
feat(lab5): ZAP baseline + auth + Semgrep + correlation #5

Merged: Troshkins merged 1 commit into main from feature/lab5 on Jun 22, 2026

Conversation

@Troshkins

Owner

Goal

Run ZAP baseline and authenticated scans against OWASP Juice Shop, analyze Semgrep findings for the matching v20.0.0 source, and correlate a confirmed SQL Injection finding across both tools.

Changes

  • Added submissions/lab5.md with DAST, SAST, and correlation analysis.
  • Updated labs/lab5/scripts/zap-auth.yaml for the Docker network target and report output paths.
  • Updated labs/lab5/scripts/compare_zap.sh to compare the baseline and authenticated reports passed as arguments.

Testing

  • Started bkimminich/juice-shop:v20.0.0 on the lab5-net Docker network.

  • Ran ZAP baseline scan:

    zap-baseline.py -t http://juice-shop:3000 -r baseline-report.html -J baseline-report.json

    Result: 10 alert types — 0 High, 2 Medium, 5 Low, 3 Informational.

  • Ran authenticated ZAP Automation Framework scan:

    zap.sh -cmd -autorun /zap/wrk/scripts/zap-auth.yaml -port 8090

    Result: 12 alert types — 1 High, 4 Medium, 3 Low, 4 Informational.

  • Compared ZAP reports:

    bash labs/lab5/scripts/compare_zap.sh \
      labs/lab5/results/baseline-report.json \
      labs/lab5/results/auth-report.json

    Result: authenticated/baseline alert-type ratio = 1.20x.

  • Cloned Juice Shop source pinned to v20.0.0 and ran Semgrep:

    semgrep --config=p/owasp-top-ten \
      --config=p/javascript \
      --config=p/secrets \
      labs/lab5/semgrep/juice-shop \
      --json -o labs/lab5/results/semgrep.json \
      --severity ERROR --severity WARNING

    Result: 22 findings — 12 ERROR and 10 WARNING.

  • Confirmed correlation between:

    • ZAP SQL Injection alert at /rest/products/search?q=%27%28
    • Semgrep finding at routes/search.ts:23

Artifacts & Screenshots

  • Scan summaries, severity tables, false-positive review, and the SAST/DAST correlation report are documented in submissions/lab5.md.
  • Raw ZAP and Semgrep outputs were intentionally not committed because they are generated and reproducible.

Checklist

  • Title is clear (feat(lab5): ZAP baseline + auth + Semgrep + correlation)
  • No secrets/large temp files committed
  • Submission file at submissions/lab5.md exists

@Troshkins Troshkins merged commit 13c09a5 into main Jun 22, 2026
1 check passed
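The compare step and the SAST/DAST correlation described in the PR, as an added example that is not the repository's compare_zap.sh (which is a bash script) nor Juice Shop code. Both ZAP reports and the Semgrep output are constructed inline in the shape the tools emit (ZAP JSON: site[].alerts[] with riskcode 0-3; Semgrep --json: results[] with check_id, path, start.line, extra.severity); the alert names mirror real ZAP rules, but the counts, instance URL and the Semgrep check_id values are invented placeholders.

```python
"""Compare a ZAP baseline report with an authenticated-scan report, tally alert
types by risk, and link a DAST alert to Semgrep (SAST) findings.

Added example, not the PR's labs/lab5/scripts/compare_zap.sh. All inputs below
are constructed; the Semgrep check_id values are placeholders."""
import json
import re
from collections import Counter

RISK = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}
LEVELS = ("High", "Medium", "Low", "Informational")


def zap_report(alerts):
    """Wrap an alert list in the envelope ZAP's JSON report uses (constructed)."""
    return json.dumps({"@programName": "ZAP",
                       "site": [{"@name": "http://juice-shop:3000", "alerts": alerts}]})


# Alert types the unauthenticated crawl already sees (constructed data)
COMMON = [
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
    {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments", "riskcode": "0"},
]
BASELINE_JSON = zap_report(COMMON)
# The logged-in session reaches more surface, so two extra alert types appear
AUTH_JSON = zap_report(COMMON + [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
     "instances": [{"uri": "http://juice-shop:3000/rest/products/search?q=%27%28"}]},
    {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2"},
])

# Constructed Semgrep --json output; check_id values are invented placeholders
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "example.rules.sql-injection-string-concat",
     "path": "routes/search.ts", "start": {"line": 23},
     "extra": {"severity": "ERROR", "message": "User input concatenated into SQL query"}},
    {"check_id": "example.rules.missing-csrf",
     "path": "server.ts", "start": {"line": 100},
     "extra": {"severity": "WARNING", "message": "CSRF protection not enabled"}},
]})


def alert_types(report_json):
    """Map (pluginid, alert name) -> risk int. One entry per alert *type*, so an
    alert seen at many URLs counts once, matching ZAP's own summary line."""
    out = {}
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            out[(a["pluginid"], a["alert"])] = int(a["riskcode"])
    return out


def risk_summary(types):
    """Per-risk counts, always listing all four levels so '0 High' is explicit."""
    c = Counter(RISK[r] for r in types.values())
    return {lvl: c.get(lvl, 0) for lvl in LEVELS}


def compare_reports(baseline_json, auth_json):
    """Summaries, the auth/baseline alert-type ratio, and types only auth found."""
    base, auth = alert_types(baseline_json), alert_types(auth_json)
    ratio = round(len(auth) / len(base), 2) if base else None
    only_auth = sorted((name, RISK[risk]) for (pid, name), risk in auth.items()
                       if (pid, name) not in base)
    return {"baseline": risk_summary(base), "auth": risk_summary(auth),
            "ratio": ratio, "only_in_auth": only_auth}


def correlate(zap_alert_name, semgrep_json):
    """Crude DAST->SAST link: Semgrep hits whose check_id or message contains every
    key word of the ZAP alert name (e.g. 'sql' and 'injection'). A match is a lead
    to confirm by reading the flagged code, not a confirmation by itself."""
    words = [w for w in re.findall(r"[a-z]+", zap_alert_name.lower()) if len(w) > 2]
    hits = []
    for r in json.loads(semgrep_json).get("results", []):
        text = (r["check_id"] + " " + r["extra"].get("message", "")).lower()
        if words and all(w in text for w in words):
            hits.append((f'{r["path"]}:{r["start"]["line"]}', r["extra"]["severity"]))
    return hits


if __name__ == "__main__":
    print(json.dumps(compare_reports(BASELINE_JSON, AUTH_JSON), indent=2))
    print(correlate("SQL Injection", SEMGREP_JSON))
```

Counting alert types rather than instances is what makes the ratio comparable to the 1.20x figure in the PR: ZAP reports one alert type per plugin id even when it fires on many URLs. The keyword correlation deliberately returns file:line pairs for a human to review, since a rule name sharing words with a ZAP alert is only a starting point for confirming that the same code path is behind both findings.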