger JSON/YAML files to import>') do |s|
+    opts[:swagger_definitions] = s
+  end
+
+  options.on('-zZPATH', '--zap_bin_path=ZPATH', '<Optional - Path to zap.sh>') do |z|
+    opts[:zap_bin_path] = z
+  end
+
+  options.on('-h', '--[no-]headless', '<Optional - Run ZAP and Browser Headless>') do |h|
+    opts[:headless] = h
+  end
+
+  options.on('-D', '--[no-]debug', '<Optional - Enable Debug Output and Do Not Delete Temporary OpenAPI Spec>') do |d|
+    opts[:debug] = d
+  end
+
+  options.on('-vVERSION', '--openapi_spec_version=VERSION', '<Optional - OpenAPI/Swagger Specification Version (Defaults to 3.0.3)>') do |o|
+    opts[:openapi_spec_version] = o
+  end
+
+  options.on('-HJSON', '--additional_http_headers=JSON', '<Optional - JSON string of additional HTTP headers to include in requests (e.g. \'{"Header1":"Value1","Header2":"Value2"}\')>') do |h|
+    opts[:additional_http_headers] = h
+  end
+
+  options.on('-eLIST', '--exclude_paths=LIST', '<Optional - Comma-delimited list of paths to exlude from scanning (e.g. "/api/login, /api/logout, /api/etc")>') do |e|
+    opts[:exclude_paths] = e
+  end
+
+  options.on('-iURL', '--in_scope=URL', '<Optional - URL to add include in scope (Defaults to value of --target_url)>') do |s|
+    opts[:in_scope] = s
+  end
+end.parse!
+
+if opts.empty?
+  puts `#{File.basename($PROGRAM_NAME)} --help`
+  exit 1
+end
+
+begin
+  timestamp = Time.now.strftime('%Y-%m-%d_%H-%M-%S%Z')
+  logger = PWN::Plugins::PWNLogger.create
+
+  api_key = opts[:api_key]
+  raise 'ERROR: --api_key is required.' if api_key.nil?
+
+  target_url = opts[:target_url]
+  raise 'ERROR: --target_url is required.' if target_url.nil?
+
+  output_path = opts[:output_path]
+  raise 'ERROR: --report_output_path is required.' if output_path.nil?
+
+  swagger_definitions = opts[:swagger_definitions]
+  raise 'ERROR: --swagger_definitions is required.' if swagger_definitions.nil?
+
+  zap_bin_path = opts[:zap_bin_path]
+  headless = opts[:headless] || false
+  debug = opts[:debug] || false
+
+  swagger_defs_arr = swagger_definitions.split(',').map(&:strip)
+  scheme = URI.parse(target_url).scheme
+  target_host = URI.parse(target_url).host
+  base_url = "#{scheme}://#{target_host}"
+
+  openapi_spec_version = opts[:openapi_spec_version]
+  openapi_spec_root = File.dirname(swagger_defs_arr.first)
+  openapi_spec = "#{openapi_spec_root}/openapi_spec-#{target_host}-#{timestamp}.json"
+
+  PWN::Plugins::OpenAPI.generate_spec(
+    spec_paths: swagger_defs_arr,
+    base_url: base_url,
+    output_json_path: openapi_spec,
+    target_version: openapi_spec_version,
+    debug: debug
+  )
+
+  additional_http_headers = opts[:additional_http_headers]
+  additional_http_headers = JSON.parse(additional_http_headers, symbolize_names: true) if additional_http_headers.is_a?(String)
+
+  exlude_paths = opts[:exclude_paths]
+  exlude_paths = exlude_paths.split(',').map(&:strip) if exlude_paths.is_a?(String)
+
+  in_scope = opts[:in_scope] ||= target_url
+
+  # ------
+  # Open ZAP
+  if headless
+    zap_obj = PWN::Plugins::Zaproxy.start(
+      zap_bin_path: zap_bin_path,
+      headless: headless
+    )
+  else
+    zap_obj = PWN::Plugins::Zaproxy.start(
+      zap_bin_path: zap_bin_path,
+      browser_type: :chrome
+    )
+  end
+
+  logger.info(zap_obj)
+
+  json_sitemap = PWN::Plugins::Zaproxy.import_openapi_to_sitemap(
+    zap_obj: zap_obj,
+    openapi_spec: openapi_spec
+  )
+
+  raise "ERROR: Failed to import OpenAPI/Swagger spec #{openapi_spec} into ZAP's Sitemap." if json_sitemap.nil? || json_sitemap.empty?
+
+  PWN::Plugins::Zaproxy.active_scan(
+    zap_obj: zap_obj,
+    target_url: target_url,
+    exclude_paths: exlude_paths
+  )
+
+  # Dump a list of scan issues from Active Scan result
+  # scan_issues = PWN::Plugins::Zaproxy.get_scan_issues(zap_obj: zap_obj)
+  # puts scan_issues
+
+  # Once DefectDojo begins to support XML report results
+  report_types = %i[html xml]
+  report_types.each do |report_type|
+    this_output_path = "#{output_path}.html"
+    # this_output_path = "#{File.dirname(output_path)}/#{File.basename(output_path, File.extname(output_path))}.html"
+
+    this_output_path = "#{output_path}.xml" if report_type == :xml
+    # this_output_path = "#{File.dirname(output_path)}/#{File.basename(output_path, File.extname(output_path))}.xml" if report_type == :xml
+
+    PWN::Plugins::Zaproxy.generate_scan_report(
+      zap_obj: zap_obj,
+      target_url: in_scope,
+      report_type: report_type,
+      output_path: this_output_path
+    )
+  end
+
+  zap_obj = PWN::Plugins::Zaproxy.stop(zap_obj: zap_obj)
+rescue StandardError => e
+  raise e
+ensure
+  FileUtils.rm_f(openapi_spec) unless debug
+  zap_obj = PWN::Plugins::Zaproxy.stop(zap_obj: zap_obj) unless zap_obj.nil?
+end

