Dynamic application security testing (DAST) workshop with OWASP zed attack proxy (ZAP)

1. OWASP ZAP
Dynamic Security Testing Workshop for Testers
Javan Rasokat, Sage - May 2021

2. OWASP Zed Attack Proxy (ZAP)
● OWASP Flagship Project
● “one of the world's most popular free
security tools”
● Web App DAST tool / Vulnerability
Scanner
● Integrated into CI/CD (Jenkins, Azure
DevOps, GitHub Actions, ...)
● Comprehensive API for daemon mode
● 140+ Contributors
● Marketplace for add-ons
● Highly configurable and scriptable
● Multiple Use Cases (you’ll see later)
2

3. Simple, free, valuable & active
3

4. Secure Development Lifecycle (SDL / S-SDLC)
● What scans should you run?
○ Static - Code analysis (SAST)
○ Dynamic - Live analysis (DAST)
● Dynamic Application Security Testing (DAST)
○ Black box testing
○ Requires a WebApp in staging or prod env
○ Finds environment issues
○ Finds run-time issues
4
Build Test Deploy
Shift Left
DevSecOps: Faster better feedback, fail fast and safe

5. What are we trying to solve?
● Finding security issues as early as possible
● Integration into the DevOps pipeline
● Finding all of the possible vulnerabilities
● Putting pentesters out of a job :P
5
What are we NOT trying to solve?

6. 1 Tool - 3 Types of Users
● Pentesters
○ information gathering by recording traffic, manual intercepting of traffic and tampering
data
● Developers
○ running vulnerability scans as part of their CI/CD pipeline e.g. a “ZAP baseline” scan
● Testers
○ running their testing traffic through ZAP for passive scanning and/or active security
testing
The ZAP Head-up-Display (HUD) is applicable for all.
6

7. It is a Tool...
… start playing with it!
zaproxy.org/download
7

8. ZAP as Man-in-the-Middle (MitM)
8

9. Passive Scanning
Demo
9

10. Passive Scan Rules
● Missing / incorrect security headers
● Cookie problems
● Information / error disclosure
● Missing CSRF tokens
● ...
10

11. Attack types - Active scanning
Vulnerability
● SQL-Injection
● Time based SQL-Injection
● SSRF
● Open Redirect
● Reflected XSS
● Path Traversal
● SSTI
● ...
Payload
● api/product/99’ OR 1=1--
● api/product/99’ AND SLEEP(15000);
● api/ctrl?host=http://mydomain.org:38193/ZapTest
● oauth/login?redirect_uri=https://google.com
● spa/welcome?name=ZAP<script>alert(1)</script>
● file/?name=../../../../etc/passwd
● spa/welcome?name=${{1+2}}
● ...
11

12. Many ways for automation...
● Command-line options
● Pre-build Docker Images
● Python, NodeJs + Java CLI Library
● API
● Plugins (Jenkins, Azure DevOps)
● GitHub Actions
● NEW Automation Framework (YAML)
● ThreadFix Scan Agent
● SecureCodeBox for orchestrating mass-scans
12

13. Active Scanning
Automation for
Testers
13

14. Test-driven Scanning vs. Baseline scan
Benefits by using your existing test framework:
● Take advantage of existing tests
● Better coverage of the tested app
○ If you do have good test coverage all endpoints are already covered.
○ For the Crawler/Spider it is difficult to find all endpoints. Therefore it is better to record or
import all API-endpoints.
● The captured traffic is valid.
○ ZAP does not have to guess if a parameter is expected to be a integer or string. Makes it
easier for ZAP in the active scan. A request is not blocked because one of the parameters
is in the wrong format.
14

15. Using Command-line Options
● Command to start ZAP GUI
● As long as you keep ZAP open => HTTP Proxy and API available at localhost:8080
15
cd /Applications/OWASP ZAP.app/Contents/Java
java -jar zap-2.10.0.jar -config scanner.attackOnStart=true
-config view.mode=attack -config api.key=secret123 -
newsession Latest_WebGoat_Scan.session

16. Other useful commands:
● Setting the api key
○ -config api.key=secret123
● Disable API key in a safe environment
○ -config api.disablekey=true
● Tun of db recovery (speeds things up)
○ -config database.recoverylog=false
● Update all add-ons
○ -addonupdate
● Install a non default add-on
○ -addoninstall addonname
● The ZAP Port
○ -port 8080
● Starts ZAP in daemon mode, ie without a UI
○ -daemon
● Allow any source IP to connect
○ -config api.addrs.addr.regex=true
16

17. Using ZAP API
Two API calls to start active Scans:
1. creating a Context
2. add a URL (the target) to the Scope
17
curl
'http://localhost:8080/JSON/context/action/newContext/?zapapiformat=JSON&apikey=s
ecret123&formmethod=GET&contextName=My+Context'
curl
'http://localhost:8080/JSON/context/action/includeInContext/?apikey=secret123&con
textName=My+Context&regex=http://localhost/WebGoat.*'

18. Webdriver.io
● “WebdriverIO lets you control a browser or a mobile application with just
a few lines of code.”
● Simple Selenium binding for JS
● Very popular framework for automation testing
Setting proxy: https://webdriver.io/docs/proxy/
18

19. Selenium Driver Settings
// Set Chrome Options
ChromeOptions chromeOptions = new ChromeOptions(); chromeOptions.addArguments("--
ignore-certificate-errors");
// Set proxy
String proxyAddress = "localhost:8080";
Proxy proxy = new
Proxy();proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
// Set Desired Capabilities
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
capabilities.setCapability(CapabilityType.PROXY, proxy);
capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
capabilities.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);
capabilities.setCapability(ChromeOptions.CAPABILITY, chromeOptions);
19

20. Different ways to become MitM
There is always a way to set a HTTP Proxy...
● Using Browser Settings
● Using a Browser Add-On like FoxyProxy
● Using Java Network Properties
○ jmeter -Dhttp.proxyHost=localhost -
Dhttp.proxyPort=8080 -
Dhttps.proxyHost=localhost -
Dhttps.proxyPort=8080
● Using system-wide OS settings
20
var proxy = "http://localhost:8080";
...
capabilities: [{
browserName: 'chrome',
proxy: {
httpProxy: proxy,
sslProxy: proxy,
ftpProxy: proxy,
proxyType: "MANUAL",
autodetect: false
},
'chrome.switches': [
'--ignore-certificate-errors'
]
}],

21. Solve Strict-Transport-Security Certificate Errors
If you are targeting a web application with Strict-Transport-Security and you
are using a browser, you will need to add ZAP’s Dynamic SSL Certificate to
your browser.
To retrieve the ZAP’s SSL certificate you can download the CA from
● ZAP -> Preferences -> Options -> Dynamic SSL Certificate
To import the ZAP SSL Certificate into Firefox:
● Preferences -> Privacy & Security -> View Certificates -> Authorities ->
Import
PS: Of course you can call the ZAP API to download the cert ;-)
21

22. Report
● HTML File - default
● XML File - default
○ Upload file to ThreadFix, a vulnerability management solution
○ Allows to synchronice with Jira
● JSON Format - a zap-baseline.py option
● Markdown Format - a zap-baseline.py option
● API
○ curl -s 'http://localhost:8080/OTHER/core/other/htmlreport/?apikey=secret123' > report.html
22

23. More Resources
● https://www.zaproxy.org/ - Getting started guide
● https://www.zaproxy.org/zap-in-ten/ - Series of short videos
● https://twitter.com/zaproxy - Official Twitter
23

24. 24
Q&A