SlideShare a Scribd company logo
The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP BUCHAREST
APPSEC CONFERENCE
13 OCTOBER 2017
N different strategies to
automate OWASP ZAP
The OWASP Zed Attack Proxy
Marudhamaran Gunasekaran
Zap Contributor
@gmaran23
Software Security Consultant at DevOn / Prowareness
2
Agenda
• Application Security Program Challenges
• Lightning Introduction to ZAP
• The ZAP API
• The N ways of Automating ZAP
• Scripting for ZAP
• Tips for CI / CD and Case Studies
3
The problems
• Most developers know very little about security
• Some developers care more about feature
development than security
• Most companies have very few application
security folks
• Security testing is done late in the application
development lifecycle (if at all is done)
4
The Software Security
Models
• OWASP SAMM Project -
https://www.owasp.org/index.php/OWASP_SAMM_Project
• BSIMM
https://www.bsimm.com/
• SDOMM from Christian Schneider
https://www.christian-
schneider.net/SecurityDevOpsMaturityModel.html
• CSSMM from Prowareness / DevOn
https://www.devon.nl/secure-software/
5
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure
development lifecycle, threat modelling, static
source code analysis, secure code reviews,
professional pentesting…
What’s in this talk?
• A way to quickly evaluate your applications
• Options for more thorough scanning
• Introduction to the ZAP API
• “N Different ways to automate Software Security Assurance
with OWASP ZAP”
6
7
Why ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Source code updated multiple times a day
• One of the OWASP Flagship projects
• Ideal for beginners, But also used by professionals
• Powerful API - for automated security tests
8
The app sec tool
foundations
• Spider or Crawler
– Gather information about what to attack
• Passive Scan
– Static analysis on the gathered information (HTTP
requests and responses)
• Active Scan
– Send attack (potentially harmful) payloads to
exploit / confirm weakness
9
ZAP API demo
Headless attack!
1
Demo Flow:
1. Open the ZAP GUI on the right of the screen
2. Browse the API from the left of the screen on a browser
3. As we trigger a spider scan, it would be visible in the UI
4. Poll the Spider Status API
5. Get results from passive scan
6. Trigger an Active Scan from the API, the scanning would
start and it would be evident on the ZAP UI
7. Demonstrate a Shutdown
ZAP API demo
[5 minutes]
ZAP Baseline scan
1. Quick and fast
2. No prior ZAP experience required
3. Docker is the only dependency
4. Configurable with Command line Options
5. Quickly baseline the security controls of an application
or many applications (just passive scanning)
ZAP Baseline scan
Finds issues like:
• Missing / incorrect security headers
• Cookie problems
• Information / error disclosure
• Missing CSRF tokens
ZAP Baseline scan - Demo
Demo flow:
1. Pull the zap docker image
2. docker run -t owasp/zap2docker-stable
zap-baseline.py -t http://www.renthoughtsweb.com:8020
2. Interpreting the results of the baseline scan
3. Generating and Using a scan configuration file
4. Mass baseline scan
[5 minutes]
1
The available API Clients
1. Java - https://github.com/zaproxy/zap-api-java
2. Python - https://github.com/zaproxy/zap-api-python
3. DotNet - https://github.com/zaproxy/zap-api-dotnet
4. PHP
5. Node JS
6. GO
7. .
8. .
1
Automating Quick Scan
- via python API client
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. zap.spider.scan(targeturl)
4. Wait till zap.spider.status(scanid) is 100
5. zap.ascan.scan(target)
6. Wait till zap.ascan.status(scanid) is 100
7. zap.core.alerts()
8. zap.core.htmlreport(target)
[5 minutes]
1
Automating authenticated
scans
1. Create a context in the name of the application
2. Choose the mode of authentication (for instance
Forms Authentication)
3. Provide Authentication information
4. Spider
5. Scan
6. Extract Results
1
Automating Authenticated
Scan
- Demo via Dot Net API
Client
1
Authenticated Scan Demo
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. api.context.newContext
4. api.context.includeInContext
5. api.users.newUser
6. api.forcedUser.setForcedUser
7. api.forcedUser.setForcedUserModeEnabled
8. api.spider.scan
9. api.ascan.scan
10. api.core.htmlreport
[5 minutes]
1
Security Regression Testing
Well, let me
watch you
here!
2
Integrating with Selenium
Test cases
- Demo via Java API Client
2
Selenium Integration Demo
Flow:
1. Start ZAP programmatically
2. Wait for ZAP to initialize
3. Set up Selenium web driver with proxy settings
4. Run the selenium test cases
5. api.spider.scan
6. api.ascan.scan
7. api.core.htmlreport
A recorded quick demo - https://vimeo.com/222238217
[5 minutes]
Official Jenkins plugin
Tips from the field for CI / CD
Integration
Tips from the field for CI / CD
Integration
1. Tune the scan policies for faster scans
Tips from the field for CI / CD
Integration
2. Try running the scans on Report-Only
mode
After doing some learning about false
positives and application behaviors, break
the build
Tips from the field for CI / CD
Integration
3. Secure HTTP headers check is trivial yet
highly useful
(Story about Mixed HTTP/HTTPS content)
(Story about missing CSRF protection at some pages)
Tips from the field for CI / CD
Integration
4. Timed passive scans (baseline scan) on
Continuous Integration
5. Deep Scan on nightly builds
2
Scripting for ZAP
Script things that are not supported out of the box
Script for automating regular VAPT activities
Script to modify request and responses
.. And much more
Scripting can be done in
1. Python
2. Ruby
3. ZEST
4. Javascript
2
Quick Demo – Python
scripting
Find insecure HTTP verbs on server
3
Quick Demo – Python
scripting
Payload Generator Script to use while fuzzing
3
Quick Demo – ZEST
Security Regression
Scripting
Demo flow:
1. Demonstrate an Open Redirect Flaw
2. Add a ZEST Script
3. Add an Assert to ensure the Application doesn’t redirect
to other domains
Useful cmdline options
• Turn off db recovery (speeds things up)
-config database.recoverylog=false
• Update all add-ons
-addonupdate
• Run without the UI
-daemon
• Listen on a specified host and port
-host 127.0.0.1 –port 7070
• Setting the API key
-config api.key=j8WdOEq8dhwWE24VGDsreP
• Disable API key in a safe environment
-config api.disablekey=true
32
ZAP – Need Help?
ZAP user group -
https://groups.google.com/forum/#!forum/zaproxy
-users
ZAP Evangelists -
https://github.com/zaproxy/zaproxy/wiki/ZapEvang
elists
ZAP Developers group -
https://groups.google.com/forum/#!forum/zaproxy
-develop
ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
Conclusion
• Consider security at all stages of development
cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is
nothing, with “right set of” tools he is all”
Any Questions?
gmaran23 @ gmail . com
http://www.owasp.org/index.php/ZAP

