Reputation: 301
I do not want to use it from the desktop application. I need software that works on the web.
I want to use it on a server. Personnel who want to use ZAP need to do this by connecting to that server.
I could only run the desktop application.
Upvotes: 2
Views: 3776
Reputation: 2268
One possible option is to run the official container with webswing according to the official wiki: https://www.zaproxy.org/docs/docker/webswing/
TLDR; Stable:
docker run -d --name zaproxy -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
Starting with version 2.5.0 you can run the ZAP Desktop UI in your browser without having to install Java, thanks to the magic of Docker and Webswing.
To do this you will just need Docker installed. Start the container with webswing support:
Stable: docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
Weekly: docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-weekly zap-webswing.sh
Then point your browser at:
http://localhost:8080/zap
You will then see the familiar ZAP splash screen while ZAP starts up.
Upvotes: 1
Reputation: 140
While waiting for a native Web GUI you can do as the ZAP team did with ZAP on docker using Webswing.
Webswing allows you to use a Java Swing application through the browser, so the result will be the ZAP GUI through your browser.
First, you'll have to install Webswing and ZAP, and if you're using a headless Linux server, you'll have to install xvfb.
Second, you'll have to create a Webswing configuration file for running ZAP through Webswing. You can use the configuration file used by the ZAP docker or you can create one using the tutorial provided by Webswing.
Finally, enjoy!
Upvotes: 0
Reputation: 1
One of the options you could follow is setting up a VNC Server (https://archive.realvnc.com/products/vnc/documentation/4.6/unix/man/Xvnc.html) on the target and grant user/SSH access to N desktops for your users so that each could spawn its own proxy - providing they don't port collide. There's a security recommendation to provide VNC access through an SSH tunnel, so you need to keep that in mind. Also would recommend to disable 'password' SSH access and work with users with properly protected SSH identities aka keys.
Upvotes: 0
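The setup recommended in the answer above (one VNC display per user, reached only through an SSH tunnel, with key-only SSH), as an added example that is not part of the original answer. The function names, the user `alice` and the host `zap-server.example` are hypothetical, and the sshd settings shown are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original answer. Names and hosts are placeholders.

# VNC display :N listens on TCP 5900+N, so giving each user a distinct
# display number is what keeps the desktops from colliding on ports.
vnc_port() {
    echo $((5900 + $1))
}

# Client-side tunnel: forward a local port to the loopback VNC port on the server.
# Assumption: the server's VNC display accepts loopback connections only.
tunnel_cmd() {  # usage: tunnel_cmd USER HOST DISPLAY
    port=$(vnc_port "$3")
    echo "ssh -N -L ${port}:127.0.0.1:${port} $1@$2"
}

# Reads the effective sshd settings (output of `sshd -T`, run as root) on stdin
# and prints each setting that still permits password-style logins.
# keyboard-interactive is checked too, because it can also prompt for a password.
# Returns 0 when only key-based login is left, 1 otherwise.
audit_sshd() {
    awk '
        $1 == "passwordauthentication"          && $2 != "no"  { print "FAIL", $1, $2; bad = 1 }
        $1 == "kbdinteractiveauthentication"    && $2 != "no"  { print "FAIL", $1, $2; bad = 1 }
        $1 == "challengeresponseauthentication" && $2 != "no"  { print "FAIL", $1, $2; bad = 1 }
        $1 == "permitemptypasswords"            && $2 != "no"  { print "FAIL", $1, $2; bad = 1 }
        $1 == "pubkeyauthentication"            && $2 != "yes" { print "FAIL", $1, $2; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample of `sshd -T` output, for demonstration only.
SAMPLE='passwordauthentication no
kbdinteractiveauthentication yes
pubkeyauthentication yes'

# Demo: the tunnel command for the user on display :3, then the audit result.
tunnel_cmd alice zap-server.example 3
printf '%s\n' "$SAMPLE" | audit_sshd || echo "sshd still accepts password-style logins"
```

On a real server, feed the audit with `sshd -T | audit_sshd` rather than the sample.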
Reputation: 6186
We have a plan for this, otherwise known as ZAP as a Service (ZaaS). It's not progressing as quickly as we'd like, due to lack of contributors. If you (or anyone else) has suitable skills and would like to work on ZAP then we'd be very pleased to hear from you :)
Simon (ZAP project lead)
Upvotes: 4