The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP BUCHAREST
APPSEC CONFERENCE
13 OCTOBER 2017
N different strategies to
automate OWASP ZAP
The OWASP Zed Attack Proxy
Marudhamaran Gunasekaran
ZAP Contributor
@gmaran23
Software Security Consultant at DevOn / Prowareness
Agenda
• Application Security Program Challenges
• Lightning Introduction to ZAP
• The ZAP API
• The N ways of Automating ZAP
• Scripting for ZAP
• Tips for CI / CD and Case Studies
The problems
• Most developers know very little about security
• Some developers care more about feature
development than security
• Most companies have very few application
security folks
• Security testing is done late in the application
development lifecycle (if it is done at all)
The Software Security
Models
• OWASP SAMM Project -
https://www.owasp.org/index.php/OWASP_SAMM_Project
• BSIMM -
https://www.bsimm.com/
• SDOMM from Christian Schneider -
https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html
• CSSMM from Prowareness / DevOn -
https://www.devon.nl/secure-software/
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure
development lifecycle, threat modelling, static
source code analysis, secure code reviews,
professional pentesting…
What’s in this talk?
• A way to quickly evaluate your applications
• Options for more thorough scanning
• Introduction to the ZAP API
• “N Different ways to automate Software Security Assurance
with OWASP ZAP”
Why ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Source code updated multiple times a day
• One of the OWASP Flagship projects
• Ideal for beginners, but also used by professionals
• Powerful API - for automated security tests
The app sec tool
foundations
• Spider or Crawler
– Gathers information about what to attack
• Passive Scan
– Static analysis of the gathered information (HTTP
requests and responses); sends no extra traffic
• Active Scan
– Sends attack (potentially harmful) payloads to
exploit / confirm weaknesses; run it only against
applications you are authorised to test, never production
ZAP API demo
Headless attack!
Demo Flow:
1. Open the ZAP GUI on the right of the screen
2. Browse the API in a browser on the left of the screen
3. Trigger a spider scan from the API; it is visible in the UI
4. Poll the spider status API until it reports 100
5. Get results from the passive scan (core/view/alerts)
6. Trigger an active scan from the API; the scan starts
and is evident in the ZAP UI
7. Demonstrate a shutdown (core/action/shutdown)
ZAP API demo
[5 minutes]
ZAP Baseline scan
1. Quick to set up and fast to run
2. No prior ZAP experience required
3. Docker is the only dependency
4. Configurable with command line options
5. Quickly baseline the security controls of an application
or many applications (passive scanning only, so nothing is attacked)
ZAP Baseline scan
Finds issues like:
• Missing / incorrect security headers
• Cookie problems
• Information / error disclosure
• Missing CSRF tokens
ZAP Baseline scan - Demo
Demo flow:
1. Pull the ZAP docker image
2. docker run -t owasp/zap2docker-stable zap-baseline.py -t http://www.renthoughtsweb.com:8020
3. Interpreting the results of the baseline scan
4. Generating and using a scan configuration file
5. Mass baseline scan
[5 minutes]
The available API Clients
1. Java - https://github.com/zaproxy/zap-api-java
2. Python - https://github.com/zaproxy/zap-api-python
3. DotNet - https://github.com/zaproxy/zap-api-dotnet
4. PHP
5. Node JS
6. Go
… and more
Automating Quick Scan
- via python API client
Flow:
1. Start ZAP programmatically (daemon mode) and point the client at its proxy port
2. Wait for ZAP to initialize (poll zap.core.version() until it answers)
3. scanid = zap.spider.scan(targeturl)
4. Wait till int(zap.spider.status(scanid)) is 100 (the API returns the percentage as a string)
5. scanid = zap.ascan.scan(targeturl)
6. Wait till int(zap.ascan.status(scanid)) is 100
7. zap.core.alerts(baseurl=targeturl)
8. zap.core.htmlreport() (the report covers the whole session; it takes no target argument)
[5 minutes]
Automating authenticated
scans
1. Create a context named after the application
2. Choose the mode of authentication (for instance
Forms Authentication)
3. Provide authentication information (login URL, request
data, credentials, logged-in indicator)
4. Spider
5. Scan
6. Extract results
Automating Authenticated
Scan
- Demo via Dot Net API
Client
Authenticated Scan Demo
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. api.context.newContext
4. api.context.includeInContext
5. api.authentication.setAuthenticationMethod (e.g. formBasedAuthentication with loginUrl and loginRequestData)
6. api.users.newUser
7. api.users.setAuthenticationCredentials and api.users.setUserEnabled
8. api.forcedUser.setForcedUser
9. api.forcedUser.setForcedUserModeEnabled
10. api.spider.scan
11. api.ascan.scan
12. api.core.htmlreport
[5 minutes]
Security Regression Testing
Well, let me
watch you
here!
Integrating with Selenium
Test cases
- Demo via Java API Client
Selenium Integration Demo
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. Set up the Selenium web driver with proxy settings pointing at ZAP
4. Run the Selenium test cases (every request they make is recorded and passively scanned)
5. api.spider.scan
6. api.ascan.scan
7. api.core.htmlreport
A recorded quick demo - https://vimeo.com/222238217
[5 minutes]
Official Jenkins plugin
Tips from the field for CI / CD
Integration
1. Tune the scan policies for faster scans
2. Start by running the scans in report-only
mode; after learning about false positives and
application behaviours, start breaking the build
3. Checking secure HTTP headers is trivial yet
highly useful
(Story about mixed HTTP/HTTPS content)
(Story about missing CSRF protection on some pages)
4. Time-boxed passive scans (baseline scan) on every
Continuous Integration build
5. Deep scan (spider + active scan) on nightly builds
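The baseline-scan demo earlier (generate a rule file, edit it, pass it back in, scan many targets) and the report-only-then-break-the-build tip above come together in this added example of a small CI wrapper around the zap-baseline.py script shipped in the owasp/zap2docker-stable image. It is not from the slides or the ZAP project. Assumed rather than stated on the page: the script's exit codes (0 all rules passed, 1 at least one FAIL, 2 at least one WARN, 3 error or nothing scanned), the tab-separated `<id>\t<level>\t(<name>)` rule-file format that its -g option writes and -c reads, and its -m minutes limit on spidering; the target URLs, file names and the three rule ids in the constructed sample (taken from ZAP's passive rules; check them against your own -g output) are placeholders. `runner` is injectable so the logic can be exercised without Docker.

```python
"""CI wrapper for zap-baseline.py (runs in the owasp/zap2docker-stable image).

Assumptions, not from the slides: exit codes 0=PASS, 1=FAIL, 2=WARN, 3=error;
rule file lines are "<id>\t<level>\t(<name>)" as written by `zap-baseline.py -g`.
Targets, file names and rule ids below are placeholders / constructed.
"""
import os
import subprocess
import sys

IMAGE = "owasp/zap2docker-stable"
LEVELS = ("PASS", "IGNORE", "INFO", "WARN", "FAIL")
OUTCOMES = {0: "pass", 1: "fail", 2: "warn", 3: "error"}

# Constructed excerpt of a generated rule file (real files list every passive rule).
SAMPLE_RULES = """# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
10020\tWARN\t(X-Frame-Options Header Scanner)
10040\tWARN\t(Secure Pages Include Mixed Content)
10202\tWARN\t(Absence of Anti-CSRF Tokens)
"""


def baseline_command(target, rule_file=None, report_html=None, minutes=1, host_dir="."):
    """argv for one scan. The host directory is mounted at /zap/wrk so the rule file
    goes in and the HTML report comes out; -m caps spider time to keep CI fast."""
    cmd = ["docker", "run", "--rm", "-v", f"{os.path.abspath(host_dir)}:/zap/wrk:rw",
           "-t", IMAGE, "zap-baseline.py", "-t", target, "-m", str(minutes)]
    if rule_file:
        cmd += ["-c", rule_file]
    if report_html:
        cmd += ["-r", report_html]
    return cmd


def parse_rules(text):
    """Rule file -> {id: (level, name)}; blank and comment lines are skipped."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1] not in LEVELS:
            raise ValueError(f"bad rule line: {line!r}")
        rules[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return rules


def promote(rules, fail_ids=(), ignore_ids=()):
    """Copy of `rules` with build-breaking rules set to FAIL and accepted ones to IGNORE."""
    out = dict(rules)
    for rid, level in [(r, "FAIL") for r in fail_ids] + [(r, "IGNORE") for r in ignore_ids]:
        if rid not in out:
            raise KeyError(f"unknown rule id {rid}; regenerate the file with -g")
        out[rid] = (level, out[rid][1])
    return out


def render_rules(rules):
    """Serialise back into the format -c expects (names are informational only)."""
    lines = ["# zap-baseline rule configuration file"]
    lines += [f"{rid}\t{level}\t{name}" for rid, (level, name) in sorted(rules.items())]
    return "\n".join(lines) + "\n"


def verdict(exit_code, report_only):
    """(outcome, break_build). In report-only mode nothing breaks the build; once
    false positives are IGNOREd and key rules promoted to FAIL, turn it off.
    An error (nothing scanned) is never allowed to pass silently."""
    outcome = OUTCOMES.get(exit_code, "error")
    return outcome, (not report_only) and outcome in ("fail", "error")


def mass_baseline(targets, rule_file, report_only=True, runner=subprocess.call):
    """One baseline scan per target -> {target: (outcome, break_build)}."""
    results = {}
    for i, target in enumerate(targets):
        cmd = baseline_command(target, rule_file=rule_file, report_html=f"baseline-{i}.html")
        results[target] = verdict(runner(cmd), report_only)
    return results


if __name__ == "__main__":
    with open("rules.conf", "w") as fh:            # tightened copy of the -g output
        fh.write(render_rules(promote(parse_rules(SAMPLE_RULES), fail_ids=["10040", "10202"])))
    results = mass_baseline(sys.argv[1:], "rules.conf", report_only=os.environ.get("ZAP_BREAK") != "1")
    print(results)
    sys.exit(1 if any(brk for _, brk in results.values()) else 0)
```

Usage: `python ci_baseline.py http://app-one:8020 http://app-two:8020` runs in report-only mode; set `ZAP_BREAK=1` once the rule file has been tuned and the exit status starts failing the build on FAIL or error.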
Scripting for ZAP
Script things that are not supported out of the box
Script for automating regular VAPT activities
Script to modify requests and responses
.. And much more
Scripting can be done in
1. Python (Jython)
2. Ruby (JRuby)
3. Zest
4. JavaScript
Quick Demo – Python
scripting
Find insecure HTTP verbs on server
Quick Demo – Python
scripting
Payload Generator Script to use while fuzzing
Quick Demo – Zest
Security Regression
Scripting
Demo flow:
1. Demonstrate an open redirect flaw
2. Add a Zest script that replays the request
3. Add an assert to ensure the application doesn’t redirect
to other domains (the script fails if the flaw comes back)
Useful cmdline options
• Turn off db recovery (speeds things up)
-config database.recoverylog=false
• Update all add-ons
-addonupdate
• Run without the UI
-daemon
• Listen on a specified host and port
-host 127.0.0.1 -port 7070
• Setting the API key
-config api.key=j8WdOEq8dhwWE24VGDsreP
• Disable the API key, only in an isolated environment
(anyone who can reach the port can then drive ZAP)
-config api.disablekey=true
ZAP – Need Help?
ZAP user group -
https://groups.google.com/forum/#!forum/zaproxy-users
ZAP Evangelists -
https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists
ZAP Developers group -
https://groups.google.com/forum/#!forum/zaproxy-develop
ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
Conclusion
• Consider security at all stages of development
cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is
nothing, with the ‘right set of’ tools he is all” (after Thomas Carlyle)
Any Questions?
gmaran23 @ gmail . com
http://www.owasp.org/index.php/ZAP
