Automate ZAP With Docker – DZone Security

In the previous posts, you learned how to use ZAP with the Desktop client and from the command line with ZAP CLI. In this post, you will learn how to use the Docker images that are provided by OWASP. This also makes it easier to automate ZAP, especially in a CI/CD pipeline.

1. Introduction

It is strongly advised to read the two previous posts about ZAP before starting with this one. You will need some files which were created in the previous posts. If you already have experience with ZAP, you can continue reading and use the files from the GitHub repository in directory zap2docker. The generated reports are also available in this repository. This way, you will be able to compare your results.

In the previous posts, you were shown how to use the ZAP Desktop client and how to use ZAP CLI in order to automate the penetration test. However, OWASP also provides some Docker images which can be used for an automated scan.

You will again use WebGoat as the vulnerable web application. If you followed the previous posts, it is better to start from scratch again and remove the Docker container you created.

Since the application under test is running in a Docker container and ZAP will also run in a Docker container, it is necessary to create a Docker network. Otherwise it will not be possible to access WebGoat from within the ZAP Docker container.

Next, create the WebGoat container within the just created network zapnet.

Navigate to the WebGoat URL and create the user mydeveloperplanet with password password. This user will be used for authentication during the scan.

2. ZAP Docker Full Scan

The ZAP Docker image provides several scan possibilities. One of them is the Baseline Scan, which scans your application passively. The active scan, however, gives you better results, and this can be done with the Full Scan.

You will need the IP address of WebGoat within the zapnet network. This can be retrieved with the following command. In the example below, is the IP address where WebGoat can be accessed.

First, you will scan the application without any user information. The full list of options can be found here; the options used here are explained below:

  • --net: in order to add ZAP to the same network as WebGoat
  • -v: this maps your current directory to the work directory of the Docker image
  • -I: do not return failure on warning
  • -j: run the AJAX spider in addition to the traditional one
  • -m 10: the number of minutes to spider for (just a safeguard, the spider takes less time than 10 minutes)
  • -T 60: limit the full scan to 60 minutes
  • -t: the URL to scan
  • -r: the file name of the report with the results
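The network, WebGoat and full-scan steps above, collected into shell functions a CI job could call. This is an added example and not the article's own commands; the WebGoat image name `webgoat/webgoat`, the ZAP image name `owasp/zap2docker-stable`, WebGoat listening on port 8080, the use of `docker inspect` to look up the container IP on zapnet, and the `Webgoat.context.orig` file name are all assumptions. The `localhost` rewrite is done with `sed` so it works for the context file as well as the exported URL list.

```shell
#!/bin/sh
# Added example (not the article's commands): the zapnet / WebGoat / full-scan
# steps as reusable shell functions for a CI job.
# Assumptions (not from the article): image names below, WebGoat on port 8080,
# and "docker inspect" as the way to read the container IP inside zapnet.
set -eu

NETWORK="zapnet"
WEBGOAT_NAME="webgoat"
WEBGOAT_IMAGE="webgoat/webgoat"        # assumed image name
ZAP_IMAGE="owasp/zap2docker-stable"    # assumed image name

# Create the network once; tolerate "already exists" so the job is re-runnable.
create_network() {
  docker network inspect "$NETWORK" >/dev/null 2>&1 || docker network create "$NETWORK"
}

# Start WebGoat inside zapnet so ZAP can reach it by its container IP.
start_webgoat() {
  docker run --rm -d --name "$WEBGOAT_NAME" --net "$NETWORK" "$WEBGOAT_IMAGE" >/dev/null
}

# Read the IP WebGoat has on zapnet (assumed approach: docker inspect template).
webgoat_ip() {
  docker inspect -f "{{(index .NetworkSettings.Networks \"$NETWORK\").IPAddress}}" "$WEBGOAT_NAME"
}

# Rewrite "localhost" to the zapnet IP in a copy of a file (context file,
# exported URL list), as the post requires before mounting the files.
# $1 = input file, $2 = WebGoat IP, $3 = output file
rewrite_host() {
  sed "s/localhost/$2/g" "$1" > "$3"
}

# Compose the zap-full-scan.py invocation with the options explained above.
# $1 = WebGoat IP, $2 = report file name. The command is printed rather than
# executed so the pipeline can log it before running it with `sh -c`.
full_scan_cmd() {
  printf 'docker run --rm --net %s -v %s:/zap/wrk/:rw -t %s zap-full-scan.py -I -j -m 10 -T 60 -t http://%s:8080/WebGoat -r %s' \
    "$NETWORK" "$PWD" "$ZAP_IMAGE" "$1" "$2"
}

# Whole pipeline; only meaningful on a host with docker installed.
run_pipeline() {
  create_network
  start_webgoat
  sleep 30   # crude wait for WebGoat to come up; poll the login URL in a real job
  ip="$(webgoat_ip)"
  rewrite_host Webgoat.context.orig "$ip" Webgoat.context   # assumed file name
  sh -c "$(full_scan_cmd "$ip" report.html)"
  docker stop "$WEBGOAT_NAME"
}

# Run only when explicitly requested and docker is available.
if [ "${RUN_PIPELINE:-0}" = "1" ] && command -v docker >/dev/null 2>&1; then
  run_pipeline
fi
```

Invoke it as `RUN_PIPELINE=1 sh zap-pipeline.sh` from the directory that holds the context file; the report lands in the same directory because of the `-v` volume mapping.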

Just as you noticed when running the scan with ZAP CLI in the previous post, this scan gives you fewer results than expected. The spider does some work, but not enough, and since you did not provide any user credentials, a large part of the application is not scanned.

In order to provide the user credentials, you can supply the context file Webgoat.context you created last time. The only thing you need to do is replace localhost with the IP address throughout the file. Move the context file to the current directory so that it is accessible in the ZAP work directory inside the Docker container. You add the following two extra options to the command:

  • -n: the context file
  • -U: the user to use

Running this command results in the following error. It states that the URL is not in the context, but it is. Even if this would work, it is doubtful whether the spider would have found all the URLs of the application. You may have noticed in the previous posts that a manual exploration of the website in addition to a spider gave many more URLs to scan.

3. ICTU ZAP Docker Full Scan

ICTU, a Dutch IT organisation of the government, has extended the ZAP Docker images with a webhook for authentication. It would be interesting to find out whether this way you can scan the application including authentication. Notice that the Docker image is now taken from the ICTU DockerHub page. Two extra options are added compared to the full scan without user authentication:

  • --hook: the link to the Python script which takes care of the authentication
  • -z: some extra parameters needed for the authentication

This seems to do its work. However, fewer results are found compared to the ZAP CLI scan, most likely due to the spider again.

4. ZAP CLI With Docker

The good news is that ZAP CLI is also shipped in the ZAP Docker image. Good results were achieved with ZAP CLI, so let's see whether this also applies when you run it from within the ZAP Docker container. You run the Docker container again with a volume mapping to your current directory and with option -i in order to start the container in interactive mode. This allows you to execute commands inside the Docker container.

As a test, you can verify whether WebGoat is accessible from within the ZAP Docker container with a wget.

You will follow exactly the same steps as in the previous post. The only difference is that you execute the commands from within the Docker container. The first thing to do is to start ZAP. For simplicity, you will disable the API key. Remember that the API key was necessary to access the ZAP API. If you want, you can retrieve the API key via the webswing ZAP UI.

Import the context. Remember that you changed localhost in the context file to the IP address where WebGoat can be accessed.

In the previous post, you exported the manually explored URLs to the file webgoat-exported-urls.txt. Copy this file to your current directory and find/replace localhost with the WebGoat IP address.

Also, copy the script to your current directory and change the path to the text file.

Execute the script; this takes approximately 10 minutes.

Start the traditional spider.

Start the active scan; this takes approximately 15 minutes.

Generate the report.

As you can see, this gives you similar results as in the previous post.

Save the session for later use.

Shutdown ZAP.

Finally, type exit to leave the interactive shell and shut down the WebGoat Docker container.
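The ZAP CLI sequence of this section (start ZAP with the API key disabled, import the context, spider, active scan, report, save the session, shut down), written as a small script you could run from the interactive shell inside the ZAP container instead of typing each command. This is an added example, not the article's commands or files. Assumptions not in the article: ZAP listens on port 8090 inside the container, the mounted work directory is `/zap/wrk`, the context file was already rewritten from localhost to the WebGoat IP, the report and session file names, and that zap-cli's default `--zap-path` of `/zap` matches the image. The step that runs the script over `webgoat-exported-urls.txt` is not reproduced, because the article does not show that script. A `DRY_RUN` switch prints the commands instead of executing them, which is what the test below checks.

```shell
#!/bin/sh
# Added example (not the article's commands): the in-container ZAP CLI steps.
# Assumptions (not from the article): ZAP port 8090, work dir /zap/wrk,
# file names below, and the zap-cli default --zap-path of /zap.
set -eu

ZAP_PORT="${ZAP_PORT:-8090}"
WORK="/zap/wrk"
DRY_RUN="${DRY_RUN:-0}"

# Run one zap-cli command against the chosen port, or print it in dry-run mode.
zapcli() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'zap-cli -p %s %s\n' "$ZAP_PORT" "$*"
  else
    zap-cli -p "$ZAP_PORT" "$@"
  fi
}

# Start the ZAP daemon with the API key disabled, as the post does for simplicity.
start_zap() {
  zapcli start --start-options "-config api.disablekey=true"
}

# Import the (already rewritten) context, spider, actively scan, write the
# HTML report, save the session and stop ZAP.
# $1 = WebGoat IP inside zapnet
scan_webgoat() {
  target="http://$1:8080/WebGoat"
  zapcli context import "$WORK/Webgoat.context"
  zapcli spider "$target"
  zapcli active-scan -r "$target"
  zapcli report -o "$WORK/webgoat-zapcli-report.html" -f html
  zapcli session save "$WORK/webgoat.session"   # assumed session file name
  zapcli shutdown
}

# Full sequence. $1 = WebGoat IP inside zapnet
run_all() {
  start_zap
  scan_webgoat "$1"
}
```

Inside the container, run it as `sh /zap/wrk/zapcli-scan.sh` after defining the IP, for example by calling `run_all <webgoat-ip>` at the end of the file; `DRY_RUN=1` first prints the seven commands so you can check the paths before a 25-minute run.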

5. Conclusion

It is great that OWASP provides Docker images with ZAP pre-installed. This simplifies installation and makes it easier to integrate ZAP into your CI/CD pipeline. The default scans which are provided did not give good enough results. Luckily, ZAP CLI is also provided and this did the job. Also note that ZAP CLI will be replaced in the near future by the Automation Framework.
