OWASP ZAP CLI - generating PDF report using Export Report add-on and WkHTMLtoPDF

hakobyansen

Senik Hakobyan

Posted on June 9, 2020

OWASP ZAP CLI - generating PDF report using Export Report add-on and WkHTMLtoPDF

Hello community.

Intro

In the last post I described the web application scanning with Zaproxy CLI installed on Kali Linux.

Zaproxy by default generates an output in XML format. It's cool, but I want a PDF report.

I've installed the Export Report add-on that provides an ability to generate nice reports in different formats (.xhtml, .pdf, .json, .xml).

Scan & Export

Now, let's put together a simple bash script.



#!/bin/bash

# Getting the host passed as an argument to the script
host="$1"

# Getting current timestamp to use it in the session name
timestamp=$(date '+%s');

# Exit if host is not specified
if [ -z "$host" ]; then
    echo -e "Please pass the host argument.\r"
    exit 1
fi

# Launching the scan
/usr/share/zaproxy/zap.sh -quickurl "$host" -newsession "$timestamp" -cmd;

# Defining variables that contain metadata for the report
report_name="Vulnerability Report - $host"
prepared_by="h4x0r"
prepared_for="X Corp"
scan_date=$(date -d @$timestamp)
report_date=$(date -d @$timestamp)
scan_version="N/A"
report_version="N/A"
report_description="Home page vulnerability report of the Example project."
file_name="$timestamp"

# Getting the report generated in XHTML format
/usr/share/zaproxy/zap.sh -export_report "$HOME"/"$file_name".xhtml -source_info "$report_title;$prepared_by;$prepared_for;$scan_date;$report_date;$scan_version;$report_version;$report_description" -alert_severity "t;t;f;t" -alert_details "t;t;t;t;t;t;f;f;f;f" -session "$timestamp.session" -cmd


Enter fullscreen mode Exit fullscreen mode

Here you can read about "Export Report" command line options.

PDF is not supported

Unfortunately the 2.9.0 version I've installed, does not support output in .pdf format. There was an issue and PR for that, so future releases probably will include that fix.

ExportReport addon PDF Output #2177

JFM9 avatar
JFM9 posted on

Ported AlertReport's PDF export functionality into ExportReport.

The ported functionality uses AlertReport's method of obtaining the alerts, not the XML dump. This could be standardized to use the XML dump already generated by ExportReport if desired.

This functionality is accessible through ExportReport's menu item by selecting PDF as export format.

Fixes: #5535

At this point I don't want to upgrade anything, just because I want to have "Latest release" instead of "Pre-release", so I have a workaround - WkHTMLtoPDF.

The Workaround

If you're from the future - you're probably able to generate PDF report without this workaround.

The idea is to get the report in XHTML format and convert it to PDF programmatically.

Installation

Because I'm using Kali, which is based on Debian, I need to download the deb package (check the Downloads section if you need something else).

wget https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-rc/wkhtmltox_0.12.6-0.20200605.30.rc.faa06fa.stretch_amd64.deb

Now install the package.

sudo dpkg -i wkhtmltox_0.12.6-0.20200605.30.rc.faa06fa.stretch_amd64.deb

Usage

To convert html/xhtml to pdf, simply run a command:

wkhtmltopdf file.xhtml file.pdf

Updating the bash script

Now let's convert the XHTML report to PDF using the wkhtmltopdf tool. We just need to include single line to the end of the script.



#!/bin/bash

# Get the host passed as an argument to the script
host="$1"

# Getting current timestamp to use it in the session name
timestamp=$(date '+%s');

# Exit if host is not specified
if [ -z "$host" ]; then
    echo -e "Please pass the host argument.\r"
    exit 1
fi

# Launching the scan
/usr/share/zaproxy/zap.sh -quickurl "$host" -newsession "$timestamp" -cmd;

# Defining variables that contain metadata for the report
report_name="Vulnerability Report - $host"
prepared_by="h4x0r"
prepared_for="X Corp"
scan_date=$(date -d @$timestamp)
report_date=$(date -d @$timestamp)
scan_version="N/A"
report_version="N/A"
report_description="Home page vulnerability report of the Example project."
file_name="$timestamp"

# Getting the report generated in XHTML format
/usr/share/zaproxy/zap.sh -export_report "$HOME"/"$file_name".xhtml -source_info "$report_title;$prepared_by;$prepared_for;$scan_date;$report_date;$scan_version;$report_version;$report_description" -alert_severity "t;t;f;t" -alert_details "t;t;t;t;t;t;f;f;f;f" -session "$timestamp.session" -cmd

# Converting XHTML report to PDF
wkhtmltopdf "$HOME"/"$file_name".xhtml "$HOME"/"$file_name".pdf


Enter fullscreen mode Exit fullscreen mode

Hopefully my comments in the script are clear enough.

Here is the Gist

Though you can download it using wget.

wget https://gist.githubusercontent.com/c0d3b0t/5139c61104f232206c49897701811b0d/raw/3de6356df81ed0a34310a095463e4c03ce2ee62a/run-zap.sh

You can launch that script by running bash run-zap.sh http://example.com where "example.com" is your target.

The generated report looks like this.

Export Report

So, now I've got same report in 2 different formats - XHTML and PDF. I've got XHTML exported by zap, and PDF converted using wkhtmltopdf.

Not bad... maybe.

What's next?

I need to think more about the automation process I want to implement. The process I have currently is:

1) run the bash script
2) download the report using scp or FileZilla

Have a cool idea about that? Write a comment!

See you in the next post. Peace 👋

💖 💪 🙅 🚩
hakobyansen
Senik Hakobyan

Posted on June 9, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related