Introduction
What is Dynamic Application Security Testing (DAST)
Dynamic application security testing (DAST) is a process of testing an application or software product in an operating state. This kind of testing is helpful for industry-standard compliance and general security protections for evolving projects.
What is ZAP
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
How to use ZAP
ZAP Scan for API
You can use zap-api-scan to perform scans against APIs defined by OpenAPI, SOAP, or GraphQL. If your API is protected with authentication, you will need to prepare a token or API key before running the script.
Local Run
Example - for API with Swagger
The following example shows how to run ZAP locally against an API with:
- url: http://192.168.1.10
- the swagger doc url: http://192.168.1.10/swagger.json
- Authentication header name: Authorization
- Authentication header value: api_token_value
Steps:
- Put the token or API key used for authentication into a configuration file or environment variables; the following is an example configuration file.
ZAP_AUTH_HEADER_VALUE=api_token_value
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=192.168.1.10
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
- Run the following command to pull the zap docker image
docker pull owasp/zap2docker-stable
- Run the following command to trigger zap-api-scan for an API with a swagger doc (replace the example values with your own when you use it for your API):
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-api-scan.py -t http://192.168.1.10/swagger.json -f openapi -r report.html
- After executing the above commands, a report.html containing the test results should be generated in your current directory.
For SOAP/GraphQL
- Running ZAP Scan against a SOAP or GraphQL API is very similar to running it against a Swagger API; the only difference is the "-f" option in the step 3 command, which changes as follows.
For SOAP:
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-api-scan.py -t http://192.168.1.10/soap_wsdl_url -f soap -r report.html
For GraphQL:
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-api-scan.py -t http://192.168.1.10/graphql_url -f graphql -r report.html
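The local procedure above, as an added example that is not part of the original article: a POSIX shell wrapper that derives ZAP_AUTH_HEADER_SITE from the target URL (the host-only rule from the note), writes the --env-file, runs zap-api-scan.py and translates its exit status into a verdict. It assumes docker is installed and that the token is supplied in a ZAP_TOKEN environment variable; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: wraps zap-api-scan.py with the
# env-file setup described above and interprets the script's exit status.
# Assumptions: docker is installed and the token is supplied via ZAP_TOKEN.

# Derive ZAP_AUTH_HEADER_SITE from a target URL by stripping scheme, path and
# port, as the note above requires (https://host:8080/x -> host).
zap_auth_site() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
                             -e 's#[/?].*$##' -e 's#:[0-9]*$##'
}

# Write the --env-file consumed by docker run. The token is read from the
# ZAP_TOKEN environment variable so it is never typed on the command line.
write_zap_env() {
    target="$1"; header="$2"; out="$3"
    {
        printf 'ZAP_AUTH_HEADER=%s\n' "$header"
        printf 'ZAP_AUTH_HEADER_VALUE=%s\n' "${ZAP_TOKEN:?set ZAP_TOKEN first}"
        printf 'ZAP_AUTH_HEADER_SITE=%s\n' "$(zap_auth_site "$target")"
    } > "$out"
}

# Map the ZAP script's exit status to a verdict: zap-api-scan.py and
# zap-full-scan.py exit 0 = pass, 1 = at least one FAIL, 2 = WARNs only,
# 3 = the scan itself failed (e.g. target unreachable).
zap_verdict() {
    case "$1" in
        0) echo PASS ;;
        1) echo FAIL ;;
        2) echo WARN ;;
        3) echo ERROR ;;
        *) echo UNKNOWN ;;
    esac
}

# Run the API scan and print the verdict instead of letting the non-zero exit
# status abort the caller (important under set -e or in a CI step).
run_zap_api_scan() {
    spec_url="$1"; fmt="$2"; envfile="${3:-zap.env}"
    write_zap_env "$spec_url" Authorization "$envfile"
    status=0
    docker run --env-file "$envfile" --rm -v "$PWD:/zap/wrk" \
        owasp/zap2docker-stable:latest \
        zap-api-scan.py -t "$spec_url" -f "$fmt" -r report.html || status=$?
    zap_verdict "$status"
}
```

The same exit-status mapping matters in CircleCI: with the default rules every alert is a WARN, so zap-api-scan.py exits 2, which fails the run step and skips store_artifacts unless the status is handled as above.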
CircleCI Integrate
Example - for API with Swagger
The following example shows how to integrate ZAP into CircleCI to scan the API with:
- url: http://192.168.1.10
- the swagger doc url: http://192.168.1.10/swagger.json
- Authentication header name: Authorization
- Authentication header value: api_token_value
Steps:
- Add the following environment variables to your project's settings in CircleCI:
ZAP_AUTH_HEADER_VALUE=api_token_value
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=target_url
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
- Add the following content in .circleci/config.yml:
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-api-scan.py -f openapi -t https://target-url/swagger.json -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
- After the pipeline runs, a zap-report/report.html containing the test results should be available in the pipeline artifacts.
For SOAP/GraphQL
Integrating ZAP Scan into CI/CD for a SOAP or GraphQL API is very similar to doing it for a Swagger API; the only difference is the "-f" option in the step 2 .circleci/config.yml file, which changes as follows.
For SOAP:
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-api-scan.py -f soap -t https://target-url/soap_wsdl_url -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
For GraphQL:
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-api-scan.py -f graphql -t https://target-url/graphql_url -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
ZAP Scan for Application (with UI)
You can use zap-full-scan to perform a full active scan for a web application. If your application is protected with authentication, you will need to prepare an authorization header or cookie before running the script.
Local Run for UI app
The following example shows how to run ZAP locally against an application with:
- url: http://192.168.1.10
- Authentication header name: Authorization
- Authentication header value: authorization_token_here
Note: Please change the header name to "Cookie" if your application is authenticated by cookie/session.
Steps:
- Put the token or API key used for authentication into a configuration file or environment variables; the following is an example configuration file.
ZAP_AUTH_HEADER_VALUE=authorization_token_here
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=192.168.1.10
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
- Run the following command to pull the zap docker image
docker pull owasp/zap2docker-stable
- Run the following command to trigger zap-full-scan (replace the example values with your own when you use it for your application):
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-full-scan.py -t http://192.168.1.10 -r report.html
- After executing the above commands, a report.html containing the test results should be generated in your current directory.
CircleCI Integration for UI app
The following example shows how to integrate ZAP into CircleCI to scan the application with:
- url: http://192.168.1.10
- Authentication header name: Authorization
- Authentication header value: authorization_token_here
Steps:
- Add the following environment variables to your project's settings in CircleCI:
ZAP_AUTH_HEADER_VALUE=authorization_token_here
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=target_url
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
Note: Please change the header name to "Cookie" if your application is authenticated by cookie/session.
- Add the following content in .circleci/config.yml:
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-full-scan.py -t https://target-url -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
- After the pipeline runs, a zap-report/report.html containing the test results should be available in the pipeline artifacts.
Top comments (1)
This article was curated as a part of the 45th Issue of the Software Testing Newsletter