Using ZAP as an intercepting proxy in CI


Abhishek Jha

Feb 27, 2023, 8:38:38 AM
to OWASP ZAP User Group
Hi,

I have a use case that I am looking to accomplish. The use case is as follows:
To use ZAP as an intercepting proxy that can run along with any existing test suites, so that we can use this with any API test suite, and it should be able to scan endpoints that do not have an OpenAPI spec.
The process it follows should be similar to this:
1. Requests flow through zap (web proxy)
2. ZAP modifies requests to include Vulnerability Tests
3. API sends Response back through ZAP
4. ZAP generates a report based on the response

Which module of ZAP should I consult in order to accomplish this task? Or what can be the possible configs that we might need to do in order to accomplish this task?

Thanks

Simon Bennetts

Feb 28, 2023, 4:16:39 AM
to OWASP ZAP User Group
I'd recommend using the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/

You will need to ensure that your tests can be proxied through the ZAP instance you start.
Use the delay job to ensure that ZAP waits until your tests have completed: https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-delay/
You can either get it to wait for a fixed time, create a specified file when your tests end, or call the ZAP endpoint.

Start by just making sure your tests are successfully proxied through ZAP by using the jobs:
  • delay
  • passiveScan-wait
  • report
If no alerts are included in the report then you didn't successfully proxy your tests.
Once those are working you can add the activeScan job and potentially others like the passiveScan-config one to tune ZAP to match your requirements.

Cheers,

Simon

Abhishek Jha

Mar 2, 2023, 2:03:50 AM
to OWASP ZAP User Group
Got your point, Simon, but I have one follow-up question. In ZAP desktop, when we make our requests pass through ZAP, then under the Sites section all the sites intercepted by ZAP are shown, and we can then simply go to Report >> Generate Report and we get the report through this, without even defining the context. But in the case of the Automation Framework, the env job is the very first job and it throws an error when there is no URL included in the context, and further steps are never executed.

So what I want to know is how we can generate the report in the Automation Framework using only the sites and without having to define our context, since the URLs will vary depending upon the test suites.

Thanks.

Simon Bennetts

Mar 2, 2023, 4:22:23 AM
to OWASP ZAP User Group
A URL is mandatory for the AF.
However, you can define this as an env var which you set before invoking ZAP.

Cheers,

Simon
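The plan below ties together the three jobs Simon listed earlier (delay, passiveScan-wait, report) with the mandatory context URL taken from an environment variable, as suggested in this reply. It is an added example, not a file from the thread or from the ZAP project; the variable name TARGET_URL, the /zap/wrk paths, the tests-done file name and the durations are assumptions.

```yaml
# Added example: ZAP Automation Framework plan (assumed path /zap/wrk/plan.yaml).
# The context URL comes from the TARGET_URL environment variable, exported by the
# CI job before ZAP starts, so the plan itself stays test-suite agnostic.
env:
  contexts:
    - name: "api-under-test"
      urls:
        - "${TARGET_URL}"            # mandatory; e.g. TARGET_URL=http://api:3000 (assumed value)
  parameters:
    failOnError: true                # abort the plan if a job errors
    failOnWarning: false
    progressToStdout: true           # job progress shows up in the CI log

jobs:
  # 1. Keep ZAP open while the test suite sends its requests through the proxy.
  #    The job ends when the file appears, when the time elapses, or when the
  #    automation/action/endDelayJob API action is called.
  - type: delay
    parameters:
      time: "0:15:00"                      # upper bound, hh:mm:ss (assumed)
      fileName: "/zap/wrk/tests-done"      # created by the test runner when it finishes (assumed name)

  # 2. Let the passive scanner finish the traffic it has queued before reporting.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5                 # minutes

  # 3. Write the report. With no `sites` filter the report covers every site ZAP
  #    proxied, which matches the desktop Report >> Generate Report behaviour.
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
      reportTitle: "Proxied API tests"
      displayReport: false
    risks:
      - high
      - medium
      - low
      - info
```

Run it headless with `zap.sh -cmd -autorun /zap/wrk/plan.yaml` after exporting TARGET_URL. Apply Simon's check to the output: a report with no alerts at all almost always means the test traffic never reached the proxy, since the passive scanner raises at least informational alerts on ordinary API responses.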

Abhishek Jha

Mar 2, 2023, 6:16:44 AM
to OWASP ZAP User Group
Thanks for the suggestion, Simon.
But I really want to manipulate the behaviour in ZAP desktop where we start a new session and then run our API test suite (which has more than 100s of APIs), and then the APIs, when they pass through ZAP, show up in the sites tree. And then, without having to run any tests apart from that, we can generate the report by clicking the Generate Report button.
(I guess it is more of ZAP analysing the request-response and generating the report based on that. And the report includes all the APIs that were proxied.)

Is it possible to manipulate the same behaviour somehow in CI, be it through AF or Docker Packaged Scans or some scripts?

P.S.: We don't want to run any tests explicitly, just want to proxy requests through ZAP and generate the report. It is easily doable in Desktop, but how to achieve the same in CI?

Thanks.

Abhishek Jha

Mar 2, 2023, 6:58:35 AM
to OWASP ZAP User Group
Although I have created a context specifying some dummy URL in it and it seems to work, as the report included all the API groups that are proxied through ZAP, I am not sure if it will also include the alerts of those endpoints as well.

I need your thoughts or suggestions on this.

Thanks

Simon Bennetts

Mar 3, 2023, 4:27:43 AM
to OWASP ZAP User Group
Sorry, I'm not sure exactly what your requirements are.
Can you explain them in bullet points?
Are you looking for something like this:
  • Proxy API tests through ZAP
  • Passively scan the requests and responses
  • Generate a report including only specific sites
Cheers,

Simon

Abhishek Jha

Mar 3, 2023, 5:20:41 AM
to OWASP ZAP User Group
Yes, exactly. So my flow is as follows:
1. Run the test suites, e.g. a Karate test suite which has a set of APIs which we are testing for requests and responses.
2. Proxy these requests through ZAP.
3. Then passively scan the requests and responses.
4. Then finally generate the report based upon that passive scan.

I am successfully doing it for ZAP desktop, but I want to do it in some CI, maybe Jenkins or GitLab.
So I am thinking of doing it this way:
1. Run both Docker containers and make them talk to each other using docker-compose.
2. Once both containers are up and running,
3. originate requests from the test suite container and make them pass through the ZAP container (proxy), and then generate the report.

One more thing I need to confirm: ZAP listens on port 8080, right?

Thanks
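The two-container layout sketched in this message, written out as a docker-compose file. It is an added example, not from the thread or the ZAP project. Assumptions: the Automation Framework plan (using the delay, passiveScan-wait and report jobs with a TARGET_URL context variable) sits at ./zap/plan.yaml on the host, the test-runner image is built from ./tests and provides a hypothetical run-tests.sh plus the nc utility, the API under test is reachable on the compose network as api:3000, and the image name ghcr.io/zaproxy/zaproxy:stable is the current one. ZAP's default proxy port is 8080, which answers the last question.

```yaml
# Added example (constructed): docker-compose wiring for proxying an API test
# suite through ZAP in CI. Not part of the thread or of the ZAP project.
services:
  zap:
    image: ghcr.io/zaproxy/zaproxy:stable     # assumed current image name
    # -cmd: run the plan and exit when it ends. -host 0.0.0.0 makes the proxy
    # reachable from other containers; 8080 is ZAP's default proxy port.
    command: >
      zap.sh -cmd -host 0.0.0.0 -port 8080
      -autorun /zap/wrk/plan.yaml
    environment:
      TARGET_URL: "http://api:3000"           # substituted into the plan's context URL (assumed)
    volumes:
      - ./zap:/zap/wrk:rw                     # plan goes in; report and tests-done come out

  api-tests:
    build: ./tests                            # assumed: image containing the API test suite
    depends_on:
      - zap
    environment:
      TARGET_URL: "http://api:3000"
      HTTP_PROXY: "http://zap:8080"           # honoured by most HTTP clients and CLIs
      HTTPS_PROXY: "http://zap:8080"
      NO_PROXY: "localhost,127.0.0.1"
    volumes:
      - ./zap:/zap/wrk:rw                     # shared so the runner can signal the delay job
    # Wait until the proxy accepts connections, run the suite, then create the
    # file the delay job watches. The "|| true" makes sure the signal (and so
    # the report) still happens when tests fail. run-tests.sh is hypothetical.
    command: >
      sh -c "until nc -z zap 8080; do sleep 1; done;
             ./run-tests.sh || true;
             touch /zap/wrk/tests-done"
```

Two practical caveats. The environment variables only work for clients that honour them; Karate, which the thread mentions, is configured explicitly with `configure proxy = 'http://zap:8080'` in the feature or karate-config file. And if the API is served over HTTPS, the test client must trust ZAP's root CA certificate (exported from the running instance), otherwise the TLS handshake through the proxy fails and, as Simon noted, the report comes back empty.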
