def launch_web_scan(target_url, project_id): try: with open(api_key_path, 'r+') as f: data = json.load(f) lod_apikey = data['zap_api_key'] apikey = signing.loads(lod_apikey) zapath = data['zap_path'] zap_port = data['zap_port'] except Exception as e: print e zap = ZAPv2(apikey=apikey, proxies={ 'http': 'http://127.0.0.1' + ':' + zap_port, 'https': 'http://127.0.0.1' + ':' + zap_port }) print target_url try: abc = zapscanner.start_zap() print abc except Exception as e: print e return HttpResponseRedirect("/webscanners/scans_list/") time.sleep(10) all_excluded = excluded_db.objects.filter( Q(exclude_url__icontains=target_url)) for data in all_excluded: global excluded_url excluded_url = data.exclude_url print "Exclude url ", excluded_url url_exclude = zap.spider.exclude_from_scan(regex=excluded_url) print "URL Excluded:", url_exclude all_cookie = cookie_db.objects.filter(url=target_url) for da in all_cookie: global cookies cookies = da.cookie remove_cookie = zap.replacer.remove_rule(target_url) print "Remove Cookie :", remove_cookie cookie_add = zap.replacer.add_rule(apikey=apikey, description=target_url, enabled="true", matchtype='REQ_HEADER', matchregex="false", replacement=cookies, matchstring="Cookie", initiators="") print "Cookies Added :", cookie_add zap.ajaxSpider.scan(target_url) scanid = zap.spider.scan(target_url) save_all = zap_spider_db(spider_url=target_url, spider_scanid=scanid) save_all.save() try: while (int(zap.spider.status(scanid)) < 100): # print 'Spider progress %:' + zap.spider.status(scanid) global spider_status spider_status = zap.spider.status(scanid) print "Spider progress", spider_status time.sleep(5) except Exception as e: print e spider_status = "100" spider_res_out = zap.spider.results(scanid) data_out = ("\n".join(map(str, spider_res_out))) print data_out total_spider = len(spider_res_out) # save_spider_results = zap_spider_results(spider_id=(scanid), spider_urls=(data_out)) # save_spider_results.save() # del_temp = zap_spider_db.objects.filter(spider_scanid__icontains=scanid).order_by('spider_scanid') # del_temp.delete() # save_all = zap_spider_db(spider_url=target_url, spider_scanid=scanid, urls_num=total_spider) # save_all.save() print 'Spider Completed------' print 'Target :', target_url global spider_alert spider_alert = "Spider Completed" time.sleep(5) print 'Scanning Target %s' % target_url scan_scanid = zap.ascan.scan(target_url) un_scanid = uuid.uuid4() print "updated scanid :", un_scanid try: save_all_scan = zap_scans_db(project_id=project_id, scan_url=target_url, scan_scanid=un_scanid) save_all_scan.save() except Exception as e: print e # zap_scans_db.objects.filter(pk=some_value).update(field1='some value') try: while (int(zap.ascan.status(scan_scanid)) < 100): print 'Scan progress from zap_scan_lauch function %: ' + zap.ascan.status( scan_scanid) global scans_status scans_status = zap.ascan.status(scan_scanid) zap_scans_db.objects.filter(scan_scanid=un_scanid).update( vul_status=scans_status) time.sleep(5) except Exception as e: print e # Save Vulnerability in database scans_status = "100" zap_scans_db.objects.filter(scan_scanid=un_scanid).update( vul_status=scans_status) print target_url time.sleep(5) all_vuln = zap.core.alerts(target_url) # print all_vuln for vuln in all_vuln: vuln_id = uuid.uuid4() confidence = vuln['confidence'] wascid = vuln['wascid'] cweid = vuln['cweid'] risk = vuln['risk'] reference = vuln['reference'] url = vuln['url'] name = vuln['name'] solution = vuln['solution'] param = vuln['param'] evidence = vuln['evidence'] sourceid = vuln['sourceid'] pluginId = vuln['pluginId'] other = vuln['other'] attack = vuln['attack'] messageId = vuln['messageId'] method = vuln['method'] alert = vuln['alert'] ids = vuln['id'] description = vuln['description'] global vul_col if risk == 'High': vul_col = "important" elif risk == 'Medium': vul_col = "warning" elif risk == 'Low': vul_col = "info" dump_all = zap_scan_results_db(vuln_id=vuln_id, vuln_color=vul_col, scan_id=un_scanid, project_id=project_id, confidence=confidence, wascid=wascid, cweid=cweid, risk=risk, reference=reference, url=url, name=name, solution=solution, param=param, evidence=evidence, sourceid=sourceid, pluginId=pluginId, other=other, attack=attack, messageId=messageId, method=method, alert=alert, id=ids, description=description) dump_all.save() time.sleep(5) zap_all_vul = zap_scan_results_db.objects.filter( scan_id=un_scanid).order_by('scan_id') total_vul = len(zap_all_vul) total_high = len(zap_all_vul.filter(risk="High")) total_medium = len(zap_all_vul.filter(risk="Medium")) total_low = len(zap_all_vul.filter(risk="Low")) zap_scans_db.objects.filter(scan_scanid=un_scanid).update( total_vul=total_vul, high_vul=total_high, medium_vul=total_medium, low_vul=total_low) spider_alert = "Scan Completed" time.sleep(5) for msg in zap_all_vul: msg_id = msg.messageId request_response = zap.core.message(id=msg_id) ja_son = json.dumps(request_response) ss = ast.literal_eval(ja_son) for key, value in ss.viewitems(): global note if key == "note": note = value global rtt if key == "rtt": rtt = value global tags if key == "tags": tags = value global timestamp if key == "timestamp": timestamp = value global responseHeader if key == "responseHeader": responseHeader = value global requestBody if key == "requestBody": requestBody = value global responseBody if key == "responseBody": responseBody = value global requestHeader if key == "requestHeader": requestHeader = value global cookieParams if key == "cookieParams": cookieParams = value global res_type if key == "type": res_type = value global res_id if key == "id": res_id = value zap_scan_results_db.objects.filter(messageId=msg_id).update( note=note, rtt=rtt, tags=tags, timestamp=timestamp, responseHeader=responseHeader, requestBody=requestBody, responseBody=responseBody, requestHeader=requestHeader, cookieParams=cookieParams, res_type=res_type, res_id=res_id) print msg_id print res_id
def launch_web_scan(target_url, project_id): try: with open(api_key_path, 'r+') as f: data = json.load(f) lod_apikey = data['zap_api_key'] apikey = signing.loads(lod_apikey) zapath = data['zap_path'] zap_port = data['zap_port'] except Exception as e: print e # Define settings to ZAP Proxy zap = ZAPv2(apikey=apikey, proxies={ 'http': 'http://127.0.0.1' + ':' + zap_port, 'https': 'http://127.0.0.1' + ':' + zap_port }) """ Zap scan start """ try: # ZAP launch function zapscanner.start_zap() except Exception as e: print e print "ZAP Failed.............." print "ZAP Restarting" time.sleep(15) # Get Excluded URL from excluded_db models try: all_excluded = excluded_db.objects.filter( Q(exclude_url__icontains=target_url)) for data in all_excluded: global excluded_url excluded_url = data.exclude_url print "excluded url ", excluded_url print "Excluded url ", excluded_url # Excluding URL from scans in zap API url_exclude = zap.spider.exclude_from_scan(regex=excluded_url) print "URL Excluded:", url_exclude except Exception as e: print "ZAP Failed.............." print "ZAP Restarting" all_cookie = cookie_db.objects.filter(Q(url__icontains=target_url)) for da in all_cookie: global cookies cookies = da.cookie print da.url print "Cookies from database:", cookies try: remove_cookie = zap.replacer.remove_rule(target_url) except Exception as e: print e print "Remove Cookie :", remove_cookie # Adding cookies value try: cookie_add = zap.replacer.add_rule(apikey=apikey, description=target_url, enabled="true", matchtype='REQ_HEADER', matchregex="false", replacement=cookies, matchstring="Cookie", initiators="") print "Cookies Added :", cookie_add except Exception as e: print e zap.ajaxSpider.scan(target_url) try: scanid = zap.spider.scan(target_url) save_all = zap_spider_db(spider_url=target_url, spider_scanid=scanid) save_all.save() except Exception as e: print e try: while (int(zap.spider.status(scanid)) < 100): global spider_status spider_status = zap.spider.status(scanid) print "Spider progress", spider_status