data/bin/{pwn_owasp_zap_active_scan → pwn_zaproxy_active_scan}

@@ -22,12 +22,8 @@ OptionParser.new do |options|
     opts[:output_dir] = o
   end
 
-  options.on('-bTYPE', '--browser_type=TYPE', '<Optional - Browser Type <firefox|chrome|headless|rest> (Defaults to chrome)>') do |b|
-    opts[:browser_type] = b
-  end
-
-  options.on('-IINST', '--navigation_instruct=INST', '<Optional - Path to Navigation Instructions (e.g. Auth w/ Target - see /pwn/etc/owasp_zap/navigation.instruct.EXAMPLE)>') do |i|
-    opts[:navigation_instruct] = i
+  options.on('-eLIST', '--exclude_paths=LIST', '<Optional - Comma-delimited list of paths to exlude from scanning (e.g. "/api/login, /api/logout, /api/etc")>') do |e|
+    opts[:exclude_paths] = e
   end
 
   options.on('-zZPATH', '--zap_bin_path=ZPATH', '<Optional - Path to zap.sh>') do |z|
@@ -38,8 +34,20 @@ OptionParser.new do |options|
     opts[:headless] = h
   end
 
-  options.on('-pPROXY', '--proxy=PROXY', '<Optional - Change Local Zap Proxy Listener (Default http://127.0.0.1:<Random 1024-65535>)>') do |p|
-    opts[:proxy] = p
+  options.on('-bTYPE', '--browser_type=TYPE', '<Optional - Browser Type <firefox|chrome|headless|rest> (Defaults to chrome)>') do |b|
+    opts[:browser_type] = b
+  end
+
+  options.on('-s', '--[no-]spider', '<Optional - Crawl / Spider Target Prior to Scanning (Defaults to false)>') do |s|
+    opts[:spider] = s
+  end
+
+  options.on('-IINST', '--navigation_instruct=INST', '<Optional - Path to Navigation Instructions (e.g. Auth w/ Target - see /pwn/etc/owasp_zap/navigation.instruct.EXAMPLE)>') do |i|
+    opts[:navigation_instruct] = i
+  end
+
+  options.on('-iURL', '--in_scope=URL', '<Optional - URL to add include in scope (Defaults to value of --target_url)>') do |s|
+    opts[:in_scope] = s
   end
 end.parse!
 
@@ -59,64 +67,64 @@ begin
     browser_type = opts[:browser_type].to_s.strip.chomp.scrub.to_sym
   end
 
-  target_url = opts[:target_url].to_s.strip.chomp.scrub
-  output_dir = opts[:output_dir].to_s.strip.chomp.scrub
-  navigation_instruct = opts[:navigation_instruct].to_s.strip.chomp.scrub if File.exist?(opts[:navigation_instruct].to_s.strip.chomp.scrub)
+  target_url = opts[:target_url]
+  raise 'ERROR: --target_url is required.' if target_url.nil?
+
+  output_dir = opts[:output_dir]
+  raise 'ERROR: --report_output_dir is required.' if output_dir.nil?
+
+  exlude_paths = opts[:exclude_paths]
+  exlude_paths = exlude_paths.split(',').map(&:strip) if exlude_paths.is_a?(String)
   zap_bin_path = opts[:zap_bin_path].to_s.strip.chomp.scrub if File.exist?(opts[:zap_bin_path].to_s.strip.chomp.scrub)
-  headless = opts[:headless]
-  proxy = opts[:proxy]
+  headless = opts[:headless] || false
+  browser_type = opts[:browser_type] ||= :chrome
+  spider = opts[:spider] || false
+  navigation_instruct = opts[:navigation_instruct]
+  in_scope = opts[:in_scope] ||= target_url
 
