Lädt...


🔧 Securing Your Web Applications (DAST): A Deep Dive into OWASP ZAP Scans with Docker


Nachrichtenbereich: 🔧 Programmierung
🔗 Quelle: dev.to

Scanning Localhost Application with Docker ZAP

Table of Contents

  • Scanning Localhost Application with Docker ZAP
    • Table of Contents
    • Introduction
    • Key Features of ZAP
    • Benefits of Using ZAP for DAST
    • Getting Started with ZAP
    • Setting up TIWAP
    • Step-by-Step Instructions to Set Up the Web Application
    • Docker Installation Instructions
    • Execution Instructions
    • Step 1: Pull the ZAP Docker Image
    • Step 2: Start Your Localhost Application
    • Step 3: Run the ZAP Scan
      • Explanation of the Command
    • Command Output
    • Step 4: Retrieve the HTML Report
    • Additional Tips

Introduction

Dynamic Application Security Testing (DAST) is a type of security testing that involves testing an application in its running state. Unlike static analysis, which examines the source code, DAST scans an application from the outside in, simulating an attacker’s perspective. This approach helps identify vulnerabilities that might be exploited in a real-world attack scenario, such as SQL injection, cross-site scripting (XSS), and other web application vulnerabilities.

One of the most popular tools for performing DAST is the Zed Attack Proxy (ZAP), an open-source security scanner maintained by the Open Web Application Security Project (OWASP). ZAP is designed to be easy to use, even for those new to application security, while also providing powerful features for advanced users.

Key Features of ZAP

  • Automated Scanning: ZAP can automatically scan web applications for security vulnerabilities.
  • Passive Scanning: Monitors HTTP traffic and passively scans for vulnerabilities without altering the request-response cycle.
  • Active Scanning: Actively probes the web application for vulnerabilities by sending various types of malicious requests.
  • Spidering: Crawls the web application to discover all the pages and endpoints that need to be tested.
  • API Integration: Provides a robust API that allows for integration with CI/CD pipelines for continuous security testing.
  • Extensibility: Supports various add-ons and plugins to extend its functionality.

Benefits of Using ZAP for DAST

  1. Comprehensive Coverage: ZAP can identify a wide range of vulnerabilities, including those listed in the OWASP Top Ten.
  2. Ease of Use: Its intuitive interface and extensive documentation make it accessible for beginners.
  3. Community Support: Being an OWASP project, ZAP benefits from a large community of contributors and users who help in improving and updating the tool.
  4. Cost-Effective: As an open-source tool, ZAP is free to use, making it an attractive option for organizations of all sizes.

Getting Started with ZAP

To start using ZAP for DAST scanning, follow these steps:

  1. Download and Install ZAP: ZAP is available for Windows, macOS, and Linux. You can download it from the official ZAP website.
  2. Configure Your Browser: Set up your web browser to use ZAP as a proxy to capture and inspect the HTTP traffic.
  3. Start Scanning: Use ZAP's spidering and scanning features to discover and test the web application's endpoints for vulnerabilities.
  4. Review and Mitigate: Analyze the scan results to identify vulnerabilities and take appropriate actions to mitigate them.

Setting up TIWAP

Step-by-Step Instructions to Set Up the Web Application

  • Clone the GitHub Repository

First, clone the repository to your local machine. Open your terminal and run the following command:

   git clone https://github.com/hassanaftab93/TIWAP.git 

This command downloads all the project files from the GitHub repository to a directory named TIWAP on your local machine.

  • Navigate to the Project Directory

After cloning the repository, navigate into the project directory:

   cd TIWAP

This changes your current directory to the TIWAP directory, where the project files are located.

  • Run Docker Compose to Spin Up the Web Application

Use Docker Compose to build and start the web application. Make sure Docker is installed and running on your system. Then run:

   docker-compose up -d

Docker Compose Output

This command uses the docker-compose.yml file to build the Docker containers and start the application in detached mode (running in the background).

  • Verify the Application is Running

After running the Docker Compose command, verify that the application is running. Open your web browser and navigate to:

   https://localhost:8080

browser webpage

or you can

   curl -k https://localhost:8080

curl localhost

As seen in the images above, the web application up and running.

Docker Installation Instructions

In order for you to run any of these commands, you'll need to have Docker installed. You can view the instructions here: Get Docker: Installation Instructions.

Execution Instructions

Step 1: Pull the ZAP Docker Image

First, ensure you have Docker installed and running on your system. Then, pull the latest OWASP ZAP Docker image:

docker pull owasp/zap2docker-stable

Before we start with the zap scans, lets first take a look at the docker image itself