More Related Content

What's hot

OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Sherif Mansour
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation
Simon Bennetts
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 

What's hot (20)

OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
 
2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 

Similar to N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 13 2017

we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
DevSecCon
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Codemotion
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
Sumanth Damarla
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
API Testing with Frisby and Mocha
API Testing with Frisby and MochaAPI Testing with Frisby and Mocha
API Testing with Frisby and Mocha
Lyudmila Anisimova
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Christian Schneider
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
rkadayam
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
Google App Engine for Java
Google App Engine for JavaGoogle App Engine for Java
Google App Engine for Java
Lars Vogel
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
Amazon Web Services
 
TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012
Ashish Bhasin
 

Similar to N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 13 2017 (20)

we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAP
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
API Testing with Frisby and Mocha
API Testing with Frisby and MochaAPI Testing with Frisby and Mocha
API Testing with Frisby and Mocha
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Google App Engine for Java
Google App Engine for JavaGoogle App Engine for Java
Google App Engine for Java
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012
 

More from gmaran23

First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017
gmaran23
 
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
gmaran23
 
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
gmaran23
 
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
gmaran23
 
Performance Appraisals in Agile Environment Nagesh Sharma
Performance Appraisals in Agile Environment Nagesh SharmaPerformance Appraisals in Agile Environment Nagesh Sharma
Performance Appraisals in Agile Environment Nagesh Sharma
gmaran23
 
