Automated Security Testing Using The ZAP API


About Me
My name is Michael Haselhurst. I work for Sage as a Test Analyst. This is the first OWASP meeting I've attended, so it's a bit scary to be standing at the front when I should be hiding at the back of the room. I'm not an expert in anything security related, although hopefully that won't be too obvious tonight.

What Is ZAP?
ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

What Is Sahi?
Sahi is a tool used for the automation of web application testing. It comes in two flavours: a tasty free open source version, Sahi Open Source, and a commercial version named Sahi Pro. Sahi Script is Sahi's scripting language. It has the same syntax as JavaScript, except that variables need to be prefixed with a $ sign.

Problem
As testers, we should be testing the security of the web applications that we support. Some of my colleagues had a few concerns:
"I don't know anything about security testing."
"I don't have time to understand how to do security testing."
"How do I do security testing on this website?"

Solution
Teaching my colleagues about security testing wouldn't be a great idea. It would take a long time, plus I don't think I'm an authoritative source on the matter. An easier (lazier) option would be to create an automated test in Sahi to do the security testing for us!

How Will It Work?
The automated script would work by:
1. Getting the user to declare some simple variables, such as the URL of the site being targeted.
2. Creating a new context.
3. Adding this site to the context.
4. Spidering this site.
5. Performing an active scan of the site.
6. Reporting any issues found.

Setting Up Sahi
To allow Sahi to communicate with ZAP, edit userdata.properties and point Sahi's outbound HTTPS proxy at ZAP's listener by setting the host and the port as follows:
ext.https.proxy.host=localhost
ext.https.proxy.port=8080

Using The ZAP API


Writing The Script
// User-supplied variables: the context name, the target host, the scheme and the spider depth
var $contextName = "Site2Target";
var $URL = "google.com";
var $prefix = "https";
var $children = "5";
// ZAP API calls are plain URLs; Sahi reaches them because ZAP is configured as its proxy
var $newContext = "http://zap/HTML/context/action/newContext/?zapapiformat=HTML&contextName=" + $contextName;
var $includeInContext = "http://zap/HTML/context/action/includeInContext/?zapapiformat=HTML&contextName=" + $contextName + "&regex=%5CQ" + $prefix + "%253A%252F%252F" + $URL + "%5CE.*";
var $spider = "http://zap/HTML/spider/action/scan/?zapapiformat=HTML&url=" + $prefix + "%3A%2F%2F" + $URL + "%2F&maxChildren=" + $children;
var $activeScan = "http://zap/HTML/ascan/action/scan/?zapapiformat=HTML&url=" + $prefix + "%3A%2F%2F" + $URL + "%2F&recurse=&inScopeOnly=true&scanPolicyName=&method=&postData=";

Writing The Script
// Create the context and add the target site to it
_navigateTo($newContext);
_navigateTo($includeInContext);
// Start the spider; the HTML response holds the scan id in its first table cell
_navigateTo($spider);
var $spiderID = _getValue(_cell(1));
// Reload the status view until the status cell reads "100" (spider finished)
_navigateTo("http://zap/HTML/spider/view/status/?zapapiformat=HTML&scanId=" + $spiderID);
while (_condition(_exists(_cell("100")) != true))
    _call(top.location.reload());
if (_condition(_exists(_cell("100")))) {
    _navigateTo($activeScan);
}
// Same wait loop for the active scan
var $ascanID = _getValue(_cell(1));
_navigateTo("http://zap/HTML/ascan/view/status/?zapapiformat=HTML&scanId=" + $ascanID);
while (_condition(_exists(_cell("100")) != true))
    _call(top.location.reload());
if (_condition(_exists(_cell("100")))) {
    _navigateTo("http://zap/OTHER/core/other/htmlreport/");
}
// Capture the HTML report as a screenshot for the test log
_focusWindow();
_takePageScreenShot();
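The same six-step workflow can be driven from any HTTP client rather than through a Sahi browser session. The following is an added example, not the author's Sahi script, that uses ZAP's JSON API format (the /JSON/ path instead of /HTML/) so each response can be parsed instead of scraped from a table cell. It assumes ZAP is listening on localhost:8080; the optional api_key argument is sent as ZAP's apikey parameter, which ZAP releases newer than the one in the talk require. The make_fake_zap() stand-in is constructed here so the workflow runs offline; replace it with http_fetch to talk to a real instance.

```python
"""Added example: drive the ZAP API over plain HTTP, mirroring the Sahi script's steps."""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"   # assumption: ZAP listening on its default proxy port


def api_url(path, api_key=None, **params):
    """Build a ZAP JSON-API URL such as .../JSON/spider/action/scan/?url=...
    api_key is sent as the 'apikey' parameter; newer ZAP releases reject calls without it."""
    if api_key:
        params["apikey"] = api_key
    return f"{ZAP_API}/JSON/{path}/?" + urllib.parse.urlencode(params)


def query_params(url):
    """Decode a URL's query string into a flat dict (used by the fake ZAP below)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def build_zap_urls(prefix, site, children, context_name, api_key=None):
    """The four action URLs from the slides, with every parameter URL-encoded exactly once."""
    target = f"{prefix}://{site}/"
    regex = f"\\Q{prefix}://{site}\\E.*"      # \Q...\E quotes the URL literally inside the regex
    return {
        "new_context": api_url("context/action/newContext", api_key, contextName=context_name),
        "include_in_context": api_url("context/action/includeInContext", api_key,
                                      contextName=context_name, regex=regex),
        "spider": api_url("spider/action/scan", api_key, url=target, maxChildren=children),
        "active_scan": api_url("ascan/action/scan", api_key, url=target, recurse="",
                               inScopeOnly="true", scanPolicyName="", method="", postData=""),
    }


def wait_for_completion(fetch, status_path, scan_id, api_key=None, poll_seconds=2.0, max_polls=900):
    """Poll spider/view/status or ascan/view/status until it reports 100; return the poll count.
    The Sahi script reloads the page forever; a bounded loop avoids hanging on a stalled scan."""
    status = 0
    for polls in range(1, max_polls + 1):
        status = int(fetch(api_url(status_path, api_key, scanId=scan_id))["status"])
        if status >= 100:
            return polls
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still at {status}% after {max_polls} polls")


def run_workflow(fetch, prefix, site, children, context_name, api_key=None, poll_seconds=2.0):
    """Context -> include site -> spider -> active scan -> report URL, via the supplied fetch()."""
    urls = build_zap_urls(prefix, site, children, context_name, api_key)
    fetch(urls["new_context"])
    fetch(urls["include_in_context"])
    spider_id = fetch(urls["spider"])["scan"]          # scan actions answer {"scan": "<id>"}
    spider_polls = wait_for_completion(fetch, "spider/view/status", spider_id, api_key, poll_seconds)
    ascan_id = fetch(urls["active_scan"])["scan"]
    ascan_polls = wait_for_completion(fetch, "ascan/view/status", ascan_id, api_key, poll_seconds)
    return {"spider_id": spider_id, "spider_polls": spider_polls,
            "ascan_id": ascan_id, "ascan_polls": ascan_polls,
            "report_url": f"{ZAP_API}/OTHER/core/other/htmlreport/"}


def http_fetch(url, timeout=30):
    """Real transport: GET the URL from a running ZAP and parse the JSON reply."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def make_fake_zap(spider_polls=3, ascan_polls=2):
    """Constructed stand-in for ZAP so the workflow runs offline: scan actions hand out
    sequential ids and each status view climbs to 100 over a fixed number of polls."""
    state = {"next_id": 0, "progress": {}}

    def fetch(url):
        path = urllib.parse.urlsplit(url).path
        if path.endswith("/action/scan/"):
            scan_id = str(state["next_id"])
            state["next_id"] += 1
            state["progress"][scan_id] = [0, spider_polls if "/spider/" in path else ascan_polls]
            return {"scan": scan_id}
        if path.endswith("/view/status/"):
            progress = state["progress"][query_params(url)["scanId"]]
            progress[0] += 1
            return {"status": str(min(100, 100 * progress[0] // progress[1]))}
        return {"Result": "OK"}   # newContext / includeInContext acknowledge with Result OK

    return fetch


if __name__ == "__main__":
    # Offline run against the fake; swap in http_fetch (and an api_key) for a real ZAP instance.
    print(run_workflow(make_fake_zap(), "https", "example.com", "5", "Site2Target", poll_seconds=0))
```

Two design points differ from the Sahi version on purpose: the regex passed to includeInContext is encoded once by urlencode, so ZAP sees \Qhttps://example.com\E.* after decoding, and the wait loop is bounded so an unattended CI job fails with a TimeoutError instead of reloading forever if a scan stalls.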

Results
Some of my direct colleagues now use this script, as do some other teams within Sage's UK business as well as some testing teams in other countries, such as in Sage Brazil. I wrote a document to accompany the script for people to learn a little bit more about how the script works and interacts with ZAP. If anyone would like a copy of this document then please get in touch.

Interested?
If anything I've talked about interests you and you'd like more information (or even a copy of the script), then feel free to contact me via one of many communication methods:
Email: [email protected]
Facebook: facebook.com/haselhurst
Twitter: twitter.com/haselhurst
Anything Else: /haselhurst (probably).

Questions?
