
Running ZAP against an application with proxied test cases inside Docker containers + Reporting in JIRA + Notification in Slack

August 24, 2015

Building off of my last blog post, I could start two containers (ZAP and the application), run ZAP against the application and generate a report. However, I observed that this was not getting me good results. Most of the issues reported were missing-header issues, which weren't that useful to begin with.

So, I had to figure out a way to make this more meaningful and effective if we were to actively deploy such an automated scanning process in our DevOps pipeline.

The way I figured this would work was to get some legitimate traffic into ZAP before beginning the scan, and the way to get traffic into ZAP is to use it as a proxy before the actual scanning. This would normally mean browsing the application manually to generate the data. But we were trying to automate the entire process, so any form of manual intervention was undesirable, at least until the point where the reports need to be triaged.

Luckily, we had some custom test cases written in Python and Lua that generate and send API requests to the application. So I simply ran those first (sending the test cases to the application, proxied via ZAP) before beginning the ZAP scan. The results were slightly better. It also took care of the authentication part, because the requests sent by the test cases already carried the headers used to authenticate to the application, so I didn't have to change anything specifically within the ZAP API code.
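The "proxy first, then scan" sequence described above, as an added example that is not the post's runzap.py: a constructed set of authenticated API test requests is replayed through the ZAP container, after which the spider and active scan are driven through ZAP's REST API. The zap/app hostnames, the API key, the bearer token and the sample requests are assumptions.

```python
# Added example (not the post's runzap.py): replay constructed API test requests
# through ZAP as a proxy, then drive spider + active scan via ZAP's REST API.
# ZAP_HOST/ZAP_PORT/API_KEY, TARGET and the sample requests are assumptions.
import json
import time
import urllib.parse
import urllib.request

ZAP_HOST, ZAP_PORT, API_KEY = "zap", 8080, "changeme"   # assumed container name/key
TARGET = "http://app:8000"                              # assumed application container
AUTH_HEADERS = {"Authorization": "Bearer <token>"}      # placeholder app credential
# Constructed stand-ins for the post's Python/Lua test cases; each carries the
# auth header, so ZAP's history holds authenticated traffic before the scan.
SAMPLE_REQUESTS = [("GET", "/api/items", None), ("POST", "/api/items", {"name": "demo"})]

def proxy_settings():
    """Proxy map that routes the test traffic through the ZAP container."""
    proxy = "http://%s:%d" % (ZAP_HOST, ZAP_PORT)
    return {"http": proxy, "https": proxy}

def zap_api_url(component, kind, name, params=None):
    """ZAP REST URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params or {}, apikey=API_KEY)
    return "http://%s:%d/JSON/%s/%s/%s/?%s" % (ZAP_HOST, ZAP_PORT, component, kind,
                                              name, urllib.parse.urlencode(query))

def replay_test_cases():
    """Send the test cases to the app via ZAP (the 'proxy first' step)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxy_settings()))
    for method, path, body in SAMPLE_REQUESTS:
        data = None if body is None else json.dumps(body).encode()
        headers = dict(AUTH_HEADERS, **{"Content-Type": "application/json"})
        opener.open(urllib.request.Request(TARGET + path, data=data, method=method,
                                           headers=headers)).read()

def zap_call(component, kind, name, params=None):
    with urllib.request.urlopen(zap_api_url(component, kind, name, params)) as resp:
        return json.load(resp)

def run_scan(poll=5):
    """Spider, then active-scan, polling each status view until it reports 100."""
    for comp in ("spider", "ascan"):
        scan_id = zap_call(comp, "action", "scan", {"url": TARGET})["scan"]
        while int(zap_call(comp, "view", "status", {"scanId": scan_id})["status"]) < 100:
            time.sleep(poll)
    return zap_call("core", "view", "alerts", {"baseurl": TARGET})["alerts"]

if __name__ == "__main__":
    replay_test_cases()
    print("%d alerts raised" % len(run_scan()))
```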

We got a few more issues than just the header stuff, so I was happy the approach worked. There is still a lot of work to be done, but since the application I am dealing with is not a traditional web application, I am looking at a slightly different route now and may do something more than just running the ZAP scan. More on that later, as and when I have something to blog about.

A few more things I added to this process: the reports are now automatically sent to our JIRA instance, and a ticket gets created with the reports as attachments. We also have a webhook for Slack built in, so whenever this ticket is created we get a notification in our Slack channel telling everyone that the scan was run and the report was generated and attached to the JIRA ticket for auditing purposes. I also added some exception handling and cleaned up the code a little.

Overall, the complete automated process looks like:

[Screenshot, 2015-08-24: diagram of the complete automated process]

zaprun.sh can be found here.

runzap.py can be found here.

jiraconnect.sh can be found here. For this script, you will also need to create a folder called "data" in $pwd and add two files to that directory: credentials.json and data.json. credentials.json holds the username and password used to authenticate to JIRA. It will look something like this:

{
  "username": "<username>",
  "password": "<password>"
}

data.json holds the ID of your JIRA project, plus the summary, description, issue type and label for the issue that will get created. This information can easily be obtained from your JIRA installation using the REST API browser plugin in JIRA. It will look something like this:

{
  "fields": {
    "project": {
      "id": "<id>"
    },
    "summary": "ZAP Scan Result",
    "description": "This issue contains the scan results when ZAP is run against the app",
    "issuetype": {
      "id": "<>"
    },
    "labels": [
      "scan"
    ]
  }
}
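What jiraconnect.sh does with these two files, as an added Python example that is not the post's script: it reads credentials.json and data.json in the layout shown above, creates the issue, attaches the report (JIRA requires the X-Atlassian-Token: no-check header on attachment uploads) and fires the Slack webhook. The JIRA base URL, the report path and the webhook URL are assumptions.

```python
# Added example (not the post's jiraconnect.sh): create the JIRA issue from data.json,
# attach the ZAP report and post to Slack.  JIRA_URL, SLACK_WEBHOOK, report path are assumed.
import base64
import json
import uuid
import urllib.request

JIRA_URL = "https://jira.example.com"                         # assumed
SLACK_WEBHOOK = "https://hooks.slack.com/services/<webhook>"  # placeholder

def basic_auth_header(creds):
    """HTTP Basic auth built from the username/password in credentials.json."""
    raw = ("%s:%s" % (creds["username"], creds["password"])).encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def issue_request(creds, data):
    """POST /rest/api/2/issue with the 'fields' object from data.json."""
    headers = dict(basic_auth_header(creds), **{"Content-Type": "application/json"})
    return urllib.request.Request(JIRA_URL + "/rest/api/2/issue", method="POST",
                                  data=json.dumps(data).encode(), headers=headers)

def attachment_request(creds, issue_key, filename, content, boundary=None):
    """Multipart upload of the report; JIRA rejects it without X-Atlassian-Token."""
    boundary = boundary or uuid.uuid4().hex
    body = (b"--" + boundary.encode() + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename.encode()
            + b'"\r\nContent-Type: application/octet-stream\r\n\r\n' + content
            + b"\r\n--" + boundary.encode() + b"--\r\n")
    headers = dict(basic_auth_header(creds), **{"X-Atlassian-Token": "no-check",
                   "Content-Type": "multipart/form-data; boundary=" + boundary})
    url = "%s/rest/api/2/issue/%s/attachments" % (JIRA_URL, issue_key)
    return urllib.request.Request(url, method="POST", data=body, headers=headers)

def slack_payload(issue_key):
    return {"text": "ZAP scan finished; report attached to %s/browse/%s" % (JIRA_URL, issue_key)}

def send(req):
    """Fire a request and return the raw response body."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()

if __name__ == "__main__":
    creds = json.load(open("data/credentials.json"))
    data = json.load(open("data/data.json"))
    key = json.loads(send(issue_request(creds, data)))["key"]   # e.g. "SEC-42"
    with open("report.html", "rb") as fh:                       # assumed report path
        send(attachment_request(creds, key, "report.html", fh.read()))
    send(urllib.request.Request(SLACK_WEBHOOK, headers={"Content-Type": "application/json"},
                                data=json.dumps(slack_payload(key)).encode()))
```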

And that's it! A fully automated process of running OWASP ZAP in your DevOps build pipeline, with test cases proxied via ZAP inside Docker containers, reporting in JIRA and notifications sent to Slack.

Feel free to reach out to me if you have any questions or just to share your experiences if you have been trying to do something similar.

Cheers!!

One Comment
  1. lakshmi

    I had gone through your articles on ZAP. The information provided is very helpful. I too have a similar task to automate the ZAP process using a CI tool.

    Kindly let me know if the below things can be achieved.

    1. I have a web application and APIs for which penetration testing needs to be done using the ZAP tool (in an automated way)
    2. The web app and APIs have an authentication mechanism (login, logout, downloads, search)

    Queries:
    1. To test the authentication part, do I need to write automated test cases?
    2. Can ZAP be used for API security testing?
    3. If I do not have a Docker image of my application, can I still use it with a CI tool?
