ZAP Baseline scan - feedback wanted
psiinon
The script is here: https://github.com/zaproxy/zaproxy/blob/develop/python/api/src/examples/zap-baseline.py
It performs what we're calling a 'baseline' scan against the specified target, which runs the ZAP spider against the application for just one minute (by default) and then reports which passive rules fail (if any).
This means that the script doesnt perform any actual 'attacks' and will run for a relatively short period of time (a few minutes at most).
By default it reports all alerts as WARNings but you can specify a config file which can change any rules to FAIL or IGNORE.
The idea is that this should be ideal to run in a CI/CD environment, even against production sites.
The script depends on https://pypi.python.org/pypi/python-owasp-zap-v2 and Docker.
It does not require ZAP (or Java) to be installed - we're using one of the ZAP Docker images.
The plan is to include it in python-owasp-zap-v2 but I've not done that yet.
I've only tested it on Linux, no idea if it will run ok on Windows.
Give it a go and let me know what you think.
I'm especially interested in suggestions for improvements and any false positives it finds - to be really useful this should be false positive free ;)
Oh, and it should be more tunable, hence https://groups.google.com/d/msg/zaproxy-develop/i9NnkKdwefo/vwS8Bc6xCwAJ
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-c config_file config file to use to IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report file to write the full ZAP HTML report
-a include the alpha passive scan rules as well
-d show debug messages
-s short output format - dont show PASSes or example URLs
Example run:
python zap-baseline.py -t https://www.example.com
Total of 3 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Password Autocomplete in Browser [10012]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Absence of Anti-CSRF Tokens [40014]
PASS: Script passive scan rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: WSDL File Passive Scanner [90030]
PASS: Loosely Scoped Cookie [90033]
WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: X-Frame-Options Header Not Set [10020] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: X-Content-Type-Options Header Missing [10021] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: Information Disclosure - Debug Error Messages [10023] x 1
https://www.example.com/robots.txt
WARN: Application Error Disclosure [90022] x 1
https://www.example.com/robots.txt
FAIL: 0 WARN: 6 IGNORE: 0 PASS: 20
Cheers,
Simon
johanna curiel curiel
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
psiinon
So I've done that and uploaded a test image here: https://hub.docker.com/r/psiinon/zap2docker-baseline/
-t target target URL including the protocol, eg https://www.example.com
Options:
-c config_file config file to use to IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report file to write the full ZAP HTML report
-a include the alpha passive scan rules as well
-d show debug messages
-s short output format - dont show PASSes or example URLs
eg using the 'docker run' option like: '-v $(pwd):/zap/wrk/:rw' for mounting the cwd.
To run it with no 'file' params use:
If you use 'file' params then you need to mount the directory those file are in or will be generated in, eg
Any problems, questions or suggestions, please let me know!
Simon
psiinon
Local sites can be a problem (as docker containers typically cant access host sites).
But we have documented a load of online options here: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=On-Line_apps
Note that the baseline scan just spiders a site for 1 min (by default) and does not perform any 'attacks'.
On that basis I _think_ you could argue thats its safe to use on any online site ... but IANAL!
Cheers,
Simon
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-develop+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
psiinon
Any Docker gurus here know of a better approach?
Kevin W. Wall
Johanna,
IANAL either, but I would *NOT* advise scanning any site even in this harmless manner without first carefully reading that site's ToS agreement. One of my former employers did not permit this, in part because they considered it a precursor to a possibly pending attack as an attempt to do reconnaissance. (It was mentioned in their ToS though.)
-kevin
Sent from my Droid; please excuse typos.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--Johanna CurielOWASP Volunteer
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
johanna curiel curiel
johanna curiel curiel
docker pull owasp/zap2docker-weekly
psiinon
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-develop+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--Johanna CurielOWASP Volunteer
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-develop+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-develop+unsubscribe@googlegroups.com.
--Johanna CurielOWASP Volunteer
johanna curiel curiel
docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://testasp.vulnweb.com
May 17, 2016 4:15:53 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 20 URLs
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script passive scan rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: WSDL File Passive Scanner [90030]
WARN: Cookie No HttpOnly Flag [10010] x 140
http://testasp.vulnweb.com/Templatize.asp?item=html/about.html
http://testasp.vulnweb.com/Default.asp
http://testasp.vulnweb.com/Search.asp
WARN: Password Autocomplete in Browser [10012] x 92
http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Register.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Login.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
http://testasp.vulnweb.com/Register.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
http://testasp.vulnweb.com/Login.asp?RetURL=%2FSearch%2Easp%3F
WARN: Web Browser XSS Protection Not Enabled [10016] x 145
http://testasp.vulnweb.com/robots.txt
http://testasp.vulnweb.com/sitemap.xml
http://testasp.vulnweb.com/Templatize.asp?item=html/about.html
WARN: X-Frame-Options Header Not Set [10020] x 145
http://testasp.vulnweb.com/robots.txt
http://testasp.vulnweb.com/sitemap.xml
http://testasp.vulnweb.com/Templatize.asp?item=html/about.html
WARN: X-Content-Type-Options Header Missing [10021] x 145
http://testasp.vulnweb.com/robots.txt
http://testasp.vulnweb.com/sitemap.xml
http://testasp.vulnweb.com/Templatize.asp?item=html/about.html
WARN: HTTP Parameter Override [10026] x 94
http://testasp.vulnweb.com/Search.asp
http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Register.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Login.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
http://testasp.vulnweb.com/Register.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
WARN: Absence of Anti-CSRF Tokens [40014] x 94
http://testasp.vulnweb.com/Search.asp
http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Register.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Login.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
http://testasp.vulnweb.com/Register.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
WARN: Application Error Disclosure [90022] x 47
http://testasp.vulnweb.com/Search.asp?tfSearch=ZAP
http://testasp.vulnweb.com/Register.asp?RetURL=%2FDefault%2Easp%3F
http://testasp.vulnweb.com/Register.asp?RetURL=%2FTemplatize%2Easp%3Fitem%3Dhtml%2Fabout%2Ehtml
http://testasp.vulnweb.com/Register.asp?RetURL=%2FSearch%2Easp%3F
http://testasp.vulnweb.com/Register.asp?RetURL=%2Fshowforum%2Easp%3Fid%3D1
WARN: Loosely Scoped Cookie [90033] x 233
http://testasp.vulnweb.com/Templatize.asp?item=html/about.html
http://testasp.vulnweb.com/Default.asp
FAIL: 0 WARN: 9 IGNORE: 0 PASS: 17
Yep, thats it :)
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--Johanna CurielOWASP Volunteer
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
--Johanna CurielOWASP Volunteer
--Johanna CurielOWASP Volunteer
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.