Open afeld opened 8 years ago
What problems have you encountered? And how can we, the ZAP core team, help? That's what we're here for :)
Hi! I kind of felt bad about posting this, because you have been super helpful and supportive in the millions of times you've come up in Google searches 😄 The work I'm doing is here, if you're interested: https://github.com/18F/concourse-compliance-testing/pull/100
I've been wanting to post issues as I came across them, but have been in hustle mode, so didn't get a chance to (yet). For context: we have a bunch of sites we scan using ZAP via Concourse CI, and that number is growing all of the time. We have a number that use single-sign on, so I'm trying to automate getting through that so the sites can be fully tested. The high-level issues I've run into with ZAP in working on this feature:
- `contextName` in some places, vs. `contextId` in others.
- `JSON/context/view/contextList/` gives the list of names (as a stringified array?), but not the IDs.
- `zap2docker-stable` provides Rhino. This was a not-pleasant surprise (I couldn't figure out why my script was working in one place but not the other), and it doesn't seem to be documented. Would be nice to pick one and use it in both places.
- `sleep`ing...would be nice to have that built in as an option to make users' lives easier. Also, it's not obvious to me when something's not working as expected, or if I just didn't `sleep` long enough, or what.
- `Unable to persist User`), which led me to digging through the source of ZAP itself.
- `authentication/action/setAuthenticationMethod/` taking `authMethodConfigParams`.
- `ENTER` in the forms through the API UI doesn't submit the form.

Will add to this list if I remember others. I really want to like ZAP, but it just feels like I've had to jump through a lot of hoops to do setup that doesn't seem like it should be super complicated. I know that's a lot all at once...thanks in advance for any response!
Er ... best advice - talk to us as and when you hit issues rather than waiting until you feel overwhelmed :P They all look like completely understandable problems, but what you're trying is completely in line with what we want to support so we want to fix them. And if you're ok with using the weekly releases we can get any code fixes required to you relatively quickly. My advice - take things one step at a time. What's the first thing that you want to get working - one that will show you that you've made a start? And what problems have you encountered with ZAP that prevent you from achieving that? That's what we'll help you with :) If you're ok with that then are you ok moving this discussion to the ZAP User Group? https://groups.google.com/forum/#!forum/zaproxy-users I'm sure lots of other ZAP users can learn from this, and some might even have good solutions for some of your problems. Many thanks
> talk to us as and when you hit issues rather than waiting until you feel overwhelmed

Heh, yeah, definitely hear that. I was trying to do this in a rush so was trying to get it working however I could, but will hopefully have time over the coming week or so to step back and open bug reports or start discussions where appropriate.

> if you're ok with using the weekly releases we can get any code fixes required to you relatively quickly

👍

> If you're ok with that then are you ok moving this discussion to the ZAP User Group?

Yep! Will try and post an overall "how would you approach this?" discussion there soon.
ZAP has been harder to work with than expected...we should look into alternatives.