OWASP ZAP Workshop for QA Testers

1. OWASP ZAP Dynamic Security Testing Workshop for Testers Javan Rasokat, Sage - May 2021

2. OWASP Zed Attack Proxy (ZAP) ● OWASP Flagship Project ● “one of the world's most popular free security tools” ● Web App DAST tool / Vulnerability Scanner ● Integrated into CI/CD (Jenkins, Azure DevOps, GitHub Actions, ...) ● Comprehensive API for daemon mode ● 140+ Contributors ● Marketplace for add-ons ● Highly configurable and scriptable ● Multiple Use Cases (you’ll see later) 2

3. Simple, free, valuable & active 3

4. Secure Development Lifecycle (SDL / S-SDLC) ● What scans should you run? ○ Static - Code analysis (SAST) ○ Dynamic - Live analysis (DAST) ● Dynamic Application Security Testing (DAST) ○ Black box testing ○ Requires a WebApp in staging or prod env ○ Finds environment issues ○ Finds run-time issues 4 Build Test Deploy Shift Left DevSecOps: Faster better feedback, fail fast and safe

5. What are we trying to solve? ● Finding security issues as early as possible ● Integration into the DevOps pipeline ● Finding all of the possible vulnerabilities ● Putting pentesters out of a job :P 5 What are we NOT trying to solve?

6. 1 Tool - 3 Types of Users ● Pentesters ○ information gathering by recording traffic, manual intercepting of traffic and tampering data ● Developers ○ running vulnerability scans as part of their CI/CD pipeline e.g. a “ZAP baseline” scan ● Testers ○ running their testing traffic through ZAP for passive scanning and/or active security testing The ZAP Head-up-Display (HUD) is applicable for all. 6

7. It is a Tool... … start playing with it! zaproxy.org/download 7

8. ZAP as Man-in-the-Middle (MitM) 8

9. Passive Scanning Demo 9

10. Passive Scan Rules ● Missing / incorrect security headers ● Cookie problems ● Information / error disclosure ● Missing CSRF tokens ● ... 10

11. Attack types - Active scanning Vulnerability ● SQL-Injection ● Time based SQL-Injection ● SSRF ● Open Redirect ● Reflected XSS ● Path Traversal ● SSTI ● ... Payload ● api/product/99’ OR 1=1-- ● api/product/99’ AND SLEEP(15000); ● api/ctrl?host=http://mydomain.org:38193/ZapTest ● oauth/login?redirect_uri=https://google.com ● spa/welcome?name=ZAP<script>alert(1)</script> ● file/?name=../../../../etc/passwd ● spa/welcome?name=${{1+2}} ● ... 11

12. Many ways for automation... ● Command-line options ● Pre-build Docker Images ● Python, NodeJs + Java CLI Library ● API ● Plugins (Jenkins, Azure DevOps) ● GitHub Actions ● NEW Automation Framework (YAML) ● ThreadFix Scan Agent ● SecureCodeBox for orchestrating mass-scans 12

13. Active Scanning Automation for Testers 13

14. Test-driven Scanning vs. Baseline scan Benefits by using your existing test framework: ● Take advantage of existing tests ● Better coverage of the tested app ○ If you do have good test coverage all endpoints are already covered. ○ For the Crawler/Spider it is difficult to find all endpoints. Therefore it is better to record or import all API-endpoints. ● The captured traffic is valid. ○ ZAP does not have to guess if a parameter is expected to be a integer or string. Makes it easier for ZAP in the active scan. A request is not blocked because one of the parameters is in the wrong format. 14

15. Using Command-line Options ● Command to start ZAP GUI ● As long as you keep ZAP open => HTTP Proxy and API available at localhost:8080 15 cd /Applications/OWASP ZAP.app/Contents/Java java -jar zap-2.10.0.jar -config scanner.attackOnStart=true -config view.mode=attack -config api.key=secret123 - newsession Latest_WebGoat_Scan.session