   # ------
   # Dynamically build arguments hash based on flags passed and Open Zap
-  start_args = {}
-  start_args[:api_key] = api_key
-  start_args[:zap_bin_path] = zap_bin_path if zap_bin_path != ''
-  start_args[:headless] = true if headless
-  start_args[:proxy] = proxy
-  zap_obj = PWN::Plugins::OwaspZap.start(start_args)
+  if headless
+    zap_obj = PWN::Plugins::Zaproxy.start(
+      zap_bin_path: zap_bin_path,
+      api_key: api_key,
+      headless: headless,
+      browser_type: :headless
+    )
+  else
+    zap_obj = PWN::Plugins::Zaproxy.start(
+      zap_bin_path: zap_bin_path,
+      api_key: api_key,
+      browser_type: browser_type
+    )
+  end
 
   logger.info(zap_obj)
 
-  browser_obj = PWN::Plugins::TransparentBrowser.open(
-    browser_type: browser_type,
-    proxy: proxy
-  )
+  browser_obj = zap_obj[:zap_browser]
   browser = browser_obj[:browser]
-
-  if browser_type == :rest
-    browser.get(target_url)
-  else
-    browser.goto(target_url)
-  end
+  browser.goto(target_url)
 
   if navigation_instruct
     File.read(navigation_instruct).each_line do |instruction|
+      # Look for any set method in this instruction and replace its value w/ asterisks
+      redact_regex = /\.set\(['"]([^'"]*)['"]\)/
+      redacted_instruction = instruction.gsub(redact_regex, ".set('********')")
+      print "\nExecuting Instruction: #{redacted_instruction}"
       browser.instance_eval(instruction.to_s.scrub.strip.chomp)
     end
   end
 
-  PWN::Plugins::OwaspZap.spider(
+  PWN::Plugins::Zaproxy.spider(zap_obj: zap_obj, target_url: target_url) if spider
+  PWN::Plugins::Zaproxy.active_scan(
     zap_obj: zap_obj,
-    target: target_url
-  )
-
-  PWN::Plugins::OwaspZap.active_scan(
-    zap_obj: zap_obj,
-    target: target_url
+    target_url: target_url
   )
 
   # Generate all Report Types
-  (1..3).each do |report_iteration|
-    case report_iteration
-    when 1
-      report_type = 'html'
-    when 2
-      report_type = 'markdown'
-    when 3
-      report_type = 'xml'
-    end
-
-    report_path = PWN::Plugins::OwaspZap.generate_report(
+  report_types = %i[html markdown xml]
+  report_types.each do |report_type|
+    report_path = PWN::Plugins::Zaproxy.generate_scan_report(
       zap_obj: zap_obj,
       output_dir: output_dir,
       report_type: report_type
@@ -125,10 +133,10 @@ begin
     logger.info("Report can be found here: #{report_path}")
   end
 
-  PWN::Plugins::OwaspZap.stop(zap_obj: zap_obj)
+  PWN::Plugins::Zaproxy.stop(zap_obj: zap_obj)
 rescue StandardError => e
   raise e
 ensure
-  PWN::Plugins::OwaspZap.stop(zap_obj: zap_obj) unless zap_obj.nil?
+  PWN::Plugins::Zaproxy.stop(zap_obj: zap_obj) unless zap_obj.nil?
   browser_obj = PWN::Plugins::TransparentBrowser.close(browser_obj: browser_obj) unless browser_obj.nil?
 end

data/lib/pwn/plugins/burp_suite.rb

@@ -879,13 +879,13 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # active_scan_url_arr = PWN::Plugins::BurpSuite.invoke_active_scan(
+      # active_scan_url_arr = PWN::Plugins::BurpSuite.active_scan(
       #   burp_obj: 'required - burp_obj returned by #start method',
       #   target_url: 'required - target url to scan in sitemap (should be loaded & authenticated w/ burp_obj[:burp_browser])',
       #   exclude_paths: 'optional - array of paths to exclude from active scan (default: [])'
       # )
 
-      public_class_method def self.invoke_active_scan(opts = {})
+      public_class_method def self.active_scan(opts = {})
         burp_obj = opts[:burp_obj]
         rest_browser = burp_obj[:rest_browser]
         pwn_burp_api = burp_obj[:pwn_burp_api]
@@ -1016,9 +1016,9 @@ module PWN
       # Supported Method Parameters::
       # PWN::Plugins::BurpSuite.generate_scan_report(
       #   burp_obj: 'required - burp_obj returned by #start method',
-      #   target_url: 'required - target_url passed to #invoke_active_scan method',
-      #   report_type: :html|:xml|:both,
-      #   output_path: 'required - path to save report results'
+      #   target_url: 'required - target_url passed to #active_scan method',
+      #   output_dir: 'required - directory to save the report',
+      #   report_type: required - <:html|:xml>'
       # )
 
       public_class_method def self.generate_scan_report(opts = {})
@@ -1026,16 +1026,20 @@ module PWN
         target_url = opts[:target_url]
         rest_browser = burp_obj[:rest_browser]
         pwn_burp_api = burp_obj[:pwn_burp_api]
+        output_dir = opts[:output_dir]
+        raise "ERROR: #{output_dir} does not exist." unless Dir.exist?(output_dir)
+
         report_type = opts[:report_type]
-        # When pwn_burp begins to support XML report generation
-        valid_report_types_arr = %i[
-          html
-          xml
-        ]
 
