Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/o...
The Workshop Plan
• Who is this for?
• What are we trying to solve?
• What can you get out of this?
• Introduction to ZAP
...
Who is this for?
• Developers
• QA
• Operations
• Security
• Consultants
• (Managers)
• Whoever is involved in automation ...
What are we trying to solve?
• Find security issues as early as possible
• Integration into the devops pipeline
• Finding ...
What can you get out of this?
• A way to quickly evaluate your apps
• Options for more thorough scanning
• An introduction...
6
ZAP Introduction
• An easy to use webapp pentest tool
• Completely free and open source
• OWASP Flagship project
• Ideal...
7
ZAP Features
• Swing based UI for desktop mode
• Comprehensive REST(ish) API for daemon mode
• Plugin architecture (add-...
Some ZAP use cases
• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Aut...
ZAP Install Options
• Windows .exe
• Linux .tar.gz
• Mac OS .dmg
• Docker Images
• owasp/zap2docker-stable
• owasp/zap2doc...
Where to start?
• The Baseline scan
• Completely safe
• Runs quickly (1-2 minutes?)
• Can be easily integrated into CI/CD
...
Baseline scan
• Uses docker (the only dependency)
• Time limited spider of target (default 1 min)
• Just passive scanning
...
Baseline scan - issues
• All release and beta passive scan rules, eg
• Missing / incorrect security headers
• Cookie probl...
13
Baseline
Demo
Baseline scan – usage
14
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg
Opti...
Baseline scan – output
15
./zap-baseline.py -t https://www.example.com
3 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: ...
Baseline scan – in CircleCI
• https://github.com/Securing-
DevOps/invoicer/blob/master/circle.yml#L39-L44
16
# pull down t...
Baseline scan – conf file
• Use -g option to generate, -c or -u to use
17
# zap-baseline rule configuration file
# Change ...
Where next?
• Mass Baseline scan
• Provides a simple dashboard
• Shows the detailed results
• Shows the per service histor...
Mass Baseline scan
• Part of the community-scripts repo:
zaproxy/community-scripts/api/mass-baseline
19
Full Scans
• Packaged options:
• Cmdline quick scan
• Jenkins plugin
• Sdlc-integration scripts
• Daemon mode + API
• (ZAP...
Cmdline Quick Scan
21
./zap.sh -cmd -quickurl 
http://example.com/ -quickprogress
• Spidering
• Active scanning
• [=======...
Jenkins plugin
• Maintained by 3rd
party
• Requires full ZAP install
• Supports authentication
• Supports scan policies
• ...
Sdlc integration scripts
• Part of the community-scripts repo:
zaproxy/community-scripts/api/sdlc-integration
• Spidering,...
Useful cmdline options
• Turn off db recovery (speeds things up)
-config database.recoverylog=false
• Update all add-ons
-...
Using the ZAP API
• Intro to the API
• Exploring
• Scanning
• Reporting
• Authenticating
• Tuning
25
Intro to the API
• RESTish – ok, only uses GET requests
http(s)://zap/<format>/<component>/
<operation>/<op name>[/?<param...
API Pro Tip
1. Experiment with the Desktop UI
2. Export configs from the UI (contexts, scan
policies..)
3. Then reproduce ...
28
API
Demo
Intro – Python API
• Install from pypi:
pip install python-owasp-zap-v2.4
• In your script:
from zapv2 import ZAPv2
zap = ...
Exploring
• Proxy Regression / Unit tests
• Traditional Spider (crawler)
• Ajax Spider (browsers)
• Spider SOAP definition...
31
Spider
API
Demo
Exploring – Trad Spider
32
h
zap.spider.scan(target)
• time.sleep(5)
• while int(zap.spider.status()) < 100:
• print ('Spi...
Exploring – Ajax Spider
33
h
zap.ajaxSpider.scan(target)
• time.sleep(5)
• while zap.ajaxSpider == 'running':
• print ('Aj...
Scanning – Passive Scan
34
while int(zap.pscan.records_to_scan())
> 0:
• print ('Pscan records : ' +
zap.pscan.records_to_...
Scanning – Active Scan
35
h
zap.ascan.scan(target)
• time.sleep(5)
• while int(zap.ascan.status()) < 100:
• print ('Ascan ...
Reporting – HTML + XML
36
h
# HTML Report
• with open ('report.html', 'w') as f:
f.write(zap.core.htmlreport())
# XML Repo...
Reporting – all alert data
37
h
# Use paging for lots of alerts
• offset = 0; page = 100
• alerts = zap.core.alerts('', of...
And dont forget...
38
h
# Your work here is done...
• zap.core.shutdown()
Any questions about the
API?
39
h
Authenticating
• Authentication can be hard :(
• Simple form based auth should be ok
• Authentication scripts should be ab...
41
Auth
API
Demo
Tuning - speed
• Spider time limits
• Data driven content
• Technology
• Active scan
• Scan rules
• Input vectors
• Attack...
Tuning - feedback
• Active scan stats
• Response stats
• Authentication stats (alpha add-on)
• Statsd support
43
Tuning - accuracy
• Attack thresholds
• Rule configuration (post 2.5.0)
– Forms that dont need CSRF tokens
– Increase timi...
Need help?
• Getting Started Guide
• Desktop Help (also online)
• Wiki – FAQ, Docs, Videos …
• ZAP User Group
• irc.mozill...
Workshop Summary
• Use the baseline scan for a quick security
overview
• Use the mass baseline to create a dashboard
• Use...
Now go forth and
automate ZAP :)
http://www.owasp.org/index.php/ZAP
Upcoming SlideShare
Loading in …5
×

