OWASP Zap - On Openshift 4.6


Benoit Schipper

Jan 21, 2021, 4:22:21 AM
to OWASP ZAP User Group
Hey All,

First time I am posting here, or ever in Google Groups. So here goes nothing.

I have been trying to get a deployment of OWASP ZAP to run on Openshift 4.6. I initially altered the docker Image so it would be allowed to run on Openshift: see below.

FROM owasp/zap2docker-stable

USER root

RUN chown -R :0 /home/zap && \
    chmod -R g+w /home/zap && \
    chown -R :0 /zap && \
    chmod -R g+w /zap
    
USER 1001

After that I was able to run the OWASP ZAP container in Openshift using the following deploymentconfig:

kind: Template
apiVersion: v1
metadata:
  name: zap2docker
  labels:
    template: zap2docker
    name: zap2docker
objects:
- kind: DeploymentConfig
  apiVersion: apps.openshift.io/v1
  metadata:
    name: zap2docker
    namespace: namespace-development
  spec:
    template:
      metadata:
        name: zap2docker
        labels:
          name: zap2docker
      spec:
        containers:
        - name: zap2docker-myownimage
          image: image-registry.openshift-image-registry.svc:5000/namespace-development/zap2docker-myownimage:latest
          command: ["zap.sh"]
          args:
            - -daemon 
            - -host 
            - "0.0.0.0" 
            - -port 
            - "8080"
            - -config 
            - api.addrs.addr.name=.*
            - -config 
            - api.addrs.addr.regex=true
            - -config 
            - api.disablekey=true
            - -silent
            - -certfulldump 
            - /tmp/zap.cert
    replicas: 1
    selector:
      name: zap2docker
    strategy:
      type: Rolling
- kind: Service
  apiVersion: v1
  metadata:
    name: zap2docker
    annotations:
      description: Exposes and load balances the application pods
  spec:
    ports:
    - name: zap2docker-port
      port: 8080
      targetPort: 8080
    selector:
      name: zap2docker
- kind: Route
  apiVersion: v1
  metadata:
    name: zap2docker
    labels:
      app: zap2docker
      route: ota
  spec:
    host: ""
    to:
      kind: Service
      name: zap2docker
    tls:
      insecureEdgeTerminationPolicy: Redirect
      termination: edge

The container starts and I am able to run "curl localhost:8080" within the container itself, and it provides me with the expected result:

$ curl localhost:8080
<head>
<title>ZAP API UI</title>
</head>
<body>
<h1>Welcome to the OWASP Zed Attack Proxy (ZAP)</h1><p>ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.</p><p></p><p>Please be aware that you should only attack applications that you have been specifically been given permission to test.</p><h2>Proxy Configuration</h2><p>To use ZAP effectively it is recommended that you configure your browser to proxy via ZAP.</p><p></p><p>The easiest way to do this is to launch your browser from ZAP via the "Quick Start / Manual Explore" panel - it will be configured to proxy via ZAP and ignore any certificate warnings.<br>Alternatively you can configure your browser manually or use the generated <a href="/OTHER/core/other/proxy.pac/?apinonce=b3996b4a8f505a36">PAC file</a>.</p><h2>Links</h2><li><a href="/UI">Local API</a></li><li><a href="https://www.zaproxy.org/">ZAP Website</a></li><li><a href="https://groups.google.com/group/zaproxy-users">ZAP User Group</a></li><li><a href="https://groups.google.com/group/zaproxy-develop">ZAP Developer Group</a></li><li><a href="https://github.com/zaproxy/zaproxy/issues">Report an issue</a></li></body>

I then tried to connect to the container from another existing container using the service I created called zap2docker, which works fine as well:

sh-4.2$ curl zap2docker:8080
<head>
<title>ZAP API UI</title>
</head>
<body>
<h1>Welcome to the OWASP Zed Attack Proxy (ZAP)</h1><p>ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.</p><p></p><p>Please be aware that you should only attack applications that you have been specifically been given permission to test.</p><h2>Proxy Configuration</h2><p>To use ZAP effectively it is recommended that you configure your browser to proxy via ZAP.</p><p></p><p>The easiest way to do this is to launch your browser from ZAP via the "Quick Start / Manual Explore" panel - it will be configured to proxy via ZAP and ignore any certificate warnings.<br>Alternatively you can configure your browser manually or use the generated <a href="/OTHER/core/other/proxy.pac/?apinonce=b48509037b819842">PAC file</a>.</p><h2>Links</h2><li><a href="/UI">Local API</a></li><li><a href="https://www.zaproxy.org/">ZAP Website</a></li><li><a href="https://groups.google.com/group/zaproxy-users">ZAP User Group</a></li><li><a href="https://groups.google.com/group/zaproxy-develop">ZAP Developer Group</a></li><li><a href="https://github.com/zaproxy/zaproxy/issues">Report an issue</a></li></body>

On both I can also do a curl -k https://localhost:8080 and from the other container through the service curl -k https://zap2docker:8080.

Now I found out that the OWASP-ZAP container might redirect to https, meaning that when I try to make a route using Edge termination and connect from outside the platform on 443 to the zap2docker service on 8080 it will result in a 302 loop as both parties keep trying to redirect to 443.

However, even when I create a route using Re-Encrypt termination (which should then work as both the container and the OpenShift platform expect encrypted traffic) it also does not allow me to get to the OWASP/ZAP welcome page from outside the OpenShift platform.

Additionally, passthrough also does not work, and non-secure traffic (port 80) does not work either.

I also tried using a different port than 8080, but OWASP ZAP did not really enjoy that :).

Is there anyone that might have an idea on what I am doing wrong?

- Is the container forcing https over 8080? If so, can I turn it off with a parameter so I can let Openshift handle the https encryption?
- Is there possibly an Openshift termination I did not try yet?

Any help would be much appreciated :)

The goal for me is to be able to get to the hosted OWASP ZAP container to be able to run it in pipelines hosted outside of the OpenShift platform. If there is no solution I might think about creating an API that connects to the OWASP ZAP container for me (using it as a bridge to allow me to connect from outside).

Thanks in advance,

Kind regards,

Ben

Simon Bennetts

Jan 21, 2021, 4:24:54 AM
to OWASP ZAP User Group
Hiya Ben,

Welcome to the group :)

By default (and for security reasons) ZAP only allows local connections, not remote ones.
You can of course change that - see this FAQ: https://www.zaproxy.org/faq/how-can-i-connect-to-zap-remotely/

ZAP can listen on any port that it has permission to use, just set that via the '-port' parameter.

ZAP intercepts HTTPS traffic using its own Root CA certificate. You can't just let another product handle HTTPS for ZAP - it then wouldn't be able to decrypt HTTPS. If you don't want/need ZAP to handle HTTPS then don't proxy HTTPS requests through ZAP :)
You will typically need to import the ZAP Root CA cert into your browser / program that's generating HTTP traffic as a trusted Root CA cert.

I'd recommend focussing on one problem at a time rather than trying to solve everything all at once ;)
How about trying to access ZAP remotely and then, when that's working, go on to the next problem?

Cheers,

Simon

Benoit Schipper

Jan 21, 2021, 5:04:20 AM
to OWASP ZAP User Group
Hey Simon,

Thanks for your reply :). I believe I have tried both. When the ZAP application runs I see the following in the logs:

Logs
org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null 
org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null 
org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null 
.....(cut out parts to reduce logs) 
org.parosproxy.paros.CommandLine - Root CA certificate written to /tmp/zap.cert
org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:8080  

- Above you can see I set up ZAP for remote access on port 8080.
- I also tried extracting the cert and using that cert in the chain for route determination.

My starting Parameters when I start zap.sh:
          command: ["zap.sh"]
          args:
            - -daemon 
            - -host 
            - "0.0.0.0" 
            - -port 
            - "8080"
            - -config 
            - api.addrs.addr.name=.*
            - -config 
            - api.addrs.addr.regex=true
            - -config 
            - api.disablekey=true
            - -silent
            - -certfulldump 
            - /tmp/zap.cert

---------------
I am able to get to ZAP via 8080 within its own container and via the service I created from another (not related) container. The only thing I cannot do is set up a route allowing me to access the container via ROUTE (443) -> ZAPService (8080) -> ZapContainer (8080).

I understand that if the container itself also does HTTPS I should be able to setup the route to instead of Redirecting to https to again RE-Encrypt the traffic, reading: Openshift 4.6 Documentation

So I am able to reach it within Openshift, just not outside. And I believe you are right: it has something to do with the fact that ZAP does HTTPS with a Certificate, making it hard for Openshift to redirect or route the traffic.

Is there any way to turn off https at all within the container? Maybe a startup zap.sh parameter?
From a security standpoint I trust OpenShift to encrypt it via HTTPS as well. So either/or is fine for me :P

Thanks for your help btw! Appreciate it! 

Regards,

Ben
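As an added example, not part of this thread and not ZAP project code: a small Python audit that reads the zap.sh arguments from the DeploymentConfig in the first post and the start-up log lines in the post above, and grades who can drive the API once a Route publishes the port. It makes the security point behind Simon's "one problem at a time": with api.disablekey=true and api.addrs.addr.name=.* (regex=true), any client that can reach the Route has full control of the scanner, so the key and address restrictions belong in the argument list before the routing problem is solved. The localhost:8080 default, the hardened argument list, the runner subnet regex and the api.key placeholder are assumptions; the matching rules below are a model of how the settings combine, not ZAP's own implementation (the FAQ Simon linked is the reference for that).

```python
"""Audit how exposed a ZAP daemon's API is, from its zap.sh arguments and start-up log.

Added example, not ZAP project code. The address matching here is a model of
how the api.* settings combine, not ZAP's own implementation.
"""
import re

# Constructed: the args list from the DeploymentConfig quoted in this thread.
ZAP_ARGS = [
    "-daemon", "-host", "0.0.0.0", "-port", "8080",
    "-config", "api.addrs.addr.name=.*",
    "-config", "api.addrs.addr.regex=true",
    "-config", "api.disablekey=true",
    "-silent", "-certfulldump", "/tmp/zap.cert",
]

# Constructed hardened variant: the key is a placeholder to be injected from a
# Secret, and the address regex is an assumed pipeline-runner subnet.
HARDENED_ARGS = [
    "-daemon", "-host", "0.0.0.0", "-port", "8080",
    "-config", "api.key=REPLACE_WITH_SECRET_FROM_A_SECRET_OBJECT",
    "-config", r"api.addrs.addr.name=10\.42\..*",
    "-config", "api.addrs.addr.regex=true",
    "-silent",
]

# Constructed log lines, in the shape of the start-up log quoted above.
ZAP_LOG = """\
org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
org.parosproxy.paros.CommandLine - Root CA certificate written to /tmp/zap.cert
org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:8080
"""

LOG_SETTING = re.compile(r"Setting config (\S+) = (\S+)")
LOG_LISTEN = re.compile(r"ZAP is now listening on (\S+):(\d+)")


def parse_args(args):
    """Return (host, port, config) from a zap.sh argument list (assumed default localhost:8080)."""
    host, port, config = "localhost", 8080, {}
    it = iter(args)
    for arg in it:
        if arg == "-host":
            host = next(it)
        elif arg == "-port":
            port = int(next(it))
        elif arg == "-config":
            key, _, value = next(it).partition("=")
            config[key] = value
    return host, port, config


def parse_log(text):
    """Return (bind address, port, config) as the daemon reports them at start-up."""
    bind, port, config = None, None, {}
    for line in text.splitlines():
        m = LOG_SETTING.search(line)
        if m:
            config[m.group(1)] = m.group(2)
            continue
        m = LOG_LISTEN.search(line)
        if m:
            bind, port = m.group(1), int(m.group(2))
    return bind, port, config


def _true(value):
    return str(value).lower() == "true"


def audit(host, port, config, published):
    """Grade API exposure; `published` means a Route/Ingress exposes the port.

    Returns (level, notes) with level in ok / medium / high / critical.
    """
    any_addr = (config.get("api.addrs.addr.name") == ".*"
                and _true(config.get("api.addrs.addr.regex", "false")))
    key_disabled = _true(config.get("api.disablekey", "false"))
    notes = []
    if host in ("0.0.0.0", "::"):
        notes.append(f"info: listens on all interfaces ({host}:{port}); normal in a pod, "
                     "so access control must come from api.addrs, api.key or NetworkPolicy")
    if any_addr:
        notes.append("warn: api.addrs permits every client address (.* with regex=true)")
    if key_disabled:
        notes.append("warn: API key check is disabled (api.disablekey=true)")
    elif not config.get("api.key"):
        notes.append("info: no explicit api.key; clients need whatever key ZAP generates")
    if any_addr and key_disabled:
        level = "critical" if published else "high"
        notes.append(f"{level}: every client that can reach the port can drive the scanner"
                     + (", and a Route publishes it" if published else ""))
    elif any_addr or key_disabled:
        level = "high" if published else "medium"
    else:
        level = "ok"
    return level, notes


if __name__ == "__main__":
    for label, args in (("thread config", ZAP_ARGS), ("hardened", HARDENED_ARGS)):
        level, notes = audit(*parse_args(args), published=True)
        print(f"{label}: {level}")
        for note in notes:
            print("  -", note)
    print("log agrees with args:", parse_log(ZAP_LOG)[2] == parse_args(ZAP_ARGS)[2])
```

Run against the thread's arguments with a Route in place, the report comes out "critical"; the hardened list (a real api.key plus an address restriction) comes out "ok" even though it still binds 0.0.0.0, because in a pod the bind address is not where the access control lives. Comparing the parsed log against the parsed arguments is a cheap check that the DeploymentConfig you audited is the one the pod actually started with.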

Alexander Buss

Mar 30, 2021, 10:47:29 AM
to OWASP ZAP User Group
Hi,

I am facing the same issue as Ben described. (using OpenShift 3.11.x)

I am able to start the container and access the API via localhost:8080, but I am not able to access it via the OpenShift route from outside OpenShift.

Is there already any solution to this?

My goal is just to run a zap API container to proxy my Selenium tests accessing it via the openshift route.

@Ben did you find a solution?

Thanks for your help!

Regards,
Alex

