Today, popular analyzers such as OWASP ZAP and Burp Suite do not always do a good job of scanning applications automatically. They often cannot discover application-specific directories or send a request on their own without a human in the loop, and more often than not these tools are run locally. Yet if a company has a well-functioning test-automation team, that team's work can be used as the basis for dynamic analysis and fuzzing.
As a bonus, we discuss the difference between Burp Suite Professional and Burp Suite Enterprise from the point of view of CI/CD and of plugging in automated tests.
2. WHOAMI
Olga Sviridova, ECOMMPAY Security Team
Telegram: @turbobarsuchiha
DAST in CI/CD
Olga Sviridova, Application Security Engineer
3. DAST

A dynamic application security testing (DAST) tool is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test.
4. Problems

• Security testing is a bottleneck for the SDL
• Security scans are started manually
• The security team and the test-automation team do similar work
• Finding simple security bugs can be automated
5. Most Popular Solutions
6. Typical Workflow

(Diagram with four parties: developers team, QA team, product owner, security team. The security team checks a staging environment and reports back.)
7. Our Workflow

(Diagram with the same four parties. The QA team shares its automated tests with the security team for a simple security check that is repeated from deployment to deployment; the security team checks staging and reports back.)
8. Architecture of DAST in CI/CD: step 1

(Diagram: CI runs the automated tests against the web app; the tests report Ok.)

A request sent by one of the automated tests:

POST /login HTTP/1.1
host: example.com
{email: "a@test.com", pass: "qwer"}
9. Architecture of DAST in CI/CD: step 2

(Diagram: CI runs the same automated tests with their proxy set to the DAST tool; the requests pass through the DAST proxy on their way to the web app, and the scan scope is formed from them. The tests report Ok.)

The same request, now recorded by the DAST proxy:

POST /login HTTP/1.1
host: example.com
{email: "a@test.com", pass: "qwer"}
10. Architecture of DAST in CI/CD: step 3

(Diagram: once the tests are done, CI starts the security scan with a prepared config; the DAST tool replays the recorded requests against the web app with attack payloads and produces a report.)

One of the scanner's requests and the response it got:

POST /login HTTP/1.1
host: example.com
{email: "a@test.com1' or '1'='1'--", pass: "qwer"}

HTTP/1.1 200 OK
11. Architecture of DAST in CI/CD: all three steps

(Diagram: step 1, CI runs the QA tests against the web app (ok); step 2, CI runs them again with the proxy set to the DAST tool, which forms the scope (ok); step 3, CI runs the security scan with the config, waits until it is done and collects the report.)
12. Burp Suite Pro in CI/CD

3 solutions:
• Burp Rest API
• Burp molly scanner
• Burp API
13. Burp Suite Pro in CI/CD

Burp Suite Pro 1.7.x: Burp-rest-api, Burp molly scanner; can run "active scan".
Burp Suite Pro 2.x: Burp API; can run Crawler and Audit.
14. How it works?

doActiveScan(java.lang.String host, int port, boolean useHttps, byte[] request)

This method of the Burp Extender API (IBurpExtenderCallbacks) can be used to send an HTTP request to the Burp Scanner tool to perform an active vulnerability scan.
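As an added illustration of this call (example code written for this page, not from the slides or from any of the three solutions listed), the following Jython extension for Burp Suite Pro 1.7.x registers a proxy listener and hands each distinct endpoint the automated tests exercise through the proxy to doActiveScan(). The allow-list TARGET_HOSTS and the "one scan per endpoint" rule are assumptions for the example; the Burp interfaces and methods are the real Extender API.

```python
# Added example (not from the slides): a minimal Burp Suite Pro 1.7.x extension,
# written for Jython, that feeds every request the automated tests send through
# the proxy into the active scanner via IBurpExtenderCallbacks.doActiveScan().
# Assumptions: the CI job points the tests' HTTP proxy at this Burp instance,
# and the target hosts are listed in TARGET_HOSTS (a hypothetical allow-list).
try:
    from burp import IBurpExtender, IProxyListener   # only resolvable inside Burp (Jython)
except ImportError:                                   # outside Burp the pure helpers below still import
    class IBurpExtender(object):
        pass

    class IProxyListener(object):
        pass

# Hosts the automated tests are allowed to hit; everything else is ignored so the
# scanner never attacks third-party services the tests happen to call.
TARGET_HOSTS = {"example.com", "staging.example.com"}   # hypothetical allow-list


def request_key(method, host, path, param_names):
    """Key used to scan each endpoint once per pipeline run.

    Two requests that differ only in parameter *values* (another e-mail,
    another password) map to the same key; a new parameter name or a new
    path is a new endpoint and is scanned again.
    """
    return (method.upper(), host.lower(), path.rstrip("/") or "/",
            tuple(sorted(set(param_names))))


def should_scan(host, key, seen, allowed=TARGET_HOSTS):
    """Return True exactly once per in-scope endpoint; records the key in `seen`."""
    if host.lower() not in allowed or key in seen:
        return False
    seen.add(key)
    return True


class BurpExtender(IBurpExtender, IProxyListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self._seen = set()
        callbacks.setExtensionName("CI proxy-to-scanner feeder (example)")
        callbacks.registerProxyListener(self)

    def processProxyMessage(self, messageIsRequest, message):
        if messageIsRequest:          # wait for the response, i.e. the test has finished the call
            return
        info = message.getMessageInfo()
        service = info.getHttpService()
        req = self._helpers.analyzeRequest(info)
        host = service.getHost()
        key = request_key(req.getMethod(), host, req.getUrl().getPath(),
                          [p.getName() for p in req.getParameters()])
        if should_scan(host, key, self._seen):
            # The original request, with the test's own session cookie or token,
            # goes to the scanner, so authenticated endpoints are reached without a login macro.
            self._callbacks.doActiveScan(host, service.getPort(),
                                         service.getProtocol() == "https",
                                         info.getRequest())
```

Load it through Extender as a Python extension (with the Jython jar configured) in the headless Burp instance that the CI tests are proxied through. Because the scanner receives the very request the test sent, the session that the test established is reused; the session handling rules from the project config still matter when that session expires during a long scan.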
15. Burp Rest Api

• Doyensec LLC (github.com/doyensec/burp-rest-api)
• Easy Swagger UI for REST
• Run burp-rest-api with headless Burp Suite Professional (1.7.x)
• If you like, you can add Burp extensions such as Burp-Molly-Pack, Active Scan++, etc.
16. Burp Rest Api

• Create a virtual machine or Docker container with Burp Pro and Burp-Rest-Api.
• The HTTP proxy and the REST server must be reachable by the automated tests and by the CI system.
• If you want to use extensions, add them to the user configuration before starting.
• You can create the project config on your local instance of Burp Suite Pro.
17. Project config for Burp Rest API

• Use Burp Pro on your PC
• Set and save your project options, such as:
  • Session handling rules
  • Burp Collaborator server
  • Scope
  • etc.
• Set and save your user options, such as:
  • extensions
18. and 19. Verification of Session Validity

(Screenshots only.)
20. UI Burp Rest API

(Screenshot only.)
21. Reports from Burp Rest API

HTML or XML
22. Molly Scanner from Yandex

• Burp Suite Professional (1.7.x)
• No UI
• Burp molly pack
• Deduplication mechanism
• XML report
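As an added example for the XML reports of slides 21 and 22 (this is not code from burp-rest-api or burp-molly-scanner), the script below parses a Burp XML report, de-duplicates findings the way a CI gate needs to, and decides whether the build should fail. The report text is constructed for the example; the element names follow Burp's XML report format, while the path-normalisation rule and the severity/confidence thresholds are assumptions.

```python
# Added example (not from the slides, burp-rest-api or burp-molly-scanner): parse
# the XML report exported by Burp (e.g. via burp-rest-api's /burp/report?reportType=XML),
# collapse duplicate findings and decide whether the CI job should fail.
# The sample report below is constructed for the example.
import re
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE_RANK = {"Certain": 2, "Firm": 1, "Tentative": 0}

SAMPLE_REPORT = """<?xml version="1.0"?>
<issues burpVersion="1.7.37" exportTime="Tue Nov 05 10:00:00 MSK 2019">
  <issue>
    <serialNumber>1</serialNumber><type>1049088</type>
    <name>SQL injection</name><host ip="10.0.0.5">https://staging.example.com</host>
    <path>/login</path><location>/login [email parameter]</location>
    <severity>High</severity><confidence>Firm</confidence>
  </issue>
  <issue>
    <serialNumber>2</serialNumber><type>1049088</type>
    <name>SQL injection</name><host ip="10.0.0.5">https://staging.example.com</host>
    <path>/login?next=%2Fhome</path><location>/login [email parameter]</location>
    <severity>High</severity><confidence>Certain</confidence>
  </issue>
  <issue>
    <serialNumber>3</serialNumber><type>5243392</type>
    <name>Cookie without HttpOnly flag set</name><host ip="10.0.0.5">https://staging.example.com</host>
    <path>/api/v1/users/42</path><location>/api/v1/users/42</location>
    <severity>Low</severity><confidence>Certain</confidence>
  </issue>
  <issue>
    <serialNumber>4</serialNumber><type>5243392</type>
    <name>Cookie without HttpOnly flag set</name><host ip="10.0.0.5">https://staging.example.com</host>
    <path>/api/v1/users/7</path><location>/api/v1/users/7</location>
    <severity>Low</severity><confidence>Certain</confidence>
  </issue>
</issues>
"""


def normalise_path(path):
    """Drop the query string and replace purely numeric path segments with {id},
    so that /users/42 and /users/7 count as the same endpoint (assumed rule)."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_issues(xml_text):
    """Yield one dict per <issue> element of a Burp XML report."""
    root = ET.fromstring(xml_text)
    for issue in root.findall("issue"):
        yield {
            "type": issue.findtext("type"),
            "name": issue.findtext("name"),
            "host": issue.findtext("host"),
            "path": normalise_path(issue.findtext("path") or "/"),
            "severity": issue.findtext("severity"),
            "confidence": issue.findtext("confidence"),
        }


def deduplicate(issues):
    """Keep one finding per (issue type, host, normalised path), the one Burp is most confident about."""
    best = {}
    for i in issues:
        key = (i["type"], i["host"], i["path"])
        if key not in best or CONFIDENCE_RANK[i["confidence"]] > CONFIDENCE_RANK[best[key]["confidence"]]:
            best[key] = i
    return list(best.values())


def should_fail(issues, min_severity="High", min_confidence="Firm"):
    """Gate for the pipeline: fail on any finding at or above both thresholds."""
    return any(SEVERITY_RANK[i["severity"]] >= SEVERITY_RANK[min_severity]
               and CONFIDENCE_RANK[i["confidence"]] >= CONFIDENCE_RANK[min_confidence]
               for i in issues)
```

Deduplication by type, host and normalised path is what keeps a scan that covered hundreds of /users/{id} requests from producing hundreds of tickets; the confidence threshold keeps Tentative findings out of the gate and in the report for a human to look at.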
23. OWASP ZAP and API

• Open-source DAST with an API
• Extensive documentation for integration: https://www.zaproxy.org/docs/api/
• Easy-to-understand manual for local regression testing
24. Docker for OWASP ZAP with API

• docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.key=MY_SECRET_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
• Or -config api.disablekey=true (use this option only on a private network: with the key disabled and api.addrs set to .*, anyone who can reach port 8080 can drive the scanner)
25. Config OWASP ZAP

• Use OWASP ZAP on your PC
• Set and save your context options, such as:
  • Auth scripts
  • Include/Exclude in context
  • Technology
• Upload your context with the ZAP API
26. Run OWASP ZAP Through the API

• Check the context ID
• If you like, configure scanning policies
• Run the active scan with the context ID (if you like, you can run the spider or AJAX spider before the active scan)
27. Get the report in a file format you like (XML, HTML, JSON)
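The steps of slides 25 to 27 as an added Python client (this is not ZAP's own client library; the endpoints and parameter names are the ones documented in the ZAP API docs linked above). ZAP_URL, CONTEXT_FILE, the context name and the target are assumptions for the example, and the HTTP transport is passed in as a plain function so the flow can be exercised against a fake ZAP without a running scanner.

```python
# Added example (not ZAP's own client): drive OWASP ZAP's REST API from a CI job.
# Endpoint layout and names follow https://www.zaproxy.org/docs/api/;
# ZAP_URL and CONTEXT_FILE are assumptions for this example.
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://zap:8080"           # hypothetical ZAP daemon address inside the CI network
CONTEXT_FILE = "/zap/ci-context.xml"  # context exported from a local ZAP and copied into the container


def http_get(url, api_key):
    """Real transport: ZAP accepts the key in the X-ZAP-API-Key header."""
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


class Zap:
    def __init__(self, base_url, api_key, transport=http_get, sleep=time.sleep):
        self.base = base_url.rstrip("/")
        self.key = api_key
        self.transport = transport   # injectable so the flow can be tested offline
        self.sleep = sleep

    def call(self, component, kind, name, **params):
        # ZAP API URL layout: /JSON/<component>/<view|action>/<name>/?k=v
        url = "%s/JSON/%s/%s/%s/?%s" % (self.base, component, kind, name,
                                        urllib.parse.urlencode(params))
        return json.loads(self.transport(url, self.key))

    def import_context(self, path):
        return self.call("context", "action", "importContext", contextFile=path)

    def context_id(self, name):
        return self.call("context", "view", "context", contextName=name)["context"]["id"]

    def active_scan(self, target, ctx_id, policy=None):
        params = {"url": target, "recurse": "true", "inScopeOnly": "true", "contextId": ctx_id}
        if policy:
            params["scanPolicyName"] = policy
        return self.call("ascan", "action", "scan", **params)["scan"]

    def wait_for_scan(self, scan_id, poll_seconds=10):
        """Poll ascan/view/status until ZAP reports 100 % progress."""
        while True:
            status = int(self.call("ascan", "view", "status", scanId=scan_id)["status"])
            if status >= 100:
                return
            self.sleep(poll_seconds)

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target, start=0, count=10000)["alerts"]


def high_risk(alerts):
    """Alerts that should fail the pipeline: risk High and not a low-confidence guess (assumed policy)."""
    return [a for a in alerts if a["risk"] == "High" and a["confidence"] != "Low"]


def run_pipeline_scan(zap, target, context_name):
    """Slides 25-27 end to end: upload context, look up its id, scan, wait, collect alerts."""
    zap.import_context(CONTEXT_FILE)
    ctx = zap.context_id(context_name)
    scan_id = zap.active_scan(target, ctx)
    zap.wait_for_scan(scan_id)
    findings = high_risk(zap.alerts(target))
    return {"scan_id": scan_id, "high_risk": findings, "passed": not findings}


if __name__ == "__main__":
    result = run_pipeline_scan(Zap(ZAP_URL, "MY_SECRET_KEY"), "https://staging.example.com", "ci")
    raise SystemExit(0 if result["passed"] else 1)
```

The exit code is what the CI job keys on; the HTML or JSON report (core/other/htmlreport, core/view/alerts) is attached to the job as an artifact for the humans who triage Medium and Low findings. When the scope was formed by proxying the automated tests through ZAP, the spider is optional because the proxied requests are already in the site tree.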
28. Two different realizations

A short note on how DAST tools find simple SQL injections
29. How Burp Pro detects an SQL injection

(Screenshots: request #1 and request #2.)
30. How ZAP detects an SQL injection

(Screenshots: request #1 and request #2.)

ZAP detected the SQL injection because we used an invalid email in the request.
31. How ZAP doesn't detect an SQL injection

(Screenshots: request #1 and request #2.)

ZAP could not detect the SQL injection because we used a valid email in the request.
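An added example that models the difference slides 30 and 31 describe (it is not ZAP's or Burp's actual check logic): a deliberately injectable login over in-memory SQLite, probed by response differencing with the OR-true payload from the slides and with an AND-false payload, from a valid and from an invalid baseline. The test user and the payloads are constructed for the example.

```python
# Added example (not from the slides; it models the effect they describe, not the
# exact checks of ZAP or Burp): a vulnerable login on an in-memory SQLite database
# and a response-differencing probe run from a valid and from an invalid baseline.
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (email TEXT, pass TEXT)")
db.execute("INSERT INTO users VALUES ('a@test.com', 'qwer')")   # constructed test user


def login(email, password):
    """Vulnerable on purpose: the e-mail is concatenated into the query."""
    q = "SELECT email FROM users WHERE email = '%s' AND pass = '%s'" % (email, password)
    try:
        row = db.execute(q).fetchone()
    except sqlite3.Error:
        return 500, "error"
    return (200, "welcome") if row else (401, "invalid credentials")


OR_TRUE = "' or '1'='1'--"      # the payload shown on slide 10
AND_FALSE = "' and '1'='2'--"   # a payload that can only make a true condition false


def probe(email, password, payload):
    """Differential check: does appending the payload to the e-mail change the
    response compared with the unmodified request? Returns (changed, baseline, attacked)."""
    baseline = login(email, password)
    attacked = login(email + payload, password)
    return baseline != attacked, baseline, attacked


def sqli_detected(email, password):
    """An OR-true that turns a failing baseline into a success, or an AND-false
    that turns a succeeding baseline into a failure, is evidence of injection."""
    or_changed, base, att = probe(email, password, OR_TRUE)
    if or_changed and base[0] != 200 and att[0] == 200:
        return True
    and_changed, base, att = probe(email, password, AND_FALSE)
    return and_changed and base[0] == 200 and att[0] != 200
```

From the valid account the tests log in with, the OR-true probe produces exactly the same "welcome" as the baseline and there is nothing to notice; from an invalid e-mail the same probe flips a 401 into a 200. The consequence for the architecture above is that the baseline the scanner differences against is whatever the automated tests sent: add negative cases (invalid e-mail, wrong password) to the proxied test run, or rely on a scanner that also tries a true/false pair, so that a valid-only scope does not hide the bug.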
33. Also…

If the application under test is deployed on a local machine, you can also run DAST after the automated tests.
34. Bonus

A short note about Burp Suite Enterprise
35. Burp Suite Enterprise

• No proxy, no macros, no insertion points
• It's easy to add a config from Burp Suite Professional
• Creates Jira tickets, CI integrations, scalable agents
• Nice dashboard
40. DAST in CI/CD

"Enterprise is aimed at an entirely different audience that requires more of an all-in-one solution for their testing needs and are not professional testers themselves."
– PortSwigger
41. Links
https://github.com/yandex/burp-molly-scanner
https://github.com/vmware/burp-rest-api
https://www.zaproxy.org/docs/api/
https://www.youtube.com/watch?v=pQ4v4H7bHLE
https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Zaitov_Automation of Web Application Scanning with Burp Suite.pdf