
OWASP ZAP


What is OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is a flagship OWASP project: an open source web application security proxy and scanner, and the world's most widely used web app scanner. OWASP ZAP has strong automation features (including an API that can be driven from a pipeline) and its own marketplace of add-ons that extend it.

OWASP ZAP is used in two main ways: as an intercepting proxy, where requests between a browser and a site are captured and modified to probe for various types of flaws, and as a spider and active scanner that crawls the targeted web application and tests it for vulnerabilities automatically.

As OWASP ZAP is an open source tool, you are free to download it from https://www.zaproxy.org/download/ (Docker images included) for your own use and for automated scanning in your pipeline. When it is used for scanning in your pipeline, the Uleska Platform interacts with the ZAP API to manage scans and to record and compare results.

Security Stage: DAST (Dynamic Analysis)
Type: Open Source
Languages: Many
Site: https://www.zaproxy.org/

 

Pre-requisites

  1. A URL to scan
  2. Optionally, your own OWASP ZAP instance (Uleska also hosts one; see below)
  3. A connection configuration in the Uleska Platform pointing at that ZAP instance

How do I set it up?

To add OWASP ZAP to the Uleska Platform, there are 3 main steps:

  1. Set up the API and key on your OWASP ZAP instance
  2. Configure a connection in the Uleska Platform to interact with your OWASP ZAP instance
  3. Add the OWASP ZAP tool to your application and version toolkit

Set up the API and key on your OWASP ZAP instance

For the first step, since you want to run OWASP ZAP as part of your pipeline, you will have OWASP ZAP running on a server you control. That instance needs network access to the running systems you wish to test, and the Uleska Platform needs to reach its API so it can send instructions and retrieve results. Which addresses to allow depends on how you run the Uleska Platform:

  • If you have the Uleska Platform installed on-site, configure your network security as appropriate for your environment.
  • If you are using a dedicated cloud tenant provided by Uleska, we will have communicated the relevant IP addresses to you during setup.
  • If you are using the cloud version of the Uleska Platform, allow-list the Uleska cloud IP addresses. Contact Uleska to obtain the addresses for your account.

Restrict access to the ZAP API port to those addresses only: anyone who can reach the API can launch scans against any host the ZAP instance can see and read the traffic ZAP has captured.

Note that, as OWASP ZAP is open source, Uleska runs an instance of it in the cloud that can be used to scan your website. If you wish to use the Uleska-hosted OWASP ZAP instance, please contact us for setup details.

On your ZAP installation, set up an API key that the Uleska Platform will present on every request. The instructions for enabling the API and setting the key are on the ZAP website at https://www.zaproxy.org/docs/api/#basics-on-the-api-request. Do not disable the key requirement: the key is what stops any other client that can reach the port from driving the scanner.
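As an added example (editor's code, not Uleska's or the ZAP project's), the following Python builds the command line for a headless ZAP daemon that requires the API key and only answers API calls from an allow-list of client addresses, and flags the settings that would leave the API open. The key, the client addresses, the port and the container image tag are placeholders; the indexed api.addrs.addr(N) keys used to list several addresses follow ZAP's configuration key conventions, so check them against the ZAP docs for your version.

```python
"""Build the launch command for a headless ZAP daemon with a key-protected,
address-restricted API.  Editor's added example, not Uleska or ZAP project code;
key, addresses, port and image tag are placeholders."""
import secrets
import shlex

# -config values that switch the API's protection off.
WEAK_OPTIONS = ("api.disablekey=true", "api.addrs.addr.regex=true", "api.addrs.addr.name=.*")


def new_api_key():
    """ZAP accepts any string as the key, so use 256 bits of randomness."""
    return secrets.token_hex(32)


def daemon_args(api_key, allowed_clients, host="0.0.0.0", port=8080):
    """zap.sh arguments: headless (-daemon), key-protected API, per-address allow-list.

    Deliberately NOT used here:
      -config api.disablekey=true                      anyone reaching the port can scan
      -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
                                                       API answers any client address
    allowed_clients should hold the Uleska Platform addresses supplied at setup.
    """
    if not api_key or not allowed_clients:
        raise ValueError("refusing to build a daemon without an API key and a client allow-list")
    args = ["-daemon", "-host", host, "-port", str(port), "-config", f"api.key={api_key}"]
    for i, addr in enumerate(allowed_clients):
        # Literal match (regex=false): in a regex, unescaped dots match any character.
        # Indexed addr(N) keys are assumed from ZAP's config conventions; verify for your version.
        args += ["-config", f"api.addrs.addr({i}).name={addr}",
                 "-config", f"api.addrs.addr({i}).regex=false"]
    return args


def docker_command(api_key, allowed_clients, port=8080, image="ghcr.io/zaproxy/zaproxy:stable"):
    """Same daemon inside the ZAP container image (image tag is an assumption)."""
    cmd = ["docker", "run", "-d", "--name", "zap", "-p", f"{port}:{port}", image, "zap.sh"]
    cmd += daemon_args(api_key, allowed_clients, port=port)
    return " ".join(shlex.quote(c) for c in cmd)


def weak_settings(args):
    """Return any -config values in an existing launch line that leave the API open."""
    return [value for flag, value in zip(args, args[1:])
            if flag == "-config" and value in WEAK_OPTIONS]


if __name__ == "__main__":
    key = new_api_key()
    print("API key (paste into the Uleska connection):", key)
    print(docker_command(key, ["203.0.113.10"]))  # placeholder Uleska address
```

Note that the key is visible on the daemon's command line (in `ps` output and `docker inspect`) to anyone with access to the host, so treat the ZAP host itself as holding the secret.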

Configure a connection in the Uleska Platform to interact with your OWASP ZAP instance

Now that OWASP ZAP is running with its API enabled, let's get the Uleska Platform talking to it.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'OWASP ZAP'
  • Add the URL of your OWASP ZAP instance
  • For the API key, enter the key you copied when setting up the API.
  • At this stage, click the 'Test' button to check that the configuration is correct and the Uleska Platform can reach the OWASP ZAP instance. If the test fails, confirm that the ZAP API port is reachable from the Uleska addresses and that the key matches the one configured on the instance.
  • Click 'Save'


Add the OWASP ZAP tool into your application and version toolkit

The Uleska Platform is now set up so that any project can be dynamically tested with your OWASP ZAP instance. Let's show you how to set up your applications and versions to run it.

Your version configuration must be set up for dynamic testing. See the dynamic testing documentation page for how to set this up for any dynamic test.

To enable the OWASP ZAP tool for that stage of scanning:

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'ZAP Scanner' tool.


  • Click 'Save'.

Now, any time you click 'Test Now' for that application's stage of testing, or request that stage over the Uleska API or CLI, the OWASP ZAP tool is included in the test run: it starts a spider and then a security scan of the URI configured for the version, and any results are added to your vulnerabilities list.
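To show what that "spider, then security scan" run looks like at the API level, here is an added example (editor's code, not Uleska's integration and not the ZAP project's own client library) that drives a ZAP instance over its JSON API: start the spider, poll its status, start the active scan, poll again, then fetch the alerts and collapse them into a per-risk summary. The ZAP address, key and target URL are placeholders, and the FakeZap class is a constructed stand-in with made-up alerts so the flow can be exercised without a running ZAP.

```python
"""Drive a ZAP daemon over its JSON API: spider, active scan, then collect alerts.
Editor's added example, not Uleska's integration code or ZAP's client library.
Host, key and target are placeholders; FakeZap is a constructed stand-in."""
import json
import time
import urllib.parse
import urllib.request

RISK_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


class ZapClient:
    """Calls http://host:port/JSON/<component>/<view|action>/<operation>/?params."""

    def __init__(self, base_url, api_key, transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self._get = transport or self._http_get  # transport(url) -> response body str

    def _http_get(self, url):
        # The key goes in a header, not in ?apikey=, so it stays out of access logs.
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": self.api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")

    def url_for(self, component, kind, operation, **params):
        query = urllib.parse.urlencode(params)
        base = f"{self.base_url}/JSON/{component}/{kind}/{operation}/"
        return f"{base}?{query}" if query else base

    def call(self, component, kind, operation, **params):
        body = json.loads(self._get(self.url_for(component, kind, operation, **params)))
        if "code" in body and "message" in body:  # ZAP's error envelope
            raise RuntimeError(f"ZAP {component}/{operation}: {body['message']}")
        return body

    def _wait(self, component, scan_id, poll, timeout):
        deadline = time.monotonic() + timeout
        while True:  # status is a percentage string, "100" when the scan is done
            pct = int(self.call(component, "view", "status", scanId=scan_id)["status"])
            if pct >= 100:
                return
            if time.monotonic() > deadline:
                raise TimeoutError(f"{component} scan {scan_id} still at {pct}%")
            time.sleep(poll)

    def spider(self, target, poll=2.0, timeout=600):
        scan_id = self.call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", scan_id, poll, timeout)
        return scan_id

    def active_scan(self, target, poll=5.0, timeout=3600):
        scan_id = self.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        self._wait("ascan", scan_id, poll, timeout)
        return scan_id

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def summarise(alerts):
    """One row per (alert name, risk) with the number of affected URLs, plus counts by risk."""
    unique = {}
    for a in alerts:
        unique.setdefault((a["alert"], a["risk"]), set()).add(a.get("url", ""))
    counts = {risk: 0 for risk in RISK_RANK}
    for _name, risk in unique:
        counts[risk] += 1
    rows = sorted(((name, risk, len(urls)) for (name, risk), urls in unique.items()),
                  key=lambda row: (-RISK_RANK[row[1]], row[0]))
    return counts, rows


def run_scan(client, target, poll=2.0):
    """Spider first so the active scan has a URL tree to attack, then report."""
    client.spider(target, poll=poll)
    client.active_scan(target, poll=poll)
    return summarise(client.alerts(target))


class FakeZap:
    """Constructed stand-in for a ZAP daemon; the alerts below are made up."""
    SAMPLE_ALERTS = [
        {"alert": "SQL Injection", "risk": "High", "url": "http://target.example/items?id=1", "param": "id"},
        {"alert": "SQL Injection", "risk": "High", "url": "http://target.example/search?q=x", "param": "q"},
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://target.example/search?q=x", "param": "q"},
        {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://target.example/", "param": ""},
    ]

    def __init__(self):
        self.status_polls = {"spider": 0, "ascan": 0}

    def get(self, url):
        path = urllib.parse.urlsplit(url).path  # e.g. /JSON/spider/view/status/
        if path.endswith("/action/scan/"):
            return '{"scan": "3"}'
        if path.endswith("/view/status/"):
            component = path.split("/")[2]
            self.status_polls[component] += 1  # first poll reports 50 %, second 100 %
            return json.dumps({"status": "50" if self.status_polls[component] == 1 else "100"})
        if path == "/JSON/core/view/alerts/":
            return json.dumps({"alerts": self.SAMPLE_ALERTS})
        return '{"code": "no_implementor", "message": "No implementor"}'


if __name__ == "__main__":
    import sys
    counts, rows = run_scan(ZapClient("http://127.0.0.1:8080", "change-me"), sys.argv[1])
    print(counts)
    for name, risk, n in rows:
        print(f"{risk:<13} {n:>3} url(s)  {name}")
```

Against a real instance, edit the address and key and run `python zap_scan.py https://target.example`; an active scan of a large site can run for well over an hour, so size the timeout to the target rather than relying on the defaults.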

Notes

None