Automating OWASP ZAP - DevCSecCon talk

5,472 views

Published on

Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.

This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.

Published in: Internet

Automating OWASP ZAP - DevCSecCon talk

  1. 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Workshop: Automating OWASP ZAP Simon Bennetts OWASP ZAP Project Lead Mozilla Cloud Security Team psiinon@gmail.com DevSecCon London 2016
  2. 2. The Workshop Plan • Who is this for? • What are we trying to solve? • What can you get out of this? • Introduction to ZAP • Where to start • Where to go from there 2
  3. 3. Who is this for? • Developers • QA • Operations • Security • Consultants • (Managers) • Whoever is involved in automation ;) 3
  4. 4. What are we trying to solve? • Find security issues as early as possible • Integration into the devops pipeline • Finding all of the possible vulnerabilities • Putting pentesters out of a job :P 4 What are we not trying to solve?
  5. 5. What can you get out of this? • A way to quickly evaluate your apps • Options for more thorough scanning • An introduction to the ZAP API • A chance to try things out with me 5
  6. 6. 6 ZAP Introduction • An easy to use webapp pentest tool • Completely free and open source • OWASP Flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Included in all major security distributions • ToolsWatch.org Top Security Tool of 2015 • Not a silver bullet!
  7. 7. 7 ZAP Features • Swing based UI for desktop mode • Comprehensive REST(ish) API for daemon mode • Plugin architecture (add-ons) • Online ‘marketplace’ (all free:) • Release, beta and alpha quality add-ons • Traditional and ajax spiders • Passive and active scanning • Highly configurable, eg scan policies • Highly scriptable
  8. 8. Some ZAP use cases • Point and shoot – the Quick Start tab • Proxying via ZAP, and then scanning • Manual pentesting • Automated security regression tests • Debugging • Part of a larger security program 8
  9. 9. ZAP Install Options • Windows .exe • Linux .tar.gz • Mac OS .dmg • Docker Images • owasp/zap2docker-stable • owasp/zap2docker-weekly • Distros like Kali 9
  10. 10. Where to start? • The Baseline scan • Completely safe • Runs quickly (1-2 minutes?) • Can be easily integrated into CI/CD • Easy to get started – just required the target: docker pull owasp/zap2docker-weekly docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com • Very configurable if needed 10
  11. 11. Baseline scan • Uses docker (the only dependency) • Time limited spider of target (default 1 min) • Just passive scanning • By default warns on all issues • Can change to ignore, info or fail • Can include any ZAP cmdline option • Can ignore any url regex for any rule 11
  12. 12. Baseline scan - issues • All release and beta passive scan rules, eg • Missing / incorrect security headers • Cookie problems • Information / error disclosure • Missing CSRF tokens •... • Can optionally include alpha pscan rules 12
  13. 13. 13 Baseline Demo
  14. 14. Baseline scan – usage 14 Usage: zap-baseline.py -t <target> [options] -t target target URL including the protocol, eg Options: -c config_file config file to use to INFO, IGNORE or -u config_url URL of config file to use to INFO, IG -g gen_file generate default config file (all rul -m mins the number of minutes to spider for ( -r report_html file to write the full ZAP HTML repor -w report_md file to write the full ZAP Wiki (Mark -x report_xml file to write the full ZAP XML report -a include the alpha passive scan rules -d show debug messages -i default rules not in the config file -j use the Ajax spider in addition to th -l level minimum level to show: PASS, IGNORE, -s short output format - dont show PASSe -z zap_options ZAP command line options e.g. -z "-co
