Learn more about how Uleska can help you run an effective application security program, while removing the burden of manual processes.
OWASP ZAP (Zed Attack Proxy) is a flagship security proxy and web application scanner from OWASP, and is the world's most widely used web app scanner. ZAP has strong automation features and its own marketplace of add-ons.
ZAP is used in two main ways: in proxy mode, where requests between a browser and a site are intercepted and modified to exploit various types of flaws; and as a web application scanner, with a spider and a security scanner that find flaws in the targeted web service.
As ZAP is an open source tool, you are free to download it from https://www.zaproxy.org/download/ (including Docker versions) for your own use and for automated scanning in your pipeline. When it is used for scanning in your pipeline, the Uleska Platform can interact with the ZAP API to manage scans and to record and compare results.
Security Stage | DAST (Dynamic Analysis)
Type | Open Source
Languages | Many
Site | https://www.zaproxy.org/
1 | (optional) An OWASP ZAP instance running on a server you control
2 | A URL to scan
There are two ways to run ZAP with Uleska:
You can utilize the OWASP ZAP cloud server (running as part of the Uleska Platform)
You can connect the Uleska Platform to your own OWASP ZAP instance
These instructions show you how to set up both scenarios. If you wish to use the internal ZAP instance with the Uleska cloud, skip to the 'Configure a connection in the Uleska Platform to interact with OWASP ZAP' section.
There are a number of ways you can set up your own instance of ZAP to work with the Uleska Platform. The ZAP web application scanner runs on Windows, Linux, and Mac, and can run as a desktop tool, as a daemon, and as a Docker image.
The instructions here help you get the OWASP ZAP API accepting requests from systems other than the ZAP host itself (i.e. the Uleska Platform), which takes a bit of configuration. For further details refer to the OWASP ZAP API documentation at https://www.zaproxy.org/docs/api/ or the user group at https://groups.google.com/g/zaproxy-users/
To add OWASP ZAP into the Uleska Platform, there are 3 main steps:
If you are planning to run OWASP ZAP on a cloud server (e.g. AWS EC2 or Azure), you will need a reverse proxy in front of it to allow external HTTP (API) requests to be processed. By default ZAP needs to bind to a known IP address on the server, and since EC2 and similar instances do not present their public IP address on a local interface, this can be difficult. Setting up a reverse proxy that simply forwards all traffic to the OWASP ZAP instance gives you the network accessibility.
Instructions for setting up an instance of OWASP ZAP are as follows:
On your system, download the latest stable release from https://www.zaproxy.org/download/
Install OWASP ZAP on your server.
By default ZAP has the API enabled and listens on port 8080 for both proxy traffic and API traffic. There are a few settings you can change, either through the UI or via configuration flags:
You can test these settings on the local box by making a request to http://127.0.0.1:8081/UI/ (using whichever port you configured ZAP to listen on; 8081 matches the Nginx configuration below), either through a browser running on the box or via curl. If this returns the 'ZAP API UI' page with text and links, then ZAP is set up.
Download Nginx to use as a reverse proxy from https://nginx.org/
Extract Nginx and edit the 'nginx.conf' file in the 'conf' directory of your extracted files. Here you can add many settings, including TLS certificates, but the basic settings to get this up and running are:
    server {
        listen 8080;
        server_name servername.domainname;
        location / {
            proxy_pass http://127.0.0.1:8081;
        }
    }
Now let's get the Uleska Platform to talk to ZAP.
Add the OWASP ZAP tool into a Toolkit
Now the Uleska Platform is set up to allow any project to be dynamically tested with your OWASP ZAP tool. Let's show you how to set up your applications and versions to run this.
Your version configuration will be set up for dynamic testing. Go to the dynamic documentation page to see how to set this up for any dynamic testing.
To enable the OWASP ZAP tool with a Toolkit:
Now any time you click 'Test Now' with that Toolkit, or make a request over the Uleska API or CLI with that Toolkit, the OWASP ZAP tool will be included in the test run, which starts a spider and security scan of the URI for the configured version. Any results are added to your vulnerabilities list.
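The exchange a platform performs against the ZAP API to run such a test (spider, then active scan, then collect alerts), as an added Python example that is neither Uleska's nor ZAP's own code. It assumes ZAP was started with an API key configured; the base URL http://zap.example:8080, the key 'secret-key' and the target URL are placeholders. Only the standard library is used.

```python
import json
import time
import urllib.parse
import urllib.request

class ZapClient:
    """Minimal client for ZAP's JSON API (/JSON/<component>/<view|action>/<op>/)."""

    def __init__(self, base_url, api_key, fetch=None):
        self.base_url = base_url.rstrip("/")  # e.g. http://zap.example:8080 (placeholder)
        self.api_key = api_key
        # fetch(url, headers) -> bytes; injectable so the flow can run without a live ZAP
        self.fetch = fetch or self._http_get

    @staticmethod
    def _http_get(url, headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()

    def call(self, component, kind, op, **params):
        query = urllib.parse.urlencode(params)
        url = f"{self.base_url}/JSON/{component}/{kind}/{op}/?{query}"
        # Send the key as a header rather than the apikey query parameter, so it is
        # not written into the reverse proxy's access log with every request.
        headers = {"X-ZAP-API-Key": self.api_key, "Accept": "application/json"}
        return json.loads(self.fetch(url, headers))

    def wait_for(self, component, scan_id, poll_seconds=2.0):
        """Block until the spider or active scan with scan_id reports 100%."""
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll_seconds)

    def run_scan(self, target, poll_seconds=2.0):
        """Spider the target, then active-scan it, and return alerts counted by risk."""
        spider_id = self.call("spider", "action", "scan", url=target)["scan"]
        self.wait_for("spider", spider_id, poll_seconds)
        ascan_id = self.call("ascan", "action", "scan", url=target)["scan"]
        self.wait_for("ascan", ascan_id, poll_seconds)
        alerts = self.call("core", "view", "alerts", baseurl=target)["alerts"]
        return summarize(alerts)

def summarize(alerts):
    """Count alerts per risk level (High/Medium/Low/Informational) for run-to-run comparison."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts
```

Comparing the dictionary returned by two runs of the same version is the simplest way to spot newly introduced or newly fixed findings.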
Notes
None