ZAP Automated Security Test
This page demonstrates a project which shows how a dev team can run ZAP headless to run automated security tests and send the results to a bug-tracker (currently only JIRA).
ZAP is an Open Source Web App Security Testing Tool and browser proxy, that is very flexible and can be automated to run as part of a build.
- Download and Install ZAP - https://github.com/zaproxy/zaproxy/wiki/Downloads
- Add ZAP root certificate to your browser - Open ZAP > Tools > Options > Dynamic SSL Certificates > Save
- Start ZAP daemon (also see
zap.sh -daemon -port 8080 -config api.disablekey=true &
- Configure your machine or browser to use ZAP local proxy for all internet traffic
- Download the project (https://github.com/zaproxy/community-scripts/archive/master.zip), unzip it and navigate into this directory (
/api/sdlc-integration) - let's call it the root from now on.
- Install requirements:
pip install -r requirements.txt
core/config.py- here you can configure:
- ZAP's URL
- Maximum duration of the active scan
- Your JIRA credentials and URL (the results of the scan can be posted to JIRA as a new issue).
- For advanced active scanning you can also specify authentication for your web app, so that ZAP can log in and attack the app as a logged in user.
- Modify any
core/setup_module/proxy_scripts/*as needed – all files in this folder will be used (For instance you might want to add a CSP header to each response)
- Setup your own selenium drivers and tests (or any other way to generate internet traffic at a later stage).
The project is split into two main modules -
scan_module. You should only care about the two scripts located in the root directory -
run_session_setup.py is used to clean the ZAP session and set up basic configuration - this should be run before any scans are run (+ it assumes that ZAP daemon is already running).
After this point, you should generate some internet traffic going through the proxy. This could be done using your Selenium tests or via any other means. This could be as simple as running a few cURL commands (you can do additional spidering via the scripts later).
run_scan.py triggers the actual scan functions and can also post the scan results to JIRA - it assumes that ZAP daemon is running, session has been set up and selenium tests have been run (through the ZAP proxy)
- (optional) Run
python run_session_setup.py -g rules_config.txtto generate a template for your rule configuration file
- (optional) Change your
rules_config.txtfile to indicate which rules should be ignored and which should cause the test to fail
- To set up the session run:
python run_session_setup.py -t "www.example.com" -c rules_config.txt -dwhere the
-c filenameflags are optional. The
-t urlparameter is used to limit the proxy only to the target domain and avoid any other internet traffic from the machine.
- Now you generate some internet traffic (targeting the domain you specified with the
-tflag earlier). This is the point where you should run your Selenium tests.
python run_scan.py -c rules_config.txt -r -dto execute the test and have the results posted to JIRA (
-rflag). Note that if you use the
-c filenameflag, you should use the same
rules_config.txtfile you used for the session setup!)
- (optional) If you want the
run_scan.pyscript to perform additional spidering, specify a
-x filenameflag in the previous step, where the filename points to a file that contains a set of regexes (each on a new line) that limit the spider to particular subpaths of your site.