Penetration testing web applications is not an easy task, no matter if you are a Java, PHP, Ruby or C# developer. Often development teams use web frameworks to develop their application and rely on built-in security features without understanding possible attack scenarios. Other times developers rely on the operations team when it comes to securing the web application.

Recently I came across a tool that solves this problem, the Zed Attack Proxy (ZAP). This open-source tool was developed at the Open Web Application Security Project (OWASP). Its main goal is to allow easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts. In this blog I want to give you an introduction to ZAP and how to integrate it in your development lifecycle.

The latest version of ZAP 2.x is a client that runs on Windows, Linux and MacOS and requires Java 7. Once you start ZAP you will see a quick start tab. Simply insert the URL of your web application and start the attack. Legal disclaimer: Only run ZAP against your own environments, i.e. it is illegal to attack websites from competitors or other people.

Once you start the attack ZAP will crawl through your web application and record all URLs from your domain. It will skip URLs that point to other domains. In the second step it will run different attack scenarios against the found URLs and record the results. I was running ZAP against my own web application that is running on a Tomcat server. Here is an example of what the results look like.

As you can see ZAP found several warnings of possible vulnerabilities. It lists the results in several categories. In my case I did not remove the examples folder that comes with the default Tomcat installation. ZAP found seven possible cross site scripting vulnerabilities that need to be fixed. You can select the warnings you are interested in and ZAP will show you the request and response raw data as well as hints on how to fix the vulnerability.

As you can imagine this quick start is just a basic security check for your application. The spider only finds URLs that were linked from the initial page. In order to be more thorough you need to do a little more. The following diagram shows the setup I am going to introduce now.

I will configure my local web browser to use ZAP as a proxy while I am browsing my web application. This allows ZAP to record the traffic and use that traffic for a replay attack while modifying the request parameters.

First we need to activate ZAP as a proxy. Open ZAP -> Tools -> Options -> Local Proxy. Configure the address and port on which ZAP will listen for requests.

After that I need to change my local browser to use this proxy. In most browsers you can do this under Settings -> Network -> Proxy Settings. Now I can use my browser to access my web application. ZAP will automatically record the traffic. In the Sites window you will find all websites and requests that ZAP recorded. When you right-click on a single site you can configure ZAP to attack the found URLs.

Integrating ZAP with your continuous delivery lifecycle

As you can see ZAP is a good start for penetration testing your web application. In the next chapter I will explain how to integrate ZAP in your continuous integration / delivery lifecycle using Jenkins. I created a separate Jenkins job that can be part of your continuous delivery pipeline or can be run on demand. To automate the penetration testing we need to have automated acceptance tests that drive the web application. In this example I have written jBehave tests that test all features of the web application. For more details on jBehave have a look at:

If you are not familiar with jBehave, you can also use Selenium, Robot or Cucumber. The following diagram explains the setup. I am using jBehave to drive the web browser. ZAP needs to be configured as a proxy for the web browser so it can record the traffic.

After jBehave is done, I am using the ZAP REST API to run the URL spider and afterwards start the attack of the web application. Once ZAP is done, you can get the results via the ZAP REST API as XML or JSON. I have written a small Java application to call the REST API. You can also use one of the following plugins:
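The spider, attack and fetch-results sequence that the post drives from its Java application, written here as an added Python example against ZAP's JSON API (not the author's code). ZAP's address, the API key and the sample alerts are assumed or constructed; the exit code is what lets the Jenkins job fail when ZAP reports findings at or above a chosen risk level.

```python
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"  # assumed: address/port set under Tools -> Options -> Local Proxy
API_KEY = "changeme"               # assumed placeholder for ZAP's API key (Tools -> Options -> API)
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # risk levels ZAP assigns to alerts

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?apikey=...&url=..."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"

def call(component, kind, name, **params):
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)

def wait_for(component, scan_id):
    """Poll /JSON/<spider|ascan>/view/status/ until the scan reports 100 percent."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)

def run_scan(target):
    """Spider the target, then actively scan what was found, then fetch the alerts as JSON."""
    wait_for("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", call("ascan", "action", "scan", url=target)["scan"])
    return call("core", "view", "alerts", baseurl=target)["alerts"]

def blocking_alerts(alerts, threshold="Medium"):
    """CI gate input: the alerts at or above the threshold risk level (empty list = pass)."""
    limit = RISK_ORDER.index(threshold)
    return [a for a in alerts if RISK_ORDER.index(a["risk"]) >= limit]

# Constructed sample of what core/view/alerts returns, so the gate also runs offline.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://localhost:8081/examples/search", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://localhost:8081/", "param": ""},
    {"alert": "Cookie Without HttpOnly Flag", "risk": "Low", "url": "http://localhost:8081/login", "param": "JSESSIONID"},
]

if __name__ == "__main__":
    alerts = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for a in alerts:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param: {a['param']})")
    sys.exit(1 if blocking_alerts(alerts) else 0)  # non-zero exit fails the Jenkins job
```

Run it with the web application's URL as the only argument from the Jenkins job after the jBehave step; without an argument it evaluates the constructed sample instead of calling ZAP.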