A deep dive into OWASP ZAP automation and authentication. The slides are from a 3-hour workshop delivered as part of the All Day DevOps Spring Break conference held in April 2020.
4. ZAP Overview
● The world's most widely used web app scanner
– March 2020
● > 85,000 direct downloads
● > 220,000 Docker pulls
● > 1 million runs
in just that one month!
7. Target Applications
● BodgeIt Store
– Traditional app, simple, relatively easy
– Not maintained, only good for simple demos ;)
● OWASP Juice Shop
– Modern, lots of pain points
– Well maintained, very good for manual testing
14. Baseline Options
docker run owasp/zap2docker-stable zap-baseline.py -h
Usage: zap-baseline.py -t <target> [options]
-t target         target URL including the protocol, eg https://www.example.com
Options:
-h                print this help message
-c config_file    config file to use to INFO, IGNORE or FAIL warnings
-u config_url     URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file       generate default config file (all rules set to WARN)
-m mins           the number of minutes to spider for (default 1)
-r report_html    file to write the full ZAP HTML report
-w report_md      file to write the full ZAP Wiki (Markdown) report
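The -g and -c options above generate and consume the rule configuration file that turns baseline warnings into a pass/fail gate. As an added example (not from the workshop slides or the ZAP project), the script below rewrites a generated config so that selected rules FAIL the scan or are IGNOREd while everything else stays WARN; it assumes the generated file holds one tab-separated "<rule id> <action> (<rule name>)" line per rule plus '#' comments, and the sample file content is constructed.

```python
"""Tighten a zap-baseline.py rule config generated with -g (all rules WARN)."""
import re
from typing import Dict, Iterable, List

# Assumed format of a generated config file: one rule per line,
# "<rule id>\t<INFO|IGNORE|WARN|FAIL>\t(<rule name>)", with '#' comment lines.
RULE_LINE = re.compile(r"^(?P<id>\d+)\t(?P<action>INFO|IGNORE|WARN|FAIL)\t(?P<name>\(.*\))$")
ACTIONS = ("INFO", "IGNORE", "WARN", "FAIL")


def apply_policy(lines: Iterable[str], policy: Dict[str, str]) -> List[str]:
    """Return the config with the actions of the rule ids in `policy` rewritten.

    Every non-comment line must match RULE_LINE and every policy action must be
    one zap-baseline accepts; anything else raises, so a typo in the policy
    cannot silently leave a rule at WARN and let the build pass.
    """
    bad = {rid: act for rid, act in policy.items() if act not in ACTIONS}
    if bad:
        raise ValueError(f"invalid actions: {bad}")
    out, seen = [], set()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip() or line.startswith("#"):
            out.append(line)  # comments and blank lines pass through untouched
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised config line: {line!r}")
        rid = m.group("id")
        seen.add(rid)
        action = policy.get(rid, m.group("action"))
        out.append(f"{rid}\t{action}\t{m.group('name')}")
    missing = set(policy) - seen
    if missing:  # a policy entry for a rule the generated file lacks is a mistake
        raise ValueError(f"policy references unknown rule ids: {sorted(missing)}")
    return out


# Constructed sample of what -g produces (rule names here are illustrative only)
SAMPLE_GENERATED = """# zap-baseline rule configuration file
# Only the rule identifiers are used - the names are just for info
10010\tWARN\t(Cookie No HttpOnly Flag)
10020\tWARN\t(X-Frame-Options Header Scanner)
10021\tWARN\t(X-Content-Type-Options Header Missing)
""".splitlines()

# Policy: fail the scan on a missing X-Frame-Options header, ignore the cookie
# flag finding, leave the rest at WARN.
POLICY = {"10020": "FAIL", "10010": "IGNORE"}

if __name__ == "__main__":
    print("\n".join(apply_policy(SAMPLE_GENERATED, POLICY)))
```

Write the returned lines to a file and pass it with -c; zap-baseline then exits non-zero when a FAIL rule fires, which is what a CI job needs.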
15. BodgeIt Baseline Scan
Scan                    Time    URLs  Warnings
Baseline default        1 min   410   13
Baseline default (2nd)  1 min   410   13
Baseline -a             1 min   411   17
Baseline -j             2 mins  422   14
Baseline -a -j          2 mins  421   16
Baseline -a -j -m 5     6 mins  422   17
17. Juice Shop Baseline Scan
Scan                    Time     URLs  Warnings
Baseline default        1 min    27    5
Baseline default (2nd)  1 min    27    5
Baseline -a             2 mins   27    7
Baseline -j             2 mins   75    10
Baseline -a -j          4 mins   72    11
Baseline -a -j -m 5     13 mins  63    11
27. Authentication Overview
● Web authentication is hard!
● ZAP should be able to cope with anything
● But we know it's not easy to configure
● Client-based authentication was even harder than I expected :P
34. Juice Shop Std Authentication
● Auth header and cookie based session
● Simple login form, Ajax & JSON
● Logged in/out indicators NOT available in most HTTP reqs/resps