Running ZAP against AWS


JammasterJ

Jun 9, 2017, 6:01:59 AM6/9/17
to OWASP ZAP User Group
Hello,

I'm looking to run a pen test against an application hosted on Amazon Web Services (AWS). 

You have to request permission from AWS to run a pen test, and they basically say you can do anything other than DoS. They specifically say:

"You are prohibited from utilizing any tools or services in a manner that perform Denial-of-Service (DoS) attacks or simulations of such against ANY AWS asset, yours or otherwise. Prohibited activities include, but may not be limited to:
- Protocol flooding (eg SYN flooding, ICMP flooding, UDP flooding)
- Resource request flooding (eg HTTP request flooding, Login request flooding, API request flooding)."

Does this mean running an active scan in OWASP ZAP would be prohibited? I'm not sure whether testing for injections with multiple HTTP requests would be classed as API or HTTP request flooding.

Thanks for any help!

Simon Bennetts

Jun 9, 2017, 6:15:02 AM6/9/17
to OWASP ZAP User Group
I don't think that ZAP would be classified as a DoS tool. It does perform a significant number of attacks as part of an active scan, but they are not intended to flood a system.
It would be worth avoiding the Brute Force and manual Fuzzing tools, they might be a bit more of a grey area, depending how they are used.
You should definitely get permission from AWS and also say that you are planning on using the ZAP active scanner.
I'm happy to be called upon to confirm at a high level what ZAP will or won't do :)

Cheers,

Simon
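If the worry is the request volume of the active scanner rather than any single test, the practical step is to cap that volume before the scan starts. The following is an added example, not code from the ZAP project or from anyone in this thread: it builds the ZAP JSON API calls that limit the active scanner's concurrency (setOptionThreadPerHost), insert a delay before every scanner request (setOptionDelayInMs) and put a hard stop on scan duration (setOptionMaxScanDurationInMins), refuses any setting whose worst-case rate would exceed a chosen requests-per-second ceiling, and only then starts an in-scope scan. The ZAP address, API key, throttle values and the 10 req/s ceiling are my assumptions, not values from the thread or from ZAP's defaults.

```python
# Added example, not code from the ZAP project or from the thread's authors.
# Caps the ZAP active scanner's request rate through its JSON API so a scan stays
# well below anything resembling "HTTP request flooding", then starts the scan.
# Assumptions (not from the thread): ZAP runs locally on 127.0.0.1:8080 with an
# API key, and the throttle values below are illustrative, not ZAP's defaults.
import json
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: local ZAP daemon
ZAP_API_KEY = "changeme"            # assumption: the key ZAP was started with


def api_url(component, kind, name, **params):
    """Build a ZAP API URL: <base>/JSON/<component>/<view|action>/<name>/?<params>."""
    params["apikey"] = ZAP_API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def worst_case_rps(threads_per_host, delay_ms, response_ms=0):
    """Upper bound on requests per second against one host.

    Each scanner thread sends at most one request per (delay + response time),
    so the bound is threads / (delay + response) with times in seconds.  A zero
    delay against an instantaneous response gives no bound at all.
    """
    period_s = (delay_ms + response_ms) / 1000.0
    if period_s <= 0:
        return float("inf")
    return threads_per_host / period_s


def throttle_plan(threads_per_host=1, delay_ms=250, max_minutes=60, rps_ceiling=10.0):
    """Return the ordered API calls that throttle the active scanner.

    Raises ValueError if the settings could exceed rps_ceiling even with
    instantaneous responses, so an over-aggressive config never reaches ZAP.
    """
    bound = worst_case_rps(threads_per_host, delay_ms)
    if bound > rps_ceiling:
        raise ValueError(
            f"{threads_per_host} thread(s) with a {delay_ms} ms delay allow up to "
            f"{bound:.1f} req/s, above the {rps_ceiling} req/s ceiling"
        )
    return [
        # concurrent scanner threads per target host
        api_url("ascan", "action", "setOptionThreadPerHost", Integer=threads_per_host),
        # pause inserted before every scanner request
        api_url("ascan", "action", "setOptionDelayInMs", Integer=delay_ms),
        # hard stop so a runaway scan cannot keep hitting the target
        api_url("ascan", "action", "setOptionMaxScanDurationInMins", Integer=max_minutes),
    ]


def call(url):
    """Issue one API call and decode ZAP's JSON reply (needs a running ZAP)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def run_throttled_scan(target_url, **throttle):
    """Apply the throttle, start an in-scope active scan and return its scan id."""
    for url in throttle_plan(**throttle):
        reply = call(url)
        if reply.get("Result") != "OK":
            raise RuntimeError(f"ZAP rejected {url}: {reply}")
    started = call(api_url("ascan", "action", "scan", url=target_url,
                           recurse="true", inScopeOnly="true"))
    return started["scan"]


if __name__ == "__main__":
    # Plan only; point run_throttled_scan at a target you are authorised to test.
    for url in throttle_plan(threads_per_host=1, delay_ms=250):
        print(url)
```

The bound is deliberately pessimistic (it assumes the target answers instantly), so a plan that passes the ceiling check stays under it however fast the target responds. Poll ascan/view/status with the returned scan id to follow progress, and note that the Brute Force and Fuzzer add-ons have their own thread and delay settings which this plan does not touch.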

JammasterJ

Jun 9, 2017, 6:18:08 AM6/9/17
to OWASP ZAP User Group
Hi Simon,

Thanks very much for the reply.

I agree; it's just that the wording seemed to be quite loose, so I wasn't 100% sure. I'll contact AWS to see what they say and report back.

Thanks again,

JammasterJ

Jul 25, 2017, 5:02:45 AM7/25/17
to OWASP ZAP User Group
Hi Simon,

As an update, I've just finished a pen test on AWS where I told them I would be using ZAP and detailed its functionality. No one explicitly said not to use it at any point. Not ideal, but it seems to indicate it is fine to use.

Kind regards,