
thc202 edited this page Sep 2, 2016 · 5 revisions

Export Report Version 1.0

Report Export module that allows users to customize content and export in a desired format.

  • Created by JordanGS.
  • Minimum Supported Version: Weekly Release ZAP_D-2016-08-15
  • Project on GitHub. You can also find a zip of the minimum supported release in the zap-download folder.

Source Info

User-entered and automatically retrieved data relevant to the report. Hover over each field in the extension for a tooltip.

  • Title - Defaults to Session Name
  • By
  • For
  • Scan Date - User entered date of AScan, defaults to current datetime
  • Report Date - Defaults to current datetime
  • Scan Version - Placeholder for future
  • Report Version - Defaults to current version of ZAP tool

Alert Severity

Include/Exclude Alerts by Severity.

Included by Default

  • High
  • Medium
  • Low
  • Informational

Alert Details

Include/Exclude Details of each Alert.

Included by Default

  • CWE ID
  • WASC ID
  • Description
  • Other Info
  • Solution
  • Reference

Excluded by Default

  • Request Header
  • Response Header
  • Request Body
  • Response Body

File Chooser Dialog

The dialog only shows folders and accepted filetypes. The 'Files of Type' drop down list will filter to show only folders and files of the specified extension.

Currently Available

  • ASCII 1.0 Strict Compliant XHTML Files (*xhtml)
  • XML Files (*xml)
  • JSON Files (*json)

Version 2.0 Milestone

  • Bootstrap HTML Files (*bootstrap.html)
  • PDF Documents (*pdf)
  • Google Documents (*doc)

Version 1.0 UI

  • Show all accepted files
  • List of accepted file formats
  • Filter by a specific file format

Command Line

The extension can be run from the command line as well and requires the following arguments to be passed in to generate a report.

OWASP ZAP Proxy Command Line Options

  • -session: Opens the given session after starting ZAP
  • -cmd: Runs ZAP 'inline', i.e. without starting the UI or a daemon

See the Wiki for more details on the natively supported command line options.

Export Report Extension Command Line Options


  • -export_report:

    • Description:

      • Saves to the specified file after loading the given session.
    • Currently Available

      • ASCII 1.0 Strict Compliant XHTML Files (*xhtml)
      • XML Files (*xml)
      • JSON Files (*json)
    • Version 2.0 Milestone

      • Bootstrap HTML Files (*bootstrap.html)
      • PDF Documents (*pdf)
      • Google Documents (*doc)

  • -source_info:

    • Description:

      • Specifies the following details of the report:
        1. Title
        2. By
        3. For
        4. Scan Date
        5. Report Date
        6. Scan Ver
        7. Report Ver
        8. Description
    • Example:

      • -source_info "Vulnerability Report of MyApp.com;JordanGS;Lost Souls;August 15, 2016;August 18, 2016;ZAP_D-2016-08-15;ZAP_D-2016-08-15;Lorem ipsum dolor sit amet, pri corpora ancillae adolescens in. Ea usu atomorum tincidunt, ne munere regione has. Ne sea summo tation, et sed nibh nostrum singulis. Nec causae viderer discere eu."
    • Validation:

      • Content is not checked, so fields may be left empty. The only condition is that all 8 items are in the list.

  • -alert_severity:

    • Description:

      • Specifies which alert severities will be included in the report:
        1. High
        2. Medium
        3. Low
        4. Informational
    • Input format:

      • Only accepts a string list with ';' delimiter
    • Input restriction:

      • Only accepts 't' and 'f' for each item in the list
    • Example:

      • -alert_severity "t;t;f;t"
    • Explanation:

      • In the above example, only High, Medium and Informational Alerts will be included in the generated report.
    • Validation:

      • Content is validated to be either 't' or 'f' and that all 4 items are in the list.

  • -alert_details:

    • Description:

      • Specifies which alert details will be included in the report:
        1. CWE ID
        2. WASC ID
        3. Description
        4. Other Info
        5. Solution
        6. Reference
        7. Request Header
        8. Response Header
        9. Request Body
        10. Response Body
    • Input format:

      • Only accepts a string list with ';' delimiter
    • Input restriction:

      • Only accepts 't' and 'f' for each item in the list
    • Example:

      • -alert_details "t;t;t;t;t;t;f;f;f;f"
    • Explanation:

      • In the above example, only CWE ID, WASC ID, Description, Other Info, Solution and Reference Alert Details will be included in the generated report.
    • Validation:

      • Content is validated to be either 't' or 'f' and that all 10 items are in the list.

Putting it all together! (Windows)

  1. Open a command prompt
  2. Navigate to the folder where the zap.bat file is located
  3. Execute the following:

     zap.bat -export_report "/path/to/save/report.xhtml" -source_info "Vulnerability Report of MyApp.com;JordanGS;Lost Souls;August 15, 2016;August 18, 2016;ZAP_D-2016-08-15;ZAP_D-2016-08-15;Lorem ipsum dolor sit amet, pri corpora ancillae adolescens in. Ea usu atomorum tincidunt, ne munere regione has. Ne sea summo tation, et sed nibh nostrum singulis. Nec causae viderer discere eu." -alert_severity "t;t;f;t" -alert_details "t;t;t;t;t;t;f;f;f;f" -session "/path/to/existing/session" -cmd
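
An added example (not part of the add-on or of this wiki): a Python helper that assembles the arguments above as an argv list and applies the documented item-count and 't'/'f' rules before ZAP is started. The function names are hypothetical, and rejecting a ';' inside a -source_info field is an assumption drawn from the 8-item rule, since that content is otherwise unchecked.

```python
# Added example: hypothetical helper names, not part of the add-on.
SOURCE_FIELDS = ["Title", "By", "For", "Scan Date", "Report Date",
                 "Scan Ver", "Report Ver", "Description"]
SEVERITIES = ["High", "Medium", "Low", "Informational"]
DETAILS = ["CWE ID", "WASC ID", "Description", "Other Info", "Solution",
           "Reference", "Request Header", "Response Header",
           "Request Body", "Response Body"]


def flags(order, included):
    """Return the ordered 't;f;...' string for the names in `included`."""
    unknown = set(included) - set(order)
    if unknown:
        raise ValueError(f"unknown item(s): {sorted(unknown)}")
    return ";".join("t" if name in included else "f" for name in order)


def source_info(values):
    """Join the 8 fields in page order; empty strings are allowed."""
    if set(values) != set(SOURCE_FIELDS):
        raise ValueError("exactly these fields are required: "
                         + ", ".join(SOURCE_FIELDS))
    for name, text in values.items():
        # Assumption: a ';' inside a field would change the item count.
        if ";" in text:
            raise ValueError(f"{name!r} must not contain ';'")
    return ";".join(values[name] for name in SOURCE_FIELDS)


def build_export_args(report, session, info, severities, details):
    """Arguments to append after zap.bat, as a list (no shell quoting)."""
    return ["-export_report", report,
            "-source_info", source_info(info),
            "-alert_severity", flags(SEVERITIES, severities),
            "-alert_details", flags(DETAILS, details),
            "-session", session, "-cmd"]


if __name__ == "__main__":
    # Constructed sample values.
    info = dict.fromkeys(SOURCE_FIELDS, "")
    info.update({"Title": "Vulnerability Report of MyApp.com",
                 "By": "JordanGS", "For": "Lost Souls"})
    print(build_export_args("/path/to/save/report.xhtml",
                            "/path/to/existing/session", info,
                            {"High", "Medium", "Informational"},
                            set(DETAILS[:6])))
```

The default detail set leaves request and response headers and bodies out of the report; these can carry session tokens or credentials, so switch them on only for reports with a restricted audience.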