The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. This talk by the ZAP project lead will focus on embedding ZAP in continuous integration / delivery pipelines in order to automate security tests. Simon will cover the range of integration options available and explain how ZAP is being integrated into the Mozilla Cloud Services CD pipeline. He will also explain and demonstrate how to drive the ZAP API, which gives complete control over the ZAP daemon.

1. Security Testing with
OWASP ZAP in CI/CD
Simon Bennetts - @psiinon
AMSTERDAM 16 - 17 MAY 2017

2. The Plan
• What are we trying to solve?
• What can you get out of this?
• Introduction to ZAP
• Where to start
• Where to go from there
2

3. What are we trying to solve?
• Find security issues as early as possible
• Integration into the devops pipeline
• Finding all of the possible vulnerabilities
• Putting pentesters out of a job :P
3
What are we not trying to solve?

4. What can you get out of this?
• A way to quickly evaluate your apps
• Options for more thorough scanning
• An introduction to the ZAP API
4

5. 5
ZAP Introduction
• A tool for finding web app vulnerabilities
• One of the worlds most popular free security tools
• Completely free and open source
• OWASP Flagship project
• Ideal for people new to security
• But also used by security professionals
• Ideal for devs, esp. for automated security tests
• Not a silver bullet!

6. 6
ZAP Features
• Swing based UI for desktop mode
• Comprehensive API for daemon mode
• Plugin architecture (add-ons)
• Online ‘marketplace’ (all free:)
• Release, beta and alpha quality add-ons
• Traditional and ajax spiders
• Passive and active scanning
• Highly configurable, eg scan policies
• Highly scriptable

7. Some ZAP use cases
• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
• Debugging
• Part of a larger security program
7

8. ZAP Install Options
• Windows, Linux and Mac OS Installers
• Linux packages, Mac OS Homebrew Cask
• Cross Platform zip
• Docker Images
• owasp/zap2docker-stable
• owasp/zap2docker-weekly
• owasp/zap2docker-live
• Distros like Kali
8

9. Where to start?
• The Baseline scan
• Completely safe
• Runs quickly (1-2 minutes?)
• Can be easily integrated into CI/CD
• Easy to get started – just required the target:
• Very configurable if needed
9
• docker pull owasp/zap2docker-weekly
• docker run -t owasp/zap2docker-weekly
zap-baseline.py -t https://www.example.com

10. Baseline scan
• Uses docker (the only dependency)
• Time limited spider of target (default 1 min)
• Just passive scanning
• By default warns on all issues
• Can change to ignore, info or fail
• Can include any ZAP cmdline option
• Can ignore any url regex for any rule
1

11. Baseline scan - issues
• All release and beta passive scan rules, eg
• Missing / incorrect security headers
• Cookie problems
• Information / error disclosure
• Missing CSRF tokens
•...
• Can optionally include alpha pscan rules
1

12. Baseline scan – usage
1
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www
Options:
-c config_file config file to use to INFO, IGNORE or FAIL warnin
-u config_url URL of config file to use to INFO, IGNORE or FAIL
-g gen_file generate default config file (all rules set to WA
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-a include the alpha passive scan rules as well
-d show debug messages
-i default rules not in the config file to INFO
-j use the Ajax spider in addition to the traditiona
-l level minimum level to show: PASS, IGNORE, INFO, WARN o
-s short output format - dont show PASSes or example
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb

13. Baseline scan – output
1
./zap-baseline.py -t https://www.example.com
3 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Password Autocomplete in Browser [10012]
<snip>
WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
https://www.example.com
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: X-Frame-Options Header Not Set [10020] x 1
https://www.example.com
WARN: X-Content-Type-Options Header Missing [10021] x 1
https://www.example.com
FAIL: 0 WARN: 4 INFO: 0 IGNORE: 0 PASS: 22

14. Baseline scan – conf file
• Use -g option to generate, -c or -u to use
1
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a
10010 WARN(Cookie No HttpOnly Flag)
10011 WARN(Cookie Without Secure Flag)
10012 WARN(Password Autocomplete in Browser)
10015 WARN(Incomplete or No Cache-control and Pragma HTTP Header Set)
10016 WARN(Web Browser XSS Protection Not Enabled)
10017 WARN(Cross-Domain JavaScript Source File Inclusion)
10019 WARN(Content-Type Header Missing)
10020 WARN(X-Frame-Options Header Scanner)
10021 WARN(X-Content-Type-Options Header Missing)
10023 WARN(Information Disclosure - Debug Error Messages)
10024 WARN(Information Disclosure - Sensitive Information in URL)
10025 WARN(Information Disclosure - Sensitive Information in HTTP Refer

15. Where next?
• Mass Baseline scan
• Provides a simple dashboard
• Shows the detailed results
• Shows the per service history
1

16. Mass Baseline scan
• Part of the community-scripts repo:
zaproxy/community-scripts/api/mass-baseline
1

17. Full Scans
• Packaged options:
• Cmdline quick scan
• Jenkins plugin
• Sdlc-integration scripts
• Scripted API scan (coming soon)
• Daemon mode + API
• (ZAP as a Service – in development)
1

18. Cmdline Quick Scan
1
./zap.sh -cmd -quickurl
http://example.com/ -quickprogress
• Spidering
• Active scanning
• [====================] 100%
• Attack complete
• <?xml version="1.0"?><OWASPZAPReport
version="2.5.0" generated="Tue, 4 Oct 2016
09:31:53">
• <site name="http://example.com" ...

