The main goal provided is analyze, responsible for executing a ZAP analysis according to the configuration parameters. However, the plugin also provides other goals for more specific situations. The list of available goals is presented below:

- analyze: performs a complete analysis, running (by default) the Spider before the Active Scan and starting ZAP automatically if necessary (and closing it after the analysis).
- startZap: simply starts ZAP (via local installation or Docker).
- seleniumAnalyze: assumes ZAP is already executing and simply runs the Active Scan, closing ZAP after the analysis. This goal is useful when there are Selenium integration tests that are executed with a proxy to ZAP and the navigation done by the tests should be used instead of the Spider.

The goals that run an analysis save the generated reports at the end of the plugin execution. By default, the reports are saved in the directory target/zap-reports within the project. The parameter reportPath can be used to specify another directory (absolute or relative).

Scan parameters:

- Skip the plugin execution (equivalent CLI property: zap.skip)
- targetUrl: URL of the application that will be scanned
- spiderStartingPoint: starting point URL for the Spider (and AJAX Spider, in case it runs)
- context: the URLs to be set on ZAP's context (absolute or relative)
- Indicates whether ZAP should execute the AJAX Spider after the default Spider (it can improve the scan on applications that rely on AJAX)
- In case it's true, the Active Scan will not be executed
- Indicates whether a new session should be started on ZAP before the analysis
- reportPath: absolute or relative path where the generated reports will be saved

If the options spiderStartingPoint, activeScanStartingPoint and context are all provided, targetUrl will be ignored. These options are useful when you want to spider through the whole application but run the Active Scan for only a portion of it, for instance.

ZAP parameters:

- API key needed to access ZAP's API, in case it's enabled
- zapPath: absolute path where ZAP is installed, used to automatically start ZAP
- shouldRunWithDocker: indicates whether ZAP should be automatically started with Docker
- zapOptions: options that will be used to automatically start ZAP
- ZAP's automatic initialization timeout in milliseconds

These parameters are very sensitive and should be set accordingly.

To automatically start ZAP, it must be installed locally and the option zapPath must be provided. If the installation folder contains more than one Jar, zapPath should point to the core Jar file. To start ZAP with Docker, Docker must be locally installed and the option shouldRunWithDocker must be passed as true. In both cases, by default, ZAP is initialized with the following options:

    -daemon -config api.disablekey=true -config api.incerrordetails=true -config proxy.ip=0.0.0.0 -port $

These options make ZAP start without a GUI, with its API key disabled, able to report error details via the API, and able to be accessed remotely. Besides that, they make sure ZAP will run on the port specified by the port option. These options can be overridden by the zapOptions parameter. Note that a keyless API bound to 0.0.0.0 can be driven by anything able to reach that port, so on a shared build host either restrict network access to it or use zapOptions to bind ZAP to the loopback interface.

Authentication parameters:

- Define the authentication type: 'http', 'form', 'cas' or 'selenium'
- protectedPage: define the URL of a protected page of the application that will be scanned
- Define the URL regexes that will be excluded from the scan
- Regex that identifies a pattern in authenticated responses (needed to allow re-authentication)
- Regex that identifies a pattern in non-authenticated responses (needed to allow re-authentication)
- Used to define any extra parameters that must be passed in the authentication request (e.g.

HTTP authentication parameters:

- The host name of the server where the authentication is done
- The port of the server where the authentication is done

For CAS authentication, the login is done directly at the CAS server. Thus, on the first access to the application there will be a redirect to the server, which ends up redirecting the user back to the protected page, since the user is already authenticated. ZAP doesn't support this circular redirect, and because of that the application needs to be accessed at least once before the scan is started. As it was stated, the option protectedPage should have as its value the URL of a protected page of the application that will be scanned.
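A pom.xml fragment that wires the parameters named on this page together, as an added illustration rather than the project's own documentation: the plugin coordinates, paths, URLs and port are placeholders, and it assumes that zapOptions replaces the default start options wholesale.

```xml
<!-- Added illustration, not the project's README: element names are the parameter
     names given on this page; coordinates, paths, URLs and ports are placeholders. -->
<plugin>
  <groupId>PLUGIN_GROUP_ID_PLACEHOLDER</groupId>
  <artifactId>PLUGIN_ARTIFACT_ID_PLACEHOLDER</artifactId>
  <version>PLUGIN_VERSION_PLACEHOLDER</version>
  <configuration>
    <!-- Start ZAP from a local installation; point at the core Jar when the
         install folder holds several. shouldRunWithDocker is the alternative. -->
    <zapPath>/opt/zaproxy/zap.jar</zapPath>
    <!-- <shouldRunWithDocker>true</shouldRunWithDocker> -->
    <port>8090</port>
    <!-- Overrides the default start options (assumed to replace them entirely):
         same flags, but the keyless API listens on the loopback interface only. -->
    <zapOptions>-daemon -config api.disablekey=true -config api.incerrordetails=true -config proxy.ip=127.0.0.1 -port 8090</zapOptions>

    <!-- Application under test. To spider everything but actively scan only one
         area, set spiderStartingPoint, activeScanStartingPoint and context
         instead; when all three are present targetUrl is ignored. -->
    <targetUrl>http://localhost:8080/myapp</targetUrl>

    <!-- Authenticated scan: a page that only a logged-in user can reach. -->
    <protectedPage>http://localhost:8080/myapp/account</protectedPage>

    <!-- Reports go here instead of the default target/zap-reports. -->
    <reportPath>${project.build.directory}/security/zap-reports</reportPath>
  </configuration>
  <executions>
    <execution>
      <phase>integration-test</phase>
      <goals>
        <goal>analyze</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place, mvn verify runs analyze in the integration-test phase, and passing -Dzap.skip=true on the command line skips the plugin via the zap.skip property the page describes.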