
OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is an open source tool widely used for automated and manual security testing of web applications. Developed by the OWASP community, it has become a standard choice for security professionals and web application developers who want to find and fix vulnerabilities. Its approachable interface and extensive capabilities make it a valuable tool against web application threats.

Main Features

Automated scanning: ZAP can perform automated scans to detect a wide range of common vulnerabilities, such as SQL injections, XSS, CSRF and many more.

Application mapping: It maps the structure of a web application, identifying its pages and functionality, which makes it easier to find where vulnerabilities may exist.

Fuzzing attacks: Allows fuzzing of requests to test how the application handles invalid or malicious input.

Advanced spidering: ZAP's spiders crawl the application to discover content, including pages that are not directly linked, and build the site map that the scanners then work from.

Proxy Interception: Acts as a proxy between the browser and the application, allowing users to intercept and modify HTTP requests and responses for manual testing.

Scripting support: ZAP supports custom scripts in multiple languages, allowing users to perform specific tests and automate repetitive tasks.

Generate reports: Generates detailed reports including vulnerability descriptions, locations and remediation recommendations.

CI/CD integration: Can be integrated into CI/CD pipelines for automated testing at each stage of the development cycle.

Authentication and sessions: Allows you to configure authentication and manage sessions for testing applications that require login.

Active support: ZAP is backed by an active community of users and developers who provide support and keep its detection capabilities up to date.

Customization: Users can easily customize the scope and test settings to suit their specific needs.

Usage

This page covers the automated use of OWASP ZAP, that is, the part of it that can run unattended in a pipeline. If you want more background, the following video is highly recommended.

Context configuration

To use OWASP ZAP in our CI, the first step is to configure a context in the desktop interface; that configuration is what the instance running in the pipeline will reuse.

Open OWASP ZAP and, in the Sites tree on the left, double-click Default Context (under the Contexts node). In the window that opens, select Authentication, where you configure how the login to our application is performed.

Authentication Context

The following types of authentication are available:

  • Manual authentication: The user logs in manually through the browser (proxied by ZAP) and then selects the resulting HTTP session as the authenticated one. It does not support re-authentication, although the logged-in/logged-out verification strategy can still be used to tell whether the session is still valid.

  • Forms-based authentication: Authenticates by submitting a login form (POST or GET) with username/password credentials. Supports re-authentication and is configured through the Authentication screen of the session context or the context menus.

  • JSON-based authentication: Similar to forms-based authentication, but sends a JSON object to a specific URL. Supports re-authentication and username/password credentials.

  • HTTP/NTLM authentication: Uses the HTTP Basic, Digest or NTLM schemes, where the credentials travel in an HTTP header. Because that header is sent on every request, re-authentication is effectively automatic.

  • Script-based authentication: Intended for complex login flows; you define a custom script that performs the authentication. Supports re-authentication, with configuration through the parameters defined in the script.

In our case we will use form-based authentication. To configure it we need the following data:

  • The URL to which the form data is sent (the login request URL).
  • The URL where the login form is located (the login page URL, which ZAP also loads to pick up anti-CSRF tokens before submitting).
  • The body sent in the POST request.
  • Which parameters of that body are to be replaced with the username and password.
  • The verification strategy used to decide whether the session is authenticated.
  • One or two regular expressions (regex) that identify a logged-in response and/or a logged-out response.
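As an added example (not from the original page or the ZAP project), the same form-based context expressed as a ZAP Automation Framework plan, which is the form that runs headless in CI. The host app.example.com, the /login and /logout paths, the form field names, the user name ci-user, the ZAP_PASSWORD environment variable and the two indicator strings are all assumptions; replace the indicator regexes with text that actually appears in your application's logged-in and logged-out responses.

```yaml
# Added example: ZAP Automation Framework plan for a form-based login context.
# Assumptions (not from the page): host app.example.com, /login and /logout
# paths, form fields "username"/"password", user "ci-user", secret in $ZAP_PASSWORD.
env:
  contexts:
    - name: "app"
      urls:
        - "https://app.example.com"
      includePaths:
        - "https://app.example.com/.*"
      # Keep the logout endpoint out of scope: otherwise the spider or scanner
      # hits it and silently invalidates the session ZAP just created.
      excludePaths:
        - "https://app.example.com/logout.*"
      authentication:
        method: "form"
        parameters:
          # URL where the login form lives (also fetched to pick up anti-CSRF tokens)
          loginPageUrl: "https://app.example.com/login"
          # URL the form data is sent to
          loginRequestUrl: "https://app.example.com/login"
          # POST body; {%username%} and {%password%} are replaced per user
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          # "response": check the login response body for the indicators below.
          # A match of loggedInRegex means authenticated; otherwise a match of
          # loggedOutRegex means the session is not (or no longer) valid.
          method: "response"
          loggedInRegex: "Log out"
          loggedOutRegex: "Please sign in"
      sessionManagement:
        method: "cookie"
      users:
        - name: "ci-user"
          credentials:
            username: "ci-user"
            # Never commit real credentials; ${VAR} is expanded from the
            # environment when the plan runs.
            password: "${ZAP_PASSWORD}"
  parameters:
    failOnError: true        # non-zero exit on a job error fails the pipeline stage
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: spider
    parameters:
      context: "app"
      user: "ci-user"
      maxDuration: 5         # minutes
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "app"
      user: "ci-user"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
```

Save this as zap.yaml in the checkout and run it with the official image, for example `docker run --rm -v "$(pwd):/zap/wrk/:rw" -e ZAP_PASSWORD -t ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/zap.yaml`. The plan can also be generated from the desktop interface after configuring the context as described above (Automation tab, Save plan), which is a convenient way to check the authentication settings interactively before committing them. The most common silent failure is an indicator regex that never matches: ZAP then scans unauthenticated and reports far fewer findings, so verify in a first run that the spider reached pages that require login.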