in dusty/scanners/dast/zap/scanner.py [0:0]
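def _prepare_context(self):
    """Load or create the ZAP context and configure its scope and authentication.

    Reads these keys from ``self.config``:

    * ``context_file`` -- path of a saved ZAP context to import. When absent a
      new context named ``"dusty"`` is created and a regex matching the
      ``target`` hostname is included in it.
    * ``include`` -- regexes added to the context scope.
    * ``exclude`` -- regexes removed from the context scope and also excluded
      from the spider, the active scanner and the proxy.
    * ``exclude_from_context`` / ``exclude_from_spider`` /
      ``exclude_from_ascan`` / ``exclude_from_proxy`` -- ``False`` (or an empty
      list) skips that exclusion step entirely; a list, or a single regex
      string, adds extra patterns for that step only.
    * ``auth_script`` -- login script forwarded to ZAP's script-based
      authentication, together with ``auth_login`` / ``auth_password`` and the
      optional ``logged_in_indicator`` / ``logged_out_indicator`` regexes.

    Sets ``self._zap_context_name`` and ``self._zap_context``; when
    ``auth_script`` is configured also ``self._zap_user``.
    """
    if self.config.get("context_file", None):
        log.info("Loading context")
        # import_context returns the id of the imported context; context_list is
        # assumed to be ordered by 1-based id -- TODO confirm against the ZAP API
        context_data = self._zap_api.context.import_context(self.config.get("context_file"))
        self._zap_context_name = self._zap_api.context.context_list[int(context_data) - 1]
        self._zap_context = context_data
    else:
        log.info("Preparing context")
        self._zap_context_name = "dusty"
        self._zap_context = self._zap_api.context.new_context(self._zap_context_name)
        # Scope the fresh context to the target host: any URL containing its hostname
        self._zap_api.context.include_in_context(
            self._zap_context_name,
            f".*{re.escape(url.parse_url(self.config.get('target')).hostname)}.*"
        )
    # Context inclusions
    for include_regex in self.config.get("include", list()):
        self._zap_api.context.include_in_context(self._zap_context_name, include_regex)
    # Exclusions: the shared "exclude" list plus per-component extras
    common_excludes = self.config.get("exclude", list())

    def _apply_excludes(key, exclude):
        """Push ``common_excludes`` and the extras configured under ``key``
        through ``exclude`` unless ``key`` disables the step."""
        setting = self.config.get(key, True)
        # False / empty list switches the whole step off, common list included
        if not setting:
            return
        for exclude_regex in common_excludes:
            exclude(exclude_regex)
        # A bare string is one extra pattern; a list is several; True adds none
        if isinstance(setting, str):
            setting = [setting]
        if isinstance(setting, list):
            for exclude_regex in setting:
                exclude(exclude_regex)

    _apply_excludes(
        "exclude_from_context",
        lambda regex: self._zap_api.context.exclude_from_context(self._zap_context_name, regex),
    )
    _apply_excludes("exclude_from_spider", self._zap_api.spider.exclude_from_scan)
    _apply_excludes("exclude_from_ascan", self._zap_api.ascan.exclude_from_scan)
    _apply_excludes("exclude_from_proxy", self._zap_api.core.exclude_from_proxy)
    # Auth script
    if self.config.get("auth_script", None):
        script_name = "zap-selenium-login.js"
        # Load the bundled authentication script shipped with the package
        self._zap_api.script.load(
            scriptname=script_name,
            scripttype="authentication",
            scriptengine="Oracle Nashorn",
            filename=pkg_resources.resource_filename(
                "dusty",
                f"{'/'.join(__name__.split('.')[1:-1])}/data/{script_name}"
            ),
            scriptdescription="Login via selenium script"
        )
        # Bind the loaded script to the context; the user-supplied auth_script is
        # passed to it as base64-encoded JSON in the "Script" parameter
        self._zap_api.authentication.set_authentication_method(
            self._zap_context,
            "scriptBasedAuthentication",
            urllib.parse.urlencode({
                "scriptName": script_name,
                "Target": self.config.get("target"),
                "Script": base64.b64encode(
                    json.dumps(
                        self.config.get("auth_script")
                    ).encode("utf-8")
                ).decode("utf-8")
            })
        )
        # Create the scanning user and attach the configured credentials
        self._zap_user = self._zap_api.users.new_user(self._zap_context, "dusty_user")
        self._zap_api.users.set_authentication_credentials(
            self._zap_context,
            self._zap_user,
            urllib.parse.urlencode({
                "Username": self.config.get("auth_login", ""),
                "Password": self.config.get("auth_password", ""),
                "type": "UsernamePasswordAuthenticationCredentials"
            })
        )
        self._zap_api.users.set_user_enabled(self._zap_context, self._zap_user, True)
        # Optional regexes ZAP uses to tell logged-in from logged-out responses
        if self.config.get("logged_in_indicator", None):
            self._zap_api.authentication.set_logged_in_indicator(
                self._zap_context, self.config.get("logged_in_indicator")
            )
        if self.config.get("logged_out_indicator", None):
            self._zap_api.authentication.set_logged_out_indicator(
                self._zap_context, self.config.get("logged_out_indicator")
            )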