I want to get an HTML report from zap-cli. I am able to run these commands, but is there a way to run both of them in a single command?
[sb@company.local@sb-test-vm ~]$ zap-cli quick-scan -s xss,sqli --spider -r -e "some_regex_pattern" http://demo.testfire.net/
[INFO] Running a quick scan for http://demo.testfire.net/
[INFO] Issues found: 6
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
| Alert | Risk | CWE ID | URL |
+==================================+========+==========+==================================================================================================================+
| Cross Site Scripting (Reflected) | High | 79 | http://demo.testfire.net/bank/login.aspx |
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
| Cross Site Scripting (Reflected) | High | 79 | http://demo.testfire.net/comment.aspx |
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
| Cross Site Scripting (Reflected) | High | 79 | http://demo.testfire.net/notfound.aspx?aspxerrorpath=%3C%2Fb%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cb%3E |
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
| Cross Site Scripting (Reflected) | High | 79 | http://demo.testfire.net/search.aspx?txtSearch=%3C%2Fspan%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cspan%3E |
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
| SQL Injection | High | 89 | http://demo.testfire.net/bank/login.aspx |
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
| SQL Injection | High | 89 | http://demo.testfire.net/bank/login.aspx |
+----------------------------------+--------+----------+------------------------------------------------------------------------------------------------------------------+
[sb@company.local@sb-test-vm ~]$ zap-cli report -o abc.html -f html
[INFO] Report saved to "abc.html"
[sb@company.local@sb-test-vm ~]$ ls -l abc.html
-rw-rw-r--. 1 sb@company.local sb@company.local 58659 Sep 25 16:39 abc.html
[sb@company.local@sb-test-vm ~]$ date
Tue Sep 25 16:39:16 EDT 2018
[sb@company.local@sb-test-vm ~]$
I tried the switches provided, but I could not get the scan executed and the report generated in a single one-liner. I am open to using zap.sh, although I did not see an option to generate a report in HTML format, only XML. Any insight on this is appreciated.
zap-cli --help
Usage: zap-cli [OPTIONS] COMMAND [ARGS]...
ZAP CLI v0.9.0 - A simple commandline tool for OWASP ZAP.
Options:
--boring Remove color from console output.
-v, --verbose Add more verbose debugging output.
--zap-path TEXT Path to the ZAP daemon. Defaults to /zap or the value of the environment variable ZAP_PATH.
-p, --port INTEGER Port of the ZAP proxy. Defaults to 8090 or the value of the environment variable ZAP_PORT.
--zap-url TEXT The URL of the ZAP proxy. Defaults to http://127.0.0.1
or the value of the environment variable ZAP_URL.
--api-key TEXT The API key for using the ZAP API if required. Defaults
to the value of the environment variable ZAP_API_KEY.
--help Show this message and exit.
Commands:
active-scan Run an Active Scan.
ajax-spider Run the AJAX Spider against a URL.
alerts Show alerts at the given alert level.
context Manage contexts for the current session.
exclude Exclude a pattern from all scanners.
open-url Open a URL using the ZAP proxy.
policies Enable or list a set of policies.
quick-scan Run a quick scan.
report Generate XML, MD or HTML report.
scanners Enable, disable, or list a set of scanners.
scripts Manage scripts.
session Manage sessions.
shutdown Shutdown the ZAP daemon.
spider Run the spider against a URL.
start Start the ZAP daemon.
status Check if ZAP is running.
Edit:
I tried this command, but there was no abc.html file in the current directory. I searched for it, but could not find abc.html anywhere.
zap-cli quick-scan -s xss,sqli --spider -r -e "some_regex_pattern" http://demo.testfire.net/ && zap-cli report -o abc.html -f html
So next, I tried putting these 2 commands into a zap-run.sh script, did chmod +x on the script and ran it, and that DID create the abc.html file. So, thank you.
Answer 0 (score: 1)
If the main goal is a "one-liner", why not just chain the commands directly?
zap-cli quick-scan -s xss,sqli --spider -r -e "some_regex_pattern" http://demo.testfire.net/ && zap-cli report -o abc.html -f html
If that is not suitable, put both commands into a batch file (or shell script) and call that instead.
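As an added example (not code from the asker or the answerer), here is the "put both commands in a shell script" approach written as one POSIX sh function that runs the quick scan, writes the HTML report, and then checks that the report file really exists before reporting success. The function name zap_scan_and_report and the ZAP_CLI override variable are my own choices; the zap-cli arguments are the ones used in the question.

```shell
#!/bin/sh
# zap_scan_and_report TARGET_URL REPORT_PATH [EXCLUDE_REGEX]
# Runs "zap-cli quick-scan" followed by "zap-cli report -f html" and only
# returns 0 when the report file exists and is non-empty afterwards.
# Exit status: 1 = scan failed, 2 = report command failed,
#              3 = report command exited 0 but wrote no file.
# ZAP_CLI lets you point at a different binary or a stub (assumption, not a
# zap-cli feature); it defaults to "zap-cli" on PATH.
ZAP_CLI="${ZAP_CLI:-zap-cli}"

zap_scan_and_report() {
    target="$1"
    report="$2"
    exclude="${3:-}"

    # Turn a relative output path into an absolute one so the success
    # message names exactly where the file landed.
    case "$report" in
        /*) ;;
        *) report="$PWD/$report" ;;
    esac

    # Step 1: the quick scan (same options as in the question).
    if [ -n "$exclude" ]; then
        "$ZAP_CLI" quick-scan -s xss,sqli --spider -r -e "$exclude" "$target" || return 1
    else
        "$ZAP_CLI" quick-scan -s xss,sqli --spider -r "$target" || return 1
    fi

    # Step 2: the HTML report; stop here if zap-cli itself reports failure.
    "$ZAP_CLI" report -o "$report" -f html || return 2

    # Step 3: do not trust the exit code alone; verify the artifact exists.
    [ -s "$report" ] || return 3
    printf 'report written to %s\n' "$report"
    return 0
}
```

Save it as zap-run.sh, then `. ./zap-run.sh && zap_scan_and_report http://demo.testfire.net/ abc.html "some_regex_pattern"`; a non-zero exit tells you which of the three steps went wrong.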