-
-
Save ritesh/2fcd9fd32995ffeb30f1 to your computer and use it in GitHub Desktop.
| target: | |
| # The target application we want to scan | |
| image: szsecurity/webgoat | |
| # The port that the application is available on. | |
| # If the application runs on a non-standard port, | |
| # you can map it to 80 for convenience by using | |
| # ports | |
| # - "80:8080" | |
| expose: | |
| - "80" | |
| zaproxy: | |
| image: owasp/zap2docker-stable | |
| command: zap.sh -daemon -port 8090 -host 0.0.0.0 | |
| expose: | |
| # ZAP is running on 8090, we want it to be accessible by our tools | |
| - "8090" | |
| links: | |
| - target | |
| tooling: | |
| build: tools/. | |
| # Runzap.py contains the commands to run ZAP on the target application | |
| command: python tools/runzap.py | |
| links: | |
| - zaproxy | |
| # Reports end up here! | |
| volumes: | |
| - ./:/code |
Not sure what you mean by UI? For WebGoat? See here: https://github.com/OWASP/WebGoat/blob/master/webgoat/doc/attic/readme.txt
@ritesh Did zap-proxy havent UI? I mean as i start it in Kali Linux for example
It does have a UI, but we are running it in headless mode. Also, this is really out of date - you want to follow the instructions here to run ZAP via docker: https://www.zaproxy.org/docs/docker/about/
Do I need try to run it in headless mode?
Yes you have to. Even without headless mode - ZAP is a proxy and does not need credentials. WebGoat does.
my docker compose cant start ui with this command :-(
but cli works OK
I think there's a misunderstanding here, the compose script does two 2 things. 1 it quickly sets up a WebGoat container (vulnerable app instance), then it creates a Zap container and mounts a tools directory from your computer, runs the scan in headless mode using the tools\runzap.py script (not included here, this was created ages ago - don't have it anymore) and then dumps the report in the tools directory again. There is no UI that shows up, it all runs in a CLI and stops after it is done. You go to the tools directory and your report should be there. As I said, this is really, really old, ZAP has better ways to do this now - follow the instructions on the zap website to get the same outcome.
Good. As I understand it, now I can’t start zap in docker and go to it from the browser while doing this, but only scan it by going into the container
That is correct, you might be able to make the port that ZAP listens on (8090) accessible to your browser using ports in docker-compose (this works different on windows/linux/mac) so that you can reach it from your browser if that's what you want. See the docker-compose docs on how to do that.
can you please paste the tools/runzap.py
hey! what the default creds for ui?