time.sleep(5) except Exception as e: print e spider_status = "100" spider_res_out = zap.spider.results(scanid) data_out = ("\n".join(map(str, spider_res_out))) print data_out print 'Spider Completed------' print 'Target :', target_url global spider_alert spider_alert = "Spider Completed" time.sleep(5) print 'Scanning Target %s' % target_url """ ZAP Scan trigger on target_url """ try: scan_scanid = zap.ascan.scan(target_url) except Exception as e: print e un_scanid = uuid.uuid4() date_time = datetime.datetime.now() try: save_all_scan = zap_scans_db(project_id=project_id, scan_url=target_url, scan_scanid=un_scanid, date_time=date_time) save_all_scan.save() except Exception as e: print e try: while (int(zap.ascan.status(scan_scanid)) < 100): print 'ZAP Scan Status %: ' + zap.ascan.status(scan_scanid) global scans_status scans_status = zap.ascan.status(scan_scanid) zap_scans_db.objects.filter(scan_scanid=un_scanid).update( vul_status=scans_status) time.sleep(5) except Exception as e: print e # Save Vulnerability in database scans_status = "100" zap_scans_db.objects.filter(scan_scanid=un_scanid).update( vul_status=scans_status) print target_url time.sleep(5) all_vuln = zap.core.alerts(target_url) for vuln in all_vuln: vuln_id = uuid.uuid4() confidence = vuln['confidence'] wascid = vuln['wascid'] cweid = vuln['cweid'] risk = vuln['risk'] reference = vuln['reference'] url = vuln['url'] name = vuln['name'] solution = vuln['solution'] param = vuln['param'] evidence = vuln['evidence'] sourceid = vuln['sourceid'] pluginId = vuln['pluginId'] other = vuln['other'] attack = vuln['attack'] messageId = vuln['messageId'] method = vuln['method'] alert = vuln['alert'] ids = vuln['id'] description = vuln['description'] global vul_col if risk == 'High': vul_col = "important" elif risk == 'Medium': vul_col = "warning" elif risk == 'Low': vul_col = "info" else: vul_col = "info" # date_time = datetime.datetime.now() dump_all = zap_scan_results_db(vuln_id=vuln_id, vuln_color=vul_col, scan_id=un_scanid, project_id=project_id, confidence=confidence, wascid=wascid, cweid=cweid, risk=risk, reference=reference, url=url, name=name, solution=solution, param=param, evidence=evidence, sourceid=sourceid, pluginId=pluginId, other=other, attack=attack, messageId=messageId, method=method, alert=alert, ids=ids, description=description) dump_all.save() time.sleep(5) zap_all_vul = zap_scan_results_db.objects.filter(scan_id=un_scanid).values( 'name', 'risk', 'vuln_color').distinct() total_vul = len(zap_all_vul) total_high = len(zap_all_vul.filter(risk="High")) total_medium = len(zap_all_vul.filter(risk="Medium")) total_low = len(zap_all_vul.filter(risk="Low")) zap_scans_db.objects.filter(scan_scanid=un_scanid).update( total_vul=total_vul, high_vul=total_high, medium_vul=total_medium, low_vul=total_low) spider_alert = "Scan Completed" time.sleep(10) print un_scanid zap_web_all = zap_scan_results_db.objects.filter(scan_id=un_scanid) for m in zap_web_all: msg_id = m.messageId request_response = zap.core.message(id=msg_id) ja_son = json.dumps(request_response) ss = ast.literal_eval(ja_son) for key, value in ss.viewitems(): global note if key == "note": note = value global rtt if key == "rtt": rtt = value global tags if key == "tags": tags = value global timestamp if key == "timestamp": timestamp = value global responseHeader if key == "responseHeader": responseHeader = value global requestBody if key == "requestBody": requestBody = value global responseBody if key == "responseBody": responseBody = value global requestHeader if key == "requestHeader": requestHeader = value global cookieParams if key == "cookieParams": cookieParams = value global res_type if key == "type": res_type = value global res_id if key == "id": res_id = value zap_scan_results_db.objects.filter(messageId=msg_id).update( note=note, rtt=rtt, tags=tags, timestamp=timestamp, responseHeader=responseHeader, requestBody=requestBody, responseBody=responseBody, requestHeader=requestHeader, cookieParams=cookieParams, res_type=res_type, res_id=res_id) zapscanner.stop_zap() try: email_notification.email_notify() except Exception as e: print e return HttpResponse(status=201)
