DAST Automation with BASH
In this blog we will dicuss how someone can setup ZAP proxy in headless mode and export the finding to pdf/Html/Docx.
I will be using OWASP ZAP for scanning and will use a bash script to automate the process of scanning and generating a report with “export-report” add-on and converting the report into PDF and Docx.
Let’s get started:
Pre-requisites:
1) Install OWASP Zap – https://www.zaproxy.org/download/
2) Install wkhtmltopdf – sudo apt update; sudo apt install wkhtmltopdf
3) Install Pandoc – sudo apt install pandoc
I just used wget to install ZAP:
wget https://github.com/zaproxy/zaproxy/releases/download/v2.10.0/ZAP_2_10_0_unix.sh
Now run the file, and accept the terms and conditions:
After installation you can use the “zap.sh” file to execute commands.
For usage options, run:
./zap.sh -h
Now we need to install addon in headless mode:
./zap.sh -cmd -addoninstall exportreport
Now we will create a bash script to scan a webapp with just URL, the bash script can be found in my GitHub: https://github.com/san3ncrypt3d/DAST-Scanner-Automation
Git clone https://github.com/san3ncrypt3d/DAST-Scanner-Automation.git
cd DAST-Scanner-Automation/
./scanner.sh {URL}
Once the scanner finishes you will get a report in html, pdf and docx.