@ritesh
Last active September 9, 2022 14:43
Docker compose for ZAP
target:
  # The target application we want to scan
  image: szsecurity/webgoat
  # The port that the application is available on.
  # If the application runs on a non-standard port,
  # you can map it to 80 for convenience by using
  # ports:
  #   - "80:8080"
  expose:
    - "80"
zaproxy:
  image: owasp/zap2docker-stable
  command: zap.sh -daemon -port 8090 -host 0.0.0.0
  expose:
    # ZAP is running on 8090, we want it to be accessible by our tools
    - "8090"
  links:
    - target
tooling:
  build: tools/.
  # runzap.py contains the commands to run ZAP on the target application
  command: python tools/runzap.py
  links:
    - zaproxy
  # Reports end up here!
  volumes:
    - ./:/code
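The tools/runzap.py script that the tooling service runs is not part of the gist (the author says further down that it is lost). What follows is an added example, not the gist author's script, of what such a script can look like: it drives the ZAP daemon from the tooling container over ZAP's REST API using the python-owasp-zap-v2.4 client, spiders and active-scans the target service, and writes the HTML report to /code (the mounted ./). The service names and port come from the compose file; the report path, the API-key remark and the gate on High-risk alerts are assumptions.

```python
"""Hypothetical runzap.py for the 'tooling' service (added example, not the gist's).
Assumes the python-owasp-zap-v2.4 client (pip install python-owasp-zap-v2.4) and the
compose service names: ZAP daemon at zaproxy:8090, WebGoat at target:80."""
import sys
import time

ZAP_URL = "http://zaproxy:8090"   # reachable through the compose 'links' entry
TARGET = "http://target/"         # the WebGoat container, port 80 exposed
REPORT = "/code/zap-report.html"  # ./ on the host is mounted at /code (assumed name)


def wait_for_scan(status_fn, scan_id, poll=2, sleep=time.sleep):
    """Poll a ZAP status endpoint (returns a percent string) until it reaches 100."""
    while True:
        status = int(status_fn(scan_id))
        if status >= 100:
            return status
        sleep(poll)


def summarize(alerts):
    """Count ZAP alerts by risk level (High / Medium / Low / Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def run_scan(zap, target=TARGET, sleep=time.sleep):
    """Spider the target, then active-scan it; return alert counts by risk."""
    zap.urlopen(target)  # seed the site tree so the spider has a starting point
    wait_for_scan(zap.spider.status, zap.spider.scan(target), sleep=sleep)
    wait_for_scan(zap.ascan.status, zap.ascan.scan(target), sleep=sleep)
    return summarize(zap.core.alerts(baseurl=target))


def main():
    from zapv2 import ZAPv2  # imported here so the helpers stay importable without it
    # Newer ZAP builds require an API key unless started with -config api.disablekey=true;
    # the compose command above configures neither (assumption about the ZAP version).
    zap = ZAPv2(proxies={"http": ZAP_URL, "https": ZAP_URL})
    counts = run_scan(zap)
    with open(REPORT, "w") as fh:
        fh.write(zap.core.htmlreport())
    print("alerts by risk:", counts)
    # Assumed gating policy: fail the pipeline if any High-risk alert was raised.
    sys.exit(1 if counts.get("High", 0) else 0)


if __name__ == "__main__":
    main()
```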
@itsecforu

Hey! What are the default creds for the UI?

@ritesh

ritesh commented May 5, 2020

Not sure what you mean by UI? For WebGoat? See here: https://github.com/OWASP/WebGoat/blob/master/webgoat/doc/attic/readme.txt

@itsecforu

@ritesh Doesn't zap-proxy have a UI? I mean as I start it in Kali Linux, for example.

@ritesh

ritesh commented May 5, 2020

It does have a UI, but we are running it in headless mode. Also, this is really out of date - you want to follow the instructions here to run ZAP via docker: https://www.zaproxy.org/docs/docker/about/

@itsecforu

Do I need to try to run it in headless mode?

@ritesh

ritesh commented May 5, 2020

Yes, you have to. Even without headless mode, ZAP is a proxy and does not need credentials. WebGoat does.

@itsecforu

My docker compose can't start the UI with this command :-(
but the CLI works OK.

@ritesh

ritesh commented May 5, 2020

I think there's a misunderstanding here; the compose script does two things. 1) It quickly sets up a WebGoat container (vulnerable app instance), then 2) it creates a ZAP container and mounts a tools directory from your computer, runs the scan in headless mode using the tools/runzap.py script (not included here, this was created ages ago - I don't have it anymore) and then dumps the report in the tools directory again. There is no UI that shows up; it all runs in a CLI and stops after it is done. You go to the tools directory and your report should be there. As I said, this is really, really old; ZAP has better ways to do this now - follow the instructions on the ZAP website to get the same outcome.

@itsecforu

Good. As I understand it, now I can’t start zap in docker and go to it from the browser while doing this, but only scan it by going into the container

@ritesh

ritesh commented May 5, 2020

That is correct. You might be able to make the port that ZAP listens on (8090) accessible to your browser using ports in docker-compose (this works differently on Windows/Linux/Mac) so that you can reach it from your browser, if that's what you want. See the docker-compose docs on how to do that.

@raianul

raianul commented Sep 9, 2022

Can you please paste the tools/runzap.py?
