How to run OWASP ZAP Docker Image

Deshani Geethika
Jul 23, 2017 · 2 min read

Installation Instructions

You can pull a Docker image with OWASP ZAP pre-installed using the following command. Note that there are three image variants, called stable, weekly and live. The following pulls the stable version.

docker pull owasp/zap2docker-stable

ZAP GUI in Web Browser

Starting from ZAP 2.5.0, you can run the ZAP desktop GUI in a web browser (the image ships a Webswing launcher for this), using the following command.

docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh

Then point the browser at http://localhost:8080/?anonym=true&app=ZAP. The usual ZAP desktop GUI is rendered in your browser.

Run ZAP in Headless Mode

Use the following command to run ZAP in headless (daemon) mode.

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080

Accessing the API from outside of the Docker container:

The -p 8090:8090 flag publishes the container's port 8090 on the host, so as long as ZAP listens on 0.0.0.0 inside the container (the -host 0.0.0.0 option), the API is reachable from the host at http://localhost:8090/. The container also gets its own address on the Docker bridge network, which Docker assigns when the container starts (on a default Linux install from 172.17.0.0/16), and on Linux the API can be reached at that address directly from the host as well.

First, run the following command so that ZAP listens on 0.0.0.0:8090 inside the container, with the port published on the host:

docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0

Next, run the following command to find the running container's id/name:

docker ps

Then use the following command to look up the IP address of the container:

docker inspect <CONTAINER ID/ NAME> | grep IPAddress

Now you can point the browser at that address with port 8090 (eg: http://172.17.0.2:8090/ ). Either way, the request reaches ZAP from an address other than 127.0.0.1, so the API key and permitted-address settings described below apply.

[IMPORTANT] Required Configurations to run ZAP Docker Image

API Key

As a new security feature, ZAP releases from 2.6.0 onwards require an API key by default in order to invoke API operations. This prevents malicious sites (for example a page open in the same browser as the ZAP GUI) from invoking the ZAP API.

You can set the API key manually as follows (use a long random value rather than this placeholder; the key is then passed with each request, for example as the apikey query parameter):

-config api.key=change-me-9203935709

However, you can disable the API key. This is not recommended unless ZAP runs in a completely isolated environment, because it lets any site reachable from your browser invoke the ZAP API.

-config api.disablekey=true

Allowed IP Addresses

Moreover, by default ZAP only accepts API connections from the local machine (localhost) and refuses all other addresses. You can allow a specific IP address to connect by using the option below. The address is a placeholder; with Docker's default bridge network on Linux, requests from the host arrive at the container from the bridge gateway, which is 172.17.0.1 on a default install, so that is the address you would typically permit.

-config api.addrs.addr.name=172.17.0.1

However, if you use ZAP in a completely isolated environment, you can allow all IP addresses to connect to the ZAP API by permitting a regular expression that matches everything.

-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

As an example, the final command to run ZAP in headless mode with the API key disabled and all addresses permitted (again, only acceptable in a completely isolated environment) might look like this:

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
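The following script is an added example, not part of the original post, that ties the headless-mode procedure and the API key/permitted-address configuration above into one runnable start-up routine. Instead of disabling the key it generates a random one, publishes the API port on the host's loopback interface only (so the API is unreachable from the network even though ZAP listens on 0.0.0.0 inside the container), keeps the post's api.addrs regex because the host reaches the container from its bridge address rather than 127.0.0.1, and then polls the core/version API view until ZAP answers. It assumes docker and curl are on PATH, the owasp/zap2docker-stable image from the post, and port 8090 unless ZAP_PORT is set; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post): start ZAP headless in Docker with
# a random API key, publish the API port on loopback only, wait until the API
# answers, and confirm that requests without the key are refused.
# Assumed: docker and curl on PATH, image owasp/zap2docker-stable, port 8090.

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"

# 16 random bytes from /dev/urandom rendered as 32 hex characters: the API key.
zap_gen_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Build the docker run command line for a given key and port.
# -d runs detached and prints the container id; -p 127.0.0.1:PORT:PORT binds the
# published port to the host's loopback interface only. api.addrs is opened with
# the regex from the post because the host is not 127.0.0.1 from the container's
# point of view; the API key is what gates access.
zap_run_cmd() {
    key=$1
    port=$2
    printf '%s' "docker run -u zap -d -p 127.0.0.1:${port}:${port} ${ZAP_IMAGE} zap.sh -daemon -host 0.0.0.0 -port ${port} -config api.key=${key} -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true"
}

# URL of a JSON API view with the key as the apikey parameter,
# e.g. zap_api_url 8090 KEY core version
zap_api_url() {
    port=$1
    key=$2
    component=$3
    view=$4
    printf 'http://127.0.0.1:%s/JSON/%s/view/%s/?apikey=%s' "$port" "$component" "$view" "$key"
}

# Poll a URL until it answers with a 2xx (return 0) or attempts run out (return 1).
zap_wait_ready() {
    url=$1
    attempts=${2:-30}
    while [ "$attempts" -gt 0 ]; do
        if curl -fsS "$url" >/dev/null 2>&1; then
            return 0
        fi
        attempts=$((attempts - 1))
        sleep 2
    done
    return 1
}

main() {
    port=${ZAP_PORT:-8090}
    key=$(zap_gen_key)
    cid=$(eval "$(zap_run_cmd "$key" "$port")")
    echo "container: $cid"
    url=$(zap_api_url "$port" "$key" core version)
    if ! zap_wait_ready "$url"; then
        echo "ZAP did not come up; last 20 log lines:" >&2
        docker logs --tail 20 "$cid" >&2
        exit 1
    fi
    echo "ZAP version response: $(curl -fsS "$url")"
    # The same view without the key must be refused (curl -f fails on 4xx/5xx).
    if curl -fsS "http://127.0.0.1:${port}/JSON/core/view/version/" >/dev/null 2>&1; then
        echo "WARNING: API answered a request that carried no API key" >&2
    fi
    echo "API key: $key (stop with: docker stop $cid)"
}

# Only start a container when explicitly asked, so the functions can be sourced.
if [ "${ZAP_RUN:-0}" = 1 ]; then
    main
fi
```

Run it with ZAP_RUN=1 sh zap-headless.sh; the key it prints is what every subsequent API call needs, and because the port is bound to 127.0.0.1 on the host, other machines cannot reach the API at all, regardless of the permissive api.addrs setting.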

Written by Deshani Geethika: Software Engineer @Sysco LABS | Apache Committer and PMC Member @Apache Allura | Former Software Engineering Intern @WSO2 | CSE | UoM | SL
