What is OWASP ZAP?
OWASP ZAP (Zed Attack Proxy) is a flagship security proxy and scanner from OWASP, and is the world's most widely used web app scanner. OWASP ZAP has great automation features and its own marketplace for add-on extensions.
OWASP ZAP is used in two main ways: as an intercepting proxy, letting requests between a browser and a site be intercepted and modified to exploit various types of flaws, and as a spider and security scanner that finds flaws in the targeted web service.
As OWASP ZAP is an open source tool, you are free to download it from https://www.zaproxy.org/download/ (including Docker images) for your own use and for automated scanning in your pipeline. When you use it for scanning in your pipeline, the Uleska Platform can interact with the ZAP API to manage scans and to record and compare results.
| Security Stage | DAST (Dynamic Analysis) |
| --- | --- |
| 1 | You'll need a URL to scan |
| 2 | You can optionally use your own OWASP ZAP instance |
| 3 | You'll need to set up a connection configuration to ZAP |
How do I set it up?
To add OWASP ZAP into the Uleska Platform, there are 3 main steps:
Set up the API and key on your OWASP ZAP instance
For the first step, given that you wish to run OWASP ZAP as part of your pipeline, you will have OWASP ZAP running on a server you control. This instance must have network access to the running systems you wish to test. It must also be reachable by the Uleska Platform, so that the platform can send instructions to, and retrieve results from, the ZAP API.
Note that, as OWASP ZAP is open source, Uleska has an instance of it running in the cloud that can be used to scan your website. If you wish to use the Uleska-hosted OWASP ZAP instance, please contact us for setup details.
On your OWASP ZAP installation, you will then set up an API key so that Uleska can communicate with it. The instructions for enabling the API and generating a key can be found on the ZAP website at https://www.zaproxy.org/docs/api/#basics-on-the-api-request
Configure a connection in the Uleska Platform to interact with your OWASP ZAP instance
Now that you have your OWASP ZAP running with API enabled, let's get the Uleska Platform to talk to it.
Add the OWASP ZAP tool into your application and version toolkit
Now the Uleska Platform is set up to allow any project to be dynamically tested with your OWASP ZAP instance. Here is how to set up your applications and versions to run it.
Your version configuration will be set up for dynamic testing. See the dynamic testing documentation page for how to set this up for any dynamic test.
To enable the OWASP tool for the stage scanning,
Now, any time you click 'Test Now' for that application's testing stage, or request that stage over the Uleska API or CLI, the OWASP ZAP tool will be included in the test run, which starts a spider and security scan of the URL for the configured version. Any results are added to your vulnerabilities list.
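The API interaction described in the first step (the platform sending instructions to ZAP and retrieving results) and the spider-then-scan sequence described in this last step can be seen end to end in the following script. It is an added example and is not Uleska Platform or ZAP project code. It assumes a ZAP instance with the API enabled on http://127.0.0.1:8080 (ZAP's default port) and an API key generated as described above; the endpoint names (spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts) and the X-ZAP-API-Key header are ZAP's documented ones, while the target URL and the sample alert response at the bottom are constructed for illustration.

```python
"""Drive a ZAP instance through its JSON API: spider, active scan, collect alerts.

Added example, not Uleska Platform or ZAP project code. Assumes ZAP is running
with the API enabled on http://127.0.0.1:8080 (ZAP's default) and that an API
key has been generated. The target URL and SAMPLE_ALERTS are constructed.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://127.0.0.1:8080"          # assumption: local ZAP, default port
API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"   # placeholder; read from a secret store in a pipeline


def api_url(component: str, kind: str, name: str, **params: str) -> str:
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=...

    Query values are percent-encoded so a target URL survives being embedded.
    """
    query = urllib.parse.urlencode(params)
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{query}"


def call(component: str, kind: str, name: str, **params: str) -> dict:
    """Issue one API request. The key goes in the X-ZAP-API-Key header rather
    than the query string so it does not end up in proxy or web-server logs."""
    req = urllib.request.Request(api_url(component, kind, name, **params),
                                 headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def wait_for(component: str, scan_id: str, poll_seconds: int = 5) -> None:
    """Poll <component>/view/status until ZAP reports 100 percent complete."""
    while True:
        status = int(call(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return
        time.sleep(poll_seconds)


def summarise_alerts(alerts_response: dict) -> dict:
    """Reduce a core/view/alerts response to {risk: count} plus a sorted list of
    unique (risk, alert name) pairs, the shape a pipeline gate can act on."""
    alerts = alerts_response.get("alerts", [])
    by_risk = Counter(a["risk"] for a in alerts)
    unique = sorted({(a["risk"], a["alert"]) for a in alerts})
    return {"by_risk": dict(by_risk), "unique": unique}


def scan(target: str) -> dict:
    """Spider, then actively scan, the target and return the alert summary.

    Spidering first gives the active scanner URLs to work on; alerts are then
    fetched for the target base URL only, so unrelated hosts are excluded.
    """
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)
    return summarise_alerts(call("core", "view", "alerts", baseurl=target))


# Constructed sample of a core/view/alerts response, trimmed to the fields used
# above, so summarise_alerts can be exercised without a live ZAP instance.
SAMPLE_ALERTS = {"alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://target.example/"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://target.example/login"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://target.example/search?q=x"},
]}

if __name__ == "__main__":
    print(summarise_alerts(SAMPLE_ALERTS))
    # Against a live instance: print(scan("http://target.example/"))
```

The summary step is kept separate from the network calls so the same reduction can be applied to results the platform has already stored, and so a pipeline can fail the build on the `by_risk` counts without re-scanning.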