In a penetration test, there are vulnerabilities, exploits and misconfigurations to find, and testing for them takes a lot of time. We can make this easier and more efficient with the help of automation.
There are many ways to automate ZAP, such as using the command line, the APIs or a Docker package. In this article, we will focus on the Automation Framework provided by ZAP, as it is already part of the ZAP application and is also the easiest way to automate ZAP.
How to use the ZAP Automation Framework?
ZAP Automation Framework from the GUI
The Automation Framework should already be part of the ZAP application. However, if this is not the case, you can install it from the ZAP Marketplace.
To use the Automation Framework, you must first make a “plan”.
The automation framework comes with profiles (plan templates) that you can choose from. You can also create your own custom plan.
Each plan consists of multiple jobs such as:
- Ajax Spidering
- Passive Scanning
- Active Scanning
This is an example of the “FULL Scan” profile.
After choosing a plan template, you can still edit the plan to suit your needs.
You can add a job.
Remove a job.
Or prioritize a job by moving it up or down. The jobs execute from the top down, so the jobs at the top are prioritized.
You can also save or load a plan.
Finally, you can run the plan here.
Automation Framework GUI Example
For example, let’s say I want to generate 2 kinds of reports from 1 scan. I can do this by adding another “report” job.
Next, you need to fill in the details of the job. In this example, I can rename the job, rename the report title, specify the file download location, choose the report template and more.
As you can see below, there are now 2 jobs for reporting but with different templates.
After making the plan, you should save it.
The plan is saved as a YAML file. Here is an example of the YAML file created by the automation framework.
You can load the plan again from here.
To set your target, you must add it to the Default Context.
Note that when loading a plan, you may have to edit the Default Context again to change the target. (This can also be done by manually editing the YAML file.)
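A plan of the shape described above, with the target set in the Default Context and two report jobs using different templates. This is an added example, not the file from the original article and not the exact contents of any built-in profile; the target URL, report directory, job names, report file names and titles are placeholders.

```yaml
# Constructed example plan. Values marked "placeholder" are assumptions.
env:
  contexts:
    - name: "Default Context"
      urls:
        - "https://target.example"        # placeholder target; edit here to re-point the plan
      includePaths: []
      excludePaths: []
  parameters:
    failOnError: true                     # exit if a job reports an error
    failOnWarning: false
    progressToStdout: true                # job progress is visible when run with -cmd -autorun
jobs:                                     # executed from the top down
  - type: spider
    parameters:
      context: "Default Context"
  - type: spiderAjax
    parameters:
      context: "Default Context"
  - type: passiveScan-wait                # wait for passive scanning before the active scan
    parameters: {}
  - type: activeScan
    parameters:
      context: "Default Context"
  - type: report                          # first report job
    name: "report-html"                   # placeholder job name
    parameters:
      template: "traditional-html"
      reportDir: "/path/to/reports"       # placeholder directory
      reportFile: "scan-report-html"      # placeholder file name
      reportTitle: "ZAP Scanning Report (HTML)"
  - type: report                          # second report job, same scan, different template
    name: "report-json"
    parameters:
      template: "traditional-json"
      reportDir: "/path/to/reports"
      reportFile: "scan-report-json"
      reportTitle: "ZAP Scanning Report (JSON)"
```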
This is what it looks like when running the scan:
ZAP Automation Framework from the CLI
The automation framework can also be executed from the CLI only.
This is the command format to execute it:
(zap.bat/zap.sh/zaproxy) -cmd -autorun <Automation Plan YAML file>
In the example below, on a Windows machine, the command used is:
zap.bat -cmd -autorun main.yaml
The results produced will be identical to those of the GUI. However, using the GUI is more advantageous because it is easier to read and analyze the vulnerabilities.
Errors you may face when using the CLI
We can run the automation framework from the CLI but the file must be generated from the GUI.
From the CLI, you could generate a plan using one of these commands provided by the ZAP CLI. However, you are then also required to edit the YAML file manually, which is tedious and time-consuming. You may also miss some variables, leading to errors when running the command.
- -autogenmin <file name> (Generate template automation file with the key parameters.)
- -autogenmax <file name> (Generate template automation file with all parameters.)
- -autogenconf <file name> (Generate template automation file using the current configuration.)
Currently, the automation files created from the CLI do not work. It seems that the format of the YAML file created by the CLI is slightly different from the ones generated from the GUI.
Using the plan created by the CLI also does not work on the GUI.
Thus, the automation file created through the CLI does not work, and you will have to use the GUI first to make the automation file. However, you may still want to test it out yourself as the bug may have been fixed by now.
The ZAP Automation Framework is very useful for running the same scanning options multiple times. The CLI lets you automate it further by integrating it into a script. Overall, this will greatly reduce the time spent on scanning for basic vulnerabilities on your target web application.
ZAP Automation Framework Documentation: https://www.zaproxy.org/docs/automate/automation-framework/
ZAP Automation: https://www.zaproxy.org/docs/automate/