def url_api_scan(request): if request.POST.get("auth_val"): auth_val = request.POST.get("auth_val") print auth_val if auth_val == 'No': target_url = request.POST.get("scan_url") req_header = ast.literal_eval(request.POST.get("req_header")) req_body = request.POST.get("req_body") method = request.POST.get("method") project_id = request.POST.get("project_id") scan_id = request.POST.get("scan_id") auth_token_key = request.POST.get("auth_token_key") try: with open(api_key_path, 'r+') as f: data = json.load(f) lod_apikey = data['zap_api_key'] apikey = signing.loads(lod_apikey) zapath = data['zap_path'] zap_port = data['zap_port'] except Exception as e: print e zap = ZAPv2(apikey=apikey, proxies={ 'http': 'http://127.0.0.1' + ':' + zap_port, 'https': 'http://127.0.0.1' + ':' + zap_port }) print target_url """ ***Starting ZAP Scanner*** """ try: zap_scanner = zapscanner.start_zap() print "Status of zap scanner:", zap_scanner except Exception as e: print e return HttpResponseRedirect("/webscanners/scans_list/") """ *****End zap scanner**** """ time.sleep(10) """ Excluding URL from scanner """ scanid = zap.spider.scan(target_url) save_all = zap_spider_db(spider_url=target_url, spider_scanid=scanid) save_all.save() try: while (int(zap.spider.status(scanid)) < 100): # print 'Spider progress %:' + zap.spider.status(scanid) global spider_status spider_status = zap.spider.status(scanid) print "Spider progress", spider_status time.sleep(5) except Exception as e: print e spider_status = "100" spider_res_out = zap.spider.results(scanid) data_out = ("\n".join(map(str, spider_res_out))) print data_out total_spider = len(spider_res_out) print 'Spider Completed------' print 'Target :', target_url global spider_alert spider_alert = "Spider Completed" time.sleep(5) print 'Scanning Target %s' % target_url scan_scanid = zap.ascan.scan(target_url) un_scanid = uuid.uuid4() print "updated scanid :", un_scanid try: save_all_scan = zap_scans_db(project_id=project_id, scan_url=target_url, scan_scanid=un_scanid) save_all_scan.save() except Exception as e: print e # zap_scans_db.objects.filter(pk=some_value).update(field1='some value') try: while (int(zap.ascan.status(scan_scanid)) < 100): print 'Scan progress from zap_scan_lauch function %: ' + zap.ascan.status( scan_scanid) global scans_status scans_status = zap.ascan.status(scan_scanid) zap_scans_db.objects.filter(scan_scanid=un_scanid).update( vul_status=scans_status) time.sleep(5) except Exception as e: print e # Save Vulnerability in database scans_status = "100" zap_scans_db.objects.filter(scan_scanid=un_scanid).update( vul_status=scans_status) print target_url time.sleep(5) all_vuln = zap.core.alerts(target_url) # print all_vuln for vuln in all_vuln: vuln_id = uuid.uuid4() confidence = vuln['confidence'] wascid = vuln['wascid'] cweid = vuln['cweid'] risk = vuln['risk'] reference = vuln['reference'] url = vuln['url'] name = vuln['name'] solution = vuln['solution'] param = vuln['param'] evidence = vuln['evidence'] sourceid = vuln['sourceid'] pluginId = vuln['pluginId'] other = vuln['other'] attack = vuln['attack'] messageId = vuln['messageId'] method = vuln['method'] alert = vuln['alert'] ids = vuln['id'] description = vuln['description'] global vul_col if risk == 'High': vul_col = "important" elif risk == 'Medium': vul_col = "warning" elif risk == 'Low': vul_col = "info" dump_all = zap_scan_results_db(vuln_id=vuln_id, vuln_color=vul_col, scan_id=un_scanid, project_id=project_id, confidence=confidence, wascid=wascid, cweid=cweid, risk=risk, reference=reference, url=url, name=name, solution=solution, param=param, evidence=evidence, sourceid=sourceid, pluginId=pluginId, other=other, attack=attack, messageId=messageId, method=method, alert=alert, id=ids, description=description) dump_all.save() time.sleep(5) zap_all_vul = zap_scan_results_db.objects.filter( scan_id=un_scanid).order_by('scan_id') total_vul = len(zap_all_vul) total_high = len(zap_all_vul.filter(risk="High")) total_medium = len(zap_all_vul.filter(risk="Medium")) total_low = len(zap_all_vul.filter(risk="Low")) zap_scans_db.objects.filter(scan_scanid=un_scanid).update( total_vul=total_vul, high_vul=total_high, medium_vul=total_medium, low_vul=total_low) spider_alert = "Scan Completed" time.sleep(5) for msg in zap_all_vul: msg_id = msg.messageId request_response = zap.core.message(id=msg_id) ja_son = json.dumps(request_response) ss = ast.literal_eval(ja_son) for key, value in ss.viewitems(): global note if key == "note": note = value global rtt if key == "rtt": rtt = value global tags if key == "tags": tags = value global timestamp if key == "timestamp": timestamp = value global responseHeader if key == "responseHeader": responseHeader = value global requestBody if key == "requestBody": requestBody = value global responseBody if key == "responseBody": responseBody = value global requestHeader if key == "requestHeader": requestHeader = value global cookieParams if key == "cookieParams": cookieParams = value global res_type if key == "type": res_type = value global res_id if key == "id": res_id = value zap_scan_results_db.objects.filter(messageId=msg_id).update( note=note, rtt=rtt, tags=tags, timestamp=timestamp, responseHeader=responseHeader, requestBody=requestBody, responseBody=responseBody, requestHeader=requestHeader, cookieParams=cookieParams, res_type=res_type, res_id=res_id) print msg_id print res_id zap_scanner = zapscanner.stop_zap() print "Status of zap scanner:", zap_scanner return HttpResponseRedirect('/scanapi/') return render(request, 'api_scan_list.html')
def authenticate(request): global keyl if request.POST.get("scan_url"): auth_val = request.POST.get("auth_val") if auth_val == 'Yes': scan_url = request.POST.get("scan_url") req_header = ast.literal_eval(request.POST.get("req_header")) req_body = request.POST.get("req_body") method = request.POST.get("method") project_id = request.POST.get("project_id") scan_id = request.POST.get("scan_id") auth_token_key = request.POST.get("auth_token_key") extra_val_in_auth = request.POST.get("extra_auth_value") print scan_url p = json.loads(json.dumps(req_header)) print p for key, value in p.iteritems(): print key, value r = requests.post(scan_url, headers=req_header, data=req_body) data = json.loads(r.text) for key, value in data.viewitems(): keyl = data[key] api_token = extra_val_in_auth + " " + keyl print api_token try: with open(api_key_path, 'r+') as f: data = json.load(f) lod_apikey = data['zap_api_key'] apikey = signing.loads(lod_apikey) zapath = data['zap_path'] zap_port = data['zap_port'] except Exception as e: print e zap = ZAPv2(apikey=apikey, proxies={ 'http': 'http://127.0.0.1' + ':' + zap_port, 'https': 'http://127.0.0.1' + ':' + zap_port }) try: zap_scanner = zapscanner.start_zap() print "Status of zap scanner:", zap_scanner except Exception as e: print e return HttpResponseRedirect("/webscanners/scans_list/") time.sleep(10) """ Excluding URL from scanner """ remove_auth = zap.replacer.remove_rule(scan_url) print "Remove Auth :", remove_auth print "Auth token Key :", auth_token_key auth_token_add = zap.replacer.add_rule( apikey=apikey, description=scan_url, enabled="true", matchtype='REQ_HEADER', matchregex="false", replacement=api_token, matchstring=auth_token_key, initiators="") print "Auth Added :", auth_token_add p = json.loads(json.dumps(req_header)) print p for key, value in p.iteritems(): print key, value # remove_header = zap.replacer.remove_rule(target_url) # print "Remove extra value header :", remove_header header_add = zap.replacer.add_rule(apikey=apikey, description=scan_url, enabled="true", matchtype='REQ_HEADER', matchregex="false", replacement=value, matchstring=key, initiators="") print "Cookies Added :", header_add api_token_db.objects.filter(scan_url=scan_url).update( api_token=api_token) return HttpResponseRedirect('/scanapi/') else: return HttpResponseRedirect('/scanapi/')
