zaproxy / zaproxy

The ZAP core project

Home Page: https://www.zaproxy.org

ZAP - Docker Automation Framework status/progress

Tiaguituh05 opened this issue · comments

Is your feature request related to a problem? Please describe.

I believe it would be beneficial to have a status and progress log or display when running the automation framework using Docker with ZAP headless. When scanning a very large application, the active scan can take several hours, and all we get in the logs is:

Job spider found 753 URLs
Job spider test of type stats passed: At least 100 URLs found [753 >= 100]
Job spider finished, time taken: 00:03:33
Job spiderAjax started
Job spiderAjax found 145 URLs
Job spiderAjax test of type stats passed: At least 100 URLs found [145 >= 100]
Job spiderAjax finished, time taken: 00:14:38
Job passiveScan-wait started
Job passiveScan-wait finished, time taken: 00:00:00
Job activeScan started
Job activeScan set default strength to MEDIUM
Job activeScan set default threshold to MEDIUM

Having something showing a % of the progress, or even an estimated ETA, would be great.

Describe the solution you'd like

Having something showing a % of the progress, or even an estimated ETA, would be great.

Describe alternatives you've considered

N/A

Screenshots

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes

ETAs are notoriously unreliable, so I think the % would be better.
How about something like:

  parameters:
    infoOnProgress: 10

So that would output an info message like:

Job activeScan 10% complete
Job activeScan 20% complete
Job activeScan 30% complete

The value would be the % at which the info messages are shown, so 2 would result in messages like:

Job activeScan 2% complete
Job activeScan 4% complete
Job activeScan 6% complete

That sounds great! Also, another thing came to mind. Maybe also include an INFO log showing which step / which type of attack the activeScan is currently on, for example:

Job activeScan started
Job activeScan set default strength to MEDIUM
Job activeScan set default threshold to MEDIUM
Job activeScan, analyzer started
Job activeScan 0% complete
Job activeScan, analyzer completed
Job activeScan, CRLF Injection started
Job activeScan 10% complete
Job activeScan, CRLF Injection completed
Job activeScan 20% complete
Job activeScan, SQL Injection started
Job activeScan 30% complete
Job activeScan, SQL Injection completed

And so on.
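To make the proposed behaviour concrete, here is an added illustration (not ZAP's own code, and not part of the thread) of the throttled "N% complete" reporting from the maintainer's reply combined with the per-scanner start/completed lines from the follow-up. The job name, the `step` parameter and the sample progress values are constructed for the demo; how ZAP actually samples scan progress is not assumed here.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class ProgressReporter:
    """Throttled progress log for one automation job (illustration only).

    A "<N>% complete" line is emitted each time progress crosses a multiple
    of `step`, exactly once per threshold, even when one sample jumps past
    several thresholds (e.g. 5% -> 35% with step 10 logs 10, 20 and 30).
    """
    job: str
    step: int
    announced: int = 0                        # highest threshold already logged
    lines: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.step <= 100:
            raise ValueError("step must be between 1 and 100 percent")

    def scanner_started(self, name: str) -> None:
        self.lines.append(f"Job {self.job}, {name} started")

    def scanner_completed(self, name: str) -> None:
        self.lines.append(f"Job {self.job}, {name} completed")

    def progress(self, percent: int) -> List[str]:
        """Record one progress sample; return only the lines newly emitted."""
        percent = max(0, min(100, percent))   # tolerate out-of-range samples
        new = []
        threshold = self.announced + self.step
        while threshold <= percent:
            line = f"Job {self.job} {threshold}% complete"
            self.lines.append(line)
            new.append(line)
            self.announced = threshold
            threshold += self.step
        return new


def demo() -> List[str]:
    """Constructed sequence mirroring the thread's example (not real ZAP output)."""
    r = ProgressReporter("activeScan", step=10)
    r.scanner_started("CRLF Injection")
    r.progress(4)             # below the first threshold: nothing logged
    r.progress(17)            # crosses 10%
    r.scanner_completed("CRLF Injection")
    r.scanner_started("SQL Injection")
    r.progress(35)            # jumps past 20% and 30%: each logged once
    r.progress(35)            # repeated sample: no duplicate line
    r.scanner_completed("SQL Injection")
    return r.lines
```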