OWASP ZAP API Automation
Workshop
Session Agenda
● Introduction to ZAP
● Familiarize with ZAP UI
● Hands on workshop of using ZAP with selenium
● Hands on some key features of ZAP using ZAP API
● Demo - ZAP Integration with CI/CD
What is ZAP ?
● The OWASP Zed Attack Proxy (ZAP) is a penetration
testing tool for finding vulnerabilities in web
applications.
● Designed to be used by people with a wide range of
security experience.
● Cross platform.
● Marketplace.
● Released in September 2010.
● Current version: 2.7.0
Key Features of ZAP
● Intercepting proxy
● Spider
● Passive Scanners
● Active Scanners
● Fuzzing
● Report Generation
Active Scan
● Performs attacks on the application
● Run when explicitly invoked by the user
● Scan policy
● Set of pre-configured rules
● Attack Strength (how many requests a rule sends per parameter)
○ Low – up to 6 requests
○ Medium – up to 12 requests
○ High – up to 24 requests
○ Insane – over 24 requests
● Alert threshold (how readily a rule raises an alert)
○ Off – the scanner rule won't run.
○ Low – raises more alerts, may lead to false positives.
○ High – raises fewer alerts, may lead to false negatives.
● Cannot identify logical vulnerabilities
○ Example – broken access control
Report Generation
Alert – potential vulnerability
Risk – Informational, Low, Medium, High
Beware of false positives
Confidence
● False Positive - for potential issues that you later find are not exploitable
● Low - for unconfirmed issues
● Medium - for issues you are somewhat confident of
● High - for findings you are highly confident in
● Confirmed - for confirmed issues
Tag an alert as a false positive
Fuzzing
Automated software testing technique that involves providing
invalid, unexpected, or random data as inputs to a computer
program.
ZAP allows you to fuzz any request using:
● A built-in set of payloads
● Payloads defined by optional add-ons
● Custom scripts
HANDS ON ...
https://github.com/sukesh7/ZapWorkshop.git
Active Scan
Rules
● Release quality: master/src/org/zaproxy/zap/extension/ascanrules
● Beta quality: branches/beta/src/org/zaproxy/zap/extension/ascanrulesBeta
● Alpha quality: branches/alpha/src/org/zaproxy/zap/extension/ascanrulesAlpha
Integration with CI/CD
Security tests in CI pipeline - Early feedback on security vulnerabilities
Steps:
● Start the ZAP daemon on port 8080
● Run tests (browser tests proxied through ZAP)
● Generate results
● Fail the build for HIGH-risk vulnerabilities
● Stop the server
Demo on configuring ZAP in Go CI
Active scan rules mapping page – https://www.owasp.org/index.php/ZAPpingTheTop10
More ZAP Features…
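The CI steps above, and the "beware of false positives" advice from the report slide, as one added example that is not part of the workshop repository or the ZAP project: a pipeline gate that waits for the ZAP daemon, pulls the alerts for the target through the ZAP JSON API, writes the HTML report, fails the build when any High-risk alert remains, and shuts the daemon down. Alerts that were tagged "False Positive" in the ZAP UI are ignored by the gate. ZAP_URL, ZAP_API_KEY, ZAP_TARGET, the report file name and the SAMPLE_ALERTS fixture are assumptions of this example; the API endpoints used (core/view/version, core/view/alerts, core/other/htmlreport, core/action/shutdown) and the X-ZAP-API-Key header are ZAP's own.

```python
"""ZAP CI gate (constructed example): wait for the daemon, collect alerts,
write the report, fail the build on untagged High-risk alerts, stop ZAP."""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumptions: the daemon was started on port 8080 by an earlier pipeline step,
# its API key is exported as ZAP_API_KEY, and ZAP_TARGET is the app under test.
ZAP_URL = os.environ.get("ZAP_URL", "http://127.0.0.1:8080")
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")
TARGET = os.environ.get("ZAP_TARGET", "http://app-under-test.example:8000")
REPORT_FILE = "zap-report.html"

RISK_LEVELS = ("Informational", "Low", "Medium", "High")

# Constructed fixture in the shape ZAP's core/view/alerts returns, used for
# `--sample` runs so the gate logic can be exercised without a live daemon.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium", "url": "http://t/a"},
    {"alert": "Cross Site Scripting", "risk": "High", "confidence": "False Positive", "url": "http://t/b"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium", "url": "http://t/c"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium", "url": "http://t/d"},
    {"alert": "Information Disclosure", "risk": "Informational", "confidence": "Low", "url": "http://t/e"},
]


def zap_request(path, **params):
    """Call one ZAP API endpoint; /JSON/ views are decoded, other formats returned as bytes."""
    url = f"{ZAP_URL}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": ZAP_API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if path.startswith("/JSON/") else body


def wait_for_zap(attempts=30, delay=2.0):
    """Block until the daemon answers, so tests are not proxied into a port nobody listens on."""
    for _ in range(attempts):
        try:
            return zap_request("/JSON/core/view/version/")["version"]
        except (urllib.error.URLError, OSError):
            time.sleep(delay)
    raise RuntimeError("ZAP daemon did not come up on " + ZAP_URL)


def summarize(alerts):
    """Count alerts per risk level (Informational, Low, Medium, High)."""
    counts = {level: 0 for level in RISK_LEVELS}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def high_risk_alerts(alerts):
    """High-risk alerts that were not tagged as false positives in the ZAP UI."""
    return [a for a in alerts
            if a.get("risk") == "High" and a.get("confidence") != "False Positive"]


def build_should_fail(alerts):
    """The gate: any remaining High-risk alert fails the build."""
    return len(high_risk_alerts(alerts)) > 0


def main():
    if "--sample" in sys.argv:
        alerts = SAMPLE_ALERTS
    else:
        print("ZAP version", wait_for_zap())
        # "Run tests" happens between here and the alert fetch in a real pipeline:
        # the selenium suite runs with its browser proxied through ZAP.
        alerts = zap_request("/JSON/core/view/alerts/", baseurl=TARGET)["alerts"]
        with open(REPORT_FILE, "wb") as fh:
            fh.write(zap_request("/OTHER/core/other/htmlreport/"))
    print("Alerts by risk:", summarize(alerts))
    for a in high_risk_alerts(alerts):
        print(f"HIGH: {a.get('alert')} at {a.get('url')} (confidence {a.get('confidence')})")
    if "--sample" not in sys.argv:
        try:
            zap_request("/JSON/core/action/shutdown/")  # "Stop Server" step
        except OSError:
            pass  # the daemon may close the connection while shutting down
    return 1 if build_should_fail(alerts) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the last pipeline step after the browser tests; the non-zero exit code is what makes the CI job fail. The risk summary printed before the gate decision is worth keeping in the job log, because a build that passes with a growing Medium count is the trend a reviewer wants to see before it becomes a High.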
● Authentication and session support
● Smartcard and client digital certificate support
● Anti-CSRF token handling
● Port scanner
● WebSockets support
● Marketplace
Questions?
Thank you