16. Other useful commands: ● Setting the api key ○ -config api.key=secret123 ● Disable API key in a safe environment ○ -config api.disablekey=true ● Tun of db recovery (speeds things up) ○ -config database.recoverylog=false ● Update all add-ons ○ -addonupdate ● Install a non default add-on ○ -addoninstall addonname ● The ZAP Port ○ -port 8080 ● Starts ZAP in daemon mode, ie without a UI ○ -daemon ● Allow any source IP to connect ○ -config api.addrs.addr.regex=true 16

17. Using ZAP API Two API calls to start active Scans: 1. creating a Context 2. add a URL (the target) to the Scope 17 curl 'http://localhost:8080/JSON/context/action/newContext/?zapapiformat=JSON&apikey=s ecret123&formmethod=GET&contextName=My+Context' curl 'http://localhost:8080/JSON/context/action/includeInContext/?apikey=secret123&con textName=My+Context&regex=http://localhost/WebGoat.*'

18. Webdriver.io ● “WebdriverIO lets you control a browser or a mobile application with just a few lines of code.” ● Simple Selenium binding for JS ● Very popular framework for automation testing Setting proxy: https://webdriver.io/docs/proxy/ 18

19. Selenium Driver Settings // Set Chrome Options ChromeOptions chromeOptions = new ChromeOptions(); chromeOptions.addArguments("-- ignore-certificate-errors"); // Set proxy String proxyAddress = "localhost:8080"; Proxy proxy = new Proxy();proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress); // Set Desired Capabilities DesiredCapabilities capabilities = DesiredCapabilities.chrome(); capabilities.setCapability(CapabilityType.PROXY, proxy); capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true); capabilities.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true); capabilities.setCapability(ChromeOptions.CAPABILITY, chromeOptions); 19

20. Different ways to become MitM There is always a way to set a HTTP Proxy... ● Using Browser Settings ● Using a Browser Add-On like FoxyProxy ● Using Java Network Properties ○ jmeter -Dhttp.proxyHost=localhost - Dhttp.proxyPort=8080 - Dhttps.proxyHost=localhost - Dhttps.proxyPort=8080 ● Using system-wide OS settings 20 var proxy = "http://localhost:8080"; ... capabilities: [{ browserName: 'chrome', proxy: { httpProxy: proxy, sslProxy: proxy, ftpProxy: proxy, proxyType: "MANUAL", autodetect: false }, 'chrome.switches': [ '--ignore-certificate-errors' ] }],

21. Solve Strict-Transport-Security Certificate Errors If you are targeting a web application with Strict-Transport-Security and you are using a browser, you will need to add ZAP’s Dynamic SSL Certificate to your browser. To retrieve the ZAP’s SSL certificate you can download the CA from ● ZAP -> Preferences -> Options -> Dynamic SSL Certificate To import the ZAP SSL Certificate into Firefox: ● Preferences -> Privacy & Security -> View Certificates -> Authorities -> Import PS: Of course you can call the ZAP API to download the cert ;-) 21

22. Report ● HTML File - default ● XML File - default ○ Upload file to ThreadFix, a vulnerability management solution ○ Allows to synchronice with Jira ● JSON Format - a zap-baseline.py option ● Markdown Format - a zap-baseline.py option ● API ○ curl -s 'http://localhost:8080/OTHER/core/other/htmlreport/?apikey=secret123' > report.html 22

23. More Resources ● https://www.zaproxy.org/ - Getting started guide ● https://www.zaproxy.org/zap-in-ten/ - Series of short videos ● https://twitter.com/zaproxy - Official Twitter 23

24. 24 Q&A

OWASP ZAP Workshop for QA Testers

OWASP ZAP Workshop for QA Testers

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente(20)

Similar a OWASP ZAP Workshop for QA Testers

Similar a OWASP ZAP Workshop for QA Testers(20)

Último

Último(20)

OWASP ZAP Workshop for QA Testers

Notas del editor