def url_api_scan(request): if request.POST.get("auth_val"): auth_val = request.POST.get("auth_val") print auth_val if auth_val == 'No': target_url = request.POST.get("scan_url") req_header = ast.literal_eval(request.POST.get("req_header")) req_body = request.POST.get("req_body") method = request.POST.get("method") project_id = request.POST.get("project_id") scan_id = request.POST.get("scan_id") auth_token_key = request.POST.get("auth_token_key") try: with open(api_key_path, 'r+') as f: data = json.load(f) lod_apikey = data['zap_api_key'] apikey = signing.loads(lod_apikey) zapath = data['zap_path'] zap_port = data['zap_port'] except Exception as e: print e zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1' + ':' + zap_port, 'https': 'http://127.0.0.1' + ':' + zap_port}) print target_url """ ***Starting ZAP Scanner*** """ try: zap_scanner = zapscanner.start_zap() print "Status of zap scanner:", zap_scanner except Exception as e: print e return HttpResponseRedirect("/webscanners/scans_list/") """ *****End zap scanner**** """ time.sleep(10) """ Excluding URL from scanner """ scanid = zap.spider.scan(target_url) save_all = zap_spider_db(spider_url=target_url, spider_scanid=scanid) save_all.save() try: while (int(zap.spider.status(scanid)) < 100): # print 'Spider progress %:' + zap.spider.status(scanid) global spider_status spider_status = zap.spider.status(scanid) print "Spider progress", spider_status time.sleep(5) except Exception as e: print e spider_status = "100" spider_res_out = zap.spider.results(scanid) data_out = ("\n".join(map(str, spider_res_out))) print data_out total_spider = len(spider_res_out) print 'Spider Completed------' print 'Target :', target_url global spider_alert spider_alert = "Spider Completed" time.sleep(5) print 'Scanning Target %s' % target_url scan_scanid = zap.ascan.scan(target_url) un_scanid = uuid.uuid4() print "updated scanid :", un_scanid try: save_all_scan = zap_scans_db(project_id=project_id, scan_url=target_url, scan_scanid=un_scanid) save_all_scan.save() except Exception as e: print e # zap_scans_db.objects.filter(pk=some_value).update(field1='some value') try: while (int(zap.ascan.status(scan_scanid)) < 100): print 'Scan progress from zap_scan_lauch function %: ' + zap.ascan.status(scan_scanid) global scans_status scans_status = zap.ascan.status(scan_scanid) zap_scans_db.objects.filter(scan_scanid=un_scanid).update(vul_status=scans_status) time.sleep(5) except Exception as e: print e # Save Vulnerability in database scans_status = "100" zap_scans_db.objects.filter(scan_scanid=un_scanid).update(vul_status=scans_status) print target_url time.sleep(5) all_vuln = zap.core.alerts(target_url) # print all_vuln for vuln in all_vuln: vuln_id = uuid.uuid4() confidence = vuln['confidence'] wascid = vuln['wascid'] cweid = vuln['cweid'] risk = vuln['risk'] reference = vuln['reference'] url = vuln['url'] name = vuln['name'] solution = vuln['solution'] param = vuln['param'] evidence = vuln['evidence'] sourceid = vuln['sourceid'] pluginId = vuln['pluginId'] other = vuln['other'] attack = vuln['attack'] messageId = vuln['messageId'] method = vuln['method'] alert = vuln['alert'] ids = vuln['id'] description = vuln['description'] global vul_col if risk == 'High': vul_col = "important" elif risk == 'Medium': vul_col = "warning" elif risk == 'Low': vul_col = "info" dump_all = zap_scan_results_db(vuln_id=vuln_id, vuln_color=vul_col, scan_id=un_scanid, project_id=project_id, confidence=confidence, wascid=wascid, cweid=cweid, risk=risk, reference=reference, url=url, name=name, solution=solution, param=param, evidence=evidence, sourceid=sourceid, pluginId=pluginId, other=other, attack=attack, messageId=messageId, method=method, alert=alert, id=ids, description=description) dump_all.save() time.sleep(5) zap_all_vul = zap_scan_results_db.objects.filter(scan_id=un_scanid).order_by('scan_id') total_vul = len(zap_all_vul) total_high = len(zap_all_vul.filter(risk="High")) total_medium = len(zap_all_vul.filter(risk="Medium")) total_low = len(zap_all_vul.filter(risk="Low")) zap_scans_db.objects.filter(scan_scanid=un_scanid).update(total_vul=total_vul, high_vul=total_high, medium_vul=total_medium, low_vul=total_low) spider_alert = "Scan Completed" time.sleep(5) for msg in zap_all_vul: msg_id = msg.messageId request_response = zap.core.message(id=msg_id) ja_son = json.dumps(request_response) ss = ast.literal_eval(ja_son) for key, value in ss.viewitems(): global note if key == "note": note = value global rtt if key == "rtt": rtt = value global tags if key == "tags": tags = value global timestamp if key == "timestamp": timestamp = value global responseHeader if key == "responseHeader": responseHeader = value global requestBody if key == "requestBody": requestBody = value global responseBody if key == "responseBody": responseBody = value global requestHeader if key == "requestHeader": requestHeader = value global cookieParams if key == "cookieParams": cookieParams = value global res_type if key == "type": res_type = value global res_id if key == "id": res_id = value zap_scan_results_db.objects.filter(messageId=msg_id).update(note=note, rtt=rtt, tags=tags, timestamp=timestamp, responseHeader=responseHeader, requestBody=requestBody, responseBody=responseBody, requestHeader=requestHeader, cookieParams=cookieParams, res_type=res_type, res_id=res_id) print msg_id print res_id zap_scanner = zapscanner.stop_zap() print "Status of zap scanner:", zap_scanner return HttpResponseRedirect('/scanapi/') return render(request, 'api_scan_list.html')
def authenticate(request): global keyl if request.POST.get("scan_url"): auth_val = request.POST.get("auth_val") if auth_val == 'Yes': scan_url = request.POST.get("scan_url") req_header = ast.literal_eval(request.POST.get("req_header")) req_body = request.POST.get("req_body") method = request.POST.get("method") project_id = request.POST.get("project_id") scan_id = request.POST.get("scan_id") auth_token_key = request.POST.get("auth_token_key") extra_val_in_auth = request.POST.get("extra_auth_value") print scan_url p = json.loads(json.dumps(req_header)) print p for key, value in p.iteritems(): print key, value r = requests.post(scan_url, headers=req_header, data=req_body) data = json.loads(r.text) for key, value in data.viewitems(): keyl = data[key] api_token = extra_val_in_auth + " " + keyl print api_token try: with open(api_key_path, 'r+') as f: data = json.load(f) lod_apikey = data['zap_api_key'] apikey = signing.loads(lod_apikey) zapath = data['zap_path'] zap_port = data['zap_port'] except Exception as e: print e zap = ZAPv2(apikey=apikey, proxies={'http': 'http://127.0.0.1' + ':' + zap_port, 'https': 'http://127.0.0.1' + ':' + zap_port}) try: zap_scanner = zapscanner.start_zap() print "Status of zap scanner:", zap_scanner except Exception as e: print e return HttpResponseRedirect("/webscanners/scans_list/") time.sleep(10) """ Excluding URL from scanner """ remove_auth = zap.replacer.remove_rule(scan_url) print "Remove Auth :", remove_auth print "Auth token Key :", auth_token_key auth_token_add = zap.replacer.add_rule(apikey=apikey, description=scan_url, enabled="true", matchtype='REQ_HEADER', matchregex="false", replacement=api_token, matchstring=auth_token_key, initiators="") print "Auth Added :", auth_token_add p = json.loads(json.dumps(req_header)) print p for key, value in p.iteritems(): print key, value # remove_header = zap.replacer.remove_rule(target_url) # print "Remove extra value header :", remove_header header_add = zap.replacer.add_rule(apikey=apikey, description=scan_url, enabled="true", matchtype='REQ_HEADER', matchregex="false", replacement=value, matchstring=key, initiators="") print "Cookies Added :", header_add api_token_db.objects.filter(scan_url=scan_url).update(api_token=api_token) return HttpResponseRedirect('/scanapi/') else: return HttpResponseRedirect('/scanapi/')