Automating OWASP ZAP - DevCSecCon talk


Workshop:
Automating
OWASP ZAP

Simon Bennetts

OWASP ZAP Project Lead
Mozilla Cloud Security
[email protected]

DevSecCon

London 2016

The Workshop Plan

Who is this for?

What are we trying to solve?

What can you get out of this?

Introduction to ZAP

Where to start

Where to go from there

Who is this for?

Developers

QA

Operations

Security

Consultants

(Managers)

Whoever is involved in automation ;)

What are we trying to solve?

Find security issues as early as possible

Integration into the devops pipeline

Finding all of the possible vulnerabilities

Putting pentesters out of a job :P

What are we not trying to solve?

What can you get out of this?

A way to quickly evaluate your apps

Options for more thorough scanning

An introduction to the ZAP API

A chance to try things out with me

ZAP Introduction

An easy to use webapp pentest tool

Completely free and open source

OWASP Flagship project

Ideal for beginners

But also used by professionals

Ideal for devs, esp. for automated security tests

Included in all major security distributions

ToolsWatch.org Top Security Tool of 2015

Not a silver bullet!

ZAP Features

Swing based UI for desktop mode

Comprehensive REST(ish) API for daemon mode

Plugin architecture (add-ons)

Online marketplace (all free :)

Release, beta and alpha quality add-ons

Traditional and ajax spiders

Passive and active scanning

Highly configurable, e.g. scan policies

Highly scriptable

Some ZAP use cases

Point and shoot the Quick Start tab

Proxying via ZAP, and then scanning

Manual pentesting

Automated security regression tests

Debugging

Part of a larger security program

ZAP Install Options

Windows .exe

Linux .tar.gz

Mac OS .dmg

Docker Images:
owasp/zap2docker-stable
owasp/zap2docker-weekly

Distros like Kali

Where to start?

The Baseline scan

Completely safe

Runs quickly (1-2 minutes?)

Can be easily integrated into CI/CD

Easy to get started, it just requires the target:

docker pull owasp/zap2docker-weekly
docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com

Very configurable if needed

Baseline scan

Uses docker (the only dependency)

Time limited spider of target (default 1 min)

Just passive scanning

By default warns on all issues

Can change to ignore, info or fail

Can include any ZAP cmdline option

Can ignore any url regex for any rule

Baseline scan - issues

All release and beta passive scan rules, e.g. Missing / incorrect security headers

Cookie problems

Information / error disclosure

Missing CSRF tokens

...

Can optionally include alpha pscan rules

Baseline Demo

Baseline scan usage

Usage: zap-baseline.py -t <target> [options]
    -t target         target URL including the protocol, eg https://www.example.com
Options:
    -c config_file    config file to use to INFO, IGNORE or FAIL warnings
    -u config_url     URL of config file to use to INFO, IGNORE or FAIL warnings
    -g gen_file       generate default config file (all rules set to WARN)
    -m mins           the number of minutes to spider for (default 1)
    -r report_html    file to write the full ZAP HTML report
    -w report_md      file to write the full ZAP Wiki (Markdown) report
    -x report_xml     file to write the full ZAP XML report
    -a                include the alpha passive scan rules as well
    -d                show debug messages
    -i                default rules not in the config file to INFO
    -j                use the Ajax spider in addition to the traditional one
    -l level          minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
    -s                short output format - dont show PASSes or example URLs
    -z zap_options    ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"

Baseline scan output

./zap-baseline.py -t https://www.example.com
3 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Password Autocomplete in Browser [10012]

WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 1
    https://www.example.com
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
    https://www.example.com
    https://www.example.com/robots.txt
    https://www.example.com/sitemap.xml
WARN: X-Frame-Options Header Not Set [10020] x 1
    https://www.example.com
WARN: X-Content-Type-Options Header Missing [10021] x 1
    https://www.example.com
FAIL: 0    WARN: 4    INFO: 0    IGNORE: 0    PASS: 22

Baseline scan in CircleCI

https://github.com/Securing-DevOps/invoicer/blob/master/circle.yml#L39-L44

# pull down the Zap baseline scanner
- docker pull owasp/zap2docker-weekly

# Run zap against the invoicer
- docker run ${DOCKER_REPO}/${CIRCLE_PROJECT_REPONAME} &
- docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/

Baseline scan conf file

Use the -g option to generate, -c or -u to use

# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if
# Only the rule identifiers are used - the names are just
# You can add your own messages to each rule by appending
10010	WARN	(Cookie No HttpOnly Flag)
10011	WARN	(Cookie Without Secure Flag)
10012	WARN	(Password Autocomplete in Browser)
10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set)
10016	WARN	(Web Browser XSS Protection Not Enabled)
10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
10019	WARN	(Content-Type Header Missing)
10020	WARN	(X-Frame-Options Header Scanner)
10021	WARN	(X-Content-Type-Options Header Missing)
10023	WARN	(Information Disclosure - Debug Error Messages)
10024	WARN	(Information Disclosure - Sensitive Information
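As an added example (not part of the talk and not zap-baseline.py's own code), a small Python 3 script that reads the tab-separated rule configuration format shown above and applies it to alerts of the shape zap.core.alerts() returns, so a CI job can decide its own pass/warn/fail verdict; the exit code convention and the sample config and alerts are this example's own constructed assumptions.

```python
from collections import Counter

LEVELS = ("IGNORE", "INFO", "WARN", "FAIL")  # lowest to highest; IGNORE never counts

def parse_baseline_config(text, default_to_info=False):
    """Parse <rule id> TAB <LEVEL> TAB (<name>) [TAB <message>] lines.
    Returns (rules, default_level); rules maps rule id -> (level, custom message)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # header comments, as written by -g
        parts = line.split("\t")
        if len(parts) < 2 or parts[1].strip().upper() not in LEVELS:
            raise ValueError("malformed rule line: %r" % raw)
        message = parts[3].strip() if len(parts) > 3 else ""
        rules[parts[0].strip()] = (parts[1].strip().upper(), message)
    # like -i: rules absent from the config default to INFO instead of WARN
    return rules, ("INFO" if default_to_info else "WARN")

def classify_alerts(alerts, rules, default_level):
    """Group alert dicts (shape of zap.core.alerts output) by plugin id and apply levels.
    Returns [(level, rule id, alert name, [urls], message)] sorted by rule id."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["pluginId"], {"name": a["alert"], "urls": []})["urls"].append(a["url"])
    out = []
    for rule_id, info in sorted(grouped.items()):
        level, message = rules.get(rule_id, (default_level, ""))
        out.append((level, rule_id, info["name"], info["urls"], message))
    return out

def exit_code(results):
    """Assumed CI convention for this example only: 1 on any FAIL, 2 on any WARN, else 0."""
    counts = Counter(r[0] for r in results)
    return 1 if counts["FAIL"] else 2 if counts["WARN"] else 0

# Constructed config: a custom message, an ignored rule and a failing rule.
SAMPLE_CONFIG = (
    "# zap-baseline rule configuration file\n"
    "10015\tWARN\t(Incomplete or No Cache-control and Pragma HTTP Header Set)\tCDN sets this\n"
    "10016\tIGNORE\t(Web Browser XSS Protection Not Enabled)\n"
    "10020\tFAIL\t(X-Frame-Options Header Not Set)\n")
# Constructed alerts with only the keys used here; 10021 is deliberately not in the config.
SAMPLE_ALERTS = [
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled", "url": "https://www.example.com"},
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set", "url": "https://www.example.com"},
    {"pluginId": "10015", "alert": "Incomplete or No Cache-control and Pragma HTTP Header Set", "url": "https://www.example.com"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "url": "https://www.example.com"},
]
```

Calling classify_alerts(SAMPLE_ALERTS, *parse_baseline_config(SAMPLE_CONFIG)) yields one WARN with the custom message, one IGNORE, one FAIL and one default WARN for the unlisted rule, so exit_code() returns 1.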

Where next?

Mass Baseline scan

Provides a simple dashboard

Shows the detailed results

Shows the per service history

Mass Baseline scan

Part of the community-scripts repo:
zaproxy/community-scripts/api/mass-baseline

Full Scans

Packaged options: Cmdline quick scan

Jenkins plugin

Sdlc-integration scripts

Daemon mode + API

(ZAP as a Service in development)

Cmdline Quick Scan

./zap.sh -cmd -quickurl http://example.com/ -quickprogress
Spidering
Active scanning
[====================] 100%
Attack complete

Passive scanning happens automatically when proxying

To tell when it's finished:

# assumes the earlier setup: import time, and zap = ZAPv2(...) from the zapv2 client
# records_to_scan is a property in the Python API client, not a method
while int(zap.pscan.records_to_scan) > 0:
    print('Pscan records : ' + zap.pscan.records_to_scan)
    time.sleep(5)

print('Pscan completed')

Scanning Active Scan


scanid = zap.ascan.scan(target)  # keep the scan id so status() refers to this scan
time.sleep(5)

while int(zap.ascan.status(scanid)) < 100:
    print('Ascan progress %: ' + zap.ascan.status(scanid))
    time.sleep(5)

print('Ascan completed')

Reporting HTML + XML


# HTML Report
with open('report.html', 'w') as f:
    f.write(zap.core.htmlreport())

# XML Report
with open('report.xml', 'w') as f:
    f.write(zap.core.xmlreport())

Reporting all alert data


# Use paging for lots of alerts
offset = 0
page = 100

alerts = zap.core.alerts('', offset, page)

while len(alerts) > 0:
    for alert in alerts:
        # Do whatever you want with alert, e.g. print its name and URL
        print(alert['alert'] + ' ' + alert['url'])
    offset += page
    alerts = zap.core.alerts('', offset, page)

And don't forget...


# Your work here is done...
zap.core.shutdown()

Any questions about the API?


Authenticating

Authentication can be hard :(

Simple form based auth should be ok

Authentication scripts should be able to handle anything

But if you have complex SSO or equiv you may want a simpler option in your test env

Pro Tip: use the UI to set authentication up!

Auth API Demo

Tuning - speed

Spider time limits

Data driven content

Technology

Active scan: scan rules

Input vectors

Attack strength

Tuning - feedback

Active scan stats

Response stats

Authentication stats (alpha add-on)

Statsd support

Tuning - accuracy

Attack thresholds

Rule configuration (post 2.5.0): forms that don't need CSRF tokens

Increase timing attacks from 5 seconds

Need help?

Getting Started Guide

Desktop Help (also online)

Wiki FAQ, Docs, Videos

ZAP User Group

irc.mozilla.org #websectools

Workshop Summary

Use the baseline scan for a quick security overview

Use the mass baseline to create a dashboard

Use full ZAP scans for more depth

Configure ZAP to authenticate for even better results

If you need help, just ask!

Now go forth and
automate ZAP :)

http://www.owasp.org/index.php/ZAP

The OWASP Foundation
http://www.owasp.org

Copyright The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.