-        raise 'INVALID Report Type' unless valid_report_types_arr.include?(report_type)
+        valid_report_types_arr = %i[html xml]
+        raise "ERROR: INVALID Report Type => #{report_type}" unless valid_report_types_arr.include?(report_type)
 
-        output_path = opts[:output_path].to_s.scrub
+        case report_type
+        when :html
+          report_path = "#{output_dir}/burp_active_scan_results.html"
+        when :xml
+          report_path = "#{output_dir}/burp_active_scan_results.xml"
+        end
 
         scheme = URI.parse(target_url).scheme
         host = URI.parse(target_url).host
@@ -1058,7 +1062,7 @@ module PWN
           "http://#{pwn_burp_api}/scanreport/#{report_type.to_s.upcase}/#{report_url}"
         )
 
-        File.open(output_path, 'w') do |f|
+        File.open(report_path, 'w') do |f|
           f.puts(report_resp.body.gsub("\r\n", "\n"))
         end
       rescue RestClient::BadRequest => e
@@ -1198,7 +1202,7 @@ module PWN
             comment: 'optional - comment for the sitemap entry (default: \"\")',
           )
 
-          active_scan_url_arr = #{self}.invoke_active_scan(
+          active_scan_url_arr = #{self}.active_scan(
             burp_obj: 'required - burp_obj returned by #start method',
             target_url: 'required - target url to scan in sitemap (should be loaded & authenticated w/ burp_obj[:burp_browser])',
             exclude_paths: 'optional - array of paths to exclude from active scan (default: [])'
@@ -1210,9 +1214,9 @@ module PWN
 
           #{self}.generate_scan_report(
             burp_obj: 'required - burp_obj returned by #start method',
-            target_url: 'required - target_url passed to #invoke_active_scan method',
-            report_type: :html|:xml,
-            output_path: 'required - path to save report results'
+            target_url: 'required - target_url passed to #active_scan method',
+            output_dir: 'required - directory to save the report',
+            report_type: 'required - <:html|:xml>'
           )
 
           #{self}.stop(

data/lib/pwn/plugins/{owasp_zap.rb → zaproxy.rb}

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'cgi'
 require 'pty'
 require 'securerandom'
 require 'json'
@@ -9,7 +10,7 @@ module PWN
   module Plugins
     # This plugin converts images to readable text
     # TODO: Convert all rest requests to POST instead of GET
-    module OwaspZap
+    module Zaproxy
       @@logger = PWN::Plugins::PWNLogger.create
 
       # Supported Method Parameters::
@@ -30,12 +31,10 @@ module PWN
                       end
         params = opts[:params]
         http_body = opts[:http_body].to_s.scrub
-        host = zap_obj[:host]
-        port = zap_obj[:port]
-        base_zap_api_uri = "http://#{host}:#{port}"
+        zap_rest_api = zap_obj[:zap_rest_api]
+        base_zap_api_uri = "http://#{zap_rest_api}"
 
-        browser_obj = PWN::Plugins::TransparentBrowser.open(browser_type: :rest)
-        rest_client = browser_obj[:browser]::Request
+        rest_client = zap_obj[:rest_browser]::Request
 
         case http_method
         when :get
@@ -72,10 +71,11 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # zap_obj = PWN::Plugins::OwaspZap.start(
+      # zap_obj = PWN::Plugins::Zaproxy.start(
       #   api_key: 'required - api key for API authorization',
       #   zap_bin_path: 'optional - path to zap.sh file'
       #   headless: 'optional - run zap headless if set to true',
+      #   browser_type: 'optional - defaults to :firefox.  See PWN::Plugins::TransparentBrowser.help for a list of types',
       #   proxy: 'optional - change local zap proxy listener (defaults to http://127.0.0.1:<Random 1024-65535>)',
       # )
 
@@ -84,14 +84,9 @@ module PWN
         api_key = opts[:api_key].to_s.scrub.strip.chomp
         zap_obj[:api_key] = api_key
 
-        headless = if opts[:headless]
-                     true
-                   else
-                     false
-                   end
-
         if opts[:zap_bin_path]
-          zap_bin_path = opts[:zap_bin_path].to_s.scrub.strip.chomp if File.exist?(opts[:zap_bin_path].to_s.scrub.strip.chomp)
+          zap_bin_path = opts[:zap_bin_path]
+          raise "ERROR: zap.sh not found at #{zap_bin_path}" unless File.exist?(zap_bin_path)
         else
           underlying_os = PWN::Plugins::DetectOS.type
 
