zap-test-runner

v1.0.1

Published

Use the OWASP ZAP API to execute spider, passive, active scanning and report generation

Downloads

5

Readme

OWASP ZAP Test Utils

Configuration

This Node project, ZAP Test, triggers the scanning and generates the report. It requires the following parameters:

| Parameter | Short form | Long form | Required |
|--------------|------------|---------------|----------|
| ZAP Host | -z | --zap-host | Yes |
| Test Machine | -t | --test-system | Yes |
| Scan Type | -f | --full-scan | No |

In this E2E test project, the required properties are passed through to docker-compose using environment variables, which should be declared in a .env file in the root project folder and never checked into source control.

```ini
# The hostname and port of the ZAP container to proxy requests and run analysis through, e.g. zap:9090 if using the docker-compose setup
ZAP_HOST=zapHost:zapPort

# The hostname and port of the test server, e.g. 127.0.0.1:8080 if running locally
HOST=hostname:port

# The account to log in with when running the E2E tests
USERNAME=username

# The password of that account
PASSWORD=password
```

There are 2 kinds of scans which can be used in this project:

  • A quick scan which will run the Spider scan, Passive scan and Report steps.

    ```sh
    zap-test -z ${ZAP_HOST} -t ${HOST}
    ```

  • A full scan which will also run an Active scan.

    ```sh
    zap-test -z ${ZAP_HOST} -t ${HOST} -f
    ```

Test Analysis

Once the tests complete, the ZAP analysis stage kicks in. It consists of the following distinct steps from the recommended Explore, Attack, Report pattern:

  • Traditional Spider Scanning

Traditional Spider Scanning automatically discovers resources/URLs on the website. The spider visits each URL, identifies links and keeps track of them. Any "hidden" resources will be discovered by the Spider scan, which is useful for detecting Information Disclosure: we don't want to expose unnecessary information from the server that could aid an attacker.

  • AJAX Spider Scanning

The AJAX Spider allows you to crawl modern web applications written in AJAX in far more depth than the traditional Spider. Use the AJAX Spider if you have web applications written in AJAX, but also run the Traditional Spider for complete coverage of a web application, e.g. to cover HTML comments.

  • Passive Scanning

Passive Scanning works alongside the Spider Scanning and analyses all HTTP requests and responses that were sent. This is useful for catching missing protections such as Anti-CSRF, CSP or CORS headers, and it will show any cookies not flagged as HttpOnly or Secure.

  • Active Scanning

Active Scanning is the long-running process which actively modifies requests to exercise known vulnerability classes. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning, so manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

  • Report Generation

This step collects all the processed results from each scanner and outputs them to HTML reports available at:

`zap-reports/scanning-report.html`

This is the overall summary of the discovered vulnerabilities.

`zap-reports/all-alerts.html`

This is the more detailed view of all the discovered alerts. Most likely all the relevant information will be displayed in the summary report.

`zap-reports/spidering-report.html`

This is a report of the vulnerabilities discovered in the AJAX Spider scan stage. Most likely all the relevant information will be displayed in the summary report.
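The quick/full scan options and the Explore, Attack, Report sequence above, as an added example that is not the zap-test-runner package's own code. It uses the ZAP JSON API endpoints for the spider, passive scan, active scan and alerts; the `request(path, params)` function is an assumed injection point (a real one would GET `http://${zapHost}${path}` with the params, plus ZAP's `apikey`, as a query string), so the flow runs offline against the constructed mock.

```javascript
// Added example, not the package's own code. Drives ZAP's spider -> passive ->
// (active) -> alerts sequence; -z/-t/-f follow the parameter table above.
function parseArgs(argv) {
  const opts = { fullScan: false };
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === "-z" || argv[i] === "--zap-host") opts.zapHost = argv[++i];
    else if (argv[i] === "-t" || argv[i] === "--test-system") opts.testSystem = argv[++i];
    else if (argv[i] === "-f" || argv[i] === "--full-scan") opts.fullScan = true;
  }
  if (!opts.zapHost || !opts.testSystem) throw new Error("-z and -t are required");
  return opts;
}
// Poll a status endpoint until `done` accepts the response; bounded so a hung scan cannot block forever.
async function pollUntil(request, path, params, done, maxPolls = 600) {
  for (let i = 0; i < maxPolls; i++) {
    const r = await request(path, params);
    if (done(r)) return r;
  }
  throw new Error(`timed out polling ${path}`);
}
async function runScan(opts, request) {
  const target = `http://${opts.testSystem}`;
  const steps = [];
  const spider = await request("/JSON/spider/action/scan/", { url: target });
  await pollUntil(request, "/JSON/spider/view/status/", { scanId: spider.scan }, r => Number(r.status) >= 100);
  steps.push("spider");
  // The passive scanner runs while pages are fetched; wait for its record queue to drain.
  await pollUntil(request, "/JSON/pscan/view/recordsToScan/", {}, r => Number(r.recordsToScan) === 0);
  steps.push("passive");
  if (opts.fullScan) { // -f adds the active scan stage
    const ascan = await request("/JSON/ascan/action/scan/", { url: target, recurse: "true" });
    await pollUntil(request, "/JSON/ascan/view/status/", { scanId: ascan.scan }, r => Number(r.status) >= 100);
    steps.push("active");
  }
  const { alerts } = await request("/JSON/core/view/alerts/", { baseurl: target });
  const byRisk = {}; // report stage: alert count per risk level, as the summary report shows
  for (const a of alerts) byRisk[a.risk] = (byRisk[a.risk] || 0) + 1;
  return { steps, byRisk };
}
// Constructed mock of the ZAP API: scans hit 100% on the second status poll, the
// passive queue drains after one poll, and two sample alerts are returned.
function mockZap() {
  const polls = {}, tick = k => (polls[k] = (polls[k] || 0) + 1);
  return async (path) => {
    if (path.endsWith("/action/scan/")) return { scan: "1" };
    if (path.endsWith("/view/status/")) return { status: tick(path) > 1 ? "100" : "40" };
    if (path.endsWith("/recordsToScan/")) return { recordsToScan: tick(path) > 1 ? "0" : "3" };
    return { alerts: [{ risk: "Medium", alert: "Absence of Anti-CSRF Tokens" }, { risk: "Low", alert: "Cookie Without Secure Flag" }] };
  };
}
```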