Automation Framework on ZAP

Automation Framework - GUI

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - GUI

The Automation Framework has a GUI that is in the process of being developed.

Automation Tab

This tab allows you to create, load, edit and run automation jobs.

Automation Framework - Options

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Options

The following options are available:

Open Last Plan on Start

If selected then the Automation tab will automatically load the last plan opened when the GUI starts. This can be useful if you need to regularly use the same plan.

Automation Framework - Environment

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Environment

This section of the YAML configuration file defines the applications which the rest of the jobs can act on.

The environment is covered in the video: ZAP Chat 08 Automation Framework Part 2 - Environment.

The Automation Framework supports all of the authentication mechanisms supported by ZAP.

Automation Framework - authentication

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - authentication

The Automation Framework supports all of the authentication mechanisms supported by ZAP.

Environmental Variables

ZAP supports a set of Authentication Header Environmental Variables - these will be applied by ZAP if they are defined however ZAP is run, including via the Automation Framework.

Automation Framework - addOns Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - addOns Job

This job has been depreciated, no longer does anything, and should no longer be used.

Previously it allowed you to manage the ZAP add-ons. However it turns out that adding and updating add-ons when running a plan is a bad idea and does not work well.

Automation Framework - activeScan-config Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - activeScan-config Job

This job configures the active scanner, for custom active scans (e.g. Sequence).

YAML

  - type: activeScan-config                # Configures the settings of the active scanner.
    parameters:
      maxRuleDurationInMins:               # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins:               # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      maxAlertsPerRule:                    # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
      defaultPolicy:                       # String: The name of the default scan policy to use, default: Default Policy
      handleAntiCSRFTokens:                # Bool: If set then automatically handle anti CSRF tokens, default: true
      injectPluginIdInHeader:              # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
      threadPerHost:                       # Int: The max number of threads per host, default: 2 * Number of available processor cores
    inputVectors:                          # The input vectors used during the active scan.
      urlQueryStringAndDataDrivenNodes:    # Configures the scanning of query parameters and DDNs.
         enabled:                          # Bool: If query parameters and DDNs scanning should be enabled. Default: true
         addParam:                         # Bool: If a query parameter should be added if none present. Default: false
         odata:                            # Bool: If OData query filters should be scanned. Default: true
      postData:                            # Configures the scanning of request bodies.
        enabled:                           # Bool: If enabled. Default: true
        multiPartFormData:                 # Bool: If multipart form data bodies should be scanned. Default: true
        xml:                               # Bool: If XML bodies should be scanned. Default: true
        json:                              # Configures the scanning of JSON bodies.
          enabled:                         # Bool: If JSON scanning should be enabled. Default: true
          scanNullValues:                  # Bool: If null values should be scanned. Default: false
        googleWebToolkit:                  # Bool: If GWT scanning should be enabled. Default: false
        directWebRemoting:                 # Bool: If DWR scanning should be enabled. Default: false
      urlPath:                             # Bool: If URL path segments should be scanned. Default: false
      httpHeaders:                         # Configures the scanning of HTTP headers.
        enabled:                           # Bool: If HTTP header scanning should be enabled. Default: false
        allRequests:                       # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
      cookieData:                          # Configures the scanning of cookies.
        enabled:                           # Bool: If enabled. Default: false
        encodeCookieValues:                # Bool: If cookie values should be encoded. Default: false
      scripts:                             # Bool: If Input Vector scripts should be used. Default: true
    excludePaths:                          # An optional list of regexes to exclude
    enabled:                           # Bool: If set to false the job will not be run, default: true
    alwaysRun:                         # Bool: If set and the job is enabled then it will run even if the plan exits early, default: false

Note that the ’excludePaths’ will overwrite any existing session “Exclude from Scanner” paths.

Automation Framework - activeScan-policy Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - activeScan-policy Job

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs, like activeScan job.