19. Official Jenkins plugin

20. Official Jenkins plugin
• https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin
• Maintained by the ZAP core team
• Supports authentication, scan policies, Jira integration
• Dedicated User Group:
https://groups.google.com/group/zaproxy-jenkins
• Supports ZAP 2.6.0 +
2

21. Sdlc integration scripts
• Part of the community-scripts repo:
zaproxy/community-scripts/api/sdlc-integration
• Spidering, passive and active scanning
• Supports authentication
• Supports JIRA integration
• Linux only, requires some file editing
2

22. Useful cmdline options
• Turn off db recovery (speeds things up)
-config database.recoverylog=false
• Update all add-ons
-addonupdate
• Install a non default add-on
-addoninstall addonname
• Setting the API key
-config api.key=j8WdOEq8dhwWE24VGDsreP
• Disable API key in a safe environment
-config api.disablekey=true
2

23. Using the ZAP API
• Intro to the API
• Exploring
• Scanning
• Reporting
• Authenticating
• Tuning
2

24. Intro to the API
• RESTish – ok, only uses GET/POST requests
http(s)://zap/<format>/<component>/
<operation>/<op name>[/?<params>]
• Maps closely to the UI / code
• Theres a v basic (but complete) web UI for it
• And clients in various langs:
Java, Python, Node JS, .Net, PHP, Go …
• Clients are generated from the code
2

25. API UI – Top Level

26. API Pro Tips
1. Experiment with the Desktop UI
2. Export configs from the UI (contexts, scan policies..)
3. Then reproduce using the API UI
4. Finally convert to a script
2

27. Intro – Python API
• Install from pypi:
pip install python-owasp-zap-v2.4
• In your script:
from zapv2 import ZAPv2
zap = ZAPv2()
zap = ZAPv2(proxies={
'http': 'http://localhost:8080',
'https': 'http://localhost:8090'})
2
h
from zapv2 import ZAPv2
zap = ZAPv2(
apikey='mysupersecretkey',
proxies={
'http': 'http://localhost:8090',
'https': 'http://localhost:8090'})
• zap.urlopen(target)
• pip install python-owasp-zap-v2.4

28. Exploring
• Proxy Regression / Unit tests
• Traditional Spider (crawler)
• Ajax Spider (browsers)
• Spider SOAP definition (via alpha add-on)
• Spider Swagger/ OpenAPI definition (via alpha add-on)
• Import ModSecurity2 logs (via alpha add-on)
2

29. Spider Desktop and API UIs

30. Spider Desktop and API UIs

31. Exploring – Trad Spider
3
h
id = zap.spider.scan(target)
• time.sleep(5)
• while int(zap.spider.status(id)) < 100:
• print ('Spider progress %: ' +
zap.spider.status(id))
• time.sleep(5)
• print ('Spider completed')

32. Exploring – Ajax Spider
3
h
id = zap.ajaxSpider.scan(target)
• time.sleep(5)
• while zap.ajaxSpider.status(id) == 'running':
• print ('Ajax Spider # results: ' +
zap.ajaxSpider.number_of_results(id))
• time.sleep(5)
• print ('Ajax Spider completed')

33. Scanning – Passive Scan
3
while int(zap.pscan.records_to_scan) > 0:
• print ('Pscan records : ' +
zap.pscan.records_to_scan)
• time.sleep(5)
• print ('Pscan completed')
h
• Passive scanning happens automatically when proxying
• To tell when its finished:

34. Scanning – Active Scan
3
h
id = zap.ascan.scan(target)
• time.sleep(5)
• while int(zap.ascan.status(id)) < 100:
• print ('Ascan progress %: ' +
zap.ascan.status(id))
• time.sleep(5)
• print ('Ascan completed')

35. Reporting – HTML + XML
3
h
# HTML Report
• with open ('report.html', 'w') as f:
f.write(zap.core.htmlreport())
# XML Report
• with open ('report.xml', 'w') as f:
f.write(zap.core.xmlreport())

36. Reporting – all alert data
3
h
# Use paging for lots of alerts
• offset = 0; page = 5000
• alerts = zap.core.alerts('', offset, page)
• while len(alerts) > 0:
• for alert in alerts:
• # Do whatever you want with alert
• offset += page
• alerts = zap.core.alerts('', offset, page)

37. And dont forget...
3
h
# Your work here is done...
• zap.core.shutdown()

38. Authenticating
• Authentication can be hard :(
• Simple form based auth should be ok
• Authentication scripts should be able to handle anything
• But if you have complex SSO or equiv you may want a
simpler option in your test env
• Pro Top: use the UI to set authentication up!
3

39. Tuning - speed
• Spider time limits
• Data driven content
• Technology
• Active scan
• Scan rules
• Input vectors
• Attack strength
4

40. Tuning - feedback
• Active scan stats
• Response stats
• Authentication stats (alpha add-on)
• Statsd support
4

41. Tuning - accuracy
• Attack thresholds
• Rule configuration
– Forms that dont need CSRF tokens
– Increase timing attacks from 5 seconds
4

42. And if you need help...
• ZAP Getting Started Guide
• ZAP User Guide
• ZAP User Group
• ZAP Developer Group
• ZAP wiki, includes links to videos
• irc.mozilla.com #websectools
4

43. Talk Summary
• Use the baseline scan for a quick security overview
• Use the mass baseline to create a dashboard
• Use the new Jenkins plugin for more depth
• Use the ZAP API for even more control
• If you need help, just ask :)
4

44. Question Time
http://www.owasp.org/index.php/ZAP
AMSTERDAM 16 - 17 MAY 2017