@@ -108,21 +103,36 @@ module PWN
         zap_bin = File.basename(zap_bin_path)
         zap_dir = File.dirname(zap_bin_path)
 
+        headless = opts[:headless] || false
+        browser_type = opts[:browser_type] ||= :firefox
+        zap_ip = opts[:zap_ip] ||= '127.0.0.1'
+        zap_port = opts[:zap_port] ||= PWN::Plugins::Sock.get_random_unused_port
+
+        zap_rest_ip = opts[:pwn_zap_ip] ||= '127.0.0.1'
+        zap_rest_port = opts[:pwn_zap_port] ||= PWN::Plugins::Sock.get_random_unused_port
+
         if headless
-          owasp_zap_cmd = "cd #{zap_dir} && ./#{zap_bin} -daemon"
+          zaproxy_cmd = "cd #{zap_dir} && ./#{zap_bin} -daemon"
         else
-          owasp_zap_cmd = "cd #{zap_dir} && ./#{zap_bin}"
+          zaproxy_cmd = "cd #{zap_dir} && ./#{zap_bin}"
         end
 
-        random_port = PWN::Plugins::Sock.get_random_unused_port
+        browser_obj1 = PWN::Plugins::TransparentBrowser.open(browser_type: :rest)
+        rest_browser = browser_obj1[:browser]
 
-        proxy = "http://127.0.0.1:#{random_port}"
-        proxy = opts[:proxy].to_s.scrub.strip.chomp if opts[:proxy]
+        zap_obj[:mitm_proxy] = "#{zap_ip}:#{zap_port}"
+        zap_obj[:zap_rest_api] = zap_obj[:mitm_proxy]
+        zap_obj[:rest_browser] = rest_browser
 
-        proxy_uri = URI.parse(proxy)
-        owasp_zap_cmd = "#{owasp_zap_cmd} -host #{proxy_uri.host} -port #{proxy_uri.port}"
-        zap_obj[:host] = proxy_uri.host.to_s.scrub
-        zap_obj[:port] = proxy_uri.port.to_i
+        zaproxy_cmd = "#{zaproxy_cmd} -host #{zap_ip} -port #{zap_port}"
+
+        browser_obj2 = PWN::Plugins::TransparentBrowser.open(
+          browser_type: browser_type,
+          proxy: "http://#{zap_obj[:mitm_proxy]}",
+          devtools: true
+        )
+
+        zap_obj[:zap_browser] = browser_obj2
 
         pwn_stdout_log_path = "/tmp/pwn_plugins_owasp-#{SecureRandom.hex}.log"
         pwn_stdout_log = File.new(pwn_stdout_log_path, 'w')
@@ -131,7 +141,7 @@ module PWN
         pwn_stdout_log.fsync
 
         fork_pid = Process.fork do
-          PTY.spawn(owasp_zap_cmd) do |stdout, _stdin, _pid|
+          PTY.spawn(zaproxy_cmd) do |stdout, _stdin, _pid|
             stdout.each do |line|
               puts line
               pwn_stdout_log.puts line
@@ -176,25 +186,57 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.spider(
+      # PWN::Plugins::Zaproxy.import_openapi_to_sitemap(
+      #   zap_obj: 'required - zap_obj returned from #open method',
+      #   openapi_spec: 'required - path to OpenAPI JSON or YAML spec file'
+      # )
+
+      public_class_method def self.import_openapi_to_sitemap(opts = {})
+        zap_obj = opts[:zap_obj]
+        api_key = zap_obj[:api_key].to_s.scrub
+        openapi_spec = opts[:openapi_spec]
+        raise "ERROR: openapi_spec file #{openapi_spec} does not exist" unless File.exist?(openapi_spec)
+
+        openapi_spec_root = File.dirname(openapi_spec)
+        Dir.chdir(openapi_spec_root)
+
+        params = {
+          apikey: api_key,
+          file: openapi_spec
+        }
+
+        response = zap_rest_call(
+          zap_obj: zap_obj,
+          rest_call: 'JSON/openapi/action/importFile/',
+          params: params
+        )
+
+        JSON.parse(response.body, symbolize_names: true)
+      rescue StandardError, SystemExit, Interrupt => e
+        stop(zap_obj) unless zap_obj.nil?
+        raise e
+      end
+
+      # Supported Method Parameters::
+      # PWN::Plugins::Zaproxy.spider(
       #   zap_obj: 'required - zap_obj returned from #open method',
-      #   target: 'required - url to spider'
+      #   target_url: 'required - url to spider'
       # )
 
       public_class_method def self.spider(opts = {})
         zap_obj = opts[:zap_obj]
-        target = opts[:target].to_s.scrub
+        target_url = opts[:target_url].to_s.scrub
         api_key = zap_obj[:api_key].to_s.scrub
 
