Automating ZAP


agarai craig

Nov 28, 2016, 4:49:55 PM
to OWASP ZAP User Group
Hi All,

We are trying to automate ZAP scanning for our services to make it easier for the Dev team to include in the Devops lifecycle.


So, was wondering whether it would be possible to automate ZAP as below:

Start the ZAP proxy from command line in listening mode so that requests go through ZAP proxy.
And, tell the developer to login to the remote machine and explore the service using a browser through ZAP.
Finally, run the scan from the commandline again and generate and mail the reports.

This is effectively the structure we follow in our other security services.

Wondering if this architecture is possible or not.

Any suggestions are appreciated.

I referred to the slides from here:


Thanks,


agarai craig

Nov 28, 2016, 11:00:33 PM
to OWASP ZAP User Group
Followed the videos of Automating ZAP by Simon. It works for me now.

Thanks,

thc...@gmail.com

Nov 29, 2016, 9:41:02 AM
to zaprox...@googlegroups.com
Thanks for letting us know.

Best regards.
> <http://www.slideshare.net/psiinon/presentations>
>
> Thanks,

agarai craig

Dec 5, 2016, 4:51:29 PM
to OWASP ZAP User Group
Hi All,

So, we followed the videos and configured our scans as mentioned for ZAP automation.

And, here are the alternatives that we could come up with.

1) Baseline Scan - That provides a basic scan about the security state of the service. Not an in-depth scan.

2) Also, using the API/Rest Endpoints we get the same results as the baseline scan, nothing more or less.

3) We are not planning to use the extension tools for jenkins as of now.

4) We also configured ZAP as a proxy from browser and explored our service to intercept the requests and scan them.

Alternative (4) provided the best results as expected.

Alternative (1) and (2) gave similar output reports i.e. a basic scan.

So, my query is whether it would be possible to

1. start ZAP as a listening proxy through a script and keep it listening
2. explore our service while ZAP listens and captures the requests
3. stop listening and generate the reports again through scripting.

That's the design we are planning to achieve.

Any suggestions appreciated.
Thanks,

Simon Bennetts

Dec 6, 2016, 7:44:07 PM
to OWASP ZAP User Group
Yes :)

Have a look at my DevSecCon workshop: http://www.slideshare.net/psiinon/automating-owasp-zap-devcseccon-talk
The video of the workshop is embedded in the slides.

Cheers,

Simon

Sivakumar Prakhash

Dec 7, 2016, 11:26:48 AM
to OWASP ZAP User Group
Hi agarai,

This [1] will be helpful to you. I have written this as I was working on the same task.

agarai craig

Dec 7, 2016, 3:06:08 PM
to OWASP ZAP User Group
Hi Simon,

Let me reframe my question as below:

B) Second, we configured ZAP as a proxy for our browser and captured all the requests and then performed the attack on them.
This generated a report with 12 critical issues.

I remember you mentioned in the conference that baseline scan is just a basic scan and may not be in-depth.

And, from my understanding the REST API support does not have the option to setup ZAP as a proxy from the browser;
giving the end user the freedom to explore the service and capture the requests. (basically a manual spider)

So, we already have approach (A) set up, but we are planning to move towards approach (B).
What is your suggestion in that regard?

Thanks,

Simon Bennetts

Dec 7, 2016, 3:43:29 PM
to OWASP ZAP User Group
Hi Agarai,

Replies inline


On Wednesday, 7 December 2016 20:06:08 UTC, agarai craig wrote:
Hi Simon,

Let me reframe my question as below:

B) Second, we configured ZAP as a proxy for our browser and captured all the requests and then performed the attack on them.
This generated a report with 12 critical issues.

I remember you mentioned in the conference that baseline scan is just a basic scan and may not be in-depth.

That's right - the baseline just does spidering and passive scanning.

And, from my understanding the REST API support does not have the option to setup ZAP as a proxy from the browser;
giving the end user the freedom to explore the service and capture the requests. (basically a manual spider)

On the contrary, proxying through ZAP while controlling it via the API is one of the key use cases we support, and it's one of the ways we use ZAP at Mozilla.
You just need to start ZAP, typically as a daemon. You can then proxy your browsers through ZAP and control it via the API.
We use Selenium application regression tests proxied through ZAP to explore our apps as effectively as possible.
We then use the ZAP API to launch the spidering and scanning and retrieve the results.
You can mix and match manual and automated exploration as you like - just start ZAP and then do whatever you want - proxying, API access...

Cheers,

Simon

agarai craig

Dec 7, 2016, 4:28:29 PM
to OWASP ZAP User Group
Great.. now I get the complete workflow.
Was missing some bits in the design.

Thanks for the response.. was really helpful.

Let me try it out.. Will update you once done.

Thanks,

Amit Kulkarni

Dec 21, 2016, 3:26:45 AM
to OWASP ZAP User Group
Hi All,

I am fairly new to security testing. I am following the videos and presentation by Simon.
I was able to run the baseline passive scan using docker + ZAP stable.
I now want to try active scanning and spidering; can you guide me on how to go about it?

regards,
Amit

Simon Bennetts

Dec 21, 2016, 4:31:02 AM
to OWASP ZAP User Group
Have you seen my talk at DevSecCon?
The slides are here http://www.slideshare.net/psiinon/automating-owasp-zap-devcseccon-talk and they contain a video of the talk.

Cheers,

Simon

Amit Kulkarni

Jan 4, 2017, 9:00:06 PM
to OWASP ZAP User Group

Hi Simon,

I followed your video and slides. I was able to recreate all scans (passive, spidering, active) through the Desktop UI and then through the Web API. Steps 1 to 3 below.

1. Experiment with the Desktop UI
2. Export configs from the UI (contexts, scan policies..)
3. Then reproduce using the API UI
4. Finally convert to a script

I now want to convert it into scripts (step 4). For that, when I try to install python from pip (pip install python-owasp-zap-v2.5), I get the error below:

pip: command not found.

Also, once this is resolved I want to know
1. where to keep those scripts
2. and the command line to run those scripts

Thanks & Regards,
Amit

Simon Bennetts

Jan 5, 2017, 4:27:24 AM
to OWASP ZAP User Group
Hi Amit,

pip is a standard Python package manager: https://en.wikipedia.org/wiki/Pip_(package_manager)
How you should install it will depend on your OS but should be easy to search for.
You can keep ZAP API scripts wherever you like - they connect to ZAP via the API, so they can even be on another machine as long as they can connect to ZAP.
If you are using the Python API then just run them using python, e.g. "python my_zap_api_script.py" :)

Cheers,

Simon

Amit Kulkarni

Jan 5, 2017, 10:03:40 PM
to OWASP ZAP User Group
Hi Simon,

Thanks for the detailed reply. I was able to install pip, python and python-owasp-zap-v2.4 on my local machine. Attached is my ActiveScan Python script. When I run it, it runs into the error below. Not sure what that error is. Can you take a look?

PS C:\Python27\Scripts> python .\activescan_zap_api_script.py
Traceback (most recent call last):
  File ".\activescan_zap_api_script.py", line 5, in <module>
    zap.ascan.scan('http://localhost:8080')
  File "C:\Program Files\PYTHON27\lib\site-packages\zapv2\ascan.py", line 168, in scan
    return next(self.zap._request(self.zap.base + 'ascan/action/scan/', params).itervalues())
  File "C:\Program Files\PYTHON27\lib\site-packages\zapv2\__init__.py", line 145, in _request
    return json.loads(self.urlopen(url + '?' + urllib.urlencode(get)))
  File "C:\Program Files\PYTHON27\lib\json\__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "C:\Program Files\PYTHON27\lib\json\decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Program Files\PYTHON27\lib\json\decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded


regards,
Amit
activescan_zap_api_script.py

thc...@gmail.com

Jan 6, 2017, 4:49:39 AM
to zaprox...@googlegroups.com
Hi.

That error might happen if the ZAP API client is connecting to a program other than ZAP.

On which port is ZAP listening? The ports in the line:
zap = ZAPv2(proxies={'http':'http://localhost:8080','https':'http://localhost:8080'})

must be changed to match the port being used by ZAP.

Best regards.

Amit Kulkarni

Jan 9, 2017, 1:46:04 AM
to OWASP ZAP User Group

Hi thc202, Simon,

Thanks for the prompt reply. By changing the code below to
zap = ZAPv2(proxies={'http':'http://localhost:8090','https':'http://localhost:8090'})

it worked.

Now, my next question is how can I use it in daemon or CI or in docker ?

My basic understanding and from the above threads, what I think is:

1. Start ZAP in daemon mode (need to know the command to start ZAP in daemon mode?)
2. Kick off regression tests (I have regression tests in Nightwatch.js; can I use them?)
3. Run a Python script which will capture the result/report

Let me know if I am missing something.

Thanks & regards,
Amit

Simon Bennetts

Jan 9, 2017, 4:58:55 AM
to OWASP ZAP User Group
Hi Amit,

That's right :)
FYI we do this for testing ZAP against apps like wavsep:

We use the ZAP docker images (https://github.com/zaproxy/zaproxy/wiki/Docker) which I think are really useful for automating ZAP :)


Cheers,


Simon
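As an added example (not code from the thread, the python-owasp-zap client or the ZAP project), here is the workflow Simon confirms above, plus the check for the wrong-port mistake thc202 diagnosed earlier (an HTML reply where JSON was expected). It talks to ZAP's JSON API directly with urllib, so it has no extra dependency, and assumes a hypothetical local setup: ZAP started as a daemon on 127.0.0.1:8090 with the placeholder API key CHANGEME, and the app under test already explored through the proxy.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed setup (hypothetical, not from the thread): ZAP started as a daemon with
#   zap.sh -daemon -host 127.0.0.1 -port 8090 -config api.key=CHANGEME
ZAP_API = "http://127.0.0.1:8090"   # ZAP's own port, NOT the port of the app under test
API_KEY = "CHANGEME"                # placeholder; use the key ZAP was started with

def _http_get(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def zap_call(component, kind, name, params=None, fetch=_http_get):
    """Call one ZAP JSON API endpoint; `fetch` is injectable for offline testing."""
    query = dict(params or {}, apikey=API_KEY)
    url = "%s/JSON/%s/%s/%s/?%s" % (ZAP_API, component, kind, name, urllib.parse.urlencode(query))
    try:
        return json.loads(fetch(url))
    except ValueError:
        # The thread's symptom: the port answers with HTML instead of ZAP's JSON,
        # i.e. the client is pointed at something other than ZAP's API port.
        raise RuntimeError("%s did not return JSON; is that really ZAP's port?" % ZAP_API)

def check_zap(fetch=_http_get):
    """Fail fast with a clear message instead of a raw socket/JSON traceback."""
    try:
        return zap_call("core", "view", "version", fetch=fetch)["version"]
    except urllib.error.URLError as e:
        raise RuntimeError("cannot reach ZAP at %s (%s); is the daemon up?" % (ZAP_API, e.reason))

def wait_for(component, scan_id, fetch=_http_get, sleep=time.sleep):
    """Poll spider/ascan progress until ZAP reports 100%."""
    while int(zap_call(component, "view", "status", {"scanId": scan_id}, fetch)["status"]) < 100:
        sleep(2)

def scan_target(target, fetch=_http_get, sleep=time.sleep):
    """Spider, then actively scan `target`; return alert counts keyed by ZAP risk level."""
    check_zap(fetch)
    sid = zap_call("spider", "action", "scan", {"url": target}, fetch)["scan"]
    wait_for("spider", sid, fetch, sleep)
    aid = zap_call("ascan", "action", "scan", {"url": target}, fetch)["scan"]
    wait_for("ascan", aid, fetch, sleep)
    alerts = zap_call("core", "view", "alerts", {"baseurl": target}, fetch)["alerts"]
    summary = {}
    for alert in alerts:
        summary[alert["risk"]] = summary.get(alert["risk"], 0) + 1
    return summary
```

With the daemon up and the regression tests finished, `scan_target("http://localhost:8080")` runs the spider and active scan and returns something like `{"High": 2, "Low": 1}`, which a CI job can turn into a pass/fail threshold.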


kingthorin+owaspzap

Jan 10, 2017, 8:23:01 AM
to OWASP ZAP User Group
The proxy failed to bind to 0.0.0.0:8090 because it was already in use ("Failed: port already in use."). Which means you probably have something hung, or you already have another process using that port.

Amit Kulkarni

Jan 13, 2017, 4:00:47 AM
to OWASP ZAP User Group

Hi Simon, kingthorin,

Running my regression tests in docker seems complicated right now. So I am trying to run it locally by starting ZAP in daemon mode locally, and it starts (ZAP is now listening on localhost:8090). Also my tests run, but the scan script fails.
The error is as below. Also, when ZAP starts in daemon mode the cursor doesn't return, or in other words the next command is not executed. So I am manually starting the tests and ZAP scripts in another terminal.
Accessing target http://localhost:8080
Traceback (most recent call last):
  File ".\ccare_zap_spider_scan.py", line 11, in <module>
    zap.urlopen(target)
  File "C:\Program Files\PYTHON27\lib\site-packages\zapv2\__init__.py", line 124, in urlopen
    return urllib.urlopen(*args, **kwargs).read()
  File "C:\Program Files\PYTHON27\lib\urllib.py", line 87, in urlopen
    return opener.open(url)
  File "C:\Program Files\PYTHON27\lib\urllib.py", line 213, in open
    return getattr(self, name)(url)
  File "C:\Program Files\PYTHON27\lib\urllib.py", line 350, in open_http
    h.endheaders(data)
  File "C:\Program Files\PYTHON27\lib\httplib.py", line 1053, in endheaders
    self._send_output(message_body)
  File "C:\Program Files\PYTHON27\lib\httplib.py", line 897, in _send_output
    self.send(msg)
  File "C:\Program Files\PYTHON27\lib\httplib.py", line 859, in send
    self.connect()
  File "C:\Program Files\PYTHON27\lib\httplib.py", line 836, in connect
    self.timeout, self.source_address)
  File "C:\Program Files\PYTHON27\lib\socket.py", line 575, in create_connection
    raise err
IOError: [Errno socket error] [Errno 10061] No connection could be made because the target machine actively refused it

Regards,
Amit