Outline

In this article, I will explain the basic steps for adding an automatic security-test stage that uses OWASP ZAP to your Continuous Integration/Continuous Delivery Platform (CI/CDP).

For the Turkish version of this article, click the link.

What is OWASP ZAP and What is the Purpose of This Test?

OWASP (Open Source Web Application Security Project) is an online community which produces and shares free publications, methodologies, documents, tools and technologies in the field of application security. ZAP (Zed Attack Proxy) is one of the most important tools developed by this community. Its main purpose is to run security scans against web applications.

The purpose of the method described in this article is not to teach you how to do web security testing and its tricks; I will also not give all the technical details of ZAP. The aim here is to show you the first steps of running security scans automatically and to leave the improvements to you.

Walkthrough and Operations to be Performed

I used Cucumber and Capybara on Ruby for the web automation part of this test, but no matter which tool or framework is used, you can perform this procedure with any web automation method such as Selenium, Watir, etc. You can examine the code that I wrote for this test at https://github.com/swtestacademy/zap-security/tree/swtestacademy . Now, let's go into the details of how we will carry out this security test.

Step by Step Instructions

Prerequisites

Java (preferably 8) must be installed on the computer, build agent or container that will perform all these operations. Download the ZAP cross-platform version and extract it on the same machine.


Step-1: Zap Configuration

You need to specify which address and port ZAP will listen on. First, open ZAP with "zap.bat" (on Windows) or "zap.sh" (on OS X or Linux), then modify the settings. I used localhost:8095 in my project. You can do this on the Tools -> Options -> Local Proxy screen. If you connect to the internet through a proxy at your company, you can change the proxy settings on the Tools -> Options -> Connection screen. Also, you must select your operating system and web browser on the Tools -> Options -> Connection screen. These settings are shown in the figures below.


[Optional] Manual Security Test with ZAP and Firefox

You can change Firefox's proxy settings as shown below. First, go to the Tools -> Options -> Advanced tab. Then configure the settings shown below.


After completing these settings, restart ZAP and Firefox. When you then visit any website, you will see the HTTP request lines and Alerts in the ZAP console panel as shown below. This is the MANUAL way of performing security tests.


Step-2: Browser Configuration in our Automation Code

As I mentioned earlier, I used Capybara for web automation with Selenium WebDriver as the driver. You should also install the RestClient gem.

You can find out how to install Ruby, Cucumber and Capybara, and how to configure them, in this article.

In this configuration, I chose Firefox as the browser. In order to reach the internet through our preferred proxy with Firefox, we need to add the code below to the env.rb file.

Step-3: Start the ZAP in the Code

Before running the tests, we need to start ZAP. To do this, I executed the line below in my Ruby code.

On OS X or Linux:

On Windows:

In Ruby there are a few different ways to run an external program (Kernel#system, exec, backticks, etc.). However, after launching the external program, none of these methods automatically hand control back to the Ruby code. Only the "IO.popen" method executes the program you want and then lets the rest of the code continue running.
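As an added example (not the project's own code from the repository linked above), here is one way to do the Step-3 start-up with IO.popen so that control returns to the Ruby code, with a readiness check on the proxy port instead of a fixed sleep. The extraction directory passed as zap_dir and the use of ZAP's -daemon/-host/-port command-line options are assumptions; the host and port are the ones configured in Step-1.

```ruby
require 'socket'

ZAP_HOST = 'localhost'
ZAP_PORT = 8095 # the proxy address configured in Step-1

# Builds the start-up command. zap_dir is the directory into which the
# cross-platform ZAP archive was extracted (an assumed path); "-daemon"
# starts ZAP headless, which is what a build agent needs.
def zap_command(zap_dir, port, windows: Gem.win_platform?)
  script = windows ? 'zap.bat' : 'zap.sh'
  [File.join(zap_dir, script), '-daemon', '-host', ZAP_HOST, '-port', port.to_s]
end

# Polls until something accepts a TCP connection on host:port or the timeout
# elapses. Returns true when the port is open, false otherwise.
def wait_for_port(host, port, timeout: 60, interval: 1)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  loop do
    begin
      TCPSocket.new(host, port).close
      return true
    rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketError
      return false if Process.clock_gettime(Process::CLOCK_MONOTONIC) >= deadline
      sleep interval
    end
  end
end

# Starts ZAP in a child process. IO.popen returns immediately, so the test
# code keeps running; we then block only until the proxy port is listening.
# Stop ZAP at the end of the run with Process.kill('TERM', io.pid).
def start_zap(zap_dir, port: ZAP_PORT)
  io = IO.popen(zap_command(zap_dir, port), err: [:child, :out])
  unless wait_for_port(ZAP_HOST, port)
    Process.kill('TERM', io.pid)
    raise "ZAP did not start listening on #{ZAP_HOST}:#{port}"
  end
  io
end
```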

Step-4: Running Web Automation Codes

There are passive and active ways to do security testing on web applications. Active methods attack the site, for example with AJAX crawlers. In our sample project, we will use a passive method because the site under test does not belong to us. In this method, we automate some basic journey tests and let ZAP detect security vulnerabilities in the site as the traffic passes through it. If you enrich and diversify your test scenarios, you also increase the probability that ZAP detects a vulnerability. In our project, the journey test flow is described below:

  1. Navigate to www.akakce.com
  2. Search for an item.
  3. Filter the results according to a certain price range.
  4. Go to the details of the first filtered result.

The code for the scenario above is shown below:

At the end of the code, I waited 20 seconds because it takes some time for ZAP to process the detected vulnerabilities and make the results available through the API. Instead of a static wait, you can implement this wait with the status checks that the API provides. I am leaving the details of this work to you.

Step-5: Reading Warnings and Reporting with ZAP

When our tests are finished, we need to interpret the detected warnings, errors and vulnerabilities. We use the ZAP API to reach them. While your ZAP instance is alive, if you open the ZAP's <listened proxy>/UI address (localhost:8095/UI in this project) in your browser, you can see all the functions that the ZAP API provides. We used the code line below to reach the warnings/errors/vulnerabilities.

When we get the results, we can separate and report them by their risk level. In our code, if a high-risk vulnerability is found, we print those alerts first and then break the build with an assertion. You can also prepare a test plan and design your build pipeline based on your own criteria.
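Added example covering both the API-based wait suggested in Step-4 and the reporting in Step-5 (this is not the project's code; it uses only the Ruby standard library instead of RestClient). It assumes the ZAP API is reachable on the localhost:8095 proxy from Step-1, uses ZAP's pscan/view/recordsToScan and core/view/alerts views, and includes a constructed sample of alerts so the reporting can be tried offline.

```ruby
require 'net/http'
require 'json'

ZAP_API = 'http://localhost:8095' # the proxy address configured in Step-1

# Calls a ZAP JSON view; if ZAP_API_KEY is set it is sent as apikey (newer ZAP needs it).
def zap_json(path, params = {})
  params = params.merge('apikey' => ENV['ZAP_API_KEY']) if ENV['ZAP_API_KEY']
  uri = URI.join(ZAP_API, path)
  uri.query = URI.encode_www_form(params) unless params.empty?
  JSON.parse(Net::HTTP.get(uri))
end

# Replaces the static 20-second sleep: polls until the passive scanner reports no records left.
def wait_for_passive_scan(timeout: 120, interval: 2)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  loop do
    return true if zap_json('/JSON/pscan/view/recordsToScan/')['recordsToScan'].to_i.zero?
    return false if Process.clock_gettime(Process::CLOCK_MONOTONIC) >= deadline
    sleep interval
  end
end

# Prints alerts from most to least severe; returns how many fall into the build-breaking levels.
def report(alerts, fail_on: ['High'])
  grouped = alerts.group_by { |a| a['risk'] }
  %w[High Medium Low Informational].each do |risk|
    next unless grouped.key?(risk)
    puts "#{risk}: #{grouped[risk].size} alert(s)"
    grouped[risk].each { |a| puts "  - #{a['alert']} at #{a['url']}" }
  end
  fail_on.sum { |risk| grouped.fetch(risk, []).size }
end

# Build gate: wait for the scanner, fetch the alerts for the site under test, fail on High risk.
def security_gate(base_url)
  warn 'passive scan still running; results may be incomplete' unless wait_for_passive_scan
  alerts = zap_json('/JSON/core/view/alerts/', 'baseurl' => base_url)['alerts']
  failures = report(alerts)
  raise "#{failures} high-risk alert(s) found, breaking the build" if failures > 0
  alerts
end

# Constructed sample in the shape ZAP returns, used to try the reporting offline.
SAMPLE_ALERTS = [
  { 'alert' => 'Cross Site Scripting (Reflected)', 'risk' => 'High', 'url' => 'http://example.test/search?q=' },
  { 'alert' => 'X-Frame-Options Header Not Set', 'risk' => 'Medium', 'url' => 'http://example.test/' },
  { 'alert' => 'Cookie No HttpOnly Flag', 'risk' => 'Low', 'url' => 'http://example.test/' }
].freeze
```

In the test run you would call security_gate('http://www.akakce.com') after the journey steps; the raise is what breaks the build.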

Test Codes and Test Execution

Folder Structure


GitHub Page of Test Codes

https://github.com/swtestacademy/zap-security/tree/swtestacademy/

Test Files

Feature File (owasp_zap_scanning.feature):

Steps File (my_steps.rb):

Functions File (functions.rb):

Environment File (env.rb):

Test Execution

You can go to your test automation project folder and run the command below.


ZAP will then open and you will see the results below.


Conclusion

Actually, the method that I tried to explain here is new even to me. There are many improvements that can be made. I hope this article, which aims to show that security tests can be run without human intervention, will be useful to you. Please keep in mind that applying the techniques described here does not mean that you no longer need security or penetration testing. Security is a very serious issue and it has to be handled by security experts with an engineering point of view. The basic objective of our test here is to give the development team feedback about the safety of the product from the first iteration and to ensure a basic level of security. It can also help us find and eliminate security vulnerabilities before the extensive and more professional security/penetration testing phases.

About ThoughtWorks and Test Hive

ThoughtWorks is a software consultancy firm which has been operating since 1993 in 12 countries with 34 offices and more than 3600 consultants. In the software sector, ThoughtWorks is not only a follower and implementer; it produces and discovers new ways with its game-changing consultants, and thus holds a very important place in the market. ThoughtWorks has been operating in Turkey for more than two years and has an ambitious mission to change the understanding of software in our country. In order to achieve this goal, it pioneered the foundation of many communities and is also a sponsor of the Test Hive group, which undertakes the same mission in the software testing domain. Test Hive regularly organizes events to help progress in software testing, shares articles and research papers, organizes trainings and provides environments for test engineers to share information. www.testhive.org