Security Automation using ZAP
Uploaded by vaibhav-gupta (category: Engineering)
Transcript of Security Automation using ZAP
![Page 1: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/1.jpg)
Security Automation Using ZAP
![Page 2: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/2.jpg)
About us
• Vaibhav Gupta
  – Loves to be both, a defender and an attacker :)
  – Security Researcher @ Adobe (for bread, butter & beer!)
  – Delhi Chapter Leader – OWASP & Null
• Sandeep Sigh (not with us today :( )
  – Security Engineer @ ESSEL Group
  – Delhi Chapter Leader – OWASP & Null
![Page 3: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/3.jpg)
About Adobe
Twitter: @VaibhavGupta_1 3
[Slide graphic: Adobe overview – Content / Data; Creative Cloud, Document Cloud, Marketing Cloud; Community, Marketplace, Partners, Developers]
![Page 4: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/4.jpg)
Agenda
• What is ZAP
• Quick run-through of the ZAP GUI
• Understanding what can be automated
• Automating ZAP
• A few considerations/hacks
• Use cases
![Page 5: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/5.jpg)
What is ZAP
• Zed Attack Proxy
• Automated web application security scanner (and intercepting proxy)
• An OWASP project
• Voted No. 1 security tool in the ToolsWatch survey
Ref: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
![Page 6: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/6.jpg)
Quick run-through of the ZAP GUI
• Contexts
• Request/Response
• Options
• Spider
• Scan alerts
• Scan Policy Manager
![Page 7: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/7.jpg)
Understanding what can be automated
• Configuration
• Spidering
• Passive scan
• Active scan
• Authentication
• Many additional capabilities :)
![Page 8: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/8.jpg)
Automating ZAP
• ZAP APIs: browse to http://zap/UI/ through the ZAP proxy for the interactive API UI. State-changing calls need the API key configured under Options > API in the GUI; the examples below pass it as apikey on every call.
• Python client: pip install python-owasp-zap-v2.4
• Example 1: Initializing ZAP in Python
• Example 2: Spidering a web application
• Example 3: Passive scanning
• Example 4: Active scanning
• Example 5: Simple authenticated scanning
• Example 6: Some other important APIs
![Page 9: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/9.jpg)
Example 1: Initializing ZAP in Python

```python
from zapv2 import ZAPv2

# Default: the client talks to a ZAP instance proxying on localhost:8080
zap = ZAPv2()

# or, when ZAP listens elsewhere, point the client at its proxy address
zap = ZAPv2(proxies={'http': 'http://x.x.x.x:yyyy',
                     'https': 'http://x.x.x.x:yyyy'})
```
![Page 10: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/10.jpg)
Example 2: Spidering a web application

```python
import time

# scan() returns the scan id; pass it to status() so a later spider run
# cannot be confused with this one
scan_id = zap.spider.scan(input_target, apikey=API_Key)
while int(zap.spider.status(scan_id)) < 100:
    print('Spider progress %: ' + zap.spider.status(scan_id))
    time.sleep(2)

# AJAX spider for JavaScript-driven navigation; poll zap.ajaxSpider.status
# until it reports 'stopped'
zap.ajaxSpider.scan(url=input_target, apikey=API_Key)
```
![Page 11: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/11.jpg)
Example 3: Passive scanning

```python
zap.pscan.disable_all_scanners(apikey=API_Key)
zap.pscan.enable_scanners(ids='10040', apikey=API_Key)   # comma-separated rule ids
zap.pscan.enable_all_scanners(apikey=API_Key)
zap.pscan.set_enabled(enabled=True, apikey=API_Key)
# Passive rules run asynchronously on proxied traffic; wait until
# zap.pscan.records_to_scan reports '0' before reading alerts
```
Ref: http://zap/UI/pscan/view/scanners/
![Page 12: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/12.jpg)
Example 4: Active scanning

```python
scan_id = zap.ascan.scan(target, apikey=API_Key)
while int(zap.ascan.status(scan_id)) < 100:
    print('Scan progress %: ' + zap.ascan.status(scan_id))
    time.sleep(5)   # without a pause this loop hammers the API

# Run with a named scan policy defined in the Scan Policy Manager
zap.ascan.scan(input_target, scanpolicyname=input_policy, apikey=API_Key)
```
![Page 13: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/13.jpg)
Example 5: Simple authenticated scanning

```python
# contextid and userid are the numeric ids ZAP assigned to the context and
# the user defined in it; look them up via the APIs below rather than
# hard-coding them
zap.ascan.scan_as_user(url=input_target, contextid=1, userid=4, apikey=API_Key)
```

• http://zap/UI/context/view/context/
• http://zap/UI/users/view/usersList/
![Page 14: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/14.jpg)
Example 6: Some other important APIs
• http://zap/UI/spider/action/setOptionMaxDepth/ – cap how deep the spider follows links
• http://zap/UI/context/action/importContext/ – load a context saved from the GUI (scope, authentication, users)
• http://zap/UI/context/action/includeInContext/ – add a URL regex to a context's scope
• http://zap/UI/context/action/newContext/
• http://zap/UI/core/other/xmlreport/ – the full alert report as XML
• http://zap/UI/core/action/shutdown/ – stop ZAP cleanly when the run is over
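Examples 1 to 6 are steps of one pipeline, so here is an added end-to-end driver that chains them (example code written for this page, not from the talk or the ZAP project): import a context, spider, optionally AJAX-spider, wait for the passive scanner to drain, active-scan (as a configured user when one is named), then collect the alerts and the XML report. It also covers the "importing contexts" and "sleeps between polls" points from the considerations slide. It assumes python-owasp-zap-v2.4, ZAP proxying on 127.0.0.1:8080, the API key in the ZAP_API_KEY environment variable and the target in ZAP_TARGET; the attributes zap.ajaxSpider.status, zap.pscan.records_to_scan, zap.context.context, zap.context.import_context and zap.users.users_list are the client's, while wait_until, lookup_user and run_scan are names this example introduces.

```python
"""Added example (not the slides' or the ZAP project's code): one driver that
chains the API calls from Examples 1-6. Assumes python-owasp-zap-v2.4, ZAP on
127.0.0.1:8080, the API key in ZAP_API_KEY and the target URL in ZAP_TARGET."""
import os
import time

try:
    from zapv2 import ZAPv2      # pip install python-owasp-zap-v2.4
except ImportError:              # the helpers below stay importable without it
    ZAPv2 = None


def wait_until(poll, done, interval=2.0, timeout=1800, sleep=time.sleep):
    """Call poll() until done(value) is true and return the number of polls.
    Replaces the tight loops on the slides with a fixed pause between polls
    and a hard timeout, so a stalled spider or scan cannot hang a CI job."""
    started = time.monotonic()
    polls = 0
    while True:
        value = poll()
        polls += 1
        if done(value):
            return polls
        if time.monotonic() - started > timeout:
            raise TimeoutError('ZAP task still at %r after %ds' % (value, timeout))
        sleep(interval)


def lookup_user(zap, context_name, user_name):
    """Resolve the (contextid, userid) pair scan_as_user needs from names,
    instead of the hard-coded 1 and 4 on slide 13."""
    context_id = zap.context.context(context_name)['id']
    for user in zap.users.users_list(contextid=context_id):
        if user['name'] == user_name:
            return context_id, user['id']
    raise LookupError('no user %r in context %r' % (user_name, context_name))


def run_scan(zap, target, apikey, policy=None, ajax=False,
             context_file=None, context_name=None, user_name=None):
    """Spider, drain passive scan, active-scan; return (alerts, xml_report)."""
    if context_file:   # scope, auth method and users saved from the GUI
        zap.context.import_context(context_file, apikey=apikey)

    scan_id = zap.spider.scan(target, apikey=apikey)
    wait_until(lambda: int(zap.spider.status(scan_id)), lambda p: p >= 100)

    if ajax:           # JavaScript-driven navigation the classic spider misses
        zap.ajaxSpider.scan(target, apikey=apikey)
        wait_until(lambda: zap.ajaxSpider.status, lambda s: s == 'stopped')

    # Passive rules run asynchronously on proxied traffic; let the queue
    # empty so their alerts exist before the report is pulled.
    wait_until(lambda: int(zap.pscan.records_to_scan), lambda n: n == 0)

    if user_name:
        context_id, user_id = lookup_user(zap, context_name, user_name)
        scan_id = zap.ascan.scan_as_user(target, contextid=context_id,
                                         userid=user_id, scanpolicyname=policy,
                                         apikey=apikey)
    else:
        scan_id = zap.ascan.scan(target, scanpolicyname=policy, apikey=apikey)
    wait_until(lambda: int(zap.ascan.status(scan_id)), lambda p: p >= 100,
               interval=5.0)

    alerts = zap.core.alerts(baseurl=target)
    return alerts, zap.core.xmlreport(apikey=apikey)


if __name__ == '__main__':
    proxy = 'http://127.0.0.1:8080'                      # assumed ZAP address
    key = os.environ.get('ZAP_API_KEY', '')
    client = ZAPv2(proxies={'http': proxy, 'https': proxy})
    found, report = run_scan(client,
                             os.environ.get('ZAP_TARGET', 'http://target.example/'),
                             key, ajax=True)
    with open('zap-report.xml', 'w') as fh:
        fh.write(report)
    for a in found:
        print(a['risk'], a['alert'], a['url'])
    client.core.shutdown(apikey=key)                     # slide 14's shutdown API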
![Page 15: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/15.jpg)
A few considerations/hacks
• AJAX spidering
• Importing contexts/configs
• Random sleeps
• Scan output for a particular context/scan
• Documentation
• Custom scripting!
![Page 16: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/16.jpg)
Let's discuss a few use cases
• Scanning at scale
• Integration with CI/CD systems like Jenkins
• Custom authentication
• Unit security test cases
• Research at scale!
• The list is endless… :)
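For the CI/CD and unit-security-test use cases above, the scan output has to become a pass/fail decision. The following added example (written for this page, not from the talk or the ZAP project) takes the list that zap.core.alerts() returns, collapses duplicate findings, counts them by risk and fails the build on anything at or above a chosen risk level that is not in an accepted baseline. The alert dicts are a constructed sample using ZAP's JSON field names (pluginId, alert, risk, url, param); the baseline file format and the helper names (alert_key, dedupe, summarize, gate, baseline_keys) are this example's own.

```python
"""Added example (not the slides' or the ZAP project's code): a CI/CD gate
that turns the alert list returned by zap.core.alerts() into a pass/fail
decision. SAMPLE_ALERTS is constructed to mirror ZAP's JSON field names;
the baseline format is this example's own convention."""
import json
import sys

RISK_ORDER = {'Informational': 0, 'Low': 1, 'Medium': 2, 'High': 3}

# Constructed sample in the shape of zap.core.alerts(baseurl=...) output.
SAMPLE_ALERTS = [
    {'pluginId': '40018', 'alert': 'SQL Injection', 'risk': 'High',
     'url': 'http://target.example/search', 'param': 'q'},
    {'pluginId': '10038', 'alert': 'Content Security Policy (CSP) Header Not Set',
     'risk': 'Medium', 'url': 'http://target.example/', 'param': ''},
    {'pluginId': '10038', 'alert': 'Content Security Policy (CSP) Header Not Set',
     'risk': 'Medium', 'url': 'http://target.example/login', 'param': ''},
    {'pluginId': '10038', 'alert': 'Content Security Policy (CSP) Header Not Set',
     'risk': 'Medium', 'url': 'http://target.example/login', 'param': ''},  # duplicate
    {'pluginId': '10021', 'alert': 'X-Content-Type-Options Header Missing',
     'risk': 'Low', 'url': 'http://target.example/', 'param': ''},
]


def alert_key(alert):
    """Stable identity for a finding: rule id plus location. ZAP's per-run
    alert ids change between scans, so a baseline keyed on them would not survive a rescan."""
    return (alert['pluginId'], alert['url'], alert.get('param', ''))


def dedupe(alerts):
    """ZAP can report the same rule at the same location more than once
    (e.g. once per request); keep one instance per key, first seen wins."""
    seen, unique = set(), []
    for alert in alerts:
        key = alert_key(alert)
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique


def summarize(alerts):
    """Count distinct findings per risk level, e.g. {'High': 1, 'Medium': 2}."""
    counts = {}
    for alert in dedupe(alerts):
        counts[alert['risk']] = counts.get(alert['risk'], 0) + 1
    return counts


def gate(alerts, fail_on='High', baseline=()):
    """Return the distinct alerts at or above fail_on that are not in the
    accepted baseline; an empty list means the build may proceed."""
    threshold = RISK_ORDER[fail_on]
    accepted = set(tuple(k) for k in baseline)   # JSON gives lists, keys are tuples
    return [a for a in dedupe(alerts)
            if RISK_ORDER.get(a['risk'], 0) >= threshold
            and alert_key(a) not in accepted]


def baseline_keys(alerts):
    """Keys to persist (as JSON) once findings have been triaged and accepted."""
    return set(alert_key(a) for a in dedupe(alerts))


def load_json(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == '__main__':
    # usage: python zap_gate.py [alerts.json] [baseline.json]
    alerts = load_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    baseline = load_json(sys.argv[2]) if len(sys.argv) > 2 else []
    failing = gate(alerts, fail_on='Medium', baseline=baseline)
    print('summary:', summarize(alerts))
    for a in failing:
        print('FAIL %-6s %s at %s [%s]' % (a['risk'], a['alert'], a['url'], a['param']))
    sys.exit(1 if failing else 0)
```

Keying the baseline on (rule, URL, parameter) rather than on alert text means a renamed rule still matches, while the same rule firing on a new endpoint is a new finding and fails the build, which is the behaviour a pipeline gate needs.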
![Page 17: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/17.jpg)
ZAP Resources
• Getting Started Guide (PDF) – an introductory guide
• Tutorial videos
• User Guide – online version of the ZAP user guide
• User Group – ask questions about using ZAP
• Add-ons – help for the optional add-ons you can install
• StackOverflow – because some people use this for everything ;-)
![Page 18: Security Automation using ZAP](https://reader036.fdocuments.in/reader036/viewer/2022082217/5871f1f31a28ab5c348b5b3d/html5/thumbnails/18.jpg)
Thank you! :)

Vaibhav Gupta
Email: [email protected]
Twitter: @VaibhavGupta_1
Blog: www.exploits.work

Security portal: https://www.adobe.com/security
Security @Adobe blog: https://blogs.adobe.com/security
Twitter: @AdobeSecurity