scripts that automate owasp zap as part of a continuous delivery pipeline
ZAP – SDLC Integration
An Intern Project
Objectives
• Engage and support the AppSec Community
• Find a way to contribute to the improvement of OSS security tools
• Focus on Integration into Developers SDLC
Project Diagram
The project is split into two parts
• run_session_setup.py is used to clean the ZAP session and set up basic configuration - this should be run before any scans are run (+ it assumes that ZAP daemon is already running)
• run_scan.py contains the actual scan functions and also posts the scan results to JIRA - it assumes that ZAP daemon is running, session has been set up and selenium tests have been run (through the ZAP proxy)
Step 1 – Setup ZAP
• Project Setup
• Download and Install ZAP - https://github.com/zaproxy/zaproxy/wiki/Downloads
• Add ZAP root certificate to your browser - Open ZAP > Tools > Options > Dynamic SSL Certificates > Save
• Configure your machine to use ZAP local proxy for all internet traffic
• Download the project
• Install requirements: pip install -r requirements.txt
• Modify any core/setup_module/proxy_scripts/* as needed – all files in this folder will be used
– For instance you might want to add a CSP header to each response
• Start ZAP daemon (also see start-zap.sh script): zap.sh -daemon -port 8080 -config api.disablekey=true &
• Setup your own selenium drivers and tests (or any other way to generate internet traffic).
Usage (relevant to both modules)
• Run python scriptname.py -h to see instructions and all available options (substitute 'run_scan.py' or 'run_session_setup.py')
• Run python scriptname.py -g rules_config.txt to generate a template for your rule configuration file
– rules_config_demo.txt - This is what it could look like
• Change your rules_config.txt file to indicate which rules should be ignored and which should cause the test to fail.
• Modify core/config.py settings
Configuring Scan Settings – pt01
Configuring Scan Settings – pt02
Example Scan
• Run setup_module:
• To set up the session run: python run_session_setup.py -t "www.example.com" -c rules_config.txt -d
• Run scan_module:
• Run: python run_scan.py -c rules_config.txt -r to execute the test and have the results posted to JIRA (Note: You should use the same rules_config.txt file!)
Usage - cont
• (optional) Run python run_session_setup.py -g rules_config.txt to generate a template for your rule configuration file
• (optional) Change your rules_config.txt file to indicate which rules should be ignored and which should cause the test to fail
• To set up the session run: python run_session_setup.py -t "www.example.com" -c rules_config.txt -d where the -d (debug) and -c filename flags are optional. The -t url parameter limits the proxy to the target domain only, so that no other internet traffic from the machine ends up in the session.
Usage - cont
• Now generate some internet traffic (targeting the domain you specified with the -t flag earlier). This is the point where you should run your Selenium tests.
• Run: python run_scan.py -c rules_config.txt -r -d to execute the test and have the results posted to JIRA (-r flag). Note that if you use the -c filename flag, you should use the same rules_config.txt file you used for the session setup!
• (optional) If you want the run_scan.py script to perform additional spidering, specify a -x filename flag in the previous step, where the filename points to a file that contains a set of regexes (each on a new line) that limit the spider to particular subpaths of your site.
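The slides do not reproduce rules_config.txt or the scripts' internals, so the following is an added example (not the project's own code) of the pipeline gate the rule file implies. It assumes a rule file format of `<pluginId> <IGNORE|FAIL|WARN> <description>` (the real format is not on the page), uses constructed alerts shaped like entries from ZAP's core/view/alerts API, and returns a pass/fail result a CI job can act on.

```python
import json
# Assumed rules file format (the page does not show rules_config.txt itself):
# one rule per line, "<pluginId> <IGNORE|FAIL|WARN> <description>", '#' = comment.
RULES_CONFIG = """\
# pluginId  action  description
10038   FAIL    Content Security Policy (CSP) Header Not Set
10021   IGNORE  X-Content-Type-Options Header Missing
40012   FAIL    Cross Site Scripting (Reflected)
"""

# Constructed sample alerts, shaped like entries from ZAP's core/view/alerts API.
SAMPLE_ALERTS = json.loads("""[
  {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
   "risk": "Medium", "url": "https://www.example.com/"},
  {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
   "risk": "Low", "url": "https://www.example.com/static/app.js"},
  {"pluginId": "10096", "alert": "Timestamp Disclosure - Unix",
   "risk": "Low", "url": "https://www.example.com/"}
]""")

ACTIONS = ("FAIL", "WARN", "IGNORE")

def parse_rules(text):
    """Return {pluginId: action}; reject unknown actions instead of guessing."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        plugin_id, action, *_ = line.split()
        if action.upper() not in ACTIONS:
            raise ValueError(f"unknown action {action!r} for rule {plugin_id}")
        rules[plugin_id] = action.upper()
    return rules

def evaluate(alerts, rules, default="WARN"):
    """Bucket alerts by action; an unlisted plugin gets `default`, so a new ZAP rule is surfaced, not silently ignored."""
    buckets = {action: [] for action in ACTIONS}
    for alert in alerts:
        buckets[rules.get(alert["pluginId"], default)].append(alert)
    return buckets

def scan_passes(alerts, rules):
    """Pipeline gate: the build fails only if some alert maps to FAIL."""
    return not evaluate(alerts, rules)["FAIL"]

if __name__ == "__main__":
    rules = parse_rules(RULES_CONFIG)
    print(json.dumps(evaluate(SAMPLE_ALERTS, rules), indent=1))
    raise SystemExit(0 if scan_passes(SAMPLE_ALERTS, rules) else 1)
```

In a real run the alert list would come from the ZAP API after the Selenium traffic has passed through the proxy, and the exit code is what lets the CD stage fail the build.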
Example Scan - Snapshot
Example Scan – Results in Jira