ZAP CI User Guide

User Guide

PREPARED: 2021-11-23, Praveen Kumar K
APPROVED: 2021-11-23, Nilesh Khandare
STATUS: Approved
SECURITY LEVEL: Internal
DOCUMENT KIND: User's Guide
OWNING ORGANIZATION: Device Security Assurance Center
DOCUMENT ID. / REV. / LANG. / PAGE: E en 1/8

© Copyright 2020 ABB. All rights reserved.

Contents
1. Introduction (page 3)
2. ZAP CI System Requirements (page 3)
  2.1. System Requirements (page 3)
  2.2. Updating the VM (page 3)
  2.3. VSTS Agent Setup (page 3)
3. Setting up the Pipeline (page 4)
  3.1. Repo and Branch for the automation code (page 4)
  3.2. Command to run ZAP automation (page 4)
    3.2.1. Command for Form-Based Authentication (page 4)
    3.2.2. Command for NTLM Authentication (page 4)
    3.2.3. Command for No Authentication (page 5)
  3.3. Upload pipeline artifacts (page 5)
4. Run and Scan Report (page 7)


1. Introduction
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is one of
the most active Open Web Application Security Project (OWASP) projects and has been given Flagship
status. When used as a proxy server it allows the user to inspect and manipulate all of the traffic that
passes through it, including HTTPS traffic.

DSAC has developed a framework for integrating ZAP into the CI pipeline. The framework is written in
Python. Any application that uses basic form-based authentication or NTLM authentication can be
scanned.

2. ZAP CI System Requirements

2.1. Minimum System Requirements
To run ZAP in the CI pipeline, a virtual machine with the following specification is required:
• OS: Ubuntu
• vCPUs: 2
• RAM: 8 GiB
• Hard disk: 20 GiB

2.2. Updating the VM

In the VM, run the following commands to update the system and install the modules that support the
framework (the Python ZAP API client, a JDK for ZAP itself, git for the checkout and Firefox for the
browser-driven login):
• sudo apt update
• sudo apt install python3-pip
• sudo apt install default-jdk
• sudo apt install git
• pip3 install python-owasp-zap-v2.4
• sudo apt install firefox

2.3. VSTS Agent Setup

Create an agent pool:
https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser

Add the Ubuntu VM created above to the agent pool as a self-hosted Linux agent:
https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-linux?view=azure-devops


3. Pipeline Setup
3.1. Repo and Branch for the automation code
Repo: https://dev.azure.com/ABB-BEA-DSAC/DSAC_Testing/_git/zap_automation_cicd

Branch: Develop

"zapscan.py" is the script that needs to be run on the command line to trigger the scan. The section
below explains how to trigger the script from the pipeline.

Note: Please raise a request for access if you are not able to reach the above repo.

3.2. Command to run ZAP automation

Currently the ZAP web application scanner framework supports two authentication types:

1. Form-Based Authentication

2. NTLM Authentication

The sections below explain each authentication type and its parameters.

3.2.1 Command for Form-Based Authentication

The following parameters need to be passed for a form-based application:

• -target: URL of the product under test

• -authtype: type of authentication (i.e. FormBased)

• -lep: <URL>/<login method>, e.g. https://demo.testfire.net/doLogin

Generally, the login endpoint is the POST method used to log in to the web application.

• -uname and -pswd: username and password used to log in to the application

• -lin: logged-in indicator, a string that tells ZAP whether the login is still active, e.g. "Sign Off"

If the application logs the session out while scanning, the login method is called again. ZAP makes
sure that the application stays signed in throughout the entire scan.

Note: All fields are mandatory except the logged-in indicator.

So the final command will be:

python3 -u zapscan.py -target "https://demo.testfire.net/" -authtype "FormBased" -uname "admin" -pswd "admin" -lep "https://demo.testfire.net/doLogin" -lin "Sign Off"

3.2.2 Command for NTLM Authentication

The following parameters need to be passed for an NTLM application:

• -target: URL of the product under test


• -authtype: type of authentication (NTLM)

• -domain: the base URL (host) of the application

• -uname and -pswd: username and password used to log in to the application

• -port: port number on which the application is reachable

• -lin: logged-in indicator, a string that tells ZAP whether the login is still active, e.g. "Sign Off"

If the application logs the session out while scanning, the login method is called again. ZAP makes
sure that the application stays signed in throughout the entire scan.

Note: All fields are mandatory except the logged-in indicator.

So the final command will be:

python3 -u zapscan.py -target "http://10.128.43.27:8431" -authtype "NTLM" -uname "admin" -pswd "admin" -domain "10.128.43.27" -port "8431" -lin "Sign Off"
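As an added illustration (not code from the DSAC framework's zapscan.py), the block below shows what the parameters of sections 3.2.1 and 3.2.2 correspond to in ZAP when driven through the python-owasp-zap-v2.4 client installed in section 2.2: -lep becomes the form-based login URL, -uname/-pswd the user's credentials, -domain/-port the host and port of ZAP's HTTP (NTLM) authentication method, and -lin the logged-in indicator regex that ZAP checks in every response to decide whether to log in again. The login form field names uid/passw, the context name and the `zap` client object are assumptions.

```python
# Added example (not the DSAC framework's own zapscan.py): how the CLI parameters in
# sections 3.2.1 and 3.2.2 map onto ZAP authentication settings via python-owasp-zap-v2.4.
# The login form field names (uid/passw) are an assumption; take them from the real form.
import re
from urllib.parse import urlencode


def form_auth_config(lep, user_field="uid", pass_field="passw"):
    """authmethodconfigparams for ZAP's formBasedAuthentication (-lep).
    ZAP replaces {%username%} / {%password%} with the user's credentials at login."""
    login_body = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urlencode({"loginUrl": lep, "loginRequestData": login_body})


def ntlm_auth_config(domain, port):
    """authmethodconfigparams for ZAP's httpAuthentication (-domain / -port).
    ZAP answers NTLM/Basic challenges from this host and port with the user's credentials."""
    return urlencode({"hostname": domain, "port": str(port), "realm": ""})


def logged_in_regex(lin):
    """-lin is matched as a regex against responses; escape it so a phrase matches literally."""
    return re.escape(lin)


def session_alive(response_body, lin):
    """The decision ZAP takes per response: indicator present -> still logged in;
    absent -> the session was lost and the login step is replayed before scanning continues."""
    return re.search(logged_in_regex(lin), response_body) is not None


def configure_context(zap, target, authtype, uname, pswd, lin="", lep=None, domain=None, port=None):
    """Create a ZAP context with the chosen authentication and one enabled user.
    'zap' is a ZAPv2 client connected to a running ZAP; returns (context_id, user_id)."""
    ctx_name = "zap_ci"  # assumed context name
    ctx_id = zap.context.new_context(ctx_name)
    zap.context.include_in_context(ctx_name, re.escape(target) + ".*")
    if authtype == "FormBased":
        zap.authentication.set_authentication_method(ctx_id, "formBasedAuthentication", form_auth_config(lep))
    elif authtype == "NTLM":
        zap.authentication.set_authentication_method(ctx_id, "httpAuthentication", ntlm_auth_config(domain, port))
    else:
        raise ValueError(f"unsupported -authtype {authtype!r}")
    if lin:  # optional; without it ZAP cannot detect a lost session and re-login
        zap.authentication.set_logged_in_indicator(ctx_id, logged_in_regex(lin))
    user_id = zap.users.new_user(ctx_id, uname)
    zap.users.set_authentication_credentials(ctx_id, user_id, urlencode({"username": uname, "password": pswd}))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    return ctx_id, user_id
```

With the context and user in place, the spider and active scan are started with ZAP's scan_as_user calls so every request carries the authenticated session.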

3.2.3 Command for No Authentication

• -target: URL of the product under test

Only the target URL has to be supplied; no other parameters are required.

So the final command will be:

python3 -u zapscan.py -target "https://demo.testfire.net/"

3.3. Pipeline Tasks

Step 1: Use the agent pool created above for the pipeline job.
Step 2: Check out the develop branch of the repo
https://dev.azure.com/ABB-BEA-DSAC/DSAC_Testing/_git/zap_automation_cicd into the VM.


Step 3: In the Command Line Script task, add the following lines:
o make the checked-out files executable:
o chmod -R 777 *
o python3 -u zapscan.py -target "https://demo.testfire.net/" -authtype "FormBased" -uname "admin" -pswd "admin" -lep "https://demo.testfire.net/doLogin" -lin "Sign Off"

Step 4: Publish Pipeline Artifact: Zap_scan_log is the result directory created after the scan has
completed. Publish this folder as an artifact using the "Publish Pipeline Artifact" task.


4. Run and Scan Report

After running the pipeline, the log is available under the published artifacts in the run summary, as
highlighted below.


The scan report is available inside the published artifact and appears as below.

"scan_report.xhtml" is the scan report for the web application, as shown below.