-        # target_domain_name = URI.parse(target).host
+        # target_domain_name = URI.parse(target_url).host
 
         params = {
           apikey: api_key,
-          url: target,
+          url: target_url,
           maxChildren: 9,
           recurse: 3,
           contextName: '',
-          subtreeOnly: target
+          subtreeOnly: target_url
         }
 
         response = zap_rest_call(
@@ -229,26 +271,26 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.active_scan(
+      # PWN::Plugins::Zaproxy.active_scan(
       #   zap_obj: 'required - zap_obj returned from #open method',
-      #   target:  'required - url to scan',
+      #   target_url:  'required - url to scan',
       #   scan_policy: 'optional - scan policy to use (defaults to Default Policy)'
       # )
 
       public_class_method def self.active_scan(opts = {})
         zap_obj = opts[:zap_obj]
         api_key = zap_obj[:api_key].to_s.scrub
-        target = opts[:target]
+        target_url = opts[:target_url]
         if opts[:scan_policy].nil?
           scan_policy = 'Default Policy'
         else
           scan_policy = opts[:scan_policy].to_s.scrub.strip.chomp
         end
 
-        # TODO: Implement adding target to scope so that inScopeOnly can be changed to true
+        # TODO: Implement adding target_url to scope so that inScopeOnly can be changed to true
         params = {
           apikey: api_key,
-          url: target,
+          url: target_url,
           recurse: true,
           inScopeOnly: true,
           scanPolicyName: scan_policy
@@ -286,19 +328,19 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.alerts(
+      # PWN::Plugins::Zaproxy.alerts(
       #   zap_obj: 'required - zap_obj returned from #open method',
-      #   target: 'required - base url to return alerts'
+      #   target_url: 'required - base url to return alerts'
       # )
 
       public_class_method def self.alerts(opts = {})
         zap_obj = opts[:zap_obj]
         api_key = zap_obj[:api_key].to_s.scrub
-        target = opts[:target]
+        target_url = opts[:target_url]
 
         params = {
           apikey: api_key,
-          url: target
+          url: target_url
         }
 
         response = zap_rest_call(
@@ -314,36 +356,39 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # report_path = PWN::Plugins::OwaspZap.generate_report(
+      # report_path = PWN::Plugins::Zaproxy.generate_scan_report(
       #   zap_obj: 'required - zap_obj returned from #open method',
       #   output_dir: 'required - directory to save report',
-      #   report_type: 'required - <html|markdown|xml>'
+      #   report_type: 'required - <:html|:markdown|:xml>'
       # )
 
-      public_class_method def self.generate_report(opts = {})
+      public_class_method def self.generate_scan_report(opts = {})
         zap_obj = opts[:zap_obj]
         api_key = zap_obj[:api_key].to_s.scrub
-        output_dir = opts[:output_dir] if Dir.exist?(opts[:output_dir])
-        report_type = opts[:report_type].to_s.strip.chomp.scrub.to_sym
+        output_dir = opts[:output_dir]
+        raise "ERROR: output_dir #{output_dir} does not exist." unless Dir.exist?(output_dir)
 
-        params = {
-          apikey: api_key
-        }
+        report_type = opts[:report_type]
+
+        valid_report_types_arr = %i[html markdown xml]
+        raise "ERROR: Invalid report_type => #{report_type}" unless valid_report_types_arr.include?(report_type)
 
         case report_type
         when :html
-          report_path = "#{output_dir}/OWASP_Zap_Results.html"
+          report_path = "#{output_dir}/zaproxy_active_scan_results.html"
           rest_call = 'OTHER/core/other/htmlreport/'
         when :markdown
-          report_path = "#{output_dir}/OWASP_Zap_Results.md"
+          report_path = "#{output_dir}/zaproxy_active_scan_results.md"
           rest_call = 'OTHER/core/other/mdreport/'
         when :xml
-          report_path = "#{output_dir}/OWASP_Zap_Results.xml"
+          report_path = "#{output_dir}/zaproxy_active_scan_results.xml"
           rest_call = 'OTHER/core/other/xmlreport/'
-        else
-          raise @@logger.error("ERROR: Unsupported report type: #{report_type}\nValid report types are <html|markdown|xml>")
         end
 
