ZAP provides automated security tests in continuous integration pipelines
Always On
The Client Is Always Right
If you need to make any complex changes to your configuration files, you should consider making changes like adding credentials for a login in the full-blown GUI (over VNC or otherwise) and then exporting them to a file so you can use them in the API afterward.
To install the Python client, run the pip command:
$ pip install python-owasp-zap-v2.4
Don't be too put off if a search within your distribution's package manager (e.g., Apt or Yum) for the pip package offers unusual results. My results reported in the package description that v2.4 was version 2.6, which confused me about the possibility of API versus client version incompatibilities.
After you've started a set of tests, you can return to the browser user interface that's offered by the API and enter a scanID, which then returns JSON-style output giving the scan's progress as a percentage under the key status. Take note that the AJAX spider is different and only reports a running status, as opposed to a percentage, until it's completed.
Markups
Once you've grasped the API, you can produce some shiny, useful reports to complement your testing strategy, and there's certainly no harm in compressing and archiving them for future reference. The marvel that is ZAP offers XML and HTML output with simple scripting examples to add to your arsenal.
Additionally, you can produce alert-only reports that boil down the results to display just the salient details. In addition to paging through alerts, the API lets you stop ZAP dead in its tracks if it's hit a fatal error, should it ever find something too nasty to continue.
ZAP is a potentially destructive tool, so choose your target URLs with great care, unless you want to find out how good you look in an orange jumpsuit.
Other reports include status responses from the API for logins and logouts, scan statistics, and active scan results. You can even tune your timeouts meticulously and make sure any problematic tests don't prevent other tests from completing.
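The polling, paging and timeout behaviour described above can be driven from a small pipeline script without the client library. The following is an added example, not code from the article or from the ZAP project: it talks to ZAP's JSON API with the standard library only, treats the spider and active scanner as percentage reporters and the AJAX spider as a running/stopped reporter, pages through alerts with the start/count parameters of core/view/alerts, and gives every scan a time budget so one stuck scan fails loudly instead of blocking the rest of the run. The base URL, the placeholder API key and the injectable fetch function are assumptions made for the example.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode

# Assumed settings (not from the article): ZAP's API on its default local port
# and an API key supplied by the pipeline; the key here is a placeholder.
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "PLACEHOLDER_API_KEY"


class ScanTimeout(Exception):
    """Raised when a scan does not finish inside its time budget."""


def zap_view(component, view, params=None, fetch=None):
    """GET one JSON 'view' from the ZAP API and return the decoded object.

    fetch(url) -> str may be supplied to stand in for the HTTP call, which
    keeps the polling and paging logic testable without a running ZAP.
    """
    query = dict(params or {})
    query["apikey"] = API_KEY
    url = f"{ZAP_BASE}/JSON/{component}/view/{view}/?{urlencode(query)}"
    if fetch is None:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8")
    else:
        body = fetch(url)
    return json.loads(body)


def scan_progress(component, scan_id, fetch=None):
    """Return (finished, detail) for a spider, ascan or ajaxSpider scan.

    spider and ascan report a percentage under "status"; the AJAX spider only
    reports "running"/"stopped", so it counts as finished once it says "stopped".
    """
    if component == "ajaxSpider":
        status = zap_view("ajaxSpider", "status", fetch=fetch)["status"]
        return status == "stopped", status
    status = zap_view(component, "status", {"scanId": scan_id}, fetch=fetch)["status"]
    percent = int(status)
    return percent >= 100, percent


def wait_for_scan(component, scan_id, timeout_s=600, poll_s=5,
                  fetch=None, sleep=time.sleep, clock=time.monotonic):
    """Poll until the scan finishes; raise ScanTimeout when the budget runs out.

    Raising rather than looping forever means one stuck scan fails loudly and
    lets the rest of the pipeline's tests carry on. Returns the poll count.
    """
    deadline = clock() + timeout_s
    polls = 0
    while True:
        polls += 1
        finished, detail = scan_progress(component, scan_id, fetch=fetch)
        if finished:
            return polls
        if clock() >= deadline:
            raise ScanTimeout(f"{component} scan {scan_id!r} still at {detail} "
                              f"after {timeout_s}s")
        sleep(poll_s)


def collect_alerts(base_url, page_size=100, fetch=None):
    """Page through core/view/alerts for base_url and return every alert."""
    alerts, start = [], 0
    while True:
        page = zap_view("core", "alerts",
                        {"baseurl": base_url, "start": start, "count": page_size},
                        fetch=fetch)["alerts"]
        alerts.extend(page)
        if len(page) < page_size:
            return alerts
        start += page_size


def summarise_alerts(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 3}."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    # Against a live ZAP this assumes an active scan with id "1" was started
    # earlier in the pipeline against a target you own (hypothetical URL).
    wait_for_scan("ascan", "1")
    print(summarise_alerts(collect_alerts("http://localhost:8081")))
```

The fetch and clock parameters exist so the control flow can be exercised offline; in a pipeline you leave them at their defaults and pick timeout_s per scan type, with the AJAX spider usually needing the most generous budget.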
The End
The deeper you delve into your application with ZAP tests, the richer the results you receive. ZAP encourages you to run unit tests proxied through ZAP for best results. As mentioned, as your tests mature over time, they will become more effective.
If you want to continue learning about ZAP, refer to the OWASP page with video help [1]. The User Guide link on that page jumps to the GitHub page [12], which is the official site and the most useful starter page for beginners.
For up-to-date images, you can swap stable in the image name with weekly for a newer, slightly unstable version of ZAP for your automation needs; you would then run the owasp/zap2docker-weekly image instead. Not only do ZAP's developers recommend doing this for automated testing, they also have a good historical track record on weekly releases, so they're probably quite safe.
Used internally and integrated with your pipeline, ZAP is a genuinely powerful addition to any CI setup. At the risk of sounding like a stuck record, you should pay close attention to how you're using ZAP and only aim it at systems you own. As you continue to use it, pay heed to the fact that the maturity of your tests is what counts.
I'm looking forward to learning more about ZAP. It's a relatively safe bet that your organization will thank you for deploying ZAP today and then again at some point in the future when it keeps a potentially expensive mistake from making it into production.
Special Thanks
This article was made possible by support from Linux Professional Institute
Infos
[1] ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
[2] OWASP: https://www.owasp.org
[3] WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[4] TightVNC: http://www.tightvnc.com
[5] "Zap" Your App's Vulnerabilities: https://www.owasp.org/images/3/32/Owasp_zap_flyer_v2.pdf
[6] OSI Layer 7: https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer
[7] ZAP extensions: https://github.com/zaproxy/zap-extensions
[8] Docker image with ZAP pre-installed: https://github.com/zaproxy/zaproxy/wiki/Docker
[9] Community Scripts: https://github.com/zaproxy/community-scripts
[10] ZAP issues: https://github.com/zaproxy/zaproxy/issues/3796
[11] ELinks: http://elinks.or.cz
[12] User Guide: https://github.com/zaproxy/zap-core-help/wiki