2020 ADDO Spring Break OWASP ZAP Automation
•
3 gefällt mir•616 views
A deep dive into OWASP ZAP Automation and Authentication. The slides are from a 3 hour workshop delivered as part of the All Day DevOps Spring Break conference help in April 2020
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie 2020 ADDO Spring Break OWASP ZAP Automation
Ähnlich wie 2020 ADDO Spring Break OWASP ZAP Automation (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
2020 ADDO Spring Break OWASP ZAP Automation
- 1. ZAP Automation Deepdive Simon Bennetts ZAP Project Lead Mozilla Security Team
- 2. Workshop Overview ● Quick Intro to ZAP ● Packaged Scans ● Authentication ● Daemon and API
- 3. ZAP Overview
- 4. ZAP Overview ● The worlds most widely used web app scanner – March 2020 ● > 85,000 Direct downloads ● > 220,000 Docker pulls ● > 1 Million Runs in just that one month!
- 5. ZAP Runtime Options ● Desktop UI ● Heads Up Display ● Command Line ● Packaged Scans ● Daemon + API
- 6. ZAP Automation ● Command Line ● Packaged Scans – Baseline Scan – API Scan – Full Scan ● Daemon + API
- 7. Target Applications ● BodgeIt Store – Traditional app, simple, relatively easy – Not maintained, only good for simple demos ;) ● OWASP Juice Shop – Modern, lots of pain points – Well maintained, very good for manual testing
- 9. Command Line Demo ● ZAP installed locally ● BodgeIt running Docker docker pull psiinon/bodgeit docker run --rm -p 8080:8080 -i -t psiinon/bodgeit cd 'C:Program FilesOWASPZed Attack Proxy' ./zap.bat -cmd -quickurl http://localhost:8080/bodgeit -quickprogress
- 10. ZAP Packaged Scans ● Baseline Scan ● API Scan ● Full Scan
- 11. Baseline Demo ● ZAP baseline scan (docker) ● BodgeIt running Docker docker pull psiinon/bodgeit docker pull owasp/zap2docker-stable docker run --rm -p 8080:8080 -i -t psiinon/bodgeit docker run -t owasp/zap2docker-stable zap-baseline.py -t http://localhost:8080/bodgeit Fails :(
- 12. Baseline Demo v2 ● ZAP baseline scan (docker) ● BodgeIt running in Docker docker pull psiinon/bodgeit docker pull owasp/zap2docker-stable docker network create zapnet docker run --rm -p 8080:8080 --net zapnet -i -t psiinon/bodgeit docker run -t --net zapnet owasp/zap2docker-stable zap-baseline.py -t http://192.168.0.32:8080/bodgeit
- 13. Baseline Defaults ● Traditional Spider for up to 1 min ● No Ajax Spider ● Passive scan – release and beta quality rules
- 14. Baseline Options docker run owasp/zap2docker-stable zap-baseline.py -h Usage: zap-baseline.py -t <target> [options] -t target target URL including the protocol, eg https://www.example.com Options: -h print this help message -c config_file config file to use to INFO, IGNORE or FAIL warnings -u config_url URL of config file to use to INFO, IGNORE or FAIL warnings -g gen_file generate default config file (all rules set to WARN) -m mins the number of minutes to spider for (default 1) -r report_html file to write the full ZAP HTML report -w report_md file to write the full ZAP Wiki (Markdown) repor
- 15. Bodgeit Baseline Scan Scan Time URLs Warnings Baseline default 1 min 410 13 Baseline default 2nd 1 min 410 13 Baseline -a 1 min 411 17 Baseline -j 2 mins 422 14 Baseline -a -j 2 mins 421 16 Baseline -a -j -m 5 6 mins 422 17
- 16. Baseline Demo – Juice Shop ● ZAP baseline scan (docker) ● JuiceShop running in Docker docker pull bkimminich/juice-shop docker pull owasp/zap2docker-stable docker network create zapnet docker run --rm -p 3000:3000 --net zapnet bkimminich/juice-shop docker run -t --net zapnet owasp/zap2docker-stable zap-baseline.py -t http://192.168.0.32:3000
- 17. Juice Shop Baseline Scan Scan Time URLs Warnings Baseline default 1 min 27 5 Baseline default 2nd 1 min 27 5 Baseline -a 2 mins 27 7 Baseline -j 2 mins 75 10 Baseline -a -j 4 mins 72 11 Baseline -a -j -m 5 13 mins 63 11
- 18. Baseline GitHub Action ● https://github.com/marketplace/actions/owasp-zap-baseline-scan ● Run the baseline on GitHubs infrastructure ● Same ‘command line’ options supported ● Automatically maintains issues
- 20. API Scan ● Tuned for apps with no UI but a defined API ● Definitions supported: – OpenAPI – SOAP
- 21. Full Scan Defaults ● No timelimit ● No Ajax Spider ● Passive scan – release and beta quality rules ● Active scan – release and beta quality rules
- 22. Full Scan GitHub Action ● “Coming soon!”
- 24. Packaged Scan Tuning ● Rule configuration file ● ZAP config options ● Scan hooks
- 26. Authentication
- 27. Authentication Overview ● Web authentication is hard! ● ZAP should be able to cope with anything ● But we know its not easy to configure ● Client based authentication was even harder than I expected :P
- 28. Authentication Plan ● Authenticate vs BodgeIt ● Authenticate vs Juice Shop (form) ● Authenticated vs Juice Shop (SSO) ● Automating authentication
- 29. ZAP Authentication ● Needs to understand: – Session handling – Authentication process – Credentials
- 31. BodgeIt Authentication ● Traditional cookie based session ● Simple login form, POST request ● Logged in/out indicators available in most HTTP reqs/resps
- 34. Juice Shop Std Authentication ● Auth header and cookie based session ● Simple login form, Ajax & JSON ● Logged in/out indicators NOT available in most HTTP reqs/resps
- 36. ZAP Auth related Scripts ● Authentication ● Session Management ● Selenium ● HTTP Sender
- 37. ZAP Authentication Scripts ● Handles authentication :) ● Key methods – authenticate(helper, paramVals, creds)
- 38. ZAP Session Mgmt Scripts ● Handles session management :) ● Key methods – extractWebSession(sessionWrapper) – clearWebSessionIdentifiers(sessionWrapper) – processMessageToMatchSession(sessionWrapper)
- 39. ZAP Selenium Scripts ● Run when ZAP launches a browser ● Key methods – browserLaunched(ssutils)
- 40. ZAP HTTP Sender Scripts ● Run when any req/resp goes through ZAP ● Key methods – sendingRequest(msg, initiator, helper) – responseReceived(msg, initiator, helper)
- 41. ZAP Auth Related Script Questions?
- 43. Juice Shop SSO Authentication ● Session handling as before ● Login via Google SSO ● In practice needs a browser