+        params = {
+          apikey: api_key
+        }
+
         response = zap_rest_call(
           zap_obj: zap_obj,
           rest_call: rest_call,
@@ -361,7 +406,7 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.breakpoint(
+      # PWN::Plugins::Zaproxy.breakpoint(
       #   zap_obj: 'required - zap_obj returned from #open method',
       #   regex_type: 'required - :url, :request_header, :request_body, :response_header or :response_body',
       #   regex_pattern: 'required - regex pattern to search for respective regex_type',
@@ -395,7 +440,7 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.tamper(
+      # PWN::Plugins::Zaproxy.tamper(
       #   zap_obj: 'required - zap_obj returned from #open method',
       #   domain: 'required - FQDN to tamper (e.g. test.domain.local)',
       #   enabled: 'optional - boolean (defaults to true)'
@@ -427,42 +472,7 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.import_openapi_spec_file(
-      #   zap_obj: 'required - zap_obj returned from #open method',
-      #   spec: 'required - path to OpenAPI spec file (e.g. /path/to/openapi.yaml)',
-      #   target: 'required - target URL to ovverride the service URL in the OpenAPI spec (e.g. https://fq.dn)',
-      #   context_id: 'optional - ID of the ZAP context (Defaults to first context, if any)',
-      #   user_id: 'optional - ID of the ZAP user (Defaults to first user, if any)'
-      # )
-
-      public_class_method def self.import_openapi_spec_file(opts = {})
-        zap_obj = opts[:zap_obj]
-        api_key = zap_obj[:api_key].to_s.scrub
-        spec = opts[:spec]
-        target = opts[:target]
-        context_id = opts[:context_id]
-        user_id = opts[:user_id]
-
-        params = {
-          apikey: api_key,
-          file: spec,
-          target: target,
-          contextId: context_id,
-          user_id: user_id
-        }
-
-        zap_rest_call(
-          zap_obj: zap_obj,
-          rest_call: "JSON/break/action/openapi/?zapapiformat=JSON&apikey=#{api_key}",
-          params: params
-        )
-      rescue StandardError, SystemExit, Interrupt => e
-        stop(zap_obj) unless zap_obj.nil?
-        raise e
-      end
-
-      # Supported Method Parameters::
-      # watir_resp = PWN::Plugins::OwaspZap.request(
+      # watir_resp = PWN::Plugins::Zaproxy.request(
       #   zap_obj: 'required - zap_obj returned from #open method',
       #   browser_obj: 'required - browser_obj w/ browser_type: :firefox||:headless returned from #open method',
       #   instruction: 'required - watir instruction to make (e.g. button(text: "Google Search").click)'
@@ -502,14 +512,28 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::OwaspZap.stop(
-      #   :zap_obj => 'required - zap_obj returned from #start method'
+      # PWN::Plugins::Zaproxy.stop(
+      #   zap_obj: 'required - zap_obj returned from #open method'
       # )
 
       public_class_method def self.stop(opts = {})
         zap_obj = opts[:zap_obj]
-        Process.kill('TERM', zap_obj[:pid]) unless zap_obj.nil?
-      rescue StandardError => e
+        api_key = zap_obj[:api_key]
+        browser_obj = zap_obj[:zap_browser]
+        rest_browser = zap_obj[:rest_browser]
+
+        browser_obj = PWN::Plugins::TransparentBrowser.close(browser_obj: browser_obj)
+
+        params = { apikey: api_key }
+        zap_rest_call(
+          zap_obj: zap_obj,
+          rest_call: 'JSON/core/action/shutdown/',
+          params: params
+        )
+
+        zap_obj = nil
+      rescue StandardError, SystemExit, Interrupt => e
+        stop(zap_obj) unless zap_obj.nil?
         raise e
       end
 
@@ -531,28 +555,32 @@ module PWN
             headless: 'optional - run zap headless if set to true',
             proxy: 'optional - change local zap proxy listener (defaults to http://127.0.0.1:<Random 1024-65535>)'
           )
-          puts zap_obj.public_methods
 
           #{self}.spider(
             zap_obj: 'required - zap_obj returned from #open method',
-            target: 'required - url to spider'
+            target_url: 'required - url to spider'
+          )
+
+          #{self}.import_openapi_to_sitemap(
+            zap_obj: 'required - zap_obj returned from #open method',
+            openapi_spec: 'required - path to OpenAPI JSON or YAML spec file'
           )
 
           #{self}.active_scan(
             zap_obj: 'required - zap_obj returned from #open method'
-            target: 'required - url to scan',
+            target_url: 'required - url to scan',
             scan_policy: 'optional - scan policy to use (defaults to Default Policy)'
           )
 
           json_alerts = #{self}.alerts(
             zap_obj: 'required - zap_obj returned from #open method'
-            target: 'required - base url to return alerts'
+            target_url: 'required - base url to return alerts'
           )
 
-          report_path = #{self}.generate_report(
+          report_path = #{self}.generate_scan_report(
             zap_obj: 'required - zap_obj returned from #open method',
             output_dir: 'required - directory to save report',
-            report_type: 'required - <html|markdown|xml>'
+            report_type: 'required - <:html|:markdown|:xml>'
           )
 
