Owasp Zap Download For Mac




Custom report to display owasp zap historical execution records

Zap 2.6 for Mac can be downloaded from our website for free. This Mac application is the intellectual property of com.xenquinsw. Our antivirus check shows that this Mac download is malware free. The application lies within Games, more precisely Strategy.

I will show you one of the easiest ways to run a web penetration test with the tool OWASP ZAP (Zed Attack Proxy).

What is OWASP ZAP? OWASP (Open Web Application Security Project) is a worldwide non-profit organization focused on improving the security of software. OWASP ZAP (Zed Attack Proxy) is one of the world's most popular security tools.

Free download OWASP ZAP 2.6.0. You can use this comprehensive and effective penetration testing tool to successfully discover the vulnerabilities in your web applications. OWASP ZAP is a powerful tool that lets you test your web applications for vulnerabilities. It includes a large number of components which let you analyze the security risks of vulnerabilities detected in your online application. To test a web application you'll have to enter its URL and press the Attack button.

Project description

OWASP-ZAP-Historic (OZH) is a free, custom html report which provides historical ZAP execution results by storing execution results info in MySQL database and generating html reports from the database using Flask. It borrows heavily from the work done by adiralashiva8 for https://github.com/adiralashiva8/robotframework-historic

MYSQL + Flask + OWASP Zed Attack Proxy

OZH Overview


Features

  • Store ZAP results historically
  • Visualize ZAP results over time, by app version, by environment, etc.
  • Search historical ZAP records by name / environment / scan type / execution id / etc
  • Export results (Excel, CSV, Print, Copy)

Why OZH?

  • It is open source
  • Made by QA

How OZH Works:

  • ZAP job runs in Jenkins and produces report.html artifact and published HTML (stored in MySQL as URL_Link for access between OZH and published ZAP report)
  • Parser stores results for one or more applications in local / remote hosted MySQL database and creates a delta report for Jenkins to email out to recipient list.
  • Generate report tables / reports using Flask

Requirements

  • Python 3.6
  • MySQL DB

Installation

  • Step 1: Download and Install MySQL Server - guide

  • Step 2: Install owasp-zap-historic

    Case 1: Using pip install

    Case 2: Using setup.py (root)

    Case 3: Using git (latest changes)

  • Step 3: Create owaspzaphistoric default user with permissions - guide

  • Step 4: Create TB_PROJECT table

    • CREATE DATABASE owaspzaphistoric /*!40100 DEFAULT CHARACTER SET latin1 */;

    • USE owaspzaphistoric;

    • CREATE TABLE TB_PROJECT (Project_Id int(11) NOT NULL AUTO_INCREMENT,Project_Name text,Project_Desc text,Project_Image text,Environment text,Scan_Type text,Created_Date datetime DEFAULT NULL,Last_Updated datetime DEFAULT NULL,Total_Executions int(11) DEFAULT NULL,Recent_High int(11) DEFAULT NULL,Recent_Medium int(11) DEFAULT NULL,Recent_Low int(11) DEFAULT NULL,Recent_Informational int(11) DEFAULT NULL,Version varchar(50) DEFAULT 'Not Captured',PRIMARY KEY (Project_Id)) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1;

  • Step 5: Create TB_USERS table

    • CREATE DATABASE accounts /*!40100 DEFAULT CHARACTER SET latin1 */;

    • USE accounts;

    • CREATE TABLE TB_USERS (id int(6) unsigned NOT NULL AUTO_INCREMENT,name varchar(255) NOT NULL,email varchar(255) NOT NULL,password varchar(255) NOT NULL,PRIMARY KEY (id)) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1;

  • Step 6: Install robotframework-historic-parser

Note: All actions above are one time activities

Help / Know More

To know more on available commands refer to cmd help

How to use OZH

  • Step 1: Create user in OZH

    You may have to bypass the security the first time you create a user. After that, any user who has been created can create further users.

    • Remove / comment out lines 57 & 97 ({% if session['name'] %} and {% endif %})
    • (from CMD) python setup.py install
    • (from CMD) owaspzaphistoric
    • (localhost:5000/register) enter a valid username and password
    • Lines 57 & 97 can be uncommented / replaced now
  • Step 2: Create project in OZH

    • Login to OZH
    • Click the New Project button
    • Enter a valid name for the project (it must meet MySQL db naming standards)
  • Step 3: Push data to OZH using owasp_zap_historic.py and owasp_zap_historic.bat

    • These were built with processing from Jenkins in mind. At Accruent, the OWASP ZAP job can be run as a standalone job or as a child job. In Jenkins, the parameters that OZH needs are defaulted for the standalone job (environment, version)
    • The parameters that owaspzaphistoricparser expects from the CMD / bat file are:
      • s --> mysql hosted machine ip address (default: localhost)
      • t --> mysql port (default: 3306)
      • u --> mysql user name (default: superuser)
      • p --> mysql password (default: passw0rd)
      • n --> project name in owasp zap historic
      • e --> environment name (default: Not Provided)
      • i --> type of scan (active, passive, etc) (default: Not Provided)
      • l --> URL for published ZAP report (default: Not Provided)
      • v --> version of application tested by ZAP (default: Not Provided)
      • f --> filepath & report.html produced by ZAP
    • In order to not store the production username/password in the repo, localhost entries are referenced in the repo. These can be hidden in the .bat file.
    • Example call from Jenkins:
    • This returns the delta email body back to the email_body variable in Jenkins, which then emails the report to a recipient list.
    • Here is the basic process for owasp_zap_historic.py:
      • The ZAP file is scraped for alerts
      • The data is pushed to the TB_EXECUTION and TB_ALERTS tables in MySQL in the project's db
      • The row for the project in owaspzaphistoric.TB_PROJECT is updated with recent data to display on the landing page
      • It looks for a previous row in TB_EXECUTION to compare results to and produces a delta report
    • More information at owasp-zap-historic-parser
  • Step 4: View results on the OZH app!

    • Click the View button for any project to view its dashboard
    • From here, you can click the Historic tab to view all executions for a project
      • From there, you can dive into individual executions to see the ZAP alerts, or click the link to view the published ZAP report, or even delete executions
    • Clicking the Alerts tab will show you all alerts for the project, which can be sorted or filtered as needed to help you determine how your application is performing over time.
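The store-then-compare process listed under Step 3, as an added example that is not code from owasp-zap-historic. It uses an in-memory SQLite database as a stand-in for MySQL; the column names and the alert rows are assumptions made for this sketch, since the page names the tables but not their layout.

```python
import sqlite3
from collections import Counter

# Hypothetical minimal schema: the page names these tables, not their columns.
SCHEMA = """
CREATE TABLE TB_EXECUTION (Execution_Id INTEGER PRIMARY KEY, Version TEXT);
CREATE TABLE TB_ALERTS (Execution_Id INTEGER, Alert_Name TEXT, Risk TEXT, Url TEXT);
"""

def store_execution(db, version, alerts):
    """Insert one scan and its alerts using bound parameters; return its id."""
    cur = db.execute("INSERT INTO TB_EXECUTION (Version) VALUES (?)", (version,))
    rows = [(cur.lastrowid, *alert) for alert in alerts]
    db.executemany("INSERT INTO TB_ALERTS VALUES (?, ?, ?, ?)", rows)
    return cur.lastrowid

def alerts_for(db, execution_id):
    sql = "SELECT Alert_Name, Risk, Url FROM TB_ALERTS WHERE Execution_Id = ?"
    return set(db.execute(sql, (execution_id,)).fetchall())

def delta_report(db, execution_id):
    """Compare an execution with the one stored immediately before it."""
    sql = "SELECT MAX(Execution_Id) FROM TB_EXECUTION WHERE Execution_Id < ?"
    prev = db.execute(sql, (execution_id,)).fetchone()[0]
    current = alerts_for(db, execution_id)
    previous = alerts_for(db, prev) if prev is not None else set()
    risk_change = Counter(risk for _, risk, _ in current)
    risk_change.subtract(Counter(risk for _, risk, _ in previous))
    return {
        "baseline": prev,  # None on the first run: every alert counts as new
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
        "risk_change": {r: n for r, n in risk_change.items() if n},
    }

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed alerts, not output from a real scan.
    first = store_execution(db, "1.0", [
        ("X-Frame-Options Header Not Set", "Medium", "/login"),
        ("Cookie No HttpOnly Flag", "Low", "/login"),
    ])
    second = store_execution(db, "1.1", [
        ("Cookie No HttpOnly Flag", "Low", "/login"),
        ("SQL Injection", "High", "/search"),
    ])
    return delta_report(db, first), delta_report(db, second)
```

Keying the comparison on name, risk and URL means an alert that moves to a different page shows up as both resolved and new, which is usually what a reviewer of the delta email wants to see.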

Release history

0.1.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for owasp-zap-historic, version 0.1.2
  • owasp_zap_historic-0.1.2-py3-none-any.whl (42.1 kB), file type: Wheel, Python version: py3
  • owasp-zap-historic-0.1.2.tar.gz (16.6 kB), file type: Source, Python version: None

Hashes for owasp_zap_historic-0.1.2-py3-none-any.whl

  • SHA256: a66a6b4a440f601088c0d9288b09e8689d71c1ea082753343d341e451054acd1
  • MD5: 0d3235fd9bd8c92f52547edec99b893b
  • BLAKE2-256: 95f78421c74033b5f4461ab66d10aa3eeb8eef4bc960947558cf43f75cb56942

Hashes for owasp-zap-historic-0.1.2.tar.gz

  • SHA256: c3c7660a98732119e7f9c9244cdb583582ed4d4dccbbc9d1895e4bbf49fe343b
  • MD5: 21d85b0cd66aeeb774fe1e2edeeb4bb0
  • BLAKE2-256: 6d6310dbfb80c88eb39124f811fd7cfeb3f8d199a15d1c9d2f95b8944bb4a99a

Checksums for all of the ZAP downloads are maintained on the 2.9.0 Release Page and in the relevant version files.


As with all software we strongly recommend that ZAP is only installed and used on operating systems and JREs that are fully patched and actively maintained.

ZAP 2.9.0

  • Windows (64) Installer: 94 MB
  • Windows (32) Installer: 94 MB
  • Linux Installer: 94 MB
  • Linux Package: 92 MB
  • MacOS Installer: 125 MB
  • Cross Platform Package: 108 MB
  • Core Cross Platform Package: 35 MB

  • Most of the files contain the default set of functionality, and you can add more functionality at any time via the ZAP Marketplace.
  • The core package contains the minimal set of functionality you need to get you started.
  • The Windows and Linux versions require Java 8 or higher to run.
  • The macOS version includes Java 8 - you can use the Linux or Cross Platform versions if you do not want to download this.
  • The installers are built using a multi-platform installer builder.
  • For more information about this release see the release notes.

Launch the installation wizard by double clicking on the downloaded executable file

Read the License agreement and click 'Accept' to continue the installation

Select 'Standard' or 'Custom' installation

Click 'Finish' to exit set up


Docker

  • Stable (the standard release): docker pull owasp/zap2docker-stable
  • Bare (minimal release, ideal for CI): docker pull owasp/zap2docker-bare
  • Weekly (updated every week): docker pull owasp/zap2docker-weekly
  • Live (the very latest source code): docker pull owasp/zap2docker-live
  • See Docker for more information.

ZAP Weekly

  • Weekly Cross Platform Package: 129 MB
  • We generate weekly releases of ZAP from the develop branch, typically every Monday.
  • These are just intended for people who want to use all of the features we've added since the last ‘full’ release but don't want the hassle of building ZAP from the source code.
  • While we endeavor to ensure that weekly releases are robust, things may be broken or only partially implemented.
  • It is cross platform (Windows, Linux and macOS) but does not include any installers.
  • It requires Java 8 or higher to run.

Snapcraft

  • On Linux systems you can use Snapcraft.
  • To install: snap install zaproxy --classic
  • To run: zaproxy


Homebrew Cask

  • On Mac OS X you can also install ZAP using Homebrew Cask
  • To install: brew cask install owasp-zap

Flathub

  • On Linux systems you can also use Flathub.
  • To install: flatpak install flathub org.zaproxy.ZAP
  • To run: flatpak run org.zaproxy.ZAP

Latest Versions

  • We maintain a page containing XML with links to the latest ZAP release files
  • You can use this to automatically pull down the latest ZAP release for the platform you need.
  • ZAP uses similar URLs when checking for updates.
  • These are version specific and define the add-ons on the ZAP Marketplace for that release stream.
  • The 2.9 release stream uses https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-2.9.xml
  • The development code uses https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions-dev.xml
  • At the moment these files are the same, but it does allow us to maintain different versions of add-ons for different versions of ZAP, if we need to support this in the future.
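When the versions file is used to pull a release automatically, the download should be checked against the checksum published with it before it is installed. The sketch below is an added example, not ZAP project code: the element names (`core`, `linux`, `url`, `hash`), the `ALGO:hex` hash format and the sample XML are assumptions constructed for illustration, so confirm them against the real file.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for a versions file and a release archive. Element
# names and the "ALGO:hex" hash format are assumptions, not the documented schema.
FAKE_PACKAGE = b"constructed bytes standing in for a ZAP release archive"
SAMPLE_XML = f"""<ZAP><core>
  <version>0.0.0-example</version>
  <linux>
    <url>https://downloads.example.invalid/ZAP_example_Linux.tar.gz</url>
    <hash>SHA-256:{hashlib.sha256(FAKE_PACKAGE).hexdigest()}</hash>
  </linux>
</core></ZAP>"""

# Only collision-resistant digests are accepted; MD5 and SHA-1 are rejected.
ALLOWED = {"SHA-256": "sha256", "SHA-512": "sha512"}

def release_entry(xml_text, platform):
    """Return the download URL and expected digest listed for one platform."""
    node = ET.fromstring(xml_text).find(f"./core/{platform}")
    if node is None:
        raise LookupError(f"no release listed for {platform!r}")
    url = node.findtext("url", "").strip()
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    algo, _, digest = node.findtext("hash", "").strip().partition(":")
    if algo not in ALLOWED or not digest:
        raise ValueError(f"unsupported or missing hash: {algo!r}")
    return {"url": url, "algo": ALLOWED[algo], "digest": digest.lower()}

def verify(data, entry):
    """True only if the downloaded bytes match the published digest."""
    actual = hashlib.new(entry["algo"], data).hexdigest()
    return hmac.compare_digest(actual, entry["digest"])
```

A matching digest shows the archive is the one the versions file describes; it does not help if the versions file itself was fetched from a tampered source, so fetch it over HTTPS from the repository named above.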