OWASP ZAP module
OWASP ZAP has an API that we can use. Additionally, there is a Python module for consuming the API. We will use it to learn how to write our own Ansible modules.
Create ZAP using Docker
For our development, let's use a Docker container to get ZAP going. Since we plan to use the API, we will run the container in headless mode:
$ docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
Explanation of the command
- While we are doing dev, we can disable the API key:
-config api.disablekey=true
- Allow access to the API from any IP:
-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
- Listen on port 8080
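The following Python check is an added example, not code from the original page or the ZAP project. It parses a ZAP daemon command line and reports the settings explained above that leave the API open to any client. `LOCKED_CMD`, its `api.key` value and its client address are constructed placeholders, and `parse` and `audit` are hypothetical helper names.

```python
import shlex

# Development command from this page, used as sample input.
DEV_CMD = (
    "docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon "
    "-host 0.0.0.0 -port 8080 -config api.disablekey=true "
    "-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"
)
# Constructed variant (assumption): key left enabled, one allowed client,
# port published on loopback only. Key and address are placeholders.
LOCKED_CMD = (
    "docker run -u zap -p 127.0.0.1:8080:8080 -i owasp/zap2docker-stable zap.sh "
    "-daemon -host 0.0.0.0 -port 8080 -config api.key=CHANGE_ME "
    "-config api.addrs.addr.name=172.17.0.1"
)


def parse(cmd):
    """Return (ZAP -config options as a dict, docker -p publish specs)."""
    tokens = shlex.split(cmd)
    config, publishes = {}, []
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-config" and "=" in value:
            key, _, val = value.partition("=")
            config[key] = val
        elif flag in ("-p", "--publish"):
            publishes.append(value)
    return config, publishes


def audit(cmd):
    """List the settings that expose the ZAP API to any client."""
    config, publishes = parse(cmd)
    findings = []
    if config.get("api.disablekey", "false").lower() == "true":
        findings.append("API key disabled")
    name = config.get("api.addrs.addr.name", "")
    is_regex = config.get("api.addrs.addr.regex", "false").lower() == "true"
    if is_regex and name in (".*", ".+"):
        findings.append("API allowed from any address")
    for spec in publishes:
        # Only host_ip:host_port:container_port pins the host interface.
        if spec.count(":") < 2 or spec.startswith("0.0.0.0:"):
            findings.append("port published on all interfaces: " + spec)
    return findings


if __name__ == "__main__":
    for label, cmd in (("dev", DEV_CMD), ("locked", LOCKED_CMD)):
        print(label, audit(cmd) or "no findings")
```
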
If everything worked fine, you will see the following output:
Creating a vulnerable application
For a vulnerable application, we can host one of our own but let's use the same online vulnerable application we used for the OWASP ZAP + Jenkins...