securecodebox / scanner-webapplication-zap Goto Github PK
View Code? Open in Web Editor NEWPart of the deprecated secureCodeBox v1, see secureCodeBox/secureCodeBox Repo for v2
License: Apache License 2.0
scanner-webapplication-zap's People
Contributors
Stargazers
Watchers
scanner-webapplication-zap's Issues
Secure the Engine API and all Security Scanner with Basic Authentication
The secureCodeBox API should be secured with an authentication method like Basic Auth to ensure that only authenticated scanners are allowed to pull and push scan jobs. This is important if you deploy the scanner and engine in different networks.
Therefore the Engine API needs an configurable Authentication and all scanners must be able to authenticate. This feature must be configurable via environment variables.
Container crashes if wrapper starts before zap proxy
When the Spring Boot wrapper starts before the zap proxy completes its startup the entire container crashes. Stack trace can be found in the integration suite log: https://travis-ci.com/secureCodeBox/secureCodeBox/builds/99466049#L942
Currently the container only contains a sleep, which should ensure that zap is properly started before the wrapper starts. This is unfortunately not true for all machines especially machines with limited performance.
A better way to check it would be a tool like wait-for-it.sh to ensure that zap is up and running before starting the wrapper, or to implement a retry mechanisms for the ZAP Service.
Configure the ZAP Attack Mode
As a user i would like to configure the Attack mode for ZAP scans. More Informations on that can be found here: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsModes
There is an existing ZAP API Endpoint for this:
- core/action/setMode (mode* ) -> Sets the mode, which may be one of [safe, protect, standard, attack]
In my target definition (used for ZAP Scans) i would like to configure this like:
[
{
"name": "ZAP BodgeIt Scan",
"location": "http://bodgeit:8080/bodgeit/",
"attributes": {
"ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
"ZAP_SPIDER_MAX_DEPTH": 1
"ZAP_ATTACK_MODE": "attack"
}
}
]
Develop: Zap stays in Scanner
I am using docker-compose.yml with a self build engine and zap. Both are current develop-branch without modifications.
I scan the juice shop via swagger:
[ { "name": "ZAP Scan 10.10.11.104", "location": "http://10.10.11.104:3000/", "attributes": { "ZAP_BASE_URL": "http://10.10.11.104:3000/", "ZAP_SPIDER_MAX_DEPTH": 1 } } ]
I am not sure which warning/error in the following log is the cause for zap to stay Scanner after finishing "Run OWASP Zap Spider" in the engine.
I see the following in the zap-container-logs:
214907 [ZAP-ProxyThread-70] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '10.10.11.104:3000': HttpSession [name=secureCodeBoxSession, active=false, tokenValues='']
214911 [ZAP-ProxyThread-71] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Setting new active session for site '10.10.11.104:3000': HttpSession [name=secureCodeBoxSession, active=true, tokenValues='']
2018-11-16 12:50:00.561 INFO 118 --- [pool-1-thread-4] i.s.zap.service.zap.ZapService : Recalling 0 requests to zap.
2018-11-16 12:50:00.561 INFO 118 --- [pool-1-thread-4] i.s.zap.service.zap.ZapService : Starting scanner for targetUrl 'http://10.10.11.104:3000/main.js' and userId -1.
2018-11-16 12:50:00.594 INFO 118 --- [pool-1-thread-4] i.s.zap.service.zap.ZapService : No custom ZAP replacer rule defined yet.
214949 [ZAP-ProxyThread-78] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/xml/ascan/action/scan/] from [127.0.0.1]:
URL Not Found in the Scan Tree (url_not_found)
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.scanURL(ActiveScanAPI.java:779)
at org.zaproxy.zap.extension.ascan.ActiveScanAPI.handleApiAction(ActiveScanAPI.java:293)
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:431)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:456)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:317)
at java.lang.Thread.run(Thread.java:748)
2018-11-16 12:50:00.604 ERROR 118 --- [pool-1-thread-4] i.s.zap.jobs.definition.EngineWorkerJob : Job execution error!
