Driving OWASP ZAP With Selenium

Transcription

Driving OWASP ZAP with Selenium

About Me

Mark Torrens
- Recently moved into Cyber Security
- Based in London
- Completing MSc Cyber Security @ University of York
- Security Architect for Kainos

Mateusz Kalinowski
- Java research

OWASP Zed Attack Proxy (ZAP)

“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.”

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Selenium

“Selenium automates browsers. That's it! What you do with that power is entirely up to you. Primarily, it is for automating web applications for testing purposes, but is certainly not limited to just that. Boring web-based administration tasks can (and should!) be automated as well.”

https://www.seleniumhq.org/

Objective

To use OWASP ZAP to detect web application vulnerabilities in a CI/CD pipeline

Problem

Web applications have Basic Authentication, user logins and form validation, which stop ZAP in its tracks

Solution

- Use Selenium scripts to drive ZAP
- A project may already have Selenium scripts
- ZAP does have Zest scripts, but Selenium is more widely known and may already be being maintained on a project

ZAP’s Passive and Active Scans

- Passive scans record the requests and responses sent to a web app and create alerts for detected vulnerabilities
- Active scans actively modify the recorded requests and responses to determine further vulnerabilities

Pipeline Steps

1. Start ZAP
2. Run Selenium scripts (passive scan)
3. Wait for passive scan to complete
4. Start active scan
5. Wait for active scan to complete
6. Retrieve alerts and report

Start ZAP

zap.sh \
  -daemon \
  -host some-host \
  -port some-port \
  -config api.addrs.addr.regex=true \
  -config api.disablekey=true

zap.sh - A start-up script provided by ZAP
-daemon - Start in a headless configuration
-host - The ZAP host
-port - The ZAP port
-config api.addrs.addr.regex=true - Allow any source IP to connect
-config api.disablekey=true - Execute ZAP API endpoints without the need for an API key

The last two settings remove the access controls on the ZAP API, so they are only appropriate when ZAP is reachable from inside the pipeline network alone.

A Docker image called owasp/zap2docker-bare exists which can be used to start ZAP

Selenium Driver Settings

// Set Chrome options: ignore certificate errors, since ZAP re-signs TLS traffic with its own CA
ChromeOptions chromeOptions = new ChromeOptions();
chromeOptions.addArguments("--ignore-certificate-errors");

// Set proxy: route both HTTP and HTTPS through the ZAP listener
String proxyAddress = "ZAP-HOST:8888";
Proxy proxy = new Proxy();
proxy.setHttpProxy(proxyAddress);
proxy.setSslProxy(proxyAddress);

// Set desired capabilities
DesiredCapabilities capabilities = new DesiredCapabilities();
capabilities.setCapability(CapabilityType.PROXY, proxy);
capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
capabilities.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);
capabilities.setCapability(ChromeOptions.CAPABILITY, chromeOptions);

Security Response Headers

If the target web application has security response headers in place, specifically Strict-Transport-Security, the web driver should be configured as:

capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
capabilities.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);

Passive Scan

- A passive scan is run when Selenium drives the WebDriver through the ZAP proxy
- The passive scan creates the scan tree and allows ZAP to be knowledgeable enough about the web application to perform the active scan

Wait for Passive Scan

- There will always be a short delay for ZAP to complete the passive scan before alerts and reports are available
- The status of a passive scan is determined by running the endpoint JSON/pscan/view/recordsToScan
- The passive scan is complete when 0 is returned

wait_for_passive_scan_to_complete() {
  STATUS_URL="http://$1:$2/"
  STATUS_URL+="JSON/pscan/view/recordsToScan/?"
  STATUS_URL+="zapapiformat=JSON&"
  STATUS_URL+="formMethod=GET&"
  # Start at 1 rather than 0 so the until loop body runs at least once
  SCAN_STATUS=1
  until [ "$SCAN_STATUS" -eq 0 ]; do
    sleep 10
    # Get scan status
    SCAN_STATUS_RES=$(curl -s "$STATUS_URL")
    # Parse scan status (number of records still queued for passive scanning)
    SCAN_STATUS=$(echo "$SCAN_STATUS_RES" | jq -r '.recordsToScan')
    # Display status
    echo "Scan: $SCAN_STATUS records to scan"
  done
  echo "Passive Scan Complete"
}

wait_for_passive_scan_to_complete $ZAP_HOST $ZAP_PORT

Start Active Scan

- An active scan is started by running the endpoint JSON/ascan/action/scan
- If ZAP is reachable, this endpoint returns a new scan ID

start_active_scan() {
  SCAN_URL="http://$1:$2/"
  SCAN_URL+="JSON/ascan/action/scan/?"
  SCAN_URL+="zapapiformat=JSON&"
  SCAN_URL+="formMethod=GET&"
  SCAN_URL+="url=https://$3&"
  # Start active ZAP scan
  SCAN_ID_RES=$(curl -s "$SCAN_URL")
  # Parse for scan ID
  SCAN_ID=$(echo "$SCAN_ID_RES" | jq -r '.scan')
  # Display scan ID
  echo "Scan ID: $SCAN_ID"
}

ZAP_HOST="localhost"
ZAP_PORT="8080"
TARGET="my-app.azurewebsites.net"

start_active_scan $ZAP_HOST $ZAP_PORT $TARGET

Wait for Active Scan

- The status of an active scan is determined by running the endpoint JSON/ascan/view/status
- If the scan exists, a value between 0 and 100 is returned, representing the percentage of the scan which has completed

wait_for_active_scan_to_complete() {
  STATUS_URL="http://$1:$2/"
  STATUS_URL+="JSON/ascan/view/status/?"
  STATUS_URL+="zapapiformat=JSON&"
  STATUS_URL+="apikey=&"
  STATUS_URL+="formMethod=GET&"
  # SCAN_ID is the global variable set by start_active_scan
  STATUS_URL+="scanId=$SCAN_ID"
  SCAN_STATUS=0
  until [ "$SCAN_STATUS" -eq 100 ]; do
    sleep 10
    # Get scan status
    SCAN_STATUS_RES=$(curl -s "$STATUS_URL")
    # Parse scan status (percentage complete)
    SCAN_STATUS=$(echo "$SCAN_STATUS_RES" | jq -r '.status')
    # Display status
    echo "Scan $SCAN_STATUS% complete"
  done
  echo "Active Scan Complete"
}

wait_for_active_scan_to_complete $ZAP_HOST $ZAP_PORT
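The three waits in the pipeline (for ZAP to come up after the Start ZAP slide, for the passive scan's recordsToScan to reach 0, and for the active scan's status to reach 100) all follow the same poll-and-sleep pattern, and the slide scripts loop forever if a scan stalls. The following Python is an added example, not code from the talk or from the ZAP project; it uses only the endpoints named on the slides plus JSON/core/view/version as a readiness probe, assumes the API key is disabled as on the Start ZAP slide, and adds a deadline so a stuck scan fails the build instead of hanging it. The transport is injectable, which is also what lets it be exercised without a running ZAP.

```python
"""Polling helpers for the ZAP JSON API (readiness, passive scan, active scan).

Added example; not from the talk or the ZAP project. Assumes ZAP runs with
api.disablekey=true and responds on the JSON endpoints named in the slides.
"""
import json
import time
import urllib.parse
import urllib.request


class ZapTimeout(Exception):
    """Raised when a scan phase does not finish within the allowed time."""


def api_url(host, port, endpoint, **params):
    """Build e.g. http://host:port/JSON/pscan/view/recordsToScan/?zapapiformat=JSON&formMethod=GET
    The slides concatenate these by hand; urlencode takes care of escaping the target URL."""
    query = urllib.parse.urlencode(dict(params, zapapiformat="JSON", formMethod="GET"))
    return "http://%s:%s/%s/?%s" % (host, port, endpoint, query)


def fetch_json(url, timeout=10):
    """Default transport: one GET against the ZAP API, decoded as JSON."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def poll_until(describe, fetch, done, interval=10.0, max_wait=1800.0,
               sleep=time.sleep, clock=time.monotonic):
    """Call fetch() until done(result) is true. Unlike the slides' bare `until` loops
    this gives up after max_wait seconds, so a stalled scan fails the pipeline."""
    deadline = clock() + max_wait
    while True:
        result = fetch()
        if done(result):
            return result
        if clock() >= deadline:
            raise ZapTimeout("%s did not finish within %.0f s (last: %r)" % (describe, max_wait, result))
        sleep(interval)


def wait_for_zap(host, port, fetch=fetch_json, **kw):
    """Readiness probe: JSON/core/view/version answers once the daemon accepts API calls.
    Connection errors while the daemon is still starting are treated as 'not ready yet'."""
    url = api_url(host, port, "JSON/core/view/version")

    def probe():
        try:
            return fetch(url)
        except OSError:  # connection refused / reset while ZAP is starting
            return None

    return poll_until("ZAP start-up", probe, lambda r: r is not None and "version" in r, **kw)["version"]


def wait_for_passive_scan(host, port, fetch=fetch_json, **kw):
    """recordsToScan counts responses still queued; the passive scan is done at 0."""
    url = api_url(host, port, "JSON/pscan/view/recordsToScan")
    return poll_until("passive scan", lambda: int(fetch(url)["recordsToScan"]), lambda n: n == 0, **kw)


def start_active_scan(host, port, target_url, fetch=fetch_json):
    """JSON/ascan/action/scan returns {"scan": "<id>"} when ZAP accepts the target."""
    return fetch(api_url(host, port, "JSON/ascan/action/scan", url=target_url))["scan"]


def wait_for_active_scan(host, port, scan_id, fetch=fetch_json, **kw):
    """JSON/ascan/view/status reports 0..100 percent complete for the given scanId."""
    url = api_url(host, port, "JSON/ascan/view/status", scanId=scan_id)
    return poll_until("active scan %s" % scan_id, lambda: int(fetch(url)["status"]), lambda p: p >= 100, **kw)


if __name__ == "__main__":
    # Same order as the Pipeline Steps slide; host, port and target as on the slides.
    host, port, target = "localhost", "8080", "https://my-app.azurewebsites.net"
    print("ZAP version", wait_for_zap(host, port, max_wait=120))
    wait_for_passive_scan(host, port)        # Selenium scripts have already run through the proxy
    scan_id = start_active_scan(host, port, target)
    wait_for_active_scan(host, port, scan_id)
    print("Active scan", scan_id, "complete")
```

The `sleep` and `clock` parameters exist so that the timeout logic can be tested with a fake clock; in the pipeline the defaults (real sleep, monotonic clock) apply.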

Get Scan Results

Once the active scan is complete, the alerts in the form of a JSON file and an HTML report can be retrieved from ZAP

Alerts: JSON/core/view/alerts
Report: OTHER/core/other/htmlreport

Get Alerts

get_alerts() {
  ALERTS_URL="http://$1:$2/"
  ALERTS_URL+="JSON/core/view/alerts/?"
  ALERTS_URL+="zapapiformat=JSON&"
  ALERTS_URL+="formMethod=GET&"
  ALERTS_URL+="baseurl=https://$3&"
  # Save the alerts JSON to a file for the pipeline to consume
  curl -s "$ALERTS_URL" > alerts.json
}

get_alerts $ZAP_HOST $ZAP_PORT $TARGET

Get Report

get_report() {
  REPORT_URL="http://$1:$2/"
  REPORT_URL+="OTHER/core/other/htmlreport/?"
  REPORT_URL+="formMethod=GET"
  # Save the HTML report as a build artifact
  curl -s "$REPORT_URL" > report.html
}

get_report $ZAP_HOST $ZAP_PORT
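Retrieving alerts.json is only useful in a CI/CD pipeline if something turns it into a pass/fail decision. The Python below is an added example, not part of the talk: it reads the document produced by JSON/core/view/alerts (assumed to carry an "alerts" list whose entries have "risk", "alert" and "url" fields, with risk values Informational/Low/Medium/High), tallies alerts per risk level and returns a non-zero exit code when any alert meets the chosen threshold. The embedded sample is constructed to show the shape of the data and is not output from a real scan.

```python
"""Gate a pipeline on the alerts returned by JSON/core/view/alerts.

Added example; not from the talk or the ZAP project. Assumes the alert fields
named above; the sample document below is constructed, not captured.
"""
import json
import sys

# Rank risk levels so a threshold such as "Medium" also catches "High".
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
RISK_ORDER = ("High", "Medium", "Low", "Informational")


def load_alerts(alerts_json):
    """Parse the raw alerts document into the list of alert dicts."""
    return json.loads(alerts_json)["alerts"]


def summarise_alerts(alerts):
    """Count alerts per risk level, e.g. {"High": 1, "Medium": 2}."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def failing_alerts(alerts, threshold="High"):
    """Alerts whose risk is at or above threshold; an unknown risk value ranks lowest."""
    floor = RISK_RANK[threshold]
    return [a for a in alerts if RISK_RANK.get(a.get("risk"), 0) >= floor]


def gate(alerts_json, threshold="High"):
    """Return (exit_code, report_lines): 0 when nothing reaches the threshold, else 1.
    The lines are a summary per risk level followed by one FAIL line per blocking alert."""
    alerts = load_alerts(alerts_json)
    counts = summarise_alerts(alerts)
    lines = ["%s: %d" % (risk, counts.get(risk, 0)) for risk in RISK_ORDER]
    blocking = failing_alerts(alerts, threshold)
    for a in blocking:
        lines.append("FAIL %s %s %s" % (a["risk"], a["alert"], a["url"]))
    return (1 if blocking else 0), lines


# Constructed sample in the shape of a JSON/core/view/alerts response (not real scan data).
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"risk": "High", "confidence": "Medium", "alert": "SQL Injection",
     "url": "https://my-app.azurewebsites.net/search?q=x"},
    {"risk": "Medium", "confidence": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "https://my-app.azurewebsites.net/"},
    {"risk": "Low", "confidence": "Medium", "alert": "Cookie Without Secure Flag",
     "url": "https://my-app.azurewebsites.net/login"},
]})


if __name__ == "__main__":
    # Usage: python zap_gate.py alerts.json [High|Medium|Low|Informational]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    threshold = sys.argv[2] if len(sys.argv) > 2 else "High"
    code, lines = gate(data, threshold)
    print("\n".join(lines))
    sys.exit(code)
```

In the pipeline this runs right after get_alerts, with its exit code deciding whether the stage passes; the HTML report from get_report is kept as an artifact for triage either way.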

Bonus

If you are targeting a web application with Strict-Transport-Security and you are using a browser, you will need to add ZAP’s Dynamic SSL Certificate to your browser.

To retrieve ZAP’s SSL certificate do either:
1. ZAP - Preferences - Options - Dynamic SSL Certificate
2. HTTP GET http://ZAP_HOST:ZAP_PORT/OTHER/core/other/rootcert/

To import the ZAP SSL certificate into Firefox:
Settings - Privacy & Security - View Certificates - Authorities - Import

Thank You

Aug 30, 2018