  15. 15. Baseline scan – output 15 ./zap-baseline.py -t https://www.example.com 3 URLs PASS: Cookie No HttpOnly Flag [10010] PASS: Cookie Without Secure Flag [10011] PASS: Password Autocomplete in Browser [10012] <snip> WARN: Incomplete or No Cache-control and Pragma HTTP Header https://www.example.com WARN: Web Browser XSS Protection Not Enabled [10016] x 3 https://www.example.com https://www.example.com/robots.txt https://www.example.com/sitemap.xml WARN: X-Frame-Options Header Not Set [10020] x 1 https://www.example.com WARN: X-Content-Type-Options Header Missing [10021] x 1 https://www.example.com FAIL: 0 WARN: 4 INFO: 0 IGNORE: 0 PASS: 22
  16. 16. Baseline scan – in CircleCI • https://github.com/Securing- DevOps/invoicer/blob/master/circle.yml#L39-L44 16 # pull down the Zap baseline scanner - docker pull owasp/zap2docker-weekly # Run zap against the invoicer - docker run ${DOCKER_REPO}/${CIRCLE_PROJECT_REPONAME} & - docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/
  17. 17. Baseline scan – conf file • Use -g option to generate, -c or -u to use 17 # zap-baseline rule configuration file # Change WARN to IGNORE to ignore rule or FAIL to fail if # Only the rule identifiers are used - the names are just # You can add your own messages to each rule by appending 10010 WARN(Cookie No HttpOnly Flag) 10011 WARN(Cookie Without Secure Flag) 10012 WARN(Password Autocomplete in Browser) 10015 WARN(Incomplete or No Cache-control and Pragma HTTP 10016 WARN(Web Browser XSS Protection Not Enabled) 10017 WARN(Cross-Domain JavaScript Source File Inclusion) 10019 WARN(Content-Type Header Missing) 10020 WARN(X-Frame-Options Header Scanner) 10021 WARN(X-Content-Type-Options Header Missing) 10023 WARN(Information Disclosure - Debug Error Messages) 10024 WARN(Information Disclosure - Sensitive Information
  18. 18. Where next? • Mass Baseline scan • Provides a simple dashboard • Shows the detailed results • Shows the per service history 18
  19. 19. Mass Baseline scan • Part of the community-scripts repo: zaproxy/community-scripts/api/mass-baseline 19
  20. 20. Full Scans • Packaged options: • Cmdline quick scan • Jenkins plugin • Sdlc-integration scripts • Daemon mode + API • (ZAP as a Service – in development) 20
  21. 21. Cmdline Quick Scan 21 ./zap.sh -cmd -quickurl http://example.com/ -quickprogress • Spidering • Active scanning • [====================] 100% • Attack complete • <?xml version="1.0"?><OWASPZAPReport version="2.5.0" generated="Tue, 4 Oct 2016 09:31:53"> • <site name="http://example.com" ...
  22. 22. Jenkins plugin • Maintained by 3rd party • Requires full ZAP install • Supports authentication • Supports scan policies • Not as flexible as driving the API 22
  23. 23. Sdlc integration scripts • Part of the community-scripts repo: zaproxy/community-scripts/api/sdlc-integration • Spidering, passive and active scanning • Supports authentication • Supports JIRA integration • Linux only, requires some file editing 23
  24. 24. Useful cmdline options • Turn off db recovery (speeds things up) -config database.recoverylog=false • Update all add-ons -addonupdate • Install a non default add-on -addoninstall addonname • Setting the API key -config api.key=j8WdOEq8dhwWE24VGDsreP • Disable API key in a safe environment -config api.disablekey=true 24
  25. 25. Using the ZAP API • Intro to the API • Exploring • Scanning • Reporting • Authenticating • Tuning 25
  26. 26. Intro to the API • RESTish – ok, only uses GET requests http(s)://zap/<format>/<component>/ <operation>/<op name>[/?<params>] • Maps closely to the UI / code • Theres a v basic web UI for it • And clients in various langs: Java, Python, Node JS, .Net, PHP, Go … • Clients are generated from the code 26