org.zaproxy.clientapi.core.ClientApiException: URL Not Found in the Scan Tree
at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(ApiResponseFactory.java:50) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:332) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at org.zaproxy.clientapi.gen.Ascan.scan(Ascan.java:278) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at org.zaproxy.clientapi.gen.Ascan.scan(Ascan.java:236) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at io.securecodebox.zap.service.zap.ZapService.startScannerAsUser(ZapService.java:260) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.executeScanner(EngineWorkerJob.java:239) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.performScannerTask(EngineWorkerJob.java:179) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.execute(EngineWorkerJob.java:108) ~[classes!/:na]
at de.otto.edison.jobs.service.JobService$1.execute(JobService.java:252) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobRunner.executeAndRetry(JobRunner.java:61) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobRunner.start(JobRunner.java:50) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobService.lambda$startAsync$7(JobService.java:216) [edison-jobs-0.82.2.jar!/:na]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_131]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_131]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) ~[na:1.8.0_131]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ~[na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_131]
2018-11-16 12:50:00.728 ERROR 118 --- [pool-1-thread-4] d.o.e.jobs.eventbus.LogJobEventListener : 'Fatal error in job engine/worker/owasp/zap (64287835-c2f1-42bd-aee7-e602b53f5034)
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure": http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure; nested exception is java.io.FileNotFoundException: http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:674)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:621)
at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:415)
at io.securecodebox.zap.service.engine.EngineTaskApiClient.reportFailure(EngineTaskApiClient.java:145)
at io.securecodebox.zap.service.engine.ZapTaskService.reportFailure(ZapTaskService.java:66)
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.execute(EngineWorkerJob.java:111)
at de.otto.edison.jobs.service.JobService$1.execute(JobService.java:252)
at de.otto.edison.jobs.service.JobRunner.executeAndRetry(JobRunner.java:61)
at de.otto.edison.jobs.service.JobRunner.start(JobRunner.java:50)
at de.otto.edison.jobs.service.JobService.lambda$startAsync$7(JobService.java:216)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.FileNotFoundException: http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1872)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at org.springframework.http.client.SimpleClientHttpResponse.getBody(SimpleClientHttpResponse.java:85)
at org.springframework.http.client.BufferingClientHttpResponseWrapper.getBody(BufferingClientHttpResponseWrapper.java:69)
at io.securecodebox.zap.service.engine.LoggingRequestInterceptor.traceResponse(LoggingRequestInterceptor.java:58)
at io.securecodebox.zap.service.engine.LoggingRequestInterceptor.intercept(LoggingRequestInterceptor.java:44)
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:88)
at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:72)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:660)
... 16 more
': '64287835-c2f1-42bd-aee7-e602b53f5034'
2018-11-16 12:50:00.730 ERROR 118 --- [pool-1-thread-4] de.otto.edison.jobs.service.JobRunner : Fatal error in job engine/worker/owasp/zap (64287835-c2f1-42bd-aee7-e602b53f5034)
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure": http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure; nested exception is java.io.FileNotFoundException: http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:674) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:621) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:415) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at io.securecodebox.zap.service.engine.EngineTaskApiClient.reportFailure(EngineTaskApiClient.java:145) ~[classes!/:na]
at io.securecodebox.zap.service.engine.ZapTaskService.reportFailure(ZapTaskService.java:66) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.execute(EngineWorkerJob.java:111) ~[classes!/:na]
at de.otto.edison.jobs.service.JobService$1.execute(JobService.java:252) ~[edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobRunner.executeAndRetry(JobRunner.java:61) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobRunner.start(JobRunner.java:50) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobService.lambda$startAsync$7(JobService.java:216) [edison-jobs-0.82.2.jar!/:na]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_131]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_131]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) ~[na:1.8.0_131]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ~[na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_131]
Caused by: java.io.FileNotFoundException: http://engine:8080/box/jobs/ff1825e9-e99d-11e8-a098-0242ac120006/failure
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1872) ~[na:1.8.0_131]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) ~[na:1.8.0_131]
at org.springframework.http.client.SimpleClientHttpResponse.getBody(SimpleClientHttpResponse.java:85) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.http.client.BufferingClientHttpResponseWrapper.getBody(BufferingClientHttpResponseWrapper.java:69) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at io.securecodebox.zap.service.engine.LoggingRequestInterceptor.traceResponse(LoggingRequestInterceptor.java:58) ~[classes!/:na]
at io.securecodebox.zap.service.engine.LoggingRequestInterceptor.intercept(LoggingRequestInterceptor.java:44) ~[classes!/:na]
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:88) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:72) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:660) ~[spring-web-4.3.15.RELEASE.jar!/:4.3.15.RELEASE]
Use the minimal ZAP docker images instead of the big stable one.
Try to use the smaller alpine based image "owasp/zap2docker-bare" instead of the bigger one "owasp/zap2docker-stable".
