Zap with Cucumber/Ruby


Craig Despeaux

Sep 3, 2015, 4:53:35 PM
to OWASP ZAP User Group
Hello all,

I am just getting started with ZAP and have no penetration testing experience. I'm looking to include ZAP in our continuous integration suite so we identify issues ahead of submitting the product to our security group. It's all a little overwhelming and I'm not sure where or if you can cut ties with the UI and run completely headless, but that's what I want to do.

I need to test a REST API that has many endpoints. I want to set up passive scanning while running my existing Cucumber regression test, as well as an active scan. Is spider something that's effective for a REST API? I would think not, but I don't know for sure.

Can I do all of this without ever doing anything with the UI? I've installed the owasp_zap ruby gem/client and have started playing around with that, but it's a little confusing. I'm assuming my REST API calls need to talk to ZAP, which is then forwarding them to our REST API host, so I suppose I need to override the host and possibly port in my URIs to point to ZAP, but does ZAP then know how to reach our REST API based on the target I pass when I initialize Zap (i.e., Zap.new)? Does that also mean that I need to define every endpoint to ZAP?

Does anyone have a working example of a Ruby script they are willing to share so I can take a look at it? With an example, I think I could write some Cucumber step definitions to do the same.

Thanks much,
Craig

Simon Bennetts

Sep 4, 2015, 4:14:37 AM
to OWASP ZAP User Group
Hi Craig,

Welcome aboard :)

You should be able to do everything you need to do via the API. If you can't then we'll change the code so you can (which goes for everyone of course, not just you;)

However it's probably easier to start with the UI and then move to the API as you get things working the way you want.
To get the hang of the API I recommend using the API HTML UI, which you can access via the host:port that your ZAP instance is listening on, eg: http://localhost:8080/UI
You can use that (very simple;) UI to explore all of the ZAP API endpoints and also to invoke them.
If you have problems understanding it then just ask here :)

The spider can only follow links, so if your endpoints aren't linked from anywhere then the spider won't find them :(
If that's the case then the best option is probably to proxy your existing Cucumber regression tests through ZAP. Hopefully you can do this in just the same way you would configure a corporate proxy in your tests?
If they exercise your endpoints effectively then you're good.
Anything proxied through ZAP will be passively scanned.

We don't currently have an officially supported Ruby client I'm afraid :(
There are a couple of unofficial ones on GitHub, but I'm not sure if they are up to date (I suspect not):

Note that you don't actually have to use a client, you can invoke the API endpoints directly - just get them working via the API UI and then copy the URLs that it generates.

But that will be messy if you need to make a load of calls :/


Does that help?

Anyone else know of a better maintained Ruby client?


Note that the existing ZAP clients are all created using code generation - if anyone fancies creating an 'official' Ruby client then we can help you with that :)


Cheers,


Simon

Victor Pereira

Sep 7, 2015, 7:53:43 AM
to OWASP ZAP User Group
Hi, sorry, I think I can help you on that :)

At SUSE we are using it with Cucumber to test some of our products. For example, the SUSE Manager - our downstream version of Spacewalk - has an open source test suite, located here https://github.com/SUSE/spacewalk-testsuite-base. If you want to see more details, please check https://github.com/SUSE/spacewalk-testsuite-base/blob/master/features/security_regressions.feature and the step definitions file.

Our "pre-work" was basically: run Zap once, use the generated report as baseline, and after each commit we run it again and compare the new report against the baseline report. If there is any diff, probably it is a security issue introduced by the previous commit.

Note that I did submit a presentation about it to some European Ruby conferences, but looks like it wasn't colourful/cool enough for them..

p.s.: the upstream is on https://github.com/vpereira/owasp_zap


Best regards

VP
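The two approaches above (Simon's: proxy the regression run through ZAP and call the API endpoints directly as URLs; Victor's: keep a baseline report and diff each new run against it) fit in one short Ruby script. The block below is an added example, not code from this thread, from the owasp_zap gem or from the SUSE test suite. It assumes ZAP is listening on localhost:8080 (ZAP_HOST/ZAP_PORT override that), that the API key is either disabled or given as ZAP_API_KEY, and that the target API is reachable at API_BASE_URL; the two alert records in it are constructed sample data, and the hypothetical endpoint paths /v1/users and /v1/search stand in for whatever the Cucumber steps actually hit.

```ruby
# Added example (not from the thread or from any ZAP client): drive ZAP headlessly
# from Ruby the way Simon describes, then diff alert reports the way Victor does.
# Assumptions: ZAP listens on localhost:8080 (override with ZAP_HOST/ZAP_PORT) and
# the API key is either disabled or supplied via ZAP_API_KEY.
require "net/http"
require "uri"
require "json"

ZAP_HOST    = ENV.fetch("ZAP_HOST", "localhost")
ZAP_PORT    = Integer(ENV.fetch("ZAP_PORT", "8080"))
ZAP_API_KEY = ENV.fetch("ZAP_API_KEY", "")

# 1. Proxy an ordinary request through ZAP. The URL still names the real API host;
#    only Net::HTTP's proxy settings change, i.e. the "corporate proxy" approach.
#    Everything that passes through here is recorded and passively scanned by ZAP.
def proxied_get(target_url, proxy_host: ZAP_HOST, proxy_port: ZAP_PORT)
  uri  = URI(target_url)
  http = Net::HTTP.new(uri.host, uri.port, proxy_host, proxy_port)
  http.use_ssl = (uri.scheme == "https")
  http.request(Net::HTTP::Get.new(uri))
end

# 2. Build a ZAP API URL in the shape the API HTML UI (http://localhost:8080/UI)
#    generates: /JSON/<component>/<view|action>/<name>/?param=value&apikey=...
#    No client gem is needed; Net::HTTP.get does the rest.
def zap_api_url(component, kind, name, params = {},
                host: ZAP_HOST, port: ZAP_PORT, api_key: ZAP_API_KEY)
  query = params.merge("apikey" => api_key).reject { |_, v| v.to_s.empty? }
  URI::HTTP.build(host: host, port: port,
                  path: "/JSON/#{component}/#{kind}/#{name}/",
                  query: URI.encode_www_form(query)).to_s
end

def zap_call(component, kind, name, params = {})
  JSON.parse(Net::HTTP.get(URI(zap_api_url(component, kind, name, params))))
end

# Alerts ZAP has raised for anything under base_url (passive scan results).
def fetch_alerts(base_url)
  zap_call("core", "view", "alerts", "baseurl" => base_url)["alerts"]
end

# Start an active scan of base_url and block until ZAP reports 100%.
def active_scan(base_url, poll_seconds: 5)
  scan_id = zap_call("ascan", "action", "scan", "url" => base_url, "recurse" => "true")["scan"]
  loop do
    status = zap_call("ascan", "view", "status", "scanId" => scan_id)["status"].to_i
    break if status >= 100
    sleep poll_seconds
  end
  scan_id
end

# 3. Baseline comparison. An alert is identified by what it is and where it was
#    found, not by ZAP's per-run alert id, so reports from different runs line up.
def alert_key(alert)
  %w[pluginId alert risk url param].map { |f| alert[f].to_s }.join("|")
end

def new_alerts(baseline, current)
  known = baseline.map { |a| alert_key(a) }
  current.reject { |a| known.include?(alert_key(a)) }
end

# Constructed sample reports: field names follow ZAP's alerts view, values are made up.
SAMPLE_BASELINE = [
  { "pluginId" => "10020", "alert" => "X-Frame-Options Header Not Set",
    "risk" => "Medium", "url" => "http://api.example.test/v1/users", "param" => "" },
].freeze
SAMPLE_CURRENT = (SAMPLE_BASELINE + [
  { "pluginId" => "40012", "alert" => "Cross Site Scripting (Reflected)",
    "risk" => "High", "url" => "http://api.example.test/v1/search", "param" => "q" },
]).freeze

if ENV["ZAP_LIVE"] == "1"
  # Live run: exercise endpoints through ZAP, scan, then compare with baseline.json.
  base = ENV.fetch("API_BASE_URL")
  %w[/v1/users /v1/search?q=test].each { |path| proxied_get(base + path) }  # hypothetical paths
  active_scan(base)
  current  = fetch_alerts(base)
  baseline = File.exist?("baseline.json") ? JSON.parse(File.read("baseline.json")) : []
  fresh    = new_alerts(baseline, current)
  File.write("baseline.json", JSON.pretty_generate(current)) if baseline.empty?
  fresh.each { |a| puts "NEW #{a['risk']}: #{a['alert']} at #{a['url']}" }
  exit(fresh.empty? ? 0 : 1)
else
  # Offline demo on the constructed reports: only the second alert is new.
  new_alerts(SAMPLE_BASELINE, SAMPLE_CURRENT).each do |a|
    puts "NEW #{a['risk']}: #{a['alert']} at #{a['url']} (param #{a['param']})"
  end
end
```

Run it with ZAP_LIVE=1 and API_BASE_URL set to turn the offline demo into a real pass; the first live run writes baseline.json, and every later run exits non-zero only when an alert appears that the baseline did not contain, which is what makes it usable as a CI gate. The key deliberately leaves out ZAP's per-run alert id and the evidence string, since those change between runs even when the finding is the same.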

Craig Despeaux

Sep 7, 2015, 9:26:35 PM
to zaprox...@googlegroups.com
Thanks much. That looks right along the lines of what I need.

Craig

Sent from my iPad

Raghuveer Reddy Bathini

Nov 24, 2016, 11:02:29 PM
to OWASP ZAP User Group
Hi Victor, I'm unable to browse through the repository. Could you point me to the right source?