https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges. This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.

1. The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP BUCHAREST
APPSEC CONFERENCE
13 OCTOBER 2017
N different strategies to
automate OWASP ZAP
The OWASP Zed Attack Proxy
Marudhamaran Gunasekaran
Zap Contributor
@gmaran23
Software Security Consultant at DevOn / Prowareness

2. 2
Agenda
• Application Security Program Challenges
• Lightning Introduction to ZAP
• The ZAP API
• The N ways of Automating ZAP
• Scripting for ZAP
• Tips for CI / CD and Case Studies

3. 3
The problems
• Most developers know very little about security
• Some developers care more about feature
development than security
• Most companies have very few application
security folks
• Security testing is done late in the application
development lifecycle (if at all is done)

4. 4
The Software Security
Models
• OWASP SAMM Project -
https://www.owasp.org/index.php/OWASP_SAMM_Project
• BSIMM
https://www.bsimm.com/
• SDOMM from Christian Schneider
https://www.christian-
schneider.net/SecurityDevOpsMaturityModel.html
• CSSMM from Prowareness / DevOn
https://www.devon.nl/secure-software/

5. 5
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure
development lifecycle, threat modelling, static
source code analysis, secure code reviews,
professional pentesting…

6. What’s in this talk?
• A way to quickly evaluate your applications
• Options for more thorough scanning
• Introduction to the ZAP API
• “N Different ways to automate Software Security Assurance
with OWASP ZAP”
6

7. 7
Why ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Source code updated multiple times a day
• One of the OWASP Flagship projects
• Ideal for beginners, But also used by professionals
• Powerful API - for automated security tests

8. 8
The app sec tool
foundations
• Spider or Crawler
– Gather information about what to attack
• Passive Scan
– Static analysis on the gathered information (HTTP
requests and responses)
• Active Scan
– Send attack (potentially harmful) payloads to
exploit / confirm weakness

9. 9
ZAP API demo
Headless attack!

10. 1
Demo Flow:
1. Open the ZAP GUI on the right of the screen
2. Browse the API from the left of the screen on a browser
3. As we trigger a spider scan, it would be visible in the UI
4. Poll the Spider Status API
5. Get results from passive scan
6. Trigger an Active Scan from the API, the scanning would
start and it would be evident on the ZAP UI
7. Demonstrate a Shutdown
ZAP API demo
[5 minutes]

11. ZAP Baseline scan
1. Quick and fast
2. No prior ZAP experience required
3. Docker is the only dependency
4. Configurable with Command line Options
5. Quickly baseline the security controls of an application
or many applications (just passive scanning)

12. ZAP Baseline scan
Finds issues like:
• Missing / incorrect security headers
• Cookie problems
• Information / error disclosure
• Missing CSRF tokens

13. ZAP Baseline scan - Demo
Demo flow:
1. Pull the zap docker image
2. docker run -t owasp/zap2docker-stable
zap-baseline.py -t http://www.renthoughtsweb.com:8020
2. Interpreting the results of the baseline scan
3. Generating and Using a scan configuration file
4. Mass baseline scan
[5 minutes]

14. 1
The available API Clients
1. Java - https://github.com/zaproxy/zap-api-java
2. Python - https://github.com/zaproxy/zap-api-python
3. DotNet - https://github.com/zaproxy/zap-api-dotnet
4. PHP
5. Node JS
6. GO
7. .
8. .

15. 1
Automating Quick Scan
- via python API client
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. zap.spider.scan(targeturl)
4. Wait till zap.spider.status(scanid) is 100
5. zap.ascan.scan(target)
6. Wait till zap.ascan.status(scanid) is 100
7. zap.core.alerts()
8. zap.core.htmlreport(target)
[5 minutes]

16. 1
Automating authenticated
scans
1. Create a context in the name of the application
2. Choose the mode of authentication (for instance
Forms Authentication)
3. Provide Authentication information
4. Spider
5. Scan
6. Extract Results

17. 1
Automating Authenticated
Scan
- Demo via Dot Net API
Client

18. 1
Authenticated Scan Demo
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. api.context.newContext
4. api.context.includeInContext
5. api.users.newUser
6. api.forcedUser.setForcedUser
7. api.forcedUser.setForcedUserModeEnabled
8. api.spider.scan
9. api.ascan.scan
10. api.core.htmlreport
[5 minutes]

19. 1
Security Regression Testing
Well, let me
watch you
here!

20. 2
Integrating with Selenium
Test cases
- Demo via Java API Client

21. 2
Selenium Integration Demo
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. Set up Selenium web driver with proxy settings
4. Run the selenium test cases
5. api.spider.scan
6. api.ascan.scan
7. api.core.htmlreport
A recorded quick demo - https://vimeo.com/222238217
[5 minutes]

22. Official Jenkins plugin

23. Tips from the field for CI / CD
Integration

24. Tips from the field for CI / CD
Integration
1. Tune the scan policies for faster scans

25. Tips from the field for CI / CD
Integration
2. Try running the scans on Report-Only
mode
After doing some learning about false
positives and application behaviors, break
the build

26. Tips from the field for CI / CD
Integration
3. Secure HTTP headers check is trivial yet
highly useful
(Story about Mixed HTTP/HTTPS content)
(Story about missing CSRF protection at some pages)

27. Tips from the field for CI / CD
Integration
4. Timed passive scans (baseline scan) on
Continuous Integration
5. Deep Scan on nightly builds

28. 2
Scripting for ZAP
Script things that are not supported out of the box
Script for automating regular VAPT activities
Script to modify request and responses
.. And much more
Scripting can be done in
1. Python
2. Ruby
3. ZEST
4. Javascript

29. 2
Quick Demo – Python
scripting
Find insecure HTTP verbs on server

30. 3
Quick Demo – Python
scripting
Payload Generator Script to use while fuzzing

31. 3
Quick Demo – ZEST
Security Regression
Scripting
Demo flow:
1. Demonstrate an Open Redirect Flaw
2. Add a ZEST Script
3. Add an Assert to ensure the Application doesn’t redirect
to other domains

32. Useful cmdline options
• Turn off db recovery (speeds things up)
-config database.recoverylog=false
• Update all add-ons
-addonupdate
• Run without the UI
-daemon
• Listen on a specified host and port
-host 127.0.0.1 –port 7070
• Setting the API key
-config api.key=j8WdOEq8dhwWE24VGDsreP
• Disable API key in a safe environment
-config api.disablekey=true
32

33. ZAP – Need Help?
ZAP user group -
https://groups.google.com/forum/#!forum/zaproxy
-users
ZAP Evangelists -
https://github.com/zaproxy/zaproxy/wiki/ZapEvang
elists
ZAP Developers group -
https://groups.google.com/forum/#!forum/zaproxy
-develop

34. ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs

35. Conclusion
• Consider security at all stages of development
cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is
nothing, with “right set of” tools he is all”

36. Any Questions?
gmaran23 @ gmail . com
http://www.owasp.org/index.php/ZAP