Therefore you have to install the packages with another package manager and maybe kick supervisor (not sure if it works under alpine linux).
Zap-Replacer-Plugin not working
The replacer-plugin is not working in my test cases.
I am using current develop docker-image of engine and zap.
docker-compose.yml:
version: '3'
services:
engine:
image: securecodebox/engine:develop
[...]
scanner-webapplication-zap:
image: securecodebox/zap:develop
[...]
Hashes of images:
tpagel@qui-gon:~/git/securecodebox/secureCodeBox$ docker images | grep "zap\|engine" | grep develop
securecodebox/engine develop 22c16fec4827 4 hours ago 171MB
securecodebox/zap develop 019df2720f2d 2 weeks ago 559MB
I developed a small test.php to see the header:
<?php
$filename="/var/www/html/requests.log";
header("Authorization", "Bearer XYZ");
$content=date("H:i:s") . " URI: " . $_SERVER["REQUEST_URI"] . " Header Authorization: ". header("Authorization") . "\n";
file_put_contents ($filename, $content, FILE_APPEND);
echo $content;
You can run it via (test.php in same folder):
docker run --rm -p 81:80 -v "$PWD":/var/www/html --name test php:7.2-apache
Run zap via securecodebox via API on the endpoint /box/processes/zap-process according to #17:
[
{
"name": "ZAP test.php Scan",
"location": "http://172.17.0.1:81/test.php",
"attributes": {
"ZAP_BASE_URL": "http://172.17.0.1:81/test.php",
"ZAP_SPIDER_MAX_DEPTH": 2,
"ZAP_REPLACER_RULES":
[
{ "matchType":"REQ_HEADER",
"description":"Add a special Authentication Header",
"matchString":"Authorization",
"initiators":"",
"matchRegex":"false",
"replacement":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
"enabled":"true"}
]
}
}
]
I tried it with "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l" in matchString and replacement, but it also didn't work.
Now you can check out requests.log and you will see that the expected Authorization-Header is not there.
Exception on empty replacer list
I started a Zap Process with an advanced scanner configuration but did not set any replacer rules.
The scanner wrapper failed too start the scan, see exception.
479603 [ZAP-ProxyThread-172] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/xml/replacer/action/addRule/] from [127.0.0.1]:
Missing Parameter (missing_parameter) : replacement
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:423)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:456)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:317)
at java.lang.Thread.run(Thread.java:748)
2018-10-24 16:15:03.718 ERROR 112 --- [pool-1-thread-5] i.s.zap.jobs.definition.EngineWorkerJob : Job execution error!
org.zaproxy.clientapi.core.ClientApiException: Missing Parameter
at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(ApiResponseFactory.java:50) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at org.zaproxy.clientapi.core.ClientApi.callApi(ClientApi.java:332) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at org.zaproxy.clientapi.gen.Replacer.addRule(Replacer.java:77) ~[zap-clientapi-1.6.0.jar!/:1.6.0]
at io.securecodebox.zap.service.zap.ZapService.addReplacerRule(ZapService.java:330) ~[classes!/:na]
at io.securecodebox.zap.service.zap.ZapService.addReplacerRule(ZapService.java:321) ~[classes!/:na]
at io.securecodebox.zap.service.zap.ZapService.resetDefaultRules(ZapService.java:98) ~[classes!/:na]
at io.securecodebox.zap.service.zap.ZapService.startScannerAsUser(ZapService.java:258) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.executeScanner(EngineWorkerJob.java:236) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.performScannerTask(EngineWorkerJob.java:179) ~[classes!/:na]
at io.securecodebox.zap.jobs.definition.EngineWorkerJob.execute(EngineWorkerJob.java:108) ~[classes!/:na]
at de.otto.edison.jobs.service.JobService$1.execute(JobService.java:252) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobRunner.executeAndRetry(JobRunner.java:61) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobRunner.start(JobRunner.java:50) [edison-jobs-0.82.2.jar!/:na]
at de.otto.edison.jobs.service.JobService.lambda$startAsync$7(JobService.java:216) [edison-jobs-0.82.2.jar!/:na]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_131]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_131]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) ~[na:1.8.0_131]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ~[na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_131]
Configure OpenAPI Scans based on Example Values
Is your feature request related to a problem? Please describe.
As a security tester i would like to use example values described in OpenAPI Tests to automate API Tests with the secureCodeBox more convenient.
