Resources

OWASP ZAP


What is OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is a flagship security proxy and web application scanner from OWASP, and is the world's most widely used web app scanner. ZAP has strong automation features and its own marketplace of add-ons that extend it.

ZAP is used in two main ways: as an intercepting proxy, which lets requests between a browser and a site be captured and modified to find and exploit various types of flaws, and as a web application scanner, whose spider and active scanner find flaws in the targeted web service.

As ZAP is an open source tool, you are free to download it from https://www.zaproxy.org/download/ (including Docker images) for your own use and for automated scanning in your pipeline. When you use it for pipeline scanning, the Uleska Platform interacts with the ZAP API to manage scans and to record and compare results.

Security Stage: DAST (Dynamic Analysis)
Type: Open Source
Languages: Many
Site: https://www.zaproxy.org/


Pre-requisite

  1. (optional) You will need an OWASP ZAP instance running on a server you control
  2. You will need a URL to scan

How do I set it up?

There are two ways to run ZAP with Uleska:

  1. you can utilize the OWASP ZAP cloud server (running as part of the Uleska Platform)

  2. you can connect the Uleska Platform to your own OWASP ZAP instance

These instructions show you how to set up both scenarios. If you wish to use the internal ZAP instance in the Uleska cloud, skip to the 'Configure a connection in the Uleska Platform to interact with OWASP ZAP' section.


Setting up OWASP ZAP API for an external instance

There are a number of ways to set up your own instance of ZAP to work with the Uleska Platform. ZAP runs on Windows, Linux, and Mac, and can run as a desktop tool, as a daemon, or in Docker.

The instructions here help you get the OWASP ZAP API accepting requests from systems other than the ZAP host itself (i.e. the Uleska Platform), which takes a bit of configuration. For further details, refer to the OWASP ZAP documentation at https://www.zaproxy.org/docs/api/ or the user group at https://groups.google.com/g/zaproxy-users/.

To add OWASP ZAP into the Uleska Platform, there are 3 main steps:

  1. Setup the API and key for the internal OWASP ZAP instance
  2. Configure a connection in the Uleska Platform to interact with the internal OWASP ZAP instance
  3. Add the OWASP ZAP tool into your application and version toolkit


Setup the API and key on your OWASP ZAP instance

If you plan to run OWASP ZAP on a cloud server (e.g. AWS EC2 or Azure), you will need a reverse proxy in front of it so that external HTTP (API) requests can be processed. By default ZAP binds to a specific IP address on the server, and because EC2 and similar instances do not expose their public IP address on a local interface, binding ZAP directly to the external address is difficult. A reverse proxy that simply forwards all traffic to the local OWASP ZAP instance gives you that network accessibility.

Instructions for setting up an instance of OWASP ZAP are as follows:

  1. On your system, download the latest stable release from https://www.zaproxy.org/download/

  2. Install OWASP ZAP on your server.

  3. By default ZAP has the API enabled and listens on port 8080 for both proxy traffic and API traffic. There are a few settings you should change, either through the UI or via command-line flags:

  • Get or set the API key. In the UI, go to Tools → Options → API and record the API key shown there (or set your own). See the ZAP docs for the latest method to set an API key via the command line.
  • Ensure that localhost and 127.0.0.1 are enabled in the 'Addresses permitted to use the API' box. Because the reverse proxy set up below forwards requests from the same host, these local addresses are all ZAP needs to accept.
  • Ensure the Local Proxy is listening on 127.0.0.1 by going to Tools → Options → Local Proxy, and set the Local Proxy port to 8081. See the ZAP docs for the latest method to set the local proxy IP address and port via the command line.

You can test these settings on the local box by making a request to http://127.0.0.1:8081/UI/ (either through a browser running on the box, or via curl or another HTTP client). If this returns the 'ZAP API UI' page with text and links, then ZAP is set up.

  4. Download Nginx to use as a reverse proxy from https://nginx.org/

  5. Extract Nginx and edit the 'nginx.conf' file in the 'conf' directory of your extracted files. You can add many settings here, including TLS certificates, but the basic settings to get this up and running are:

# This server block goes inside the http { } block of nginx.conf
server {
    listen 8080;                        # external port the reverse proxy accepts traffic on
    server_name servername.domainname;

    location / {
        proxy_pass http://127.0.0.1:8081;   # forward everything to the local ZAP API/proxy port
    }
}

  • This configuration has the Nginx reverse proxy listen on port 8080 for external traffic. You will need to set up DNS to map whatever servername.domainname you wish to use to the public IP address of your server. If using EC2 or similar, we recommend using an elastic IP address for consistency.
  • With your proxy settings saved, start up Nginx. Any traffic arriving at this reverse proxy on port 8080 is forwarded on to port 8081, which is the OWASP ZAP instance. Note: remember to configure your server (local) firewall and cloud security groups to allow external traffic to reach port 8080.
  • You can test this, both from the server itself and externally, by making a request to http://servername.domainname:8080/UI/ (either through a browser running on the box, or via curl or another HTTP client). If this returns the 'ZAP API UI' page with text and links, then ZAP and your Nginx reverse proxy are set up.
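Before pointing the platform at the proxied instance, it is worth confirming that the API key is actually enforced on the externally reachable port, since the Nginx configuration above forwards everything it receives. The script below is an added example (not from this page, ZAP, or Uleska): it checks that the API UI is served, that a request without a key is refused, and that the configured key is accepted. It assumes ZAP's JSON view /JSON/core/view/version/ and the X-ZAP-API-Key request header; _ZapStub is a constructed stand-in for ZAP so the script can also run offline.

```python
# Added check script, not part of the page or ZAP. Assumes ZAP's /JSON/core/view/version/
# view and X-ZAP-API-Key header; _ZapStub is a constructed stand-in for offline runs.
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def zap_checks(base_url, api_key, timeout=5.0):
    """Return {check: bool} for the ZAP API at base_url (e.g. the Nginx :8080 URL)."""
    version_url = f"{base_url}/JSON/core/view/version/"
    out = {}
    try:  # 1. the API UI page the instructions test with curl is served
        with urllib.request.urlopen(f"{base_url}/UI/", timeout=timeout) as r:
            out["ui_reachable"] = r.status == 200 and b"ZAP API UI" in r.read()
    except (urllib.error.URLError, OSError):
        out["ui_reachable"] = False
    try:  # 2. the proxy is reachable from outside, so a keyless request must not get the view
        with urllib.request.urlopen(version_url, timeout=timeout) as r:
            out["key_enforced"] = b'"version"' not in r.read()
    except urllib.error.HTTPError as e:
        out["key_enforced"] = e.code in (401, 403)  # rejected outright: key is enforced
    except (urllib.error.URLError, OSError):
        out["key_enforced"] = False
    req = urllib.request.Request(version_url, headers={"X-ZAP-API-Key": api_key})
    try:  # 3. with the configured key the version view answers with JSON
        with urllib.request.urlopen(req, timeout=timeout) as r:
            out["key_accepted"] = "version" in json.loads(r.read())
    except (urllib.error.URLError, OSError, ValueError):
        out["key_accepted"] = False
    return out


class _ZapStub(BaseHTTPRequestHandler):
    """Constructed stand-in for ZAP: /UI/ is open, JSON views require the key."""
    api_key = "constructed-key"

    def do_GET(self):
        if self.path.startswith("/UI/"):
            code, body = 200, b"<html>ZAP API UI</html>"
        elif self.headers.get("X-ZAP-API-Key") == self.api_key:
            code, body = 200, b'{"version":"stub"}'
        else:
            code, body = 403, b'{"code":"bad_api_key"}'
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body)


def run_selfcheck(api_key=_ZapStub.api_key):
    """Run zap_checks against the local stub and return its results dict."""
    srv = HTTPServer(("127.0.0.1", 0), _ZapStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return zap_checks(f"http://127.0.0.1:{srv.server_port}", api_key)
    finally:
        srv.shutdown()
```

Against the real instance, call zap_checks('http://servername.domainname:8080', '<your API key>'); a False for key_enforced means the reverse proxy is exposing the ZAP API without key protection.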

Configure a connection in the Uleska Platform to interact with OWASP ZAP

Now let's get the Uleska Platform to talk to ZAP.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'OWASP ZAP'
  • Add the URL of the ZAP instance you created above (e.g. http://servername.domainname:8080). Note: if you wish to use the internal ZAP instance, enter 'http://uleska-zap:8080'.
  • For the API key, add the key you copied when setting up the API above. Note: if you wish to use the internal ZAP instance, enter 'ZAPcupticket'.
  • At this stage you can click the 'Test' button to ensure this configuration is correct and can access the OWASP ZAP instance.
  • Click 'Save'


Add the OWASP ZAP tool into your application and version toolkit

Now the Uleska Platform is set up so that any project can be dynamically tested with your OWASP ZAP tool. Let's show you how to set up your applications and versions to run it.

Your version configuration needs to be set up for dynamic testing. See the dynamic testing documentation page for how to set this up.

To enable the OWASP ZAP tool for this stage of scanning:

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'ZAP Scanner' tool.


  • Click Save.

Now any time you click 'Test Now' for that stage of testing of the application, or make a request over the Uleska API or CLI for that stage, the OWASP ZAP tool is included in the test run, which starts a spider and security scan of the URL for the configured version. Any results are added to your vulnerabilities list.

Notes

None