secfigo/zap-scan.py

## zap-scan.py
#!/usr/bin/env python3
import time

from pprint import pprint
from zapv2 import ZAPv2 as ZAP

from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.firefox.options import Options
from selenium.webdriver.common.proxy import Proxy, ProxyType

#Declarations
browser_proxy = "127.0.0.1"
browser_proxy_port = 8080
#zap_proxy =
target = "http://10.0.1.22:8000"
#apikey = 'changeme'


print("Started ZAP Scan")

#non API
zap = ZAP(proxies={'http': 'http://127.0.0.1:8080', 'https':'https://127.0.0.1:8080'})
#enable whtn APIkey is being used.
#zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8080', 'https':'https://127.0.0.1:8080'})

##Selenium Section Start
#arguments for running firefox headless
options = Options()
options.add_argument("--headless")

#configure firefoxproxy through FirefoxProfile, 1 for manual proxy, to redirect selenium traffic
# through a zap proxy.
profile = webdriver.FirefoxProfile()
profile.set_preference('network.proxy.type', 1)
profile.set_preference('network.proxy.http', browser_proxy)
profile.set_preference('network.proxy.http_port', browser_proxy_port)
profile.update_preferences()

#invoking firefox driver
driver=webdriver.Firefox(firefox_profile=profile, firefox_options=options)

#the following selenium script is specifically written for the djangonv.. Please modify it according to your website

print("Started Djangonv Selenium Script \n")

#signup
driver.get(target + '/taskManager/register/')

#enter the username, password, firstname,lastname etc.
driver.find_element_by_id("id_username").send_keys('user10')
driver.find_element_by_id('id_first_name').send_keys('user')
driver.find_element_by_id('id_last_name').send_keys('user')
driver.find_element_by_id('id_email').send_keys('user@user1.com')
driver.find_element_by_id("id_password").send_keys('user123')
submit=driver.find_element_by_css_selector('.btn.btn-danger').click()

#login
driver.get(target + '/taskManager/login/')
driver.find_element_by_id('username').send_keys('user10')
driver.find_element_by_name('password').send_keys('user123')
submit=driver.find_element_by_xpath("//button[@type='submit']")
submit.click()

#spider the URL's
driver.get(target + "/taskManager/dashboard/")
driver.get(target +"/taskManager/task_list/")
driver.get(target + "/taskManager/project_list/")
driver.get(target + "/taskManager/search/")

#editing some data for better scan results
driver.get(target + "/taskManager/profile/")
driver.find_element_by_name('first_name').send_keys('firstroot')
driver.find_element_by_name('last_name').send_keys('lastroot')
driver.find_element_by_xpath("//button[@type='submit']").click()

time.sleep(2)
driver.close()

print("Djangonv Selenium Spidering End")

## End of Selenium section

print('Accessing the target {}'.format(target))
zap.urlopen(target)
time.sleep(2)

print('Continuing the ZAP Spidering')
scanid = zap.spider.scan(target)
time.sleep(2)
while(int(zap.spider.status(scanid))<100):
	print('Spider progress %: {}'.format(zap.spider.status(scanid)))
	time.sleep(5)

print('Active Scanning started on target {}'.format(target))
scanid = zap.ascan.scan(target)
while(int(zap.ascan.status(scanid))<100):
	print(' Active scan is still %: {}'.format(zap.ascan.status(scanid)))
	time.sleep(10)

print ('Active Scan Completed')

print ('Hosts Scanned: {}'.format(', '.join(zap.core.hosts)))
print ('Writing ZAP Alerts: ')
print (zap.core.alerts())
print("ZAP Scan is successfully done.")
	#!/usr/bin/env python3
	import time

	from pprint import pprint
	from zapv2 import ZAPv2 as ZAP

	from selenium import webdriver
	from selenium.webdriver.common.keys import Keys
	from selenium.webdriver.firefox.options import Options
	from selenium.webdriver.common.proxy import Proxy, ProxyType

	#Declarations
	browser_proxy = "127.0.0.1"
	browser_proxy_port = 8080
	#zap_proxy =
	target = "http://10.0.1.22:8000"
	#apikey = 'changeme'


	print("Started ZAP Scan")

	#non API
	zap = ZAP(proxies={'http': 'http://127.0.0.1:8080', 'https':'https://127.0.0.1:8080'})
	#enable whtn APIkey is being used.
	#zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1:8080', 'https':'https://127.0.0.1:8080'})

	##Selenium Section Start
	#arguments for running firefox headless
	options = Options()
	options.add_argument("--headless")

	#configure firefoxproxy through FirefoxProfile, 1 for manual proxy, to redirect selenium traffic
	# through a zap proxy.
	profile = webdriver.FirefoxProfile()
	profile.set_preference('network.proxy.type', 1)
	profile.set_preference('network.proxy.http', browser_proxy)
	profile.set_preference('network.proxy.http_port', browser_proxy_port)
	profile.update_preferences()

	#invoking firefox driver
	driver=webdriver.Firefox(firefox_profile=profile, firefox_options=options)

	#the following selenium script is specifically written for the djangonv.. Please modify it according to your website

	print("Started Djangonv Selenium Script \n")

	#signup
	driver.get(target + '/taskManager/register/')

	#enter the username, password, firstname,lastname etc.
	driver.find_element_by_id("id_username").send_keys('user10')
	driver.find_element_by_id('id_first_name').send_keys('user')
	driver.find_element_by_id('id_last_name').send_keys('user')
	driver.find_element_by_id('id_email').send_keys('user@user1.com')
	driver.find_element_by_id("id_password").send_keys('user123')
	submit=driver.find_element_by_css_selector('.btn.btn-danger').click()

	#login
	driver.get(target + '/taskManager/login/')
	driver.find_element_by_id('username').send_keys('user10')
	driver.find_element_by_name('password').send_keys('user123')
	submit=driver.find_element_by_xpath("//button[@type='submit']")
	submit.click()

	#spider the URL's
	driver.get(target + "/taskManager/dashboard/")
	driver.get(target +"/taskManager/task_list/")
	driver.get(target + "/taskManager/project_list/")
	driver.get(target + "/taskManager/search/")

	#editing some data for better scan results
	driver.get(target + "/taskManager/profile/")
	driver.find_element_by_name('first_name').send_keys('firstroot')
	driver.find_element_by_name('last_name').send_keys('lastroot')
	driver.find_element_by_xpath("//button[@type='submit']").click()

	time.sleep(2)
	driver.close()

	print("Djangonv Selenium Spidering End")

	## End of Selenium section

	print('Accessing the target {}'.format(target))
	zap.urlopen(target)
	time.sleep(2)

	print('Continuing the ZAP Spidering')
	scanid = zap.spider.scan(target)
	time.sleep(2)
	while(int(zap.spider.status(scanid))<100):
	print('Spider progress %: {}'.format(zap.spider.status(scanid)))
	time.sleep(5)

	print('Active Scanning started on target {}'.format(target))
	scanid = zap.ascan.scan(target)
	while(int(zap.ascan.status(scanid))<100):
	print(' Active scan is still %: {}'.format(zap.ascan.status(scanid)))
	time.sleep(10)

	print ('Active Scan Completed')

	print ('Hosts Scanned: {}'.format(', '.join(zap.core.hosts)))
	print ('Writing ZAP Alerts: ')
	print (zap.core.alerts())
	print("ZAP Scan is successfully done.")