This document provides an agenda for an OWASP ZAP API automation workshop. It will include an introduction to ZAP, familiarizing with the UI, using ZAP with Selenium for hands-on exercises, exploring key ZAP features like intercepting proxy, spider, passive/active scanners, fuzzing, and report generation using the ZAP API. It will also demonstrate integrating ZAP with CI/CD pipelines for security testing. The document provides details on active scanning, report generation, fuzzing, and accessing ZAP rules and a GitHub repo for hands-on exercises. It concludes with mentioning additional ZAP features like authentication, anti-CSRF, port scanning, and the ZAP marketplace.

1. OWASP ZAP API Automation
Workshop

2. Session Agenda
● Introduction to ZAP
● Familiarize with ZAP UI
● Hands on workshop of using ZAP with selenium
● Hands on some key features of ZAP using ZAP API
● Demo - ZAP Integration with CI/CD

3. What is ZAP ?
● The OWASP ZED Attack proxy (ZAP) is a penetration
testing tool for finding vulnerabilities in the web
applications.
● Designed to be used by people with wide range of
security experience.
● Cross platform.
● Marketplace.
● Released on September 2010.
● Current version 2.7.0

5. Key Features of ZAP
● Intercepting proxy
● Spider
● Passive Scanners
● Active Scanners
● Fuzzing
● Report Generation

6. Active Scan
● Performs attacks on the application
● Run when explicitly invoked by the user
● Scan policy
● Set of pre configured rules
● Attack Strength
○ Low – to be up to 6 requests
○ Medium – to be up to 12 requests
○ High- to be up to 24 requests
○ Insane- to be over 24 requests
● Attack threshold
○ Off - scanner won't run.
○ Low - lead to false positives.
○ High - lead to false negatives
● Cannot identify any logical vulnerability
○ Example - broken access control

7. Report Generation
Alert - Potential vulnerability
Risk - Informational,Low,Medium,High
Beware of false positives
Confidence
● False Positive - for potential issues that you later find are not exploitable
● Low - for unconfirmed issues
● Medium - for issues you are somewhat confident of
● High - for findings you are highly confident in
● Confirmed - for confirmed issues
Tag an alert to be false positive

8. Fuzzing
Automated software testing technique that involves providing
invalid, unexpected, or random data as inputs to a computer
program
ZAP allows you to fuzz any request using:
● A build in set of payloads
● Payloads defined by optional add-ons
● Custom scripts

9. HANDS ON ...

10. https://github.com/sukesh7/ZapWorkshop.git

11. Active Scan
Rules
● Release quality: master/src/org/zaproxy/zap/extension/ascanrules
● Beta quality: branches/beta/src/org/zaproxy/zap/extension/ascanrulesBeta
● Alpha quality: branches/alpha/src/org/zaproxy/zap/extension/ascanrulesAlpha

12. Integration with CI/CD
Security tests in CI pipeline - Early feedback on security vulnerabilities
Steps:
● Start ZAP daemon on 8080 port
● Run tests
● Generate results
● Fail build for HIGH vulnerabilities
● Stop Server
Demo on configuring ZAP in Go CI
Active scan rules mapping page -https://www.owasp.org/index.php/ZAPpingTheTop10

13. More ZAP Features….
● Authentication and session support
● Smartcard and client digital certificate support
● Anti CSRF token handling
● Port scanner
● WebSockets support.
● Marketplace

14. Questions ??

15. Thank you