OWASP ZAP: Active Scanner in Continuous Integration


Andrea Arcuri

Jan 8, 2016, 6:48:15 AM
to OWASP ZAP User Group
Hi,
  this topic was first posted on StackOverflow at:


I'm reposting it here to continue the discussion here instead of on StackOverflow.


-----------------------------------------------------------
Trying to use ZAP (2.4.3) in a continuous integration (CI) setting. I can run ZAP as a daemon, run all my Selenium tests (in Java) using ZAP as a proxy, and then use the REST API (calling htmlreport) to get a final report from the Passive Scanner. This works fine, but I would like to also use the Active Scanner. Using the Active Scanner in CI is mentioned several times in ZAP's documentation, but I haven't found any working example or tutorial about it... does any exist?


What I would like to achieve is something like: Run Active Scanner on all the pages visited by the Selenium regression suite, once it is finished to run.


Trying to look at ZAP's REST API, but it is mostly undocumented:

https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index



Ideally, it would be great to have something like:

  • Start Active Scan asynchronously on all visited URLs
  • Poll to check if the Active Scan run is completed


In the REST API it seems there is something related, but:

  • ascan/scan needs a URL as input. I could call core/urls to see what the Selenium tests have visited, but then how do I set the right authentication (login credentials)? What if the order in which the URLs are visited is important? What if a page is only accessible with a specific credential?
  • there is an ascan/scanAsUser, but it is unclear how contextId and userId can be retrieved from ZAP. A cumbersome workaround would be to modify the Selenium tests to write to disk the URLs they visit and which login/password credentials they are using, and then, once all tests are finished, to read that info from disk to call ZAP. Is there any simpler way?

-----------------------------------------------------------


Simon's (ZAP Project Lead) response was:

-----------------------------------------------------------

OK, so there's a lot of questions here :)

ZAP typically scans hierarchies of URLs, eg everything under https://www.example.com/app, the top level URL of your application. We kind of assume you know what that will be ;)

Authentication is non trivial to handle, see https://github.com/zaproxy/zaproxy/wiki/FAQformauth

The ascan/status call returns the completed %

You may find the ZAP User Group http://groups.google.com/group/zaproxy-users better for these sorts of questions. But yes, we do need to improve the API documentation :/


Cheers,

Simon (ZAP Project Lead)

-----------------------------------------------------------

My (new) comments:




Thanks Simon for the clarification and very quick response. I have still some doubts though.



I do understand that I can use the REST API to directly control the Active Scanner by providing the URL and login info. However, my point was on whether ZAP can automatically re-use all information (URLs and login information) of the Selenium tests that were run with ZAP as proxy.

The Getting Started Guide states:



     A high level approach could be:

     1. Proxy browser based regression tests (eg using Selenium) through ZAP in order to explore the application in a realistic way
     2. Use the spiders to discover content not covered by regression tests
     3. Run the active scanner to attack the application
     4. Read the alerts found and report any new vulnerabilities




In particular, I thought that point (3) could be automatically run based on the information from the previous two points. At the end of the day, if ZAP was used as a proxy, it could have stored such info (it does for visited URLs, but maybe it is not possible for login credentials?). If it cannot, then that high level approach sketch is a bit misleading: points (1) and (3) would be independent, and one could do (3) before (1), with the constraint of doing (4) at the end. Or am I completely misunderstanding it?


cheers


Andrea




kingthorin+owaspzap

Jan 8, 2016, 8:04:18 AM
to OWASP ZAP User Group
Hi Andrea, hopefully I can answer or provide clarification on a few points.

  • Yes, you can use your Selenium tests to build up the site tree and ZAP will scan what's there. You could also skip #2 in Simon's "approach could be" list.
  • As for credentials and login information, you'd have to set that programmatically. There's no AI in ZAP; you have to tell it what's what, it can't intuit your login components and specific details. If you don't train it or configure it as to what those are, you'll probably just end up DoSing your test by locking out whatever account is in use due to failed logins (as the password field is tested with a valid username).
  • You could do #3 before #1 but probably wouldn't get very useful results on an app that requires auth. Plus how would ZAP "know" what to test? (You have to provide at least a starting URL, and if you're going to skip #2 then you'd only be testing a single URL as you haven't Spidered (discovered) any further content.)

Andrea Arcuri

Jan 8, 2016, 8:26:42 AM
to OWASP ZAP User Group
Hi,

  thanks, now things are getting much clearer :)   However, that means that in step (1) all tests should have had the same user (as some URL might exist only for some specific user), which is usually not the case in large regression suites. So, 1-3 could rather be seen as a cycle: for each user in the regression suite, only run the Selenium tests for that user in (1), followed by (2) and (3). Repeat the cycle for each user, and then finally do (4). But when you have thousands of tests, determining which one is using which user might get tricky. Another option could be to still do 1-2, and then a (3) for each user credential: this might be less efficient, but likely much easier to implement and integrate in an existing CI process.

cheers

Andrea
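The "start asynchronously, then poll" flow from the opening post, and the "one active scan per user credential" option from the post above, as an added example that is not code from the thread or from the ZAP project. It drives the ZAP JSON API endpoints named in the thread (ascan/scan, ascan/scanAsUser, ascan/status, core/alerts); the daemon address, API key, target URL, context and user ids, and the FakeZap stand-in are all constructed assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Hypothetical daemon address and API key: assumptions for this example, not values from the thread.
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "changeme"

def zap_call(component, kind, name, fetch=None, **params):
    """GET /JSON/<component>/<kind>/<name>/ on the ZAP daemon and return the parsed JSON reply."""
    params["apikey"] = API_KEY
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    raw = fetch(url) if fetch else urllib.request.urlopen(url).read()  # inject `fetch` to run offline
    return json.loads(raw)

def active_scan(target, fetch=None, context_id=None, user_id=None, poll_seconds=5, max_polls=720):
    """Start ascan/scan (or ascan/scanAsUser when a ZAP user is given), poll ascan/status to 100%, return alerts."""
    if user_id is None:
        reply = zap_call("ascan", "action", "scan", fetch, url=target, recurse="true")
    else:
        reply = zap_call("ascan", "action", "scanAsUser", fetch, url=target,
                         contextId=context_id, userId=user_id, recurse="true")
    scan_id = reply["scan"]
    for _ in range(max_polls):
        if int(zap_call("ascan", "view", "status", fetch, scanId=scan_id)["status"]) >= 100:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"active scan {scan_id} did not finish in time")
    return zap_call("core", "view", "alerts", fetch, baseurl=target)["alerts"]

class FakeZap:
    """Constructed stand-in for the daemon so the flow runs offline; each scan reports 0, 50, then 100%."""
    def __init__(self):
        self.calls, self.statuses = [], iter(())

    def __call__(self, url):
        path = urllib.parse.urlparse(url).path
        self.calls.append(path)
        if path.endswith(("/ascan/action/scan/", "/ascan/action/scanAsUser/")):
            self.statuses = iter(["0", "50", "100"])  # fresh progress sequence per scan
            return b'{"scan":"0"}'
        if path.endswith("/ascan/view/status/"):
            return json.dumps({"status": next(self.statuses)}).encode()
        if path.endswith("/core/view/alerts/"):  # constructed sample alert
            return b'{"alerts":[{"risk":"Medium","alert":"X-Frame-Options Header Not Set"}]}'
        raise ValueError(f"unexpected API path {path}")
```

Calling `active_scan(app_url)` once without a user and then once per `(context_id, user_id)` pair gives the "(3) for each user credential" loop; omit `fetch` to talk to a real daemon.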

kingthorin+owaspzap

Jan 8, 2016, 9:34:05 AM
to OWASP ZAP User Group
It sounds like your Selenium tests are already broken up by user type, so here's what I'd suggest:

1) Get ZAP setup to both passively and actively scan your app without authentication. (Likely a landing page, a Terms and Conditions, etc. Findings will hopefully be sparse, but this will at least give you a starting point.)
2) Move on to getting ZAP working with a standard basic user. (This is likely your most bang for buck as it represents testing of functionality exposed to the majority of your user base.)
3) Move on to getting ZAP working with a higher permission user. (Perhaps you have support personnel that aren't admins or you have some kind of group co-ordinator role.)
4) Move on to getting ZAP working with an administrative user type.

5) Consider either manually or automatically doing Access Control testing. [I haven't used it yet but we do have an extension for this: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts]

This allows you to slowly get familiar with how to do things in ZAP, gives you the opportunity to show progress to management, and gives you the option of making and back porting choices/configs/code as things get more complicated, but doing so in smaller bits.

Also keep in mind that you may need to leverage the AJAX Spider, if some of your controls are purely JavaScript based.

Barath Subramaniam

Jun 28, 2018, 2:30:02 PM
to OWASP ZAP User Group
Hi @Andrea,
 I am starting with ZAP and Java and am pretty new to this. Can you please guide me to any working git projects or reference links?

Thank you