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
gmaran23
 
What Can I Learn From You?
What Can I Learn From You?What Can I Learn From You?
What Can I Learn From You?
gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Six steps for securing offshore development
Six steps for securing offshore developmentSix steps for securing offshore development
Six steps for securing offshore development
gmaran23
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
Devouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
gmaran23
 
Devouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and PreventionDevouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and Prevention
gmaran23
 

More from gmaran23 (13)

First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017
 
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
 
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
 
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
 
Performance Appraisals in Agile Environment Nagesh Sharma
Performance Appraisals in Agile Environment Nagesh SharmaPerformance Appraisals in Agile Environment Nagesh Sharma
Performance Appraisals in Agile Environment Nagesh Sharma
 
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
 
What Can I Learn From You?
What Can I Learn From You?What Can I Learn From You?
What Can I Learn From You?
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Six steps for securing offshore development
Six steps for securing offshore developmentSix steps for securing offshore development
Six steps for securing offshore development
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Devouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
 
Devouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and PreventionDevouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and Prevention
 

Recently uploaded

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 13 2017

  • 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP BUCHAREST APPSEC CONFERENCE 13 OCTOBER 2017 N different strategies to automate OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor @gmaran23 Software Security Consultant at DevOn / Prowareness
  • 2. 2 Agenda • Application Security Program Challenges • Lightning Introduction to ZAP • The ZAP API • The N ways of Automating ZAP • Scripting for ZAP • Tips for CI / CD and Case Studies
  • 3. 3 The problems • Most developers know very little about security • Some developers care more about feature development than security • Most companies have very few application security folks • Security testing is done late in the application development lifecycle (if at all is done)
  • 4. 4 The Software Security Models • OWASP SAMM Project - https://www.owasp.org/index.php/OWASP_SAMM_Project • BSIMM https://www.bsimm.com/ • SDOMM from Christian Schneider https://www.christian- schneider.net/SecurityDevOpsMaturityModel.html • CSSMM from Prowareness / DevOn https://www.devon.nl/secure-software/
  • 5. 5 Part of the Solution • Use a security tool like ZAP in development • In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews, professional pentesting…
  • 6. What’s in this talk? • A way to quickly evaluate your applications • Options for more thorough scanning • Introduction to the ZAP API • “N Different ways to automate Software Security Assurance with OWASP ZAP” 6
  • 7. 7 Why ZAP? • An easy to use webapp pentest tool • Completely free and open source • Source code updated multiple times a day • One of the OWASP Flagship projects • Ideal for beginners, But also used by professionals • Powerful API - for automated security tests
  • 8. 8 The app sec tool foundations • Spider or Crawler – Gather information about what to attack • Passive Scan – Static analysis on the gathered information (HTTP requests and responses) • Active Scan – Send attack (potentially harmful) payloads to exploit / confirm weakness
  • 10. 1 Demo Flow: 1. Open the ZAP GUI on the right of the screen 2. Browse the API from the left of the screen on a browser 3. As we trigger a spider scan, it would be visible in the UI 4. Poll the Spider Status API 5. Get results from passive scan 6. Trigger an Active Scan from the API, the scanning would start and it would be evident on the ZAP UI 7. Demonstrate a Shutdown ZAP API demo [5 minutes]
  • 11. ZAP Baseline scan 1. Quick and fast 2. No prior ZAP experience required 3. Docker is the only dependency 4. Configurable with Command line Options 5. Quickly baseline the security controls of an application or many applications (just passive scanning)