           #{self}.breakpoint(

data/lib/pwn/plugins.rb

@@ -51,7 +51,6 @@ module PWN
     autoload :OpenAI, 'pwn/plugins/open_ai'
     autoload :OpenAPI, 'pwn/plugins/open_api'
     autoload :OpenVAS, 'pwn/plugins/openvas'
-    autoload :OwaspZap, 'pwn/plugins/owasp_zap'
     autoload :Packet, 'pwn/plugins/packet'
     autoload :PDFParse, 'pwn/plugins/pdf_parse'
     autoload :Pony, 'pwn/plugins/pony'
@@ -77,6 +76,7 @@ module PWN
     autoload :Voice, 'pwn/plugins/voice'
     autoload :Vsphere, 'pwn/plugins/vsphere'
     autoload :XXD, 'pwn/plugins/xxd'
+    autoload :Zaproxy, 'pwn/plugins/zaproxy'
 
     # Display a List of Every PWN::Plugins Module
 

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.5.398'
+  VERSION = '0.5.399'
 end

data/spec/lib/pwn/plugins/{owasp_zap_spec.rb → zaproxy_spec.rb}

@@ -2,14 +2,14 @@
 
 require 'spec_helper'
 
-describe PWN::Plugins::OwaspZap do
+describe PWN::Plugins::Zaproxy do
   it 'should display information for authors' do
-    authors_response = PWN::Plugins::OwaspZap
+    authors_response = PWN::Plugins::Zaproxy
     expect(authors_response).to respond_to :authors
   end
 
   it 'should display information for existing help method' do
-    help_response = PWN::Plugins::OwaspZap
+    help_response = PWN::Plugins::Zaproxy
     expect(help_response).to respond_to :help
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.5.398
+  version: 0.5.399
 platform: ruby
 authors:
 - 0day Inc.
@@ -1308,7 +1308,6 @@ executables:
 - pwn_nexpose
 - pwn_nmap_discover_tcp_udp
 - pwn_openvas_vulnscan
-- pwn_owasp_zap_active_scan
 - pwn_pastebin_sample_filter
 - pwn_phone
 - pwn_rdoc_to_jsonl
@@ -1324,6 +1323,8 @@ executables:
 - pwn_www_checkip
 - pwn_www_uri_buster
 - pwn_xss_dom_vectors
+- pwn_zaproxy_active_rest_api_scan
+- pwn_zaproxy_active_scan
 extensions: []
 extra_rdoc_files: []
 files:
@@ -1378,7 +1379,6 @@ files:
 - bin/pwn_nexpose
 - bin/pwn_nmap_discover_tcp_udp
 - bin/pwn_openvas_vulnscan
-- bin/pwn_owasp_zap_active_scan
 - bin/pwn_pastebin_sample_filter
 - bin/pwn_phone
 - bin/pwn_rdoc_to_jsonl
@@ -1394,6 +1394,8 @@ files:
 - bin/pwn_www_checkip
 - bin/pwn_www_uri_buster
 - bin/pwn_xss_dom_vectors
+- bin/pwn_zaproxy_active_rest_api_scan
+- bin/pwn_zaproxy_active_scan
 - build_pwn_gem.sh
 - documentation/PWN.png
 - documentation/PWN_Contributors_and_Users.png
@@ -1873,7 +1875,6 @@ files:
 - lib/pwn/plugins/ocr.rb
 - lib/pwn/plugins/open_api.rb
 - lib/pwn/plugins/openvas.rb
-- lib/pwn/plugins/owasp_zap.rb
 - lib/pwn/plugins/packet.rb
 - lib/pwn/plugins/pdf_parse.rb
 - lib/pwn/plugins/pony.rb
@@ -1900,6 +1901,7 @@ files:
 - lib/pwn/plugins/voice.rb
 - lib/pwn/plugins/vsphere.rb
 - lib/pwn/plugins/xxd.rb
+- lib/pwn/plugins/zaproxy.rb
 - lib/pwn/reports.rb
 - lib/pwn/reports/fuzz.rb
 - lib/pwn/reports/html_footer.rb
@@ -2217,7 +2219,6 @@ files:
 - spec/lib/pwn/plugins/ocr_spec.rb
 - spec/lib/pwn/plugins/open_api_spec.rb
 - spec/lib/pwn/plugins/openvas_spec.rb
-- spec/lib/pwn/plugins/owasp_zap_spec.rb
 - spec/lib/pwn/plugins/packet_spec.rb
 - spec/lib/pwn/plugins/pdf_parse_spec.rb
 - spec/lib/pwn/plugins/pony_spec.rb
@@ -2244,6 +2245,7 @@ files:
 - spec/lib/pwn/plugins/voice_spec.rb
 - spec/lib/pwn/plugins/vsphere_spec.rb
 - spec/lib/pwn/plugins/xxd_spec.rb
+- spec/lib/pwn/plugins/zaproxy_spec.rb
 - spec/lib/pwn/plugins_spec.rb
 - spec/lib/pwn/reports/fuzz_spec.rb
 - spec/lib/pwn/reports/html_footer_spec.rb