Last active
November 4, 2016 22:20
-
-
Save garethr/7288597 to your computer and use it in GitHub Desktop.
Example of using OWASP ZAP Python API to produce an ascii table of potential security alerts, sample output is part of a longer set from the wackopicko vulnerable web app
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://victim/pictures/search.php?query=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E | |
| +------+----------------------------------+ | |
| | Risk | Description | | |
| +------+----------------------------------+ | |
| | High | Cross Site Scripting (Reflected) | | |
| +------+----------------------------------+ | |
| http://victim/css/ | |
| +--------+--------------------+ | |
| | Risk | Description | | |
| +--------+--------------------+ | |
| | Medium | Directory browsing | | |
| +--------+--------------------+ | |
| http://victim/users/login.php | |
| +---------------+---------------------------------------+ | |
| | Risk | Description | | |
| +---------------+---------------------------------------+ | |
| | Informational | X-Frame-Options header not set | | |
| | Low | Cookie set without HttpOnly flag | | |
| | Low | Password Autocomplete in browser | | |
| | Low | X-Content-Type-Options header missing | | |
| | Medium | Application Error disclosure | | |
| +---------------+---------------------------------------+ | |
| http://victim/tos.php | |
| +---------------+---------------------------------------+ | |
| | Risk | Description | | |
| +---------------+---------------------------------------+ | |
| | Informational | X-Frame-Options header not set | | |
| | Low | Cookie set without HttpOnly flag | | |
| | Low | X-Content-Type-Options header missing | | |
| +---------------+---------------------------------------+ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Start ZAP in daemon mode with ./zap.sh -daemon | |
| import time | |
| from collections import defaultdict | |
| from random import randrange | |
| from zap import ZAP, ZapError | |
| from prettytable import PrettyTable | |
| # Specify the URL to start the attack | |
| TARGET = "http://victim" | |
| print "Attacking %s with ZAP" % TARGET | |
| zap = ZAP() | |
| zap.urlopen(TARGET) | |
| # Start spidering the site from the specified URL | |
| # Note that the exception here isn't an error, I think | |
| # it's a bug in the client as the content of the error | |
| # says OK | |
| try: | |
| zap.start_spider(TARGET) | |
| except ZapError, e: | |
| pass | |
| print "Spidering" | |
| # Wait for the spider to finish | |
| while (int(zap.spider_status['status']) < 100): | |
| time.sleep(1) | |
| # Start scanning the collected URLs for vulnerabilities | |
| try: | |
| zap.start_scan(TARGET) | |
| except ZapError, e: | |
| pass | |
| print "Scanning" | |
| # wait for the scanning to finish | |
| while (int(zap.scan_status['status']) < 100): | |
| time.sleep(1) | |
| # create a data structure to match our output | |
| sort_by_url = defaultdict(list) | |
| for alert in zap.alerts['alerts']: | |
| sort_by_url[alert['url']].append({ | |
| 'risk': alert['risk'], | |
| 'alert': alert['alert'] | |
| }) | |
| # print a useful set of tables of the alerts | |
| for url in sort_by_url: | |
| print url | |
| results = PrettyTable(["Risk", "Description"]) | |
| results.padding_width = 1 | |
| results.align = "l" | |
| results.sortby = "Risk" | |
| for details in sort_by_url[url]: | |
| results.add_row([details['risk'], details['alert']]) | |
| print results |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi ,
Can zap.urlopen(taget) be used to make rest calls with JSON payload