psiinon edited this page May 17, 2016 · 29 revisions

Introduction

Docker image with Owasp Zed Attack Proxy preinstalled.

Details

Install instructions:

docker pull owasp/zap2docker-stable

Or if you want to try the latest weekly release:

docker pull owasp/zap2docker-weekly

Usage instructions:

ZAP headless:

You can start ZAP in headless mode with the following command:

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080

ZAP headless with xvfb:

You can start ZAP in headless mode with xvfb using the following command:

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap-x.sh -daemon -host 0.0.0.0 -port 8080

This first starts xvfb (X virtual frame buffer), which allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment. Firefox is also installed so it can be used with these add-ons.

ZAP Baseline Scan

The ZAP Baseline Scan runs the ZAP spider against the specified target for (by default) 1 minute and then waits for the passive scanning to complete before reporting the results.

To run it with no 'file' params use:

docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com

If you use 'file' params then you need to mount the directory those files are in, or will be generated in, eg

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-baseline.py \
    -t https://www.example.com -g gen.conf -r testreport.html

For more details see the ZAP Baseline Scan page.

ZAP CLI:

ZAP CLI is a ZAP wrapper written in Python. It provides a simple way to do scanning from the command line:

docker run -i owasp/zap2docker-stable zap-cli quick-scan --self-contained \
    --start-options '-config api.disablekey=true' http://target

ZAPR:

Zapr is a Ruby script for ZAP which allows command-line active scanning of the desired target:

docker run -u zap -i owasp/zap2docker-stable zapr --debug --summary http://target

Accessing the API from outside of the Docker container:

Docker appears to assign 'random' IP addresses, so an approach that appears to work is:

Run ZAP as a daemon listening on "0.0.0.0":

docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0

Find out the container id:

docker ps

Find out which address has been assigned to it:

docker inspect <CONTAINER ID> | grep IPAddress

You should then be able to point your browser at the specified host/port and access the ZAP API, eg http://172.17.0.8:8090/

Note that on Macs the IP will be the IP of the Docker VM host. This is accessible with:

docker-machine ip <host>
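The steps above (start the daemon on 0.0.0.0, find the container id, read its IP address, hit the API) can be scripted. The following is an added example and not part of the ZAP wiki or the project's own tooling. It assumes docker and curl are on PATH, and it uses the ZAP config key api.key and the /JSON/core/view/version/ API view, which exist in ZAP but are not shown on this page; the key value is a placeholder. On Macs substitute the output of `docker-machine ip <host>` for the container IP, as noted above.

```shell
#!/bin/sh
# Added example (not from the ZAP wiki page): automate "access the API from
# outside the container". Assumptions: docker + curl installed, the
# owasp/zap2docker-stable image, ZAP's api.key config and the
# /JSON/core/view/version/ view (real ZAP features, not on this page).

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
ZAP_PORT="${ZAP_PORT:-8090}"
# Placeholder key: set a random one (e.g. openssl rand -hex 16) rather than
# disabling the key on a daemon that listens on 0.0.0.0.
ZAP_API_KEY="${ZAP_API_KEY:-change-me-placeholder}"

# Extract the first non-empty IPv4 address from `docker inspect` output on
# stdin. Same idea as the page's grep, but skips the empty "" entries that
# appear for networks the container is not attached to.
ip_from_inspect() {
    grep '"IPAddress"' | grep -o '[0-9][0-9.]*' | head -n 1
}

# Build the API base URL for a host and port.
api_url() {
    printf 'http://%s:%s/' "$1" "$2"
}

# Start ZAP as a daemon listening on 0.0.0.0 inside the container; -d makes
# docker print the container id, which is what we need for inspect.
start_zap() {
    docker run -d -u zap -p "${ZAP_PORT}:${ZAP_PORT}" "$ZAP_IMAGE" \
        zap.sh -daemon -host 0.0.0.0 -port "$ZAP_PORT" \
        -config api.key="$ZAP_API_KEY"
}

# Poll the version view until the API answers (up to ~60 s). The apikey
# query parameter is how ZAP authenticates API requests.
wait_for_api() {
    url="$1"; n=0
    while [ "$n" -lt 30 ]; do
        if curl -fs "${url}JSON/core/view/version/?apikey=${ZAP_API_KEY}" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1)); sleep 2
    done
    return 1
}

main() {
    cid="$(start_zap)"
    ip="$(docker inspect "$cid" | ip_from_inspect)"
    url="$(api_url "$ip" "$ZAP_PORT")"
    echo "ZAP container $cid reachable at $url"
    wait_for_api "$url" || { echo "ZAP API did not come up" >&2; exit 1; }
    curl -s "${url}JSON/core/view/version/?apikey=${ZAP_API_KEY}"; echo
}

# Only touch docker when explicitly asked, so the helper functions can be
# sourced or tested without a Docker daemon present.
case "${1:-}" in
    run) main ;;
    *) echo "usage: $0 run   (starts ZAP in Docker and queries its API)" ;;
esac
```

Run it with `sh zap-api.sh run`. It keeps an API key on the listener instead of passing `-config api.disablekey=true` as the ZAP CLI example above does; that setting is convenient for a throwaway container but leaves the API open to anything that can reach the published port.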