4. Secure Development Lifecycle (SDL / S-SDLC)
● What scans should you run?
○ Static - Code analysis (SAST)
○ Dynamic - Live analysis (DAST)
● Dynamic Application Security Testing (DAST)
○ Black box testing
○ Requires a WebApp in staging or prod env
○ Finds environment issues
○ Finds run-time issues
4
Build Test Deploy
Shift Left
DevSecOps: Faster better feedback, fail fast and safe
5. What are we trying to solve?
● Finding security issues as early as possible
● Integration into the DevOps pipeline
● Finding all of the possible vulnerabilities
● Putting pentesters out of a job :P
5
What are we NOT trying to solve?
6. 1 Tool - 3 Types of Users
● Pentesters
○ information gathering by recording traffic, manual intercepting of traffic and tampering
data
● Developers
○ running vulnerability scans as part of their CI/CD pipeline e.g. a “ZAP baseline” scan
● Testers
○ running their testing traffic through ZAP for passive scanning and/or active security
testing
The ZAP Head-up-Display (HUD) is applicable for all.
6
7. It is a Tool...
… start playing with it!
zaproxy.org/download
7
14. Test-driven Scanning vs. Baseline scan
Benefits by using your existing test framework:
● Take advantage of existing tests
● Better coverage of the tested app
○ If you do have good test coverage all endpoints are already covered.
○ For the Crawler/Spider it is difficult to find all endpoints. Therefore it is better to record or
import all API-endpoints.
● The captured traffic is valid.
○ ZAP does not have to guess if a parameter is expected to be a integer or string. Makes it
easier for ZAP in the active scan. A request is not blocked because one of the parameters
is in the wrong format.
14
15. Using Command-line Options
● Command to start ZAP GUI
● As long as you keep ZAP open => HTTP Proxy and API available at localhost:8080
15
cd /Applications/OWASP ZAP.app/Contents/Java
java -jar zap-2.10.0.jar -config scanner.attackOnStart=true
-config view.mode=attack -config api.key=secret123 -
newsession Latest_WebGoat_Scan.session
16. Other useful commands:
● Setting the api key
○ -config api.key=secret123
● Disable API key in a safe environment
○ -config api.disablekey=true
● Tun of db recovery (speeds things up)
○ -config database.recoverylog=false
● Update all add-ons
○ -addonupdate
● Install a non default add-on
○ -addoninstall addonname
● The ZAP Port
○ -port 8080
● Starts ZAP in daemon mode, ie without a UI
○ -daemon
● Allow any source IP to connect
○ -config api.addrs.addr.regex=true
16
17. Using ZAP API
Two API calls to start active Scans:
1. creating a Context
2. add a URL (the target) to the Scope
17
curl
'http://localhost:8080/JSON/context/action/newContext/?zapapiformat=JSON&apikey=s
ecret123&formmethod=GET&contextName=My+Context'
curl
'http://localhost:8080/JSON/context/action/includeInContext/?apikey=secret123&con
textName=My+Context®ex=http://localhost/WebGoat.*'
18. Webdriver.io
● “WebdriverIO lets you control a browser or a mobile application with just
a few lines of code.”
● Simple Selenium binding for JS
● Very popular framework for automation testing
Setting proxy: https://webdriver.io/docs/proxy/
18
19. Selenium Driver Settings
// Set Chrome Options
ChromeOptions chromeOptions = new ChromeOptions(); chromeOptions.addArguments("--
ignore-certificate-errors");
// Set proxy
String proxyAddress = "localhost:8080";
Proxy proxy = new
Proxy();proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
// Set Desired Capabilities
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
capabilities.setCapability(CapabilityType.PROXY, proxy);
capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
capabilities.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);
capabilities.setCapability(ChromeOptions.CAPABILITY, chromeOptions);
19
20. Different ways to become MitM
There is always a way to set a HTTP Proxy...
● Using Browser Settings
● Using a Browser Add-On like FoxyProxy
● Using Java Network Properties
○ jmeter -Dhttp.proxyHost=localhost -
Dhttp.proxyPort=8080 -
Dhttps.proxyHost=localhost -
Dhttps.proxyPort=8080
● Using system-wide OS settings
20
var proxy = "http://localhost:8080";
...
capabilities: [{
browserName: 'chrome',
proxy: {
httpProxy: proxy,
sslProxy: proxy,
ftpProxy: proxy,
proxyType: "MANUAL",
autodetect: false
},
'chrome.switches': [
'--ignore-certificate-errors'
]
}],
21. Solve Strict-Transport-Security Certificate Errors
If you are targeting a web application with Strict-Transport-Security and you
are using a browser, you will need to add ZAP’s Dynamic SSL Certificate to
your browser.
To retrieve the ZAP’s SSL certificate you can download the CA from
● ZAP -> Preferences -> Options -> Dynamic SSL Certificate
To import the ZAP SSL Certificate into Firefox:
● Preferences -> Privacy & Security -> View Certificates -> Authorities ->
Import
PS: Of course you can call the ZAP API to download the cert ;-)
21
22. Report
● HTML File - default
● XML File - default
○ Upload file to ThreadFix, a vulnerability management solution
○ Allows to synchronice with Jira
● JSON Format - a zap-baseline.py option
● Markdown Format - a zap-baseline.py option
● API
○ curl -s 'http://localhost:8080/OTHER/core/other/htmlreport/?apikey=secret123' > report.html
22
23. More Resources
● https://www.zaproxy.org/ - Getting started guide
● https://www.zaproxy.org/zap-in-ten/ - Series of short videos
● https://twitter.com/zaproxy - Official Twitter
23
