OWASP ZAP
In short, if we can route Selenium WebDriver tests through ZAP, we get automated security tests almost for free by driving ZAP through its API. Despite good documentation on the topic, I have seen a lot of people run into trouble integrating their tests with ZAP. At Traveltriangle, the technical team uses OWASP ZAP as its primary security testing tool. This post walks through the practical steps for putting that integration in place using the ZAP API.
Note: this post does not cover the features of OWASP ZAP, the types of ZAP security scans, using ZAP interactively, or reading the scan reports. All of that is well covered in the official ZAP documentation; please read it first.
Let’s begin with the actual integration.
The first step is to start the ZAP executable. The Selenium tests talk to ZAP over the network, so ZAP has to be running on the machine (and port) the tests are configured to use. The ZAP executable accepts many command line parameters; here we use the bare minimum.
```shell
zap.sh -daemon -host some-host -port some-port -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.disablekey=true
```

zap.sh: the startup script shipped with ZAP.

-daemon: start headless, with no GUI.

-host, -port: the address and port ZAP listens on. Both the proxy and the API are served there, and this is the address the Selenium tests point their browser proxy at.

-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true: treat the permitted API address list as regular expressions and match any source IP, so that a test runner on another machine can call the API (regex=true on its own does not open the API up; the name=.* entry is what matches every address).

-config api.disablekey=true: turn off the API key check (the default is false). This is convenient on an isolated build box, but anyone who can reach the port can then drive the scanner, so keep the port firewalled, or leave the key enabled (-config api.key=<key>) and pass the key from the client.

Once ZAP is running, the next step is to configure the Selenium driver and add the ZAP API client library to your Selenium framework project. If the project uses a build tool such as Maven, add the dependencies for 1. the OWASP ZAP API client (the org.zaproxy:zap-clientapi artifact, which provides the org.zaproxy.clientapi.core.ClientApi class used below) and 2. OWASP Zed Attack Proxy.
The idea is to start the Selenium driver with ZAP's address as its HTTP and HTTPS proxy, so every request the browser makes passes through ZAP. ZAP intercepts TLS by re-signing server certificates with its own root CA, which is why the browser is told to accept insecure certificates; without that, HTTPS pages fail to load and ZAP sees nothing. An example (using ChromeDriver) follows.
```java
import java.io.File;

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeDriverService;
import org.openqa.selenium.chrome.ChromeOptions;
import org.openqa.selenium.remote.CapabilityType;

// Point the browser at the ZAP host and port started above, for both HTTP and HTTPS.
String proxyAddress = "<ZAP_machine_IP>:<ZAP_machine_PORT>";
Proxy zapProxy = new Proxy();
zapProxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);

// Chrome options: route traffic through ZAP and accept ZAP's re-signed TLS certificates.
// (DesiredCapabilities.chrome() is deprecated; ChromeOptions carries the capabilities directly.)
ChromeOptions chromeOptions = new ChromeOptions();
chromeOptions.addArguments("--ignore-certificate-errors");
chromeOptions.setCapability(CapabilityType.PROXY, zapProxy);
chromeOptions.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);

// Start chromedriver on any free port.
ChromeDriverService service = new ChromeDriverService.Builder()
        .usingAnyFreePort()
        .usingDriverExecutable(new File("<chromedriver executable path>"))
        .build();
service.start();

// Create the driver with the proxied options.
WebDriver driver = new ChromeDriver(service, chromeOptions);
```

If the tests run on a remote machine, use RemoteWebDriver with the same capabilities. Make sure the ZAP proxy address is reachable from the browser node, not just from the machine that runs the test code. Once this is in place, every page the Selenium tests visit passes through ZAP: ZAP records each request and response in its site tree and passively scans that traffic (a passive scan only inspects the traffic as it flows; it sends no requests of its own). ZAP then uses the site tree as the starting point for the other scans, such as the active scan and the spider. Passive scanning runs asynchronously and lags behind the browser, so once all tests have finished the code must wait for the passive scan queue to drain before starting anything else. An example follows.
```java
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

// Create one org.zaproxy.clientapi.core.ClientApi using the ZAP host and port.
private static ClientApi api = new ClientApi(ZAP_HOST, ZAP_PORT);

// Wait until the passive scanner has no records left to process.
private static void waitForPassiveScanToComplete() {
    System.out.println("--- Waiting for passive scan to complete --- ");
    try {
        api.pscan.enableAllScanners(); // make sure every passive scan rule is enabled
        // recordsToScan is the size of the passive scan queue; poll until it reaches 0.
        int recordsToScan = Integer.parseInt(((ApiResponseElement) api.pscan.recordsToScan()).getValue());
        while (recordsToScan > 0) {
            Thread.sleep(500); // do not hammer the API in a tight loop
            recordsToScan = Integer.parseInt(((ApiResponseElement) api.pscan.recordsToScan()).getValue());
        }
    } catch (ClientApiException | InterruptedException e) {
        e.printStackTrace();
    }
    System.out.println("--- Passive scan completed! ---");
}
```

With the passive scan done, the active scan and the spider can be started through the ZAP API. Note that the active scan sends real attack traffic (including modifying requests) to the target, so point it only at a test environment you own and can throw away, never at production. An example follows.
```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

// Create one org.zaproxy.clientapi.core.ClientApi using the ZAP host and port.
private static ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT);
private static String application_base_url = "https://<application_url>/";

// Start an active scan and block until it completes.
private static void startActiveScan() {
    System.out.println("Active scan : " + application_base_url);
    try {
        // Parameters: url, recurse, inScopeOnly, scanPolicyName, method, postData.
        // See the ZAP API documentation for what each one means.
        ApiResponse resp = api.ascan.scan(application_base_url, "True", "False", null, null, null);
        // The response carries the scan id, which lets several scans run concurrently.
        String scanId = ((ApiResponseElement) resp).getValue();
        int progress;
        // Poll the scan status (0-100) until it completes.
        do {
            Thread.sleep(5000);
            progress = Integer.parseInt(((ApiResponseElement) api.ascan.status(scanId)).getValue());
            System.out.println("Active Scan progress : " + progress + "%");
        } while (progress < 100);
        System.out.println("Active Scan complete");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```

Similarly, an example that starts a spider scan follows.
```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

// Create one org.zaproxy.clientapi.core.ClientApi using the ZAP host and port.
private static ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT);
private static String application_base_url = "https://<application_url>/";

// Start a spider scan and block until it completes.
private static void startSpiderScan() {
    System.out.println("Spider : " + application_base_url);
    try {
        // Parameters: url, maxChildren, recurse, contextName, subtreeOnly.
        // See the ZAP API documentation for what each one means.
        ApiResponse resp = api.spider.scan(application_base_url, null, null, null, null);
        // The response carries the scan id, which lets several scans run concurrently.
        String scanId = ((ApiResponseElement) resp).getValue();
        int progress;
        // Poll the spider status (0-100) until it completes.
        do {
            Thread.sleep(1000);
            progress = Integer.parseInt(((ApiResponseElement) api.spider.status(scanId)).getValue());
            System.out.println("Spider progress : " + progress + "%");
        } while (progress < 100);
        System.out.println("Spider complete");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```

Now that we have seen how each scan is started, the next step is to fetch and consume the findings. They can be retrieved directly with a curl request (append ?apikey=<key>, or send the X-ZAP-API-Key header, if the API key is still enabled):
Alerts: http://ZAP_HOST:ZAP_PORT/JSON/core/view/alerts/

Report: http://ZAP_HOST:ZAP_PORT/OTHER/core/other/htmlreport/

Since we are automating the tests, the report should be fetched automatically as well. An example using the ZAP API follows.
```java
import java.nio.file.Files;
import java.nio.file.Paths;

import org.zaproxy.clientapi.core.ApiResponse;

private static String application_base_url = "https://<application_url>/";

// Save the HTML report to disk and print the recorded HTTP messages.
private static void getReports() {
    try {
        // core/other/htmlreport returns the report as raw bytes.
        byte[] bytes = api.core.htmlreport();
        // core/view/messages lists the requests and responses ZAP recorded under the base URL
        // (the alerts themselves come from core/view/alerts); here they are just printed.
        ApiResponse messages = api.core.messages(application_base_url, "0", "99999999");
        System.out.println(messages);
        // Write the report bytes straight to report.html; going through a String and
        // FileWriter would re-encode them in the platform default charset.
        Files.write(Paths.get("report.html"), bytes);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```

I hope you find this helpful and that it resolves the issues people run into with automated security tests.
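Putting the steps above together, here is an added end-to-end example of my own (not code from the original post or from the ZAP project). It waits for the ZAP API to come up before the browser starts, runs the browser through ZAP, drains the passive scan queue, runs the spider before the active scan so the active scan has the whole site tree to work on, saves the HTML report, and then fails the build if ZAP recorded any High-risk alert. The ZAP host, port, the ZAP_API_KEY environment variable (null is fine when api.disablekey=true) and the TARGET URL are placeholders, and chromedriver is assumed to be on the PATH.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;
import java.util.stream.Collectors;

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.openqa.selenium.remote.CapabilityType;
import org.zaproxy.clientapi.core.Alert;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

// Added example: one run that wires the steps of the post together and gates on alerts.
// Assumed: ZAP already running as a daemon on ZAP_HOST:ZAP_PORT; all values are placeholders.
public class ZapSecurityGate {
    private static final String ZAP_HOST = "127.0.0.1";                     // assumed
    private static final int ZAP_PORT = 8090;                               // assumed
    private static final String ZAP_API_KEY = System.getenv("ZAP_API_KEY"); // assumed, may be null
    private static final String TARGET = "https://<application_url>/";      // placeholder

    private static final ClientApi api = new ClientApi(ZAP_HOST, ZAP_PORT, ZAP_API_KEY);

    // Block until the ZAP API answers; starting the tests before ZAP is up is a common failure.
    static void waitForZap(int maxSeconds) throws InterruptedException {
        for (int i = 0; i < maxSeconds; i++) {
            try {
                api.core.version();
                return;
            } catch (ClientApiException e) {
                Thread.sleep(1000);
            }
        }
        throw new IllegalStateException("ZAP API not reachable on " + ZAP_HOST + ":" + ZAP_PORT);
    }

    // Chrome driver that sends all HTTP and HTTPS traffic through ZAP.
    static WebDriver proxiedDriver() {
        String proxyAddress = ZAP_HOST + ":" + ZAP_PORT;
        Proxy zapProxy = new Proxy().setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
        ChromeOptions options = new ChromeOptions();
        options.setCapability(CapabilityType.PROXY, zapProxy);
        options.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true); // ZAP re-signs TLS
        return new ChromeDriver(options);
    }

    // Passive scanning lags behind the browser: wait until its queue is empty.
    static void waitForPassiveScan() throws ClientApiException, InterruptedException {
        while (Integer.parseInt(((ApiResponseElement) api.pscan.recordsToScan()).getValue()) > 0) {
            Thread.sleep(500);
        }
    }

    // Spider and active scan both return a scan id and report progress as 0-100.
    interface ScanStatus { String get(String scanId) throws ClientApiException; }

    static void waitForScan(String scanId, ScanStatus status, long pollMillis)
            throws ClientApiException, InterruptedException {
        int progress;
        do {
            Thread.sleep(pollMillis);
            progress = Integer.parseInt(status.get(scanId));
        } while (progress < 100);
    }

    // Alerts at or above the threshold; Alert.Risk is ordered Informational < Low < Medium < High.
    static List<Alert> alertsAtOrAbove(Alert.Risk threshold) throws ClientApiException {
        return api.getAlerts(TARGET, 0, 100000).stream()
                .filter(a -> a.getRisk().ordinal() >= threshold.ordinal())
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        waitForZap(60);
        WebDriver driver = proxiedDriver();
        try {
            driver.get(TARGET); // run the real Selenium suite here; every page goes through ZAP
        } finally {
            driver.quit();
        }
        waitForPassiveScan();

        // Spider first so the active scan has the full site tree, then the active scan.
        String spiderId = ((ApiResponseElement) api.spider.scan(TARGET, null, null, null, null)).getValue();
        waitForScan(spiderId, id -> ((ApiResponseElement) api.spider.status(id)).getValue(), 1000);
        String ascanId = ((ApiResponseElement) api.ascan.scan(TARGET, "True", "False", null, null, null)).getValue();
        waitForScan(ascanId, id -> ((ApiResponseElement) api.ascan.status(id)).getValue(), 5000);
        waitForPassiveScan(); // the scans generate more traffic, which is passively scanned too

        Files.write(Paths.get("report.html"), api.core.htmlreport());
        List<Alert> blocking = alertsAtOrAbove(Alert.Risk.High);
        for (Alert a : blocking) {
            System.out.println(a.getRisk() + "\t" + a.getName() + "\t" + a.getUrl());
        }
        if (!blocking.isEmpty()) {
            throw new AssertionError(blocking.size() + " High-risk ZAP alert(s); see report.html");
        }
    }
}
```

Running this as the last step of the test job turns ZAP into a build gate: the AssertionError fails the job, report.html is kept as an artifact for triage, and lowering the threshold to Alert.Risk.Medium tightens the gate once the High-risk findings are under control. Because the active scan attacks the target, schedule this only against a disposable test environment.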
Translated from: https://medium.com/datadriveninvestor/automated-security-tests-with-owasp-zap-c5326c9970a6