First push of new independent Python API for ZAP

.gitignore

@@ -3,6 +3,7 @@ __pycache__/
 *.py[cod]
 *$py.class
 
+.idea/
 # C extensions
 *.so
 

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -178,15 +179,15 @@
    APPENDIX: How to apply the Apache License to your work.
 
       To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
+      boilerplate notice, with the fields enclosed by brackets "[]"
       replaced with your own identifying information. (Don't include
       the brackets!)  The text should be enclosed in the appropriate
       comment syntax for the file format. We also recommend that a
       file or class name and description of purpose be included on the
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

MANIFEST.in

@@ -0,0 +1,15 @@
+include LICENSE requirements.txt
+
+recursive-exclude * __pycache__
+recursive-exclude * *.pyc
+recursive-exclude * *.pyo
+recursive-exclude * *.orig
+recursive-exclude * .DS_Store
+global-exclude __pycache__/*
+global-exclude .deps/*
+global-exclude *.so
+global-exclude *.pyd
+global-exclude *.pyc
+global-exclude .git*
+global-exclude .DS_Store
+global-exclude .mailmap

examples/usage_example.py

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import time
+
+from pprint import pprint
+from zapv2 import ZAPv2
+
+target = 'http://127.0.0.1'
+
+# By default ZAP API client will connect to port 8080
+zap = ZAPv2()
+
+# Or, you can configure your own IP/Port
+# zap_9090 = ZAPv2(proxies={'http': '127.0.0.1:9090', 'https': '127.0.0.1:9090'})
+
+# Use the line below if ZAP is not listening on port 8080, for example, if listening on port 8090
+# zap = ZAPv2(proxies={'http': 'http://127.0.0.1:8090', 'https': 'http://127.0.0.1:8090'})
+
+# do stuff
+print('Accessing target %s' % target)
+
+# try have a unique enough session...
+zap.urlopen(target)
+
+# Give the sites tree a chance to get updated
+time.sleep(2)
+
+print('Spidering target %s' % target)
+scanid = zap.spider.scan(target)
+
+# Give the Spider a chance to start
+time.sleep(2)
+
+while int(zap.spider.status(scanid)) < 100:
+	print('Spider progress %: ' + zap.spider.status(scanid))
+	time.sleep(2)
+
+print('Spider completed')
+
+# Give the passive scanner a chance to finish
+time.sleep(5)
+
+print('Scanning target %s' % target)
+
+scanid = zap.ascan.scan(target)
+while int(zap.ascan.status(scanid)) < 100:
+	print('Scan progress %: ' + zap.ascan.status(scanid))
+	time.sleep(5)
+
+print('Scan completed')
+
+# Report the results
+
+print('Hosts: ' + ', '.join(zap.core.hosts))
+print('Alerts: ')
+pprint((zap.core.alerts()))

requirements.txt

@@ -0,0 +1,4 @@
+six
+ujson
+requests
+requests-cache

setup.py

@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+
+"""
+Standard build script.
+"""
+
+from __future__ import print_function
+
+from os.path import dirname, join
+
+try:
+    from setuptools import setup, find_packages
+except ImportError:
+    print("You must have setuptools installed to use setup.py. Exiting...")
+    raise SystemExit(1)
+
+__docformat__ = 'restructuredtext'
+
+# Import requirements
+with open(join(dirname(__file__), 'requirements.txt')) as f:
+    required = f.read().splitlines()
+
+setup(
+    name="python-owasp-zap-v2.4",
+    version="0.0.8",
+    description="OWASP ZAP 2.4 API client",
+    install_requires=required,
+    long_description="OWASP Zed Attack Proxy 2.4 API python client",
+    author="ZAP development team",
+    author_email='',
+    url="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project",
+    download_url="https://github.com/zaproxy/zaproxy/releases/tag/2.4.3",
+    platforms=['any'],
+
+    license="ASL2.0",
+
+    package_dir={
+        '': 'src',
+    },
+    packages=find_packages('src'),
+
+    classifiers=[
+        'License :: OSI Approved :: Apache Software License',
+        'Development Status :: 4 - Beta',
+        'Topic :: Security',
+        'Topic :: Software Development :: Libraries :: Python Modules',
+        'Intended Audience :: Developers',
+        'Intended Audience :: Information Technology',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 3',
+        'Programming Language :: Python'],
+)

