2. Session Agenda
● Introduction to ZAP
● Familiarize with ZAP UI
● Hands on workshop of using ZAP with selenium
● Hands on some key features of ZAP using ZAP API
● Demo - ZAP Integration with CI/CD
3. What is ZAP ?
● The OWASP ZED Attack proxy (ZAP) is a penetration
testing tool for finding vulnerabilities in the web
applications.
● Designed to be used by people with wide range of
security experience.
● Cross platform.
● Marketplace.
● Released on September 2010.
● Current version 2.7.0
4.
5. Key Features of ZAP
● Intercepting proxy
● Spider
● Passive Scanners
● Active Scanners
● Fuzzing
● Report Generation
6. Active Scan
● Performs attacks on the application
● Run when explicitly invoked by the user
● Scan policy
● Set of pre configured rules
● Attack Strength
○ Low – to be up to 6 requests
○ Medium – to be up to 12 requests
○ High- to be up to 24 requests
○ Insane- to be over 24 requests
● Attack threshold
○ Off - scanner won't run.
○ Low - lead to false positives.
○ High - lead to false negatives
● Cannot identify any logical vulnerability
○ Example - broken access control
7. Report Generation
Alert - Potential vulnerability
Risk - Informational,Low,Medium,High
Beware of false positives
Confidence
● False Positive - for potential issues that you later find are not exploitable
● Low - for unconfirmed issues
● Medium - for issues you are somewhat confident of
● High - for findings you are highly confident in
● Confirmed - for confirmed issues
Tag an alert to be false positive
8. Fuzzing
Automated software testing technique that involves providing
invalid, unexpected, or random data as inputs to a computer
program
ZAP allows you to fuzz any request using:
● A build in set of payloads
● Payloads defined by optional add-ons
● Custom scripts
12. Integration with CI/CD
Security tests in CI pipeline - Early feedback on security vulnerabilities
Steps:
● Start ZAP daemon on 8080 port
● Run tests
● Generate results
● Fail build for HIGH vulnerabilities
● Stop Server
Demo on configuring ZAP in Go CI
Active scan rules mapping page -https://www.owasp.org/index.php/ZAPpingTheTop10
13. More ZAP Features….
● Authentication and session support
● Smartcard and client digital certificate support
● Anti CSRF token handling
● Port scanner
● WebSockets support.
● Marketplace