Describe the solution you'd like
Based on the OpenAPI ZAP improvements: zaproxy/zaproxy#5913 we have to extend the SCB ZAP Scanner to reflect this feature.
Additional context
Returning empty results seems not to work.
There is a 400 Bad request if zap returns failures with empty results back to the engine.
Update vulnerable dependencies
There are some vulnerable libs in the engine, we should do an update:
https://snyk.io/org/securecodebox/project/39c6ce89-ae62-4d50-b586-e113245573ad/
Rate Limit for ZAP Scans
As a user I would like to reduce the number of requests per second during my scans so that they won't affect the performance of my application and the scanner won't be blocked by a WAF.
The ZAP API provides means for rate limits via <zap-service>:<zap-port>/UI/ascan like
- setOptionThreadPerHost (Integer* )
- setOptionDelayInMs (Integer* )
In my target definition (used for ZAP Scans) i would like to configure this like:
[
{
"name": "ZAP BodgeIt Scan",
"location": "http://bodgeit:8080/bodgeit/",
"attributes": {
"ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
"ZAP_RATE_LIMITS": {
"threadPerHost": 2,
"delayInMs": 100,
[...]
}
}
}
]
Configure the ZAP Replacer AddOn to add/replace HTTP Header
As a user i would like to configure the ZAP replacer options for my scans. More Informations on that can be found here: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsReplacerReplacer
There is an existing ZAP API Endpoint for this:
/replacer/action/addRule() -> Adds a replacer rule. For the parameters: desc is a user friendly description, enabled is true or false, matchType is one of [REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR], matchRegex should be true if the matchString should be treated as a regex otherwise false, matchString is the string that will be matched against, replacement is the replacement string, initiators may be blank (for all initiators) or a comma separated list of integers as defined in HttpSender
In my target definition (used for ZAP Scans) i would like to configure this like:
[
{
"name": "ZAP BodgeIt Scan",
"location": "http://bodgeit:8080/bodgeit/",
"attributes": {
"ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
"ZAP_SPIDER_MAX_DEPTH": 1
"ZAP_REPLACER_RULES":
[
{ "matchType":"RESP_HEADER",
"description":"Remove CSP",
"matchString":"Content-Security Policy",
"initiators":"",
"matchRegex":"false",
"replacement":"",
"enabled":"true"},
{ "matchType":"RESP_HEADER",
"description":"Remove HSTS",
"matchString":"Strict-Transport-Security",
"initiators":"",
"matchRegex":"false",
"replacement":"",
"enabled":"true"},
{ "matchType":"REQ_HEADER",
"description":"Add a special Authentication Headerl",
"matchString":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
"initiators":"",
"matchRegex":"false",
"replacement":"Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l",
"enabled":"true"}
]
}
}
]
The ZAP Docker Container must not run with root user
In order to be able to run this container securely it it must not use the root user. This is also an important requirement to run the ZAP Container within OpenShift.
Addon CSPscanner
I would like to add the cspscanner addon to zap.
For APIs not serving UI/HTML, this will be a false positive.
See https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsCspscannerAbout
It can be added to /dockerfiles/init.sh with
-addoninstall cspscanner
Configure OpenAPI Scans with specific values
As a user i would like to configure the OpenAPI scans with specific values instead of the default ones. More Informations on that can be found here: https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html
Specifying Values
ZAP will use a set of default values when importing APIs. In some cases these will not be suitable values for a specific application, and therefore will not exercise enough of the code. For example a username of βtestβ might not cause a new user to be created as it is not a valid email address.
For APIs defined using OpenAPI/Swagger you can specify the values you want ZAP to use via ZAP command line options.
For example the options:
-config formhandler.fields.field(0).fieldId=username
-config formhandler.fields.field(0).value=[email protected]
-config formhandler.fields.field(0).enabled=true
-config formhandler.fields.field(1).fieldId=phone
-config formhandler.fields.field(1).value=012345678
-config formhandler.fields.field(1).enabled=true
Will supply the following values to the named fields:
username -> [email protected]
phone -> 012345678
The above quote shows an command line example, but our ZAP microservice implementation depends on the ZAP Rest API. Maybe there is an Rest Endpoint for this configuration option?
Enable configurable Scan Policies for Security Tests
As a pentester i would like to configure my own ZAP scan policy to optimize my scan quality. Therefore i would like to attach and configure my own ZAP scan policy.
Remove the OpenAPI-Plugin Workaround regarding the Engine-API File Upload
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.