我开始对项目中的api执行自动化测试, 我想运行安全验证,就像使用 owasp zap 扫描仪完成的那样,但沉浸在我的空手道自动化中。也就是说,当使用 owasp api 时会执行自动验证。 你知道这是否可以做到吗? 如果您可以为我提供任何指南,我将非常感激!
public class ActiveScan {
private static final int ZAP_PORT = 8080;
private static final String ZAP_API_KEY = null;
private static final String ZAP_ADDRESS = "localhost";
private static final String TARGET = "https://public-firing-range.appspot.com";
public static void main(String[] args) {
ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
try {
// TODO : explore the app (Spider, etc) before using the Active Scan API, Refer the explore section
System.out.println("Active Scanning target : " + TARGET);
ApiResponse resp = api.ascan.scan(TARGET, "True", "False", null, null, null);
String scanid;
int progress;
// The scan now returns a scan id to support concurrent scanning
scanid = ((ApiResponseElement) resp).getValue();
// Poll the status until it completes
while (true) {
Thread.sleep(5000);
progress =
Integer.parseInt(
((ApiResponseElement) api.ascan.status(scanid)).getValue());
System.out.println("Active Scan progress : " + progress + "%");
if (progress >= 100) {
break;
}
}
System.out.println("Active Scan complete");
// Print vulnerabilities found by the scanning
System.out.println("Alerts:");
System.out.println(new String(api.core.xmlreport(), StandardCharsets.UTF_8));
} catch (Exception e) {
System.out.println("Exception : " + e.getMessage());
e.printStackTrace();
}
}
}
您可以编写一个java实用程序并在功能文件中调用它。上面的代码是进行主动扫描,取自文档。尝试一下吧。文档链接:https://www.zaproxy.org/docs/api/?java#using-active-scan