Workshop:
Automating
OWASP ZAP
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Cloud Security
[email protected]
DevSecCon
London 2016
The Workshop Plan
Who is this for?
What are we trying to solve?
What can you get out of this?
Introduction to ZAP
Where to start
Where to go from there
Who is this for?
Developers
QA
Operations
Security
Consultants
(Managers)
Whoever is involved in automation ;)
What are we trying to solve?
Find security issues as early as possible
Integration into the devops pipeline
Finding all of the possible vulnerabilities
Putting pentesters out of a job :P
What are we not trying to solve?
What can you get out of this?
A way to quickly evaluate your apps
Options for more thorough scanning
An introduction to the ZAP API
A chance to try things out with me
ZAP Introduction
An easy to use webapp pentest tool
Completely free and open source
OWASP Flagship project
Ideal for beginners
But also used by professionals
Ideal for devs, esp. for automated security tests
Included in all major security distributions
ToolsWatch.org Top Security Tool of 2015
Not a silver bullet!
ZAP Features
Swing based UI for desktop mode
Comprehensive REST(ish) API for daemon mode
Plugin architecture (add-ons)
Online marketplace (all free:)
Release, beta and alpha quality add-ons
Traditional and ajax spiders
Passive and active scanning
Highly configurable, eg scan policies
Highly scriptable
Some ZAP use cases
Point and shoot the Quick Start tab
Proxying via ZAP, and then scanning
Manual pentesting
Automated security regression tests
Debugging
Part of a larger security program
ZAP Install Options
Windows .exe
Linux .tar.gz
Mac OS .dmg
Docker Images owasp/zap2docker-stable
owasp/zap2docker-weekly
Distros like Kali
Where to start?
The Baseline scan
Completely safe
Runs quickly (1-2 minutes?)
Can be easily integrated into CI/CD
Easy to get started, just requires the target:
docker pull owasp/zap2docker-weekly
docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com
Very configurable if needed
Baseline scan
Uses docker (the only dependency)
Time limited spider of target (default 1 min)
Just passive scanning
By default warns on all issues
Can change to ignore, info or fail
Can include any ZAP cmdline option
Can ignore any url regex for any rule
Baseline scan - issues
All release and beta passive scan rules, eg Missing / incorrect security headers
Cookie problems
Information / error disclosure
Missing CSRF tokens
...
Can optionally include alpha pscan rules
Baseline Demo
Baseline scan usage
Usage: zap-baseline.py -t <target> [options]
    -t target         target URL including the protocol, eg https://www.example.com
Options:
    -c config_file    config file to use to INFO, IGNORE or FAIL warnings
    -u config_url     URL of config file to use to INFO, IGNORE or FAIL warnings
    -g gen_file       generate default config file (all rules set to WARN)
    -m mins           the number of minutes to spider for (default 1)
    -r report_html    file to write the full ZAP HTML report
    -w report_md      file to write the full ZAP Wiki (Markdown) report
    -x report_xml     file to write the full ZAP XML report
    -a                include the alpha passive scan rules as well
    -d                show debug messages
    -i                default rules not in the config file to INFO
    -j                use the Ajax spider in addition to the traditional one
    -l level          minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
    -s                short output format - dont show PASSes or example URLs
    -z zap_options    ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
Baseline scan output
./zap-baseline.py -t https://www.example.com
3 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Password Autocomplete in Browser [10012]
WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 1
    https://www.example.com
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
    https://www.example.com
    https://www.example.com/robots.txt
    https://www.example.com/sitemap.xml
WARN: X-Frame-Options Header Not Set [10020] x 1
    https://www.example.com
WARN: X-Content-Type-Options Header Missing [10021] x 1
    https://www.example.com
FAIL: 0    WARN: 4    INFO: 0    IGNORE: 0    PASS: 22
Baseline scan in CircleCI
https://github.com/Securing-DevOps/invoicer/blob/master/circle.yml#L39-L44
# pull down the Zap baseline scanner
- docker pull owasp/zap2docker-weekly
# Run zap against the invoicer
- docker run ${DOCKER_REPO}/${CIRCLE_PROJECT_REPONAME} &
- docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/
Baseline scan conf file
Use -g option to generate, -c or -u to use
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if
# Only the rule identifiers are used - the names are just
# You can add your own messages to each rule by appending
10010	WARN	(Cookie No HttpOnly Flag)
10011	WARN	(Cookie Without Secure Flag)
10012	WARN	(Password Autocomplete in Browser)
10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set)
10016	WARN	(Web Browser XSS Protection Not Enabled)
10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
10019	WARN	(Content-Type Header Missing)
10020	WARN	(X-Frame-Options Header Scanner)
10021	WARN	(X-Content-Type-Options Header Missing)
10023	WARN	(Information Disclosure - Debug Error Messages)
10024	WARN	(Information Disclosure - Sensitive Information
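As an added example (not from the workshop slides), a small Python model of how the baseline config file is applied: it parses rule lines into actions, assigns each alert the configured level (with the -i behaviour for rules not listed) and derives the CI exit code. The tab-separated line layout, the optional custom-message column and the 0/1/2 exit codes are assumptions about zap-baseline.py, and the config and alerts below are constructed sample data.

```python
# Added example, not from the slides: a model of how zap-baseline.py applies a
# -c rule config to the alerts it collects. Assumptions (not on the slides):
# config lines are tab separated "<id>\t<WARN|IGNORE|INFO|FAIL>\t(name)[\t<msg>]"
# with only the id matched, and the script exits 0/1/2 for clean/FAIL/WARN.
# All config and alert data below is constructed sample data.

CONFIG = """# zap-baseline rule configuration file
10010\tWARN\t(Cookie No HttpOnly Flag)
10011\tIGNORE\t(Cookie Without Secure Flag)\tdev env has no TLS
10016\tINFO\t(Web Browser XSS Protection Not Enabled)
10020\tFAIL\t(X-Frame-Options Header Not Set)
"""

# Constructed alerts with the pluginId/alert/url fields of zap.core.alerts()
ALERTS = [
    {"pluginId": "10011", "alert": "Cookie Without Secure Flag", "url": "https://www.example.com"},
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled", "url": "https://www.example.com"},
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled", "url": "https://www.example.com/robots.txt"},
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set", "url": "https://www.example.com"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "url": "https://www.example.com"},
]

ACTIONS = ("FAIL", "WARN", "INFO", "IGNORE")


def parse_config(text):
    """Return {rule_id: (action, custom_message)}; blank and '#' lines are skipped."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 2 or cols[1] not in ACTIONS:
            raise ValueError("bad config line: %r" % line)
        rules[cols[0]] = (cols[1], cols[3] if len(cols) > 3 else "")
    return rules


def classify(alerts, rules, default_info=False):
    """Group alerts per rule under the configured action; unlisted rules
    default to WARN, or to INFO when default_info is set (the -i option)."""
    out = {action: {} for action in ACTIONS}
    for alert in alerts:
        action, msg = rules.get(alert["pluginId"], ("INFO" if default_info else "WARN", ""))
        entry = out[action].setdefault(alert["pluginId"], {"name": alert["alert"], "msg": msg, "urls": []})
        entry["urls"].append(alert["url"])
    return out


def exit_code(result):
    """CI contract: 1 if any rule FAILed, 2 if only WARNs remain, else 0."""
    return 1 if result["FAIL"] else (2 if result["WARN"] else 0)
```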
Where next?
Mass Baseline scan
Provides a simple dashboard
Shows the detailed results
Shows the per service history
Mass Baseline scan
Part of the community-scripts repo:
zaproxy/community-scripts/api/mass-baseline
Full Scans
Packaged options: Cmdline quick scan
Jenkins plugin
Sdlc-integration scripts
Daemon mode + API
(ZAP as a Service in development)
Cmdline Quick Scan
./zap.sh -cmd -quickurl \
  http://example.com/ -quickprogress
Spidering
Active scanning
[====================] 100%
Attack complete
Scanning - Passive Scan
Passive scanning happens automatically when proxying
To tell when it's finished:
# zap is the connected python-owasp-zap-v2 client (zap = ZAPv2(...)) and time is imported
# records_to_scan is exposed as a property of the client, not a method
while int(zap.pscan.records_to_scan) > 0:
    print ('Pscan records : ' + zap.pscan.records_to_scan)
    time.sleep(5)
print ('Pscan completed')
Scanning - Active Scan
# Keep the scan id so the status query refers to this scan
scan_id = zap.ascan.scan(target)
time.sleep(5)
while int(zap.ascan.status(scan_id)) < 100:
    print ('Ascan progress %: ' + zap.ascan.status(scan_id))
    time.sleep(5)
print ('Ascan completed')
Reporting - HTML + XML
# HTML Report
with open('report.html', 'w') as f:
    f.write(zap.core.htmlreport())
# XML Report
with open('report.xml', 'w') as f:
    f.write(zap.core.xmlreport())
Reporting - all alert data
# Use paging for lots of alerts
offset = 0; page = 100
alerts = zap.core.alerts('', offset, page)
while len(alerts) > 0:
    for alert in alerts:
        pass  # Do whatever you want with alert
    offset += page
    alerts = zap.core.alerts('', offset, page)
And don't forget...
# Your work here is done...
zap.core.shutdown()
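As an added example (not from the slides), the alert paging loop from the "Reporting - all alert data" slide carried through to a CI gate in Python. FakeCore is an offline stand-in for zap.core, assumed to match the real client's alerts(baseurl, start, count) signature and the risk/alert/url keys of each alert; the alerts and the risk threshold are constructed.

```python
# Added example, not from the workshop slides: the alert paging loop from the
# "Reporting - all alert data" slide carried through to a CI gate. FakeCore is
# an offline stand-in for zap.core of the python-owasp-zap-v2 client; it is
# assumed to match the real alerts(baseurl, start, count) signature and the
# 'risk'/'alert'/'url' keys of each alert. The alerts below are constructed.

RISK_ORDER = ("Informational", "Low", "Medium", "High")

# Constructed alert records carrying a subset of the fields ZAP returns
SAMPLE_ALERTS = [
    {"risk": "Low", "alert": "X-Frame-Options Header Not Set", "url": "https://www.example.com"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "https://www.example.com"},
    {"risk": "Medium", "alert": "Missing CSRF tokens", "url": "https://www.example.com/login"},
    {"risk": "High", "alert": "SQL Injection", "url": "https://www.example.com/search?q=x"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments", "url": "https://www.example.com/app.js"},
]


class FakeCore:
    """Stand-in for zap.core: returns at most `count` alerts from offset `start`."""

    def __init__(self, alerts):
        self._alerts = list(alerts)

    def alerts(self, baseurl="", start=0, count=0):
        return self._alerts[start:start + count]


def fetch_all_alerts(core, baseurl="", page=100):
    """The slide's loop: request `page` alerts at a time until a page comes back empty."""
    offset, collected = 0, []
    alerts = core.alerts(baseurl, offset, page)
    while len(alerts) > 0:
        collected.extend(alerts)
        offset += page
        alerts = core.alerts(baseurl, offset, page)
    return collected


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] += 1
    return counts


def gate(alerts, fail_at="High"):
    """Return (ok, offenders): ok is False when any alert is at or above fail_at."""
    threshold = RISK_ORDER.index(fail_at)
    offenders = [a for a in alerts if RISK_ORDER.index(a["risk"]) >= threshold]
    return len(offenders) == 0, offenders
```

A small page size in the check below exercises the paging, including the final partial page; in a real run the loop is driven by zap.core.alerts against a live ZAP.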
Any questions about the API?
Authenticating
Authentication can be hard :(
Simple form based auth should be ok
Authentication scripts should be able to handle anything
But if you have complex SSO or equiv you may want a simpler option in your test env
Pro Tip: use the UI to set authentication up!
Auth API Demo
Tuning - speed
Spider time limits
Data driven content
Technology
Active scan: Scan rules
Input vectors
Attack strength
Tuning - feedback
Active scan stats
Response stats
Authentication stats (alpha add-on)
Statsd support
Tuning - accuracy
Attack thresholds
Rule configuration (post 2.5.0): Forms that don't need CSRF tokens
Increase timing attacks from 5 seconds
Need help?
Getting Started Guide
Desktop Help (also online)
Wiki: FAQ, Docs, Videos
ZAP User Group
irc.mozilla.org #websectools
Workshop Summary
Use the baseline scan for a quick security overview
Use the mass baseline to create a dashboard
Use full ZAP scans for more depth
Configure ZAP to authenticate for even better results
If you need help, just ask!
Now go forth and
automate ZAP :)
http://www.owasp.org/index.php/ZAP
The OWASP Foundation
http://www.owasp.org
Copyright The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.