Running daily scans manually is a very cumbersome and boring task. So I thought of automating them for ease and fast processing. So Zaproxy is very well known OWASP vulnerability scanner that can be very helpful for webapps pentesting and lot more. So here are few steps to get started with OWASP Zaproxy:
Step1: Download ZAProxy from here
Step2: You can run Zaproxy in GUI mode to get feel and things that are available on this beautiful scanner. But in order to automated I prefer it running in daemon mode. So I use follwoing command:
./zap.sh -daemon -config api.disablekey=true &
So this command will start ZAP in daemon mode with ZAP APIs listening on 8080 by default. Oh I forget to tell you that this scanner comes with REST API which you can access using python, java or ruby also. Everything that you can do from gui is also supported by these APIs.
I generally use python so I installed owasp-zapv2 using pip.
pip install python-owasp-zap-v2.4
If you want to read more about python Zap apis follow this link:
So now ZAP is running in daemon mode with api key disabled . API key is required for secure access to API i.e only client having api key can request ZAP-API. So that means now it is open for all.
Lets fix it with a small startup script. Reason for disabling API-key is every time while writing scripts you have to take care of this api key. I'll recommend to use it :P . So here comes the fix for stupidity:
/usr/share/zaproxy/zap.sh -daemon -config api.disablekey=true &
iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
move this file to /etc/init.d/ and run following commands.
chmod +x name-of-script
update-rc.d mystartup.sh defaults 100