YAML

  - type: activeScan-policy            # Defines a new active scan policy which can be used by later activeScan related jobs
    parameters:
      name:                            # String: Name of the policy, mandatory
    policyDefinition:                  # The policy definition
      defaultStrength:                 # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold:                # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      alertTags:                       # Add rules based on alert tags; does not override or remove rules listed explicitly under "rules"
        include: []                    # List of alert tags to include, regex supported
        exclude: []                    # List of alert tags to exclude from this include list, regex supported
        strength:                      # String: The Attack Strength for this set of rules, one of Low, Medium, High, Insane, default: Medium
        threshold:                     # String: The Alert Threshold for this set of rules, one of Off, Low, Medium, High, default: Medium
      rules:                           # A list of one or more active scan rules and associated settings which override the defaults
      - id:                            # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
        name:                          # Comment: The name of the rule for documentation purposes - this is not required or actually used
        strength:                      # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
        threshold:                     # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
    enabled:                           # Bool: If set to false the job will not be run, default: true
    alwaysRun:                         # Bool: If set and the job is enabled then it will run even if the plan exits early, default: false

Policy Definition Hierarchy

ZAP processes the policy definition in the following order:

Automation Framework - activeScan Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - activeScan Job

This job runs the active scanner. This actively attacks your applications and should therefore only be used against applications that you have permission to test.

It is covered in the video: ZAP Chat 12 Automation Framework Part 6 - Delays and Active Scan.

By default this job will actively scan the first context defined in the environment and so none of the parameters are mandatory.

Automation Framework - delay Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - delay Job

This job waits for a specified time unless one of a specific set of conditions are met.
It can be used to wait for regression tests being proxied through ZAP in order to explore your application more thoroughly.

It is covered in the video: ZAP Chat 12 Automation Framework Part 6 - Delays and Active Scan.

Automation Framework - exitStatus Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - exitStatus Job

This job sets ZAP’s exit code based on scan results. It also allows you to choose which exit values are used. It should typically be the last job in a plan.

If warnLevel or errorLevel are set then the job will report a warning or error if any alerts are raised which have the same risk level or greater.

Automation Framework - requestor Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - requestor Job

This job sends specifically crafted requests to a target url, with a custom request method and body. The user can also specify an expected response code, against which the actual response is compared, and the user is warned in case it does not match. The user can add additional headers to the request e.g. Authorization Tokens, etc.

Automation Framework - Job Tests

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Job Outcome Tests

The automation framework supports testing the job outcomes based on conditions that you can set in the YAML file.

The currently supported tests are:

alert - Alert tests - validate the presence or absence of specified alerts
monitor - Monitor tests - allow you to stop long running jobs based on statistic thresholds
stats - Statistics tests - test any of the statistics maintained by ZAP
url - URL tests - validate the presence/absence of a URL and it’s specific expressions in the HTTP response/request

Automation Framework - Alert Job Test

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Alert Job Test

Alert tests are supported by the activeScan and passiveScan-wait jobs. These tests can be used to validate the presence/absence of specific alerts in the active/passive scan. It is mandatory for the alerts specified in the plan to have a scanRuleId, against which the generated alerts will always be matched. All other fields describing an alert are optional regexes, and will be matched against only if they are specified.

Automation Framework - Monitor Job Test

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Monitor Job Test

Monitor tests are supported by long running jobs, such as activeScan and spider.

Unlike the other Job Tests, monitor tests run while a job is running. They work in a similar way to statistic tests in that they check a specified statistic, but there is no ‘operator’ - instead the test will fail if the value of the statistic exceeds the given threshold.

Automation Framework - Statistics Job Test

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Statistics Job Test

Statistics-based tests are supported by all add-ons that have an automation job. If there is a relevant statistic used by an add-on, a test can be created for it.
An up to date list of the statistics ZAP maintains can be found at https://www.zaproxy.org/docs/internal-statistics/.

Automation Framework - URL Presence Job Tests

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - URL Presence Job Test

URL Presence tests are supported by all the jobs. These tests can be used to validate the presence/absence of a URL and it’s specific expressions in the HTTP response/request. The expressions are specified in the YAML file as regular expressions. The test will pass if the URL or the specified expression is found in the response/request depending upon the operator selection.

Automation Framework - About

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/automation

Authors

ZAP Dev Team

Automation Framework - passiveScan-config Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - passiveScan-wait Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - spider Job

Mon, 01 Jan 0001 00:00:00 +0000