2020 ADDO Spring Break OWASP ZAP Automation
•
3 j'aime•616 vues
A deep dive into OWASP ZAP Automation and Authentication. The slides are from a 3 hour workshop delivered as part of the All Day DevOps Spring Break conference help in April 2020
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à 2020 ADDO Spring Break OWASP ZAP Automation
Similaire à 2020 ADDO Spring Break OWASP ZAP Automation (20)
Dernier
Dernier (20)
2020 ADDO Spring Break OWASP ZAP Automation
- 1. ZAP Automation Deepdive Simon Bennetts ZAP Project Lead Mozilla Security Team
- 2. Workshop Overview ● Quick Intro to ZAP ● Packaged Scans ● Authentication ● Daemon and API
- 3. ZAP Overview
- 4. ZAP Overview ● The worlds most widely used web app scanner – March 2020 ● > 85,000 Direct downloads ● > 220,000 Docker pulls ● > 1 Million Runs in just that one month!
- 5. ZAP Runtime Options ● Desktop UI ● Heads Up Display ● Command Line ● Packaged Scans ● Daemon + API
- 6. ZAP Automation ● Command Line ● Packaged Scans – Baseline Scan – API Scan – Full Scan ● Daemon + API
- 7. Target Applications ● BodgeIt Store – Traditional app, simple, relatively easy – Not maintained, only good for simple demos ;) ● OWASP Juice Shop – Modern, lots of pain points – Well maintained, very good for manual testing
- 9. Command Line Demo ● ZAP installed locally ● BodgeIt running Docker docker pull psiinon/bodgeit docker run --rm -p 8080:8080 -i -t psiinon/bodgeit cd 'C:Program FilesOWASPZed Attack Proxy' ./zap.bat -cmd -quickurl http://localhost:8080/bodgeit -quickprogress
- 10. ZAP Packaged Scans ● Baseline Scan ● API Scan ● Full Scan
- 11. Baseline Demo ● ZAP baseline scan (docker) ● BodgeIt running Docker docker pull psiinon/bodgeit docker pull owasp/zap2docker-stable docker run --rm -p 8080:8080 -i -t psiinon/bodgeit docker run -t owasp/zap2docker-stable zap-baseline.py -t http://localhost:8080/bodgeit Fails :(
- 12. Baseline Demo v2 ● ZAP baseline scan (docker) ● BodgeIt running in Docker docker pull psiinon/bodgeit docker pull owasp/zap2docker-stable docker network create zapnet docker run --rm -p 8080:8080 --net zapnet -i -t psiinon/bodgeit docker run -t --net zapnet owasp/zap2docker-stable zap-baseline.py -t http://192.168.0.32:8080/bodgeit
- 13. Baseline Defaults ● Traditional Spider for up to 1 min ● No Ajax Spider ● Passive scan – release and beta quality rules
- 14. Baseline Options docker run owasp/zap2docker-stable zap-baseline.py -h Usage: zap-baseline.py -t <target> [options] -t target target URL including the protocol, eg https://www.example.com Options: -h print this help message -c config_file config file to use to INFO, IGNORE or FAIL warnings -u config_url URL of config file to use to INFO, IGNORE or FAIL warnings -g gen_file generate default config file (all rules set to WARN) -m mins the number of minutes to spider for (default 1) -r report_html file to write the full ZAP HTML report -w report_md file to write the full ZAP Wiki (Markdown) repor
- 15. Bodgeit Baseline Scan Scan Time URLs Warnings Baseline default 1 min 410 13 Baseline default 2nd 1 min 410 13 Baseline -a 1 min 411 17 Baseline -j 2 mins 422 14 Baseline -a -j 2 mins 421 16 Baseline -a -j -m 5 6 mins 422 17
- 16. Baseline Demo – Juice Shop ● ZAP baseline scan (docker) ● JuiceShop running in Docker docker pull bkimminich/juice-shop docker pull owasp/zap2docker-stable docker network create zapnet docker run --rm -p 3000:3000 --net zapnet bkimminich/juice-shop docker run -t --net zapnet owasp/zap2docker-stable zap-baseline.py -t http://192.168.0.32:3000
- 17. Juice Shop Baseline Scan Scan Time URLs Warnings Baseline default 1 min 27 5 Baseline default 2nd 1 min 27 5 Baseline -a 2 mins 27 7 Baseline -j 2 mins 75 10 Baseline -a -j 4 mins 72 11 Baseline -a -j -m 5 13 mins 63 11
- 18. Baseline GitHub Action ● https://github.com/marketplace/actions/owasp-zap-baseline-scan ● Run the baseline on GitHubs infrastructure ● Same ‘command line’ options supported ● Automatically maintains issues
- 20. API Scan ● Tuned for apps with no UI but a defined API ● Definitions supported: – OpenAPI – SOAP
- 21. Full Scan Defaults ● No timelimit ● No Ajax Spider ● Passive scan – release and beta quality rules ● Active scan – release and beta quality rules
- 22. Full Scan GitHub Action ● “Coming soon!”
- 24. Packaged Scan Tuning ● Rule configuration file ● ZAP config options ● Scan hooks
- 26. Authentication
- 27. Authentication Overview ● Web authentication is hard! ● ZAP should be able to cope with anything ● But we know its not easy to configure ● Client based authentication was even harder than I expected :P
- 28. Authentication Plan ● Authenticate vs BodgeIt ● Authenticate vs Juice Shop (form) ● Authenticated vs Juice Shop (SSO) ● Automating authentication
- 29. ZAP Authentication ● Needs to understand: – Session handling – Authentication process – Credentials
- 31. BodgeIt Authentication ● Traditional cookie based session ● Simple login form, POST request ● Logged in/out indicators available in most HTTP reqs/resps
- 34. Juice Shop Std Authentication ● Auth header and cookie based session ● Simple login form, Ajax & JSON ● Logged in/out indicators NOT available in most HTTP reqs/resps
- 36. ZAP Auth related Scripts ● Authentication ● Session Management ● Selenium ● HTTP Sender
- 37. ZAP Authentication Scripts ● Handles authentication :) ● Key methods – authenticate(helper, paramVals, creds)
- 38. ZAP Session Mgmt Scripts ● Handles session management :) ● Key methods – extractWebSession(sessionWrapper) – clearWebSessionIdentifiers(sessionWrapper) – processMessageToMatchSession(sessionWrapper)
- 39. ZAP Selenium Scripts ● Run when ZAP launches a browser ● Key methods – browserLaunched(ssutils)
- 40. ZAP HTTP Sender Scripts ● Run when any req/resp goes through ZAP ● Key methods – sendingRequest(msg, initiator, helper) – responseReceived(msg, initiator, helper)
- 41. ZAP Auth Related Script Questions?
- 43. Juice Shop SSO Authentication ● Session handling as before ● Login via Google SSO ● In practice needs a browser