OWASP ZAP : Workaround – Html Report from APIs daemon mode

Ok, maybe the title is a bit misleading. This post shows a few workarounds you can use to generate (or mimic) the html report when OWASP ZAP is run automated, in headless (daemon) mode.

Zed Attack Proxy (ZAP), as of the 2.3.1 stable release, can generate an Xml report and an html report of the alerts found. Both are available from the UI via the Report menu.

Use case:

One of the unique features of ZAP is its REST API, which helps automate scans. When running ZAP in daemon mode and driving it through the REST API, there are a number of ways to harvest the alerts ZAP has identified.

Here’s a couple of them:

  1. a single alert by its id (http://localhost:7070/UI/core/view/alert/)
  2. all alerts for a base url (http://localhost:7070/UI/core/view/alerts/)
  3. the xml report (http://localhost:7070/UI/core/other/xmlreport/) [Same as clicking Report –> Generate Xml Report…]

The /UI/ paths above are the interactive forms ZAP serves for each API call; swapping UI for JSON or XML (for the views) or OTHER (for the xmlreport) in the path returns the same data in a machine-readable form. So, using the API and your favorite programming language, you can gather the alerts and decide what you want to do with them.

Problem:

One convenience would be to pull an html report straight out of the scan and mail it to the application owners (or ourselves) so the findings get fixed. There is an enhancement request open on the project's issue tracker – https://code.google.com/p/zaproxy/issues/detail?id=1355

Until the feature lands in the next stable release, I decided to live with a couple of workarounds: one in python, and one as an exe (written in C#). They are not perfect in terms of formatting, but they are close enough to the original html report generated through the ZAP UI.

Workarounds:

Download from here – https://github.com/gmaran23/HtmlReportThroughZapAPIs

Workaround #1:

A python script that injects an xslt stylesheet reference into the xml report file generated through the API. Use the sample function to insert the sample stylesheet (ZapReport.xslt) into the generated xml file. Needless to say, ZapReport.xslt and the xml report file must be in the same location, since the href in the stylesheet instruction is resolved relative to the xml file.

If the xml report needs to be emailed, zip it together with the xslt file, so that when unzipped the xslt file sits next to the xml file.

Open the xml file in Firefox or IE to see the formatting in action. (It does not work in Chrome, which will not load the stylesheet for a file opened from disk.)

import io


def InsertXSLTSheetIntoXmlReport(xmlreportfile, xsltfile, xmlreportfileout):
    # Adds <?xml-stylesheet ...?> right after the XML declaration so that a
    # browser opening the file renders it through the XSLT (which must sit
    # next to the xml file, because href is resolved relative to it).
    # io.open keeps this working unchanged on Python 2 and 3.
    stylesheetpi = '<?xml-stylesheet type="text/xsl" href="{0}" ?>'.format(xsltfile)
    # utf-8-sig drops a byte-order mark if the report carries one; a BOM in
    # front of the declaration would otherwise make the check below fail.
    with io.open(xmlreportfile, 'r', encoding="utf-8-sig") as f:
        xmlreport = f.read()
    if xmlreport.startswith('<?xml'):
        # The processing instruction has to follow the declaration, never precede it.
        declend = xmlreport.index('?>') + 2
        xmlreportstyleinserted = xmlreport[:declend] + stylesheetpi + xmlreport[declend:]
    else:
        # No declaration at all: the stylesheet instruction may open the file.
        xmlreportstyleinserted = stylesheetpi + xmlreport
    with io.open(xmlreportfileout, 'w', encoding="utf8") as f:
        f.write(xmlreportstyleinserted)


InsertXSLTSheetIntoXmlReport('SampleOWASPZAPReport.xml', 'ZapReport.xslt', 'SampleOWASPZAPReport-Mod.xml')

There is also another xslt template available in ZAP's own source tree – https://code.google.com/p/zaproxy/source/browse/trunk/src/xml/report.html.xsl
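
As an added example that is not part of the original post (and not code from the ZAP project), here is the same pipeline done end to end from a script, covering both the API harvesting described earlier and the xml-to-html conversion of the workarounds: it pulls the XML report from a daemon-mode ZAP through the OTHER variant of the xmlreport call, flattens the alertitem elements and writes an html report directly, with no XSLT and no browser involved. The daemon address, the apikey query parameter and the element names the parser reads (site, alertitem, alert, riskcode, riskdesc, uri, param, evidence, solution) are taken from the ZAP XML report format as I know it; the embedded sample report is constructed, not output from a real scan, and is what the script falls back to when no daemon is reachable.

```python
# Added example (not from the original post or the ZAP project): pull the ZAP XML
# report over the REST API in daemon mode and write an HTML report from it directly.
import html
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: ZAP was started as a daemon on this port (e.g. zap.sh -daemon -port 7070).
ZAP_BASE = "http://localhost:7070"
RISK_LABELS = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}


def fetch_xml_report(zap_base=ZAP_BASE, apikey=None):
    """GET the raw report body from the OTHER variant of core/other/xmlreport.
    'apikey' is the query parameter ZAP checks when an API key is configured."""
    url = zap_base + "/OTHER/core/other/xmlreport/"
    if apikey:
        url += "?" + urllib.parse.urlencode({"apikey": apikey})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def _text(elem, tag):
    return (elem.findtext(tag) or "").strip()


def parse_alerts(xml_bytes):
    """Flatten every <alertitem> into a dict (missing elements become ''),
    sorted highest risk first. Element names are those of the ZAP XML report."""
    root = ET.fromstring(xml_bytes)
    alerts = []
    for site in root.iter("site"):
        for item in site.iter("alertitem"):
            alerts.append({
                "site": site.get("name", ""),
                "name": _text(item, "alert"),
                "risk": int(_text(item, "riskcode") or 0),
                "riskdesc": _text(item, "riskdesc"),
                "uri": _text(item, "uri"),
                "param": _text(item, "param"),
                "evidence": _text(item, "evidence"),
                "solution": _text(item, "solution"),
            })
    alerts.sort(key=lambda a: (-a["risk"], a["name"]))
    return alerts


def render_html(alerts, title="OWASP ZAP Scan Report"):
    """Build the report page. Every value came from the scanned application
    (URLs, parameter names, reflected evidence), so all of it is HTML-escaped;
    unescaped evidence would let the target plant script in the report itself."""
    esc = html.escape
    counts = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    parts = ['<!DOCTYPE html><html><head><meta charset="utf-8">',
             "<title>%s</title></head><body><h1>%s</h1>" % (esc(title), esc(title)),
             '<h2>Summary</h2><table border="1">']
    for level in sorted(RISK_LABELS, reverse=True):
        parts.append("<tr><td>%s</td><td>%d</td></tr>" % (RISK_LABELS[level], counts.get(level, 0)))
    parts.append("</table><h2>Alerts</h2>")
    for a in alerts:
        parts.append('<h3>%s [%s]</h3><table border="1">' % (esc(a["name"]), esc(a["riskdesc"])))
        for key in ("site", "uri", "param", "evidence", "solution"):
            if a[key]:
                parts.append("<tr><th>%s</th><td>%s</td></tr>" % (key, esc(a[key])))
        parts.append("</table>")
    parts.append("</body></html>")
    return "\n".join(parts)


# Constructed sample in the ZAP report layout (not real scan output); the
# evidence of the first alert carries a script tag on purpose.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport version="2.3.1" generated="Tue, 13 Jan 2015 21:52:00">
<site name="http://testsite.example" host="testsite.example" port="80" ssl="false"><alerts>
<alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
<riskcode>3</riskcode><riskdesc>High (Medium)</riskdesc>
<uri>http://testsite.example/search?q=x</uri><param>q</param>
<evidence>&lt;script&gt;alert(1)&lt;/script&gt;</evidence>
<solution>Validate input and encode output.</solution></alertitem>
<alertitem><pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert>
<riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc>
<uri>http://testsite.example/</uri><param></param>
<solution>Set X-Content-Type-Options: nosniff.</solution></alertitem>
</alerts></site></OWASPZAPReport>
"""

if __name__ == "__main__":
    # Usage: python zap_html_report.py [output.html] [apikey]
    out = sys.argv[1] if len(sys.argv) > 1 else "zap-report.html"
    try:
        data = fetch_xml_report(apikey=sys.argv[2] if len(sys.argv) > 2 else None)
    except (OSError, ValueError) as e:
        # No daemon reachable: fall back to the sample so the script runs offline.
        print("ZAP not reachable (%s); using the constructed sample" % e, file=sys.stderr)
        data = SAMPLE_REPORT
    alerts = parse_alerts(data)
    with open(out, "w", encoding="utf-8") as f:
        f.write(render_html(alerts))
    print("%d alerts written to %s" % (len(alerts), out))
```

The escaping point applies just as much to the two xslt routes: xsl:value-of escapes text nodes by default, so the stylesheets are safe as long as nobody adds disable-output-escaping to get "nicer" output, since everything in the report originated on the target.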

Workaround #2:

Use the command line program XmlToHtmlWithXSLT.exe (requires .Net 4.0) as below to obtain an html report as output. Unlike workaround #1, the transformation runs on the machine doing the scan, so no browser is involved.

XmlToHtmlWithXSLT.exe SampleOWASPZAPReport.xml ZapReport.xslt converted.html

If you don't have .Net 4.0, recompile the source below against the .Net version you have. On .Net 3.5 and earlier, XmlReaderSettings has no DtdProcessing property; use ProhibitDtd = true instead, which gives the same effect of not processing DTDs.

using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

namespace XmlToHtmlWithXSLT
{
    // Usage: XmlToHtmlWithXSLT.exe <report.xml> <stylesheet.xslt> <output.html>
    // Applies the XSLT to the ZAP XML report and writes the resulting html, so
    // the conversion can run on a build server with no browser in the loop.
    class Program
    {
        static int Main(string[] args)
        {
            if (args.Length != 3)
            {
                Console.Error.WriteLine("Usage: XmlToHtmlWithXSLT.exe <input.xml> <stylesheet.xslt> <output.html>");
                return 1;
            }

            string inputXmlFileName = args[0];
            string xsltfile = args[1];
            string outputHtmlFileName = args[2];

            XslCompiledTransform transform = LoadXsltTransform(xsltfile);

            StringWriter transformedToHtml = ApplyXsltTransform(inputXmlFileName, transform);

            WriteHtmlToFile(outputHtmlFileName, transformedToHtml);

            PrintStatus(outputHtmlFileName);
            return 0;
        }

        // Reader settings shared by both inputs. Neither the ZAP report nor the
        // stylesheet needs a DTD, and ignoring DTDs also rules out entity expansion
        // tricks (XXE, "billion laughs") should a tampered report ever be fed in.
        private static XmlReaderSettings SafeReaderSettings()
        {
            return new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore };
        }

        private static XslCompiledTransform LoadXsltTransform(string xsltfile)
        {
            // Load(XmlReader) uses XsltSettings.Default: embedded script blocks and
            // the document() function are disabled, so a stylesheet cannot run code
            // or read arbitrary files from disk during the transform.
            XslCompiledTransform transform = new XslCompiledTransform();
            using (XmlReader reader = XmlReader.Create(xsltfile, SafeReaderSettings()))
            {
                transform.Load(reader);
            }
            return transform;
        }

        private static StringWriter ApplyXsltTransform(string inputXmlFileName, XslCompiledTransform transform)
        {
            StringWriter transformedToHtml = new StringWriter();
            using (XmlReader reader = XmlReader.Create(inputXmlFileName, SafeReaderSettings()))
            {
                // No XsltArgumentList is needed; the stylesheet takes no parameters.
                transform.Transform(reader, null, transformedToHtml);
            }
            return transformedToHtml;
        }

        private static void WriteHtmlToFile(string outputHtmlFileName, StringWriter transformedToHtml)
        {
            // FileMode.Create overwrites an earlier report of the same name.
            using (StreamWriter outputFileStream = new StreamWriter(new FileStream(outputHtmlFileName, FileMode.Create)))
            {
                outputFileStream.Write(transformedToHtml.ToString());
            }
        }

        private static void PrintStatus(string outputHtmlFileName)
        {
            Console.WriteLine("Output Written to {0}", outputHtmlFileName);
        }
    }
}

Until the enhancement request (https://code.google.com/p/zaproxy/issues/detail?id=1355) is completed, these are some workarounds that I personally could live with; maybe you can too, for your automation needs.

Worth looking at – https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT

Written by gmaran23

January 13, 2015 at 9:52 pm