ZAP provides automated security tests in continuous integration pipelines

Always On

Massive Attack

The functionality of the baseline scripts is highly useful, but for mass deployment across many machines, ZAP offers a clever alternative that lets you aim at multiple targets at once. These ZAP scripts are available in the Community Scripts repository on GitHub [9].

API Options

ZAP stores everything in a database, which doesn't suit automated integrations with a CI pipeline, so you should use the handy -config database.recoverylog=false option, which speeds things up significantly. If you want to update add-ons to make sure that ZAP tests against the very latest attacks, use the -addonupdate option.

Face Your Daemons

The impressive API can be presented to a number of clients for all your scripting needs, including PHP, Python, Java, Node.js, .NET, and Go. You can run the API in a Docker container in -daemon mode and then expose the host port as usual. The API even offers an HTTP interface that you can browse and make basic queries (GET requests) against. The developers called it RESTful-ish at one point. The basic command is along these lines:

$ docker run -p 9090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0

The last line of the container output should be similar to:

73280 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:9090

I had greater success from the command line by using curl on the server itself, as opposed to using a remote web browser, with the following command:

$ docker run -p 9090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config 'api.disablekey=true' -config 'api.addrs.addr.name=.*' -config 'api.addrs.addr.regex=true'

which I found on the ZAP Issues page [10].

If you get "not permitted" messages in your container output, then within the VNC GUI you can try Options | Tools | API options to alter which IP addresses can connect. The preceding example allows all clients to connect, so use it with care. Figure 5 shows curl output connecting on TCP port 8090 and the host's HTML output. The documentation mentions that you probably have the best chance of connecting to the API locally by using the 172 IP address for your container. Use the following command:

$ docker inspect CONTAINER-HASH | grep Address

to see which IP address your container has been assigned by Docker.

Figure 5: Using curl to query the helpful HTTP user interface offered by the API.
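The following CI gate is an added example, not code from the article or from the ZAP project. It assumes the daemon was started as above but with `-config api.key=change-me` in place of `api.disablekey=true`, reaches it on the mapped host port 9090, and uses the standard ZAP JSON endpoints (`spider`, `ascan`, `core/view/alertsSummary`) with the key passed as the `apikey` query parameter; `failing_alerts` is a hypothetical helper and `SAMPLE_SUMMARY` is a constructed response.

```python
"""Drive a ZAP daemon from a CI job and fail the build on risky alerts."""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:9090"   # host side of `docker run -p 9090:8090`
API_KEY = "change-me"           # matches -config api.key=change-me on the daemon

# Constructed sample of what /JSON/core/view/alertsSummary/ returns (not real scan data).
SAMPLE_SUMMARY = {"alertsSummary": {"High": 0, "Medium": 2, "Low": 5, "Informational": 1}}


def api_url(base, component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/core/view/version/?apikey=..."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{base}/JSON/{component}/{kind}/{name}/?{query}"


def call(component, kind, name, **params):
    """Issue one GET request against the daemon and decode its JSON reply."""
    with urllib.request.urlopen(api_url(ZAP, component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def wait_until_done(component, scan_id, poll_seconds=5):
    """Poll a spider or ascan status (a percentage string) until it reaches 100."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def failing_alerts(summary, max_risk="Medium"):
    """Return the non-zero alert counts at or above max_risk from an alertsSummary reply."""
    order = ["Informational", "Low", "Medium", "High"]
    counts = summary["alertsSummary"]
    return {risk: int(counts.get(risk, 0))
            for risk in order[order.index(max_risk):] if int(counts.get(risk, 0)) > 0}


def main(target):
    """Spider, then actively scan the target; exit non-zero if Medium+ alerts exist."""
    wait_until_done("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_until_done("ascan", call("ascan", "action", "scan", url=target)["scan"])
    bad = failing_alerts(call("core", "view", "alertsSummary", baseurl=target))
    print("blocking alerts:", bad or "none")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```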

If you struggle with external browser access to your container because of firewalling and container port exposure, remember that command-line web browsers such as ELinks [11] are available, and although not fully functional, they are still useful in a closed, non-DMZ environment. In Debian derivatives, the command

$ apt install elinks

installs the ELinks browser. Figure 6 shows ELinks' view of the ZAP API user interface.

Figure 6: A terminal-based web browser view of the API for ease of access on the local machine.
