OWASP ZAP API Automation
Download as PPTX, PDF0 likes719 views
This document provides an agenda for an OWASP ZAP API automation workshop. It will include an introduction to ZAP, familiarizing with the UI, using ZAP with Selenium for hands-on exercises, exploring key ZAP features like intercepting proxy, spider, passive/active scanners, fuzzing, and report generation using the ZAP API. It will also demonstrate integrating ZAP with CI/CD pipelines for security testing. The document provides details on active scanning, report generation, fuzzing, and accessing ZAP rules and a GitHub repo for hands-on exercises. It concludes with mentioning additional ZAP features like authentication, anti-CSRF, port scanning, and the ZAP marketplace.
OWASP ZAP API Automation
- 1. OWASP ZAP API Automation Workshop
- 2. Session Agenda ● Introduction to ZAP ● Familiarize with ZAP UI ● Hands on workshop of using ZAP with selenium ● Hands on some key features of ZAP using ZAP API ● Demo - ZAP Integration with CI/CD
- 3. What is ZAP ? ● The OWASP ZED Attack proxy (ZAP) is a penetration testing tool for finding vulnerabilities in the web applications. ● Designed to be used by people with wide range of security experience. ● Cross platform. ● Marketplace. ● Released on September 2010. ● Current version 2.7.0
- 5. Key Features of ZAP ● Intercepting proxy ● Spider ● Passive Scanners ● Active Scanners ● Fuzzing ● Report Generation
- 6. Active Scan ● Performs attacks on the application ● Run when explicitly invoked by the user ● Scan policy ● Set of pre configured rules ● Attack Strength ○ Low – to be up to 6 requests ○ Medium – to be up to 12 requests ○ High- to be up to 24 requests ○ Insane- to be over 24 requests ● Attack threshold ○ Off - scanner won't run. ○ Low - lead to false positives. ○ High - lead to false negatives ● Cannot identify any logical vulnerability ○ Example - broken access control
- 7. Report Generation Alert - Potential vulnerability Risk - Informational,Low,Medium,High Beware of false positives Confidence ● False Positive - for potential issues that you later find are not exploitable ● Low - for unconfirmed issues ● Medium - for issues you are somewhat confident of ● High - for findings you are highly confident in ● Confirmed - for confirmed issues Tag an alert to be false positive
- 8. Fuzzing Automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program ZAP allows you to fuzz any request using: ● A build in set of payloads ● Payloads defined by optional add-ons ● Custom scripts
- 9. HANDS ON ...
- 11. Active Scan Rules ● Release quality: master/src/org/zaproxy/zap/extension/ascanrules ● Beta quality: branches/beta/src/org/zaproxy/zap/extension/ascanrulesBeta ● Alpha quality: branches/alpha/src/org/zaproxy/zap/extension/ascanrulesAlpha
- 12. Integration with CI/CD Security tests in CI pipeline - Early feedback on security vulnerabilities Steps: ● Start ZAP daemon on 8080 port ● Run tests ● Generate results ● Fail build for HIGH vulnerabilities ● Stop Server Demo on configuring ZAP in Go CI Active scan rules mapping page -https://www.owasp.org/index.php/ZAPpingTheTop10
- 13. More ZAP Features…. ● Authentication and session support ● Smartcard and client digital certificate support ● Anti CSRF token handling ● Port scanner ● WebSockets support. ● Marketplace
- 14. Questions ??
- 15. Thank you