-
-
Notifications
You must be signed in to change notification settings - Fork 240
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Simon Bennetts <psiinon@gmail.com>
- Loading branch information
Showing
3 changed files
with
98 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
// This script monitors the active scanner and ends the scan if certain conditions are met. | ||
// By default it just ends the scan for high: | ||
// * Connection failures | ||
// * Authentication failures | ||
// * Response times | ||
// You can easily chane the script to end the scan for other conditions, such as high 4xx / 5xx response codes, | ||
// but these tend to be application specific so they are not enabled by default. | ||
|
||
var SessionStructure = Java.type("org.zaproxy.zap.model.SessionStructure"); | ||
var Timer = Java.type("java.util.Timer"); | ||
var TimerTask = Java.type("java.util.TimerTask"); | ||
var URI = Java.type("org.apache.commons.httpclient.URI"); | ||
var View = Java.type("org.parosproxy.paros.view.View"); | ||
|
||
var extAscan = control.getExtensionLoader().getExtension("ExtensionActiveScan"); | ||
var inMemoryStats = control.getExtensionLoader() | ||
.getExtension("ExtensionStats").getInMemoryStats(); | ||
|
||
var timer = new Timer(); | ||
var timerSecs = 10 * 1000; // Check every 10 secs | ||
|
||
// Set to true to see the stats reported live | ||
var log = false; | ||
|
||
/** | ||
* This function is called when the script is enabled. | ||
* | ||
* @param helper - a helper class which provides the methods: | ||
* getView() this returns a View object which provides an easy way to add graphical elements. | ||
* It will be null is ZAP is running in daemon mode. | ||
* getApi() this returns an API object which provides an easy way to add new API calls. | ||
* Links to any functionality added should be held in script variables so that they can be removed in uninstall. | ||
*/ | ||
function install(helper) { | ||
timer.scheduleAtFixedRate(new TimerTask() { | ||
run() { | ||
runchecks(); | ||
} | ||
}, 0, timerSecs); | ||
} | ||
|
||
function getStat(site, stat) { | ||
var val = site == null ? inMemoryStats.getStat(stat) : inMemoryStats.getStat(site, stat); | ||
return val == null ? 0 : val; | ||
} | ||
|
||
// Response times are recorded in logarithmic time slices | ||
function getLongRespStats(site) { | ||
return getStat(site, "stats.responseTime.16384") | ||
+ getStat(site, "stats.responseTime.32768") | ||
+ getStat(site, "stats.responseTime.65536"); | ||
} | ||
|
||
function runchecks() { | ||
if (log) print("Running checks.."); | ||
ascans = extAscan.getActiveScans(); | ||
ascans.forEach((as, i) => { | ||
// For the full set of stats that can be monitored see https://www.zaproxy.org/docs/internal-statistics/ | ||
var site = SessionStructure.getHostName(new URI(as.getDisplayName(), true)); | ||
print("Site: " + site); | ||
// Connection failures are global rather than site specific | ||
var connFails = getStat(null, "stats.connect.failure"); // TODO change to new name | ||
// All HTTP response codes are recorded, so you can add checks for 401, 403 etc etc | ||
var stats401 = getStat(site, "stats.code.401"); | ||
var stats500 = getStat(site, "stats.code.500"); | ||
// Auth fails are only relevant for authenticated scans | ||
var authFails = getStat(site, "stats.auth.failure"); | ||
var longResp = getLongRespStats(site) | ||
|
||
if (log) { | ||
print(" 401 resps:\t" + stats401); | ||
print(" 500 resps:\t" + stats500); | ||
print(" conn fails:\t" + connFails); | ||
print(" auth fails:\t" + authFails); | ||
print(" long resps:\t" + longResp); | ||
} | ||
if (connFails > 1000 || authFails > 1000 || longResp > 1000) { | ||
if (log) print("Stopping ascan " + site); | ||
as.stopScan(); | ||
} | ||
}); | ||
} | ||
|
||
/** | ||
* This function is called when the script is disabled. | ||
* | ||
* @param helper - a helper class which provides the methods: | ||
* getView() this returns a View object which provides an easy way to add graphical elements. | ||
* It will be null is ZAP is running in daemon mode. | ||
* getApi() this returns an API object which provides an easy way to add new API calls. | ||
*/ | ||
function uninstall(helper) { | ||
timer.cancel(); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters