DAST Automation with BASH

In this blog post we will discuss how to set up OWASP ZAP in headless mode and export the findings to PDF, HTML or DOCX.

I will be using OWASP ZAP for scanning, and a bash script to automate the scan, generate a report with the “export-report” add-on, and convert that report into PDF and DOCX.

Let’s get started:

Pre-requisites:

1) Install OWASP Zap – https://www.zaproxy.org/download/

2) Install wkhtmltopdf – sudo apt update; sudo apt install wkhtmltopdf

3) Install Pandoc – sudo apt install pandoc

I just used wget to download the ZAP installer:

wget https://github.com/zaproxy/zaproxy/releases/download/v2.10.0/ZAP_2_10_0_unix.sh

Now run the installer and accept the terms and conditions.

After installation you can use the “zap.sh” script to execute commands.

For usage options, run:

./zap.sh -h

Now we need to install the export-report add-on from the command line (headless mode):

./zap.sh -cmd -addoninstall exportreport

Now we will create a bash script that scans a web app given just its URL. The script can be found in my GitHub repository: https://github.com/san3ncrypt3d/DAST-Scanner-Automation

git clone https://github.com/san3ncrypt3d/DAST-Scanner-Automation.git
cd DAST-Scanner-Automation/
./scanner.sh {URL}

Once the scanner finishes you will get the report in HTML, PDF and DOCX.
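As an added illustration (not the scanner.sh from the repository above), here is a minimal wrapper of the kind that script could be: it validates the URL argument before it reaches any command, runs ZAP headless against it, and converts the HTML report with wkhtmltopdf and pandoc. It assumes zap.sh is at ./zap.sh (or wherever ZAP_SH points) and uses ZAP's built-in -quickurl/-quickout report rather than the export-report add-on.

```shell
#!/usr/bin/env bash
# Added example wrapper, not the author's scanner.sh: run a ZAP headless quick
# scan against one URL, write the HTML report, then convert it to PDF and DOCX.
# Assumed: zap.sh is at ./zap.sh or ZAP_SH points at it; wkhtmltopdf and pandoc
# are installed. Uses ZAP's built-in -quickurl/-quickout report rather than the
# export-report add-on.
ZAP_SH="${ZAP_SH:-./zap.sh}"
OUT_DIR="${OUT_DIR:-./reports}"

# Accept only http(s) URLs built from a conservative character set, so a target
# argument cannot carry shell metacharacters into the commands below.
validate_url() {
  printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9._~:/?#@+,=%-]+$'
}

# Map a URL to a filesystem-safe report base name (scheme stripped, other
# characters replaced by '_', length capped so the file name stays sane).
report_base() {
  printf '%s' "$1" | sed -E -e 's#^https?://##' -e 's#[^A-Za-z0-9._-]#_#g' | cut -c1-80
}

# Run the scan; target and paths are passed as separate argv words, never
# interpolated into a string that a shell would re-parse.
run_scan() {
  url="$1"
  validate_url "$url" || { echo "refusing to scan '$url': not a plain http(s) URL" >&2; return 2; }
  base="$(report_base "$url")"
  mkdir -p "$OUT_DIR"
  html="$OUT_DIR/$base.html"
  "$ZAP_SH" -cmd -quickurl "$url" -quickprogress -quickout "$html" || return 3
  wkhtmltopdf "$html" "$OUT_DIR/$base.pdf" || return 4
  pandoc "$html" -o "$OUT_DIR/$base.docx" || return 5
  echo "reports written to $OUT_DIR/$base.{html,pdf,docx}"
}

# Only scan when a URL was given, so the file can also be sourced for its
# helper functions.
if [ $# -gt 0 ]; then
  run_scan "$1"
else
  echo "usage: $0 <http(s)://target>" >&2
fi
```

Invoke it as ./dast.sh https://target.example (a constructed name) and the three reports land in ./reports, named after the host and path.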

Written on April 10, 2021