  • 12. ZAP Baseline scan Finds issues like: • Missing / incorrect security headers • Cookie problems • Information / error disclosure • Missing CSRF tokens
  • 13. ZAP Baseline scan - Demo Demo flow: 1. Pull the zap docker image 2. docker run -t owasp/zap2docker-stable zap-baseline.py -t http://www.renthoughtsweb.com:8020 2. Interpreting the results of the baseline scan 3. Generating and Using a scan configuration file 4. Mass baseline scan [5 minutes]
  • 14. 1 The available API Clients 1. Java - https://github.com/zaproxy/zap-api-java 2. Python - https://github.com/zaproxy/zap-api-python 3. DotNet - https://github.com/zaproxy/zap-api-dotnet 4. PHP 5. Node JS 6. GO 7. . 8. .
  • 15. 1 Automating Quick Scan - via python API client Flow: 1. Start ZAP programmatically 2. Wait for ZAP to initialize 3. zap.spider.scan(targeturl) 4. Wait till zap.spider.status(scanid) is 100 5. zap.ascan.scan(target) 6. Wait till zap.ascan.status(scanid) is 100 7. zap.core.alerts() 8. zap.core.htmlreport(target) [5 minutes]
  • 16. 1 Automating authenticated scans 1. Create a context in the name of the application 2. Choose the mode of authentication (for instance Forms Authentication) 3. Provide Authentication information 4. Spider 5. Scan 6. Extract Results
  • 17. 1 Automating Authenticated Scan - Demo via Dot Net API Client
  • 18. 1 Authenticated Scan Demo Flow: 1. Start ZAP programmatically 2. Wait for ZAP to initialize 3. api.context.newContext 4. api.context.includeInContext 5. api.users.newUser 6. api.forcedUser.setForcedUser 7. api.forcedUser.setForcedUserModeEnabled 8. api.spider.scan 9. api.ascan.scan 10. api.core.htmlreport [5 minutes]
  • 19. 1 Security Regression Testing Well, let me watch you here!
  • 20. 2 Integrating with Selenium Test cases - Demo via Java API Client
  • 21. 2 Selenium Integration Demo Flow: 1. Start ZAP programmatically 2. Wait for ZAP to initialize 3. Set up Selenium web driver with proxy settings 4. Run the selenium test cases 5. api.spider.scan 6. api.ascan.scan 7. api.core.htmlreport A recorded quick demo - https://vimeo.com/222238217 [5 minutes]
  • 23. Tips from the field for CI / CD Integration
  • 24. Tips from the field for CI / CD Integration 1. Tune the scan policies for faster scans
  • 25. Tips from the field for CI / CD Integration 2. Try running the scans on Report-Only mode After doing some learning about false positives and application behaviors, break the build
  • 26. Tips from the field for CI / CD Integration 3. Secure HTTP headers check is trivial yet highly useful (Story about Mixed HTTP/HTTPS content) (Story about missing CSRF protection at some pages)
  • 27. Tips from the field for CI / CD Integration 4. Timed passive scans (baseline scan) on Continuous Integration 5. Deep Scan on nightly builds
  • 28. 2 Scripting for ZAP Script things that are not supported out of the box Script for automating regular VAPT activities Script to modify request and responses .. And much more Scripting can be done in 1. Python 2. Ruby 3. ZEST 4. Javascript
  • 29. 2 Quick Demo – Python scripting Find insecure HTTP verbs on server
  • 30. 3 Quick Demo – Python scripting Payload Generator Script to use while fuzzing
  • 31. 3 Quick Demo – ZEST Security Regression Scripting Demo flow: 1. Demonstrate an Open Redirect Flaw 2. Add a ZEST Script 3. Add an Assert to ensure the Application doesn’t redirect to other domains
  • 32. Useful cmdline options • Turn off db recovery (speeds things up) -config database.recoverylog=false • Update all add-ons -addonupdate • Run without the UI -daemon • Listen on a specified host and port -host 127.0.0.1 –port 7070 • Setting the API key -config api.key=j8WdOEq8dhwWE24VGDsreP • Disable API key in a safe environment -config api.disablekey=true 32
  • 33. ZAP – Need Help? ZAP user group - https://groups.google.com/forum/#!forum/zaproxy -users ZAP Evangelists - https://github.com/zaproxy/zaproxy/wiki/ZapEvang elists ZAP Developers group - https://groups.google.com/forum/#!forum/zaproxy -develop
  • 34. ZAP - Get Involved Use the tool Recommend Write Add-ons Write Scanners / Scripts Report bugs
  • 35. Conclusion • Consider security at all stages of development cycle • OWASP ZAP is ideal for automating security tests • It is also a great way to learn about security “Man is a tool-using animal. Without tools he is nothing, with “right set of” tools he is all”
  • 36. Any Questions? gmaran23 @ gmail . com http://www.owasp.org/index.php/ZAP