Grunny/zap-cli

'alert' results are different when run from command line using zap-cli and ZAP UI

Closed this issue · 2 comments

Thanks for sharing wonderful work. It is really easy to use the tool.
Trying to use ZAP-CLI so that I can control the OWASP ZAP tool through the command line and integrate it with a Bamboo pipeline. I can see that the 'alert' results are different when run from the command line using zap-cli and from the ZAP UI.

  1. Run the below command on a Linux system from the command line: zap-cli -p 8080 --zap-path /home/ubuntu/ZAP_2.6.0 quick-scan -s xss,sqli --spider -r http://xxxxx.com
  2. ZAP UI from a Windows machine: when running http://xxxxx.com from Quick Attack I get the below alerts: a. X-Frame-Options header not set, secure flag not set, HttpOnly flag not set, and so on, whereas from zap-cli I get "no issues found".

Also please share more info on the below:
a. What other options can be set as arguments, like -s xss, sqli and all?
b. Can authentication be performed using zap-cli? (Our application has a login screen - OAuth implementation.)

The same has been asked on stackoverflow:
http://stackoverflow.com/questions/43587793/zap-cli-alert-results-are-different-when-run-using-zap-cli-and-zap-ui-zap-ui-g

Great work. Please guide.

Hi @kblakshmi! By default zap-cli will only output "High" alerts that are found (i.e. XSS, CSRF, SQLi, etc.). If you also want to output lower level alerts like the X-Frame-Options header being missing, you can use the --alert-level or -l parameter with the quick-scan command (which can be High, Medium, Low, or Informational).

So, if you want to output all alerts, you could use "Informational" with your command:

zap-cli -p 8080 --zap-path /home/ubuntu/ZAP_2.6.0 quick-scan -l Informational -s xss,sqli --spider -r http://www.example.com

You can also change that to Low or Medium to output fewer alerts by only including those of a higher severity.

For the other questions:

a. What other options can be set as arguments, like -s xss, sqli and all?

The groups you can use are all, sqli, xss_persistent, xss_reflected, and xss, which are just aliases around groups of scan IDs. You can also enable individual scanners by their ID. You can see the list of available scanners and their IDs by running zap-cli scanners list. So, for example, if you wanted to enable all XSS scanners as well as "External Redirect" (20019) and "Buffer Overflow" (30001), you could run:

zap-cli -p 8080 --zap-path /home/ubuntu/ZAP_2.6.0 quick-scan -l Informational -s xss,20019,30001 --spider -r http://www.example.com

b. Can authentication be performed using zap-cli? (Our application has a login screen - OAuth implementation.)

Not right now. This is currently on my todo list to add support for the authentication methods in ZAP and scanning as a user for a given context, so hopefully it will be available soon. Currently in my CI pipeline, as a workaround, I use zap-cli to control scanning as different users by having httpsender scripts that set the appropriate access_token for the user for all the requests to the site, with the access_token being retrieved from the OAuth server in advance of running the scan. Then I use zap-cli scripts to load, enable, and disable the scripts before each scan run. But, I hope to add proper support for the authentication methods in ZAP soon.

I hope that helps!
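As an added illustration of the httpsender workaround described in the reply above (this is example code written for this page, not zap-cli's own code and not the maintainer's script): a ZAP HttpSender script that attaches a pre-fetched OAuth access token to every request ZAP sends to the site under test. `TARGET_HOST`, the `ACCESS_TOKEN` placeholder and the `FakeMessage` stand-in are assumptions of the example; the `sendingRequest`/`responseReceived` entry points and the `getRequestHeader().setHeader(...)` call are ZAP's HttpSender script API. The token is only added for the target host, so the spider following a link to a third-party domain does not leak it.

```javascript
// Example ZAP HttpSender script (not part of zap-cli). Load it with
// `zap-cli scripts load`, enable it, then run the scan; disable it afterwards.

var TARGET_HOST = "www.example.com";               // assumption: host of the app being scanned
var ACCESS_TOKEN = "__ACCESS_TOKEN_PLACEHOLDER__"; // assumption: CI substitutes the real token
                                                   // (fetched from the OAuth server beforehand)

// Builds the Authorization header value; kept separate so it can be tested on its own.
function bearerHeader(token) {
  return "Bearer " + token;
}

// Only requests to the target host get the token, so it is never sent to other hosts
// the spider or scanner happens to reach (e.g. CDNs, analytics, redirect targets).
function shouldAttachToken(host) {
  return host === TARGET_HOST;
}

// ZAP calls this for every request it is about to send (HttpSender script hook).
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  if (shouldAttachToken(header.getHostName())) {
    header.setHeader("Authorization", bearerHeader(ACCESS_TOKEN));
  }
  return msg;
}

// ZAP calls this for every response; nothing to do for this workaround.
function responseReceived(msg, initiator, helper) {
  return msg;
}

// Constructed stand-in for ZAP's HttpMessage so the script logic can be exercised
// outside ZAP (e.g. with node before committing it to the pipeline). Unused inside ZAP.
function FakeMessage(host) {
  var headers = {};
  this.getRequestHeader = function () {
    return {
      getHostName: function () { return host; },
      setHeader: function (name, value) { headers[name] = value; },
      getHeader: function (name) { return headers.hasOwnProperty(name) ? headers[name] : null; }
    };
  };
}
```

To exercise it locally, construct a `FakeMessage` for the target host and one for an unrelated host, run `sendingRequest` on each, and confirm only the first carries an `Authorization` header. In the pipeline, the placeholder is replaced with the real token before `zap-cli scripts load`, and the script is disabled again once the scan for that user has finished.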

afeld commented

See #7 re: authentication.