Integrate OWASP ZAP into CI/CD

Pre-requisites

How do I set it up Owasp Zap?

There are two ways to run ZAP proxy with Uleska :

1. You can utilize the OWASP ZAP cloud server (running as part of the Uleska Platform)

2. You can connect the Uleska Platform to your own OWASP ZAP instance

These instructions will show you how to setup both scenarios.  If you wish to use the internal ZAP instance with the Uleska cloud, skip to the 'Configure a connection in the Uleska Platform to interact with OWASP ZAP' section.

If you haven't signed up to Uleska, you can do so 👉 here. 

Setting up OWASP ZAP API for an external instance

There are a number of ways you can setup your own instance of ZAP to work with the Uleska Platform. The ZAP web application scanner runs on Windows, Linux, and Mac, and can run as a desktop tool, a daemon, and in docker versions.

The instructions here are to help you get OWASP ZAP API running with requests from systems other than the OWASP ZAP localhost (i.e. the Uleska Platform), which can take a bit of configuration. For further details you can refer to the OWASP ZAP documentation at https://www.zaproxy.org/docs/api/ or their user group at https://groups.google.com/g/zaproxy-users/

To add OWASP ZAP into the Uleska Platform, there are 3 main stepss:

1. Setup the API and key for the internal OWASP ZAP instance
2. Configure a connection in the Uleska Platform to interact with the internal OWASP ZAP instance
3. Add the OWASP ZAP tool into your application and version toolkit

Setup the API and key on your OWASP ZAP instance

If you are planning to run OWASP ZAP on a cloud server (e.g. AWS EC2, or Azure) then you will need to include a reverse proxy to allow external HTTP (API) requests to be processed. By default ZAP needs to bind to a known IP address on the server, and with EC2/etc boxes not listing the external IP address, this can be difficult. Therefore setting up a reverse proxy that simply forwards all traffic to the OWASP ZAP instance gives you the network accessibility.

Instructions for setting up an instance of OWASP ZAP are as follows:

1. On your system, download the latest stable release from https://www.zaproxy.org/download/

2. Install the OWASP zed attack proxy system onto your server.

3. By default the ZAP will have the API enabled, and will listen on port 8080 for both proxy traffic and API traffic. There are a few settings you can change, either through the UI or in settings flags:

• Get or set the API key (can be obtained from the UI by going to Tools → Options → API and recording the API key provided (or setting your own). See the ZAP docs for the latest method to set an API key via the command line.
• Ensure that localhost & 127.0.0.1 are enabled in the 'Addresses permitted to use the API' box.
• Ensure the Local Proxy is listening on 127.0.0.1 by going to Tools → Options → Local Proxy. Set the Local Proxy port to be 8081. See the ZAP docs for the latest method to set the local proxy IP address and port via the command line.

You can test these settings on the local box by making a request to http://127.0.0.1:80801/UI/ (either through a browser running on the box, or via curl or other). If this returns the 'ZAP API UI' with text and links, then ZAP is setup.

4. Download Nginx to use as a reverse proxy from https://nginx.org/

5. Extract Nginx and exit the 'nginx.conf' file in the 'conf' directory of your extracted files. Here you can add many settings, including TLS certificates, but the basic settings to get this up and running are:

server {
listen 8080;
server_name servername.domainname;

location / {
proxy_pass http://127.0.0.1:8081;
}

• This setting will have the Nginx reverse proxy listen on port 8080 for external traffic. You will need to setup some DNS to map whatever servername.domainname you wish to use to the public IP address of your server. If using EC2 or similar we recommend using an elastic IP address for consistency.
• With your proxy settings saved, start up Nginx. Any traffic coming into this reverse proxy on port 8080 will be forwarded onto port 8081 which is the OWASP ZAP instance. Note, remember to enable your server (local) firewall and cloud security groups to allow external traffic to access port 8080.
• You can test this internally to the server, and externally, by making a request to http://servername.domainname:80801/UI/ (either through a browser running on the box, or via curl or other). If this returns the 'ZAP API UI' with text and links, then ZAP and your Nginx reverse product is setup.

Configure a connection in the Uleska Platform to interact with OWASP ZAP 

Now let's get the Uleska Platform to talk to ZAP.

• In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
• Click on 'Add Connection'
• From the drop down list, select 'OWASP ZAP'
• Add the URL of the ZAP instance you created above (e.g. http://servername.domainname:8080).  Note if you wish to use the internal ZAP instance, enter 'http://uleska-zap:8080'.
• For the API key, add the key you copied took when setting up the API above.  Note if you wish to use the internal ZAP instance, enter 'ZAPcupticket'.
• At this stage you can click the 'Test' button to ensure this configuration is correct and can access the OWASP ZAP instance.
• Click 'Save'

Add the OWASP ZAP tool into a Toolkit

Now the Uleska Platform is setup to allow any project to be dynamically tested with your OWASP tool. Let's show you how to setup your applications and versions to run this.

Your version configuration will be setup for dynamic testing. Go to the dynamic documentation page to see how to set this up for any dynamic testing.

To enable the OWASP ZAP tool with a Toolkit:

• Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'ZAP Scanner' as a tool.

• Click Save.

Now any time you click 'Test Now' with that Toolkit, or make a request over the Uleska API or CLIwith that Toolkit, the OWASP ZAP tool will be included in the test run which will start a spider and security scan of the Uri for the configured version. Any results added to your vulnerabilities list.

Notes

None