  27. 27. API Pro Tip 1. Experiment with the Desktop UI 2. Export configs from the UI (contexts, scan policies..) 3. Then reproduce using the API UI 4. Finally convert to a script 27
  28. 28. 28 API Demo
  29. 29. Intro – Python API • Install from pypi: pip install python-owasp-zap-v2.4 • In your script: from zapv2 import ZAPv2 zap = ZAPv2() zap = ZAPv2(proxies={ 'http': 'http://localhost:8080', 'https': 'http://localhost:8090'}) 29 h from zapv2 import ZAPv2 zap = ZAPv2() zap = ZAPv2(proxies={ 'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}) • zap.urlopen(target) • pip install python-owasp-zap-v2.4
  30. 30. Exploring • Proxy Regression / Unit tests • Traditional Spider (crawler) • Ajax Spider (browsers) • Spider SOAP definition (via alpha add-on) • Import ModSecurity2 logs (via alpha add-on) 30
  31. 31. 31 Spider API Demo
  32. 32. Exploring – Trad Spider 32 h zap.spider.scan(target) • time.sleep(5) • while int(zap.spider.status()) < 100: • print ('Spider progress %: ' + zap.spider.status()) • time.sleep(5) • print ('Spider completed')
  33. 33. Exploring – Ajax Spider 33 h zap.ajaxSpider.scan(target) • time.sleep(5) • while zap.ajaxSpider == 'running': • print ('Ajax Spider # results: ' + zap.ajaxSpider.number_of_results()) • time.sleep(5) • print ('Ajax Spider completed')
  34. 34. Scanning – Passive Scan 34 while int(zap.pscan.records_to_scan()) > 0: • print ('Pscan records : ' + zap.pscan.records_to_scan()) • time.sleep(5) • print ('Pscan completed') h • Passive scanning happens automatically when proxying • To tell when its finished:
  35. 35. Scanning – Active Scan 35 h zap.ascan.scan(target) • time.sleep(5) • while int(zap.ascan.status()) < 100: • print ('Ascan progress %: ' + zap.ascan.status()) • time.sleep(5) • print ('Ascan completed')
  36. 36. Reporting – HTML + XML 36 h # HTML Report • with open ('report.html', 'w') as f: f.write(zap.core.htmlreport()) # XML Report • with open ('report.xml', 'w') as f: f.write(zap.core.xmlreport())
  37. 37. Reporting – all alert data 37 h # Use paging for lots of alerts • offset = 0; page = 100 • alerts = zap.core.alerts('', offset, page) • while len(alerts) > 0: • for alert in alerts: • # Do whatever you want with alert • offset += page • alerts = zap.core.alerts('', offset, page)
  38. 38. And dont forget... 38 h # Your work here is done... • zap.core.shutdown()
  39. 39. Any questions about the API? 39 h
  40. 40. Authenticating • Authentication can be hard :( • Simple form based auth should be ok • Authentication scripts should be able to handle anything • But if you have complex SSO or equiv you may want a simpler option in your test env • Pro Top: use the UI to set authentication up! 40
  41. 41. 41 Auth API Demo
  42. 42. Tuning - speed • Spider time limits • Data driven content • Technology • Active scan • Scan rules • Input vectors • Attack strength 42
  43. 43. Tuning - feedback • Active scan stats • Response stats • Authentication stats (alpha add-on) • Statsd support 43
  44. 44. Tuning - accuracy • Attack thresholds • Rule configuration (post 2.5.0) – Forms that dont need CSRF tokens – Increase timing attacks from 5 seconds 44
  45. 45. Need help? • Getting Started Guide • Desktop Help (also online) • Wiki – FAQ, Docs, Videos … • ZAP User Group • irc.mozilla.org #websectools 45
  46. 46. Workshop Summary • Use the baseline scan for a quick security overview • Use the mass baseline to create a dashboard • Use full ZAP scans for more depth • Configure ZAP to authenticate for even better results • If you need help, just ask! 46
  47. 47. Now go forth and automate ZAP :) http://www.owasp.org/index.php/ZAP

×