zapv2/__init__.py

@@ -0,0 +1,194 @@
+# Zed Attack Proxy (ZAP) and its related class files.
+#
+# ZAP is an HTTP/HTTPS proxy for assessing web application security.
+#
+# Copyright 2012 ZAP development team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Client implementation for using the ZAP pentesting proxy remotely.
+"""
+
+try:
+    # High performance json library
+    import ujson as json
+except ImportError:
+    import json
+
+import os
+import six
+import requests
+import requests_cache
+requests_cache.install_cache('zap_cache', backend="memory")
+
+# Improving Python 2 & 3 compatibility
+if six.PY2:
+    from urllib import urlencode, urlopen
+    from urlparse import urlparse, urljoin
+else:
+    from urllib.parse import urlparse, urlencode, urljoin
+    from urllib.request import urlopen
+
+from .acsrf import acsrf
+from .ascan import ascan
+from .ajaxSpider import ajaxSpider
+from .authentication import authentication
+from .autoupdate import autoupdate
+from .brk import brk
+from .context import context
+from .core import core
+from .forcedUser import forcedUser
+from .httpSessions import httpSessions
+from .importLogFiles import importLogFiles
+from .params import params
+from .pnh import pnh
+from .pscan import pscan
+from .reveal import reveal
+from .script import script
+from .search import search
+from .selenium import selenium
+from .sessionManagement import sessionManagement
+from .spider import spider
+from .users import users
+
+__docformat__ = 'restructuredtext'
+
+
+class ZapError(Exception):
+    """
+    Base ZAP exception.
+    """
+    pass
+
+
+class ZAPv2(object):
+    """
+    Client API implementation for integrating with ZAP v2.
+    """
+
+    # base JSON api url
+    base = 'http://zap/JSON/'
+    # base OTHER api url
+    base_other = 'http://zap/OTHER/'
+
+    def __init__(self, proxies=None):
+        """
+        Creates an instance of the ZAP api client.
+
+        Example:
+        >>> z=ZAPv2()
+
+        Example with custom proxies
+        >>> my_proxies = {'http': 'http://10.0.1.1:9090', 'https': 'http://10.0.1.1:9090'}
+        >>> z=ZAPv2(proxies=my_proxies)
+
+        :param proxies: Dict with the scheme as key and PROXY url as value
+        :type proxies: dict(str:str)
+
+        """
+        if proxies is None:
+            # Set default
+            proxies = {'http': 'http://127.0.0.1:8080',
+                       'https': 'http://127.0.0.1:8080'}
+        self.__proxies = proxies
+
+        self.acsrf = acsrf(self)
+        self.ajaxSpider = ajaxSpider(self)
+        self.ascan = ascan(self)
+        self.authentication = authentication(self)
+        self.autoupdate = autoupdate(self)
+        self.brk = brk(self)
+        self.context = context(self)
+        self.core = core(self)
+        self.forcedUser = forcedUser(self)
+        self.httpsessions = httpSessions(self)
+        self.importLogFiles = importLogFiles(self)
+        self.params = params(self)
+        self.pnh = pnh(self)
+        self.pscan = pscan(self)
+        self.reveal = reveal(self)
+        self.script = script(self)
+        self.search = search(self)
+        self.selenium = selenium(self)
+        self.sessionManagement = sessionManagement(self)
+        self.spider = spider(self)
+        self.users = users(self)
+
+    def _expect_ok(self, json_data):
+        """
+        Checks that we have an OK response, else raises an exception.
+
+        :param json_data: the json data to look at.
+        :type json_data: json
+        """
+        if isinstance(json_data, list) and json_data[0] == u'OK':
+            return json_data
+
+        raise ZapError(*json_data.values())
+
+    def urlopen(self, *args, **kwargs):
+        """
+        Opens a url forcing the proxies to be used.
+
+        :param args: all non-keyword arguments.
+        :type args: list()
+
+        :param kwarg: all non-keyword arguments.
+        :type kwarg: dict()
+        """
+        # return urlopen(*args, **kwargs).read()
+        return requests.get(*args, proxies=self.__proxies).text
+
+    def status_code(self, *args, **kwargs):
+        """
+		Open a url forcing the proxies to be used.
+
+        :param args: all non-keyword arguments.
+        :type args: list()
+
+        :param kwarg: all non-keyword arguments.
+        :type kwarg: dict()
+		"""
+        # return urlopen(*args, **kwargs).getcode()
+        return requests.get(*args, proxies=self.__proxies).status_code
+
+    def _request(self, url, get=None):
+        """
+        Shortcut for a GET request.
+
+        :param url: the url to GET at.
+        :type url: str
+
+        :param get: the dictionary to turn into GET variables.
+        :type get: dict(str:str)
+        """
+        if get is None:
+            get = {}
+
+        return json.loads(self.urlopen("%s?%s" % (url, urlencode(get))))
+
+    def _request_other(self, url, get=None):
+        """
+        Shortcut for an API OTHER GET request.
+
+        :param url: the url to GET at.
+        :type url: str
+
+        :param get: the dictionary to turn into GET variables.
+        :type get: dict(str:str)
+        """
+        if get is None:
+            get = {}
+
+        return self.urlopen("%s?%s" % (url, urlencode(get)))