Lead Image © Maxim Maksutov, 123RF.com
Application security testing with ZAP in a Docker container
Dynamic Duo
The Internet has seemingly endless security concerns. The treasures that lie behind some organizations' websites are not only valuable commercially but can genuinely influence the economic development of whole countries if trade or military secrets are stolen. As a result, the number of both automated and expertly targeted online attacks has risen significantly over the last decade or so.
Security professionals have upped their efforts, striving to help create new tools, processes, and procedures to mitigate ever-evolving attacks. As for many items that hold value, seemingly as soon as an innovative defense is created, it is invariably defeated, and its treasures are plundered.
As each new defense formerly thought to be robust is exposed to be otherwise, new attack vectors appear, and offensive security testing professionals adapt their attacks and test their own systems and websites against these vulnerabilities.
The OWASP Top 10 project [1], an "… open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted," has "injection" as the number one issue in their latest Top 10 report.
In this article, I walk through automating Structured Query Language (SQL) injection attacks in a test laboratory. As with all self-respecting DevOps environments, it's much better to containerize applications for portability and predictability, so I use Docker containers, which also means you can be up and running in a matter of minutes.
SQL injection attacks, or SQLi, are a very popular way to break into websites through badly written applications. OWASP describes such attacks as resulting "… in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. Injection can sometimes lead to complete host takeover." In cybersecurity parlance, the type of
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Hacking Mutillidae II
Ethical hacking against the Mutillidae II vulnerable application can improve your security knowledge. -
ZAP provides automated security tests in continuous integration pipelines
Despite the abundance of tools that test code and help improve the effectiveness of a continuous integration pipeline, automated security testing is much more difficult to get right than it might appear. -
Scanning servers with Nikto
The Nikto scanner performs multiple comprehensive tests against web servers. -
Dockerizing Legacy Applications
Sooner or later, you'll want to convert your legacy application to a containerized environment. Docker offers the tools for a smooth and efficient transition. -
Security risks from insufficient logging and monitoring
Although inadequate logging and monitoring cannot generally be exploited for attacks, it nevertheless significantly affects the level of security.