Lets run the following command:

   docker run --rm -it zaproxy/zap-stable:latest bash

This will take us inside the running container of the image and show us the contents in its default working dir, which is /zap

zap@6026a83c9b31:/zap$ ls -la
total 5632
drwxr-xr-x 1 zap  zap     4096 Oct  7 16:47 .
drwxr-xr-x 1 root root    4096 Oct 15 15:26 ..
-rw-r--r-- 1 zap  zap    10324 Oct  7 16:45 CHANGELOG.md
-rw-r--r-- 1 zap  zap     2167 Jan  2  1970 README
-rw-r--r-- 1 zap  zap       18 Oct  7 16:47 container
drwxr-xr-x 2 zap  zap     4096 Jan  2  1970 db
drwxr-xr-x 2 zap  zap     4096 Jan  2  1970 lang
drwxr-xr-x 2 zap  zap     4096 Jan  2  1970 lib
drwxr-xr-x 2 zap  zap     4096 Jan  2  1970 license
drwxr-xr-x 2 zap  zap     4096 Oct  7 16:47 plugin
drwxr-xr-x 3 zap  zap     4096 Jan  2  1970 scripts
drwxr-xr-x 1 zap  zap     4096 Oct  7 16:45 webswing
drwxr-xr-x 2 zap  zap     4096 Jan  2  1970 xml
-rw-r--r-- 1 zap  zap  5450049 Jan  2  1970 zap-2.15.0.jar
-rwxr-xr-x 1 zap  zap    26496 Oct  7 16:45 zap-api-scan.py
-rwxr-xr-x 1 zap  zap    24732 Oct  7 16:45 zap-baseline.py
-rwxr-xr-x 1 zap  zap    20576 Oct  7 16:45 zap-full-scan.py
-rwxr-xr-x 1 zap  zap     2977 Oct  7 16:45 zap-webswing.sh
-rwxr-xr-x 1 zap  zap      319 Oct  7 16:45 zap-x.sh
-rw-r--r-- 1 zap  zap      188 Jan  2  1970 zap.bat
-rw-r--r-- 1 zap  zap   123778 Jan  2  1970 zap.ico
-rwxr-xr-x 1 zap  zap     4231 Jan  2  1970 zap.sh
-rw-r--r-- 1 zap  zap    23306 Oct  7 16:45 zap_common.py

As seen above in the output, we have 3 main python executable files that we can use for scans, later in the article we will see the flag to pass the python file name to use

  • zap-api-scan.py
  • zap-baseline.py
  • zap-full-scan.py

Step 2: Start Your Localhost Application

Make sure your local application is running on localhost. For example, if it's a web application, it might be accessible at
http://localhost:8080.

Step 3: Run the ZAP Scan

Use the following command to run the ZAP scanner against your localhost application. This command assumes your application is accessible on port 8080. Adjust the port number accordingly if your application uses a different port.

  • Linux/Unix

    docker run -v $(pwd):/zap/wrk/:rw --network="host" zaproxy/zap-stable zap-baseline.py -t https://localhost:8080 -r scan-report.html
    
  • Windows Powershell

    docker run -v ${PWD}:/zap/wrk/:rw --network="host" zaproxy/zap-stable zap-baseline.py -t https://localhost:8080 -r scan-report.html
    

Explanation of the Command

  • -v $(pwd):/zap/wrk/:rw

This option mounts the current directory ($(pwd)) to the /zap/wrk/ directory inside the container. The report will be saved in this directory.

  • --network="host"

This tells Docker to use the host's network, allowing the Docker container to access localhost.

  • zap-full-scan.py

This is a script provided by ZAP for running a full scan, which performs a deeper and more thorough scan. It will take a while though.

  • -t http://localhost:8000

Specifies the target URL for the scan. NOTE: You can however provide URL for your own web app as well, be it on localhost or hosted somewhere, hopefully not in production yet :D

  • -r scan-report.html

Specifies the name of the report file to generate.

Command Output


> docker run -v $(pwd):/zap/wrk/:rw --network="host" zaproxy/zap-stable zap-baseline.py -t https://localhost:8080 -r scan-report.html
Using the Automation Framework
Total of 19 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Dangerous JS Functions [10110]
PASS: Session Management Response Identified [10112]
PASS: Verification Request Identified [10113]
PASS: Script Served From Malicious Domain (polyfill) [10115]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Sub Resource Integrity Attribute Missing [90003]
PASS: Insufficient Site Isolation Against Spectre Vulnerability [90004]
PASS: Charset Mismatch [90011]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Re-examine Cache-control Directives [10015] x 2 
        https://localhost:8080 (200 OK)
        https://localhost:8080/robots.txt (200 OK)
WARN-NEW: Missing Anti-clickjacking Header [10020] x 1 
        https://localhost:8080 (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 6 
        https://localhost:8080 (200 OK)
        https://localhost:8080/index.css (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=console.png (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=debugger.js (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=style.css (200 OK)
WARN-NEW: Information Disclosure - Suspicious Comments [10027] x 3 
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=debugger.js (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=debugger.js (200 OK)
        https://localhost:8080/login (500 Internal Server Error)
WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 12 
        https://localhost:8080 (200 OK)
        https://localhost:8080/app/app.py (404 Not Found)
        https://localhost:8080/app/helper/db_manager.py (404 Not Found)
        https://localhost:8080/index.css (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=console.png (200 OK)
WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 12 
        https://localhost:8080 (200 OK)
        https://localhost:8080/app/app.py (404 Not Found)
        https://localhost:8080/app/helper/db_manager.py (404 Not Found)
        https://localhost:8080/index.css (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=console.png (200 OK)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 8 
        https://localhost:8080 (200 OK)
        https://localhost:8080/app/app.py (404 Not Found)
        https://localhost:8080/app/helper/db_manager.py (404 Not Found)
        https://localhost:8080/login?btn=Confirm+Pin&pin=ZAP (404 Not Found)
        https://localhost:8080/sitemap.xml (404 Not Found)
WARN-NEW: Storable and Cacheable Content [10049] x 12 
        https://localhost:8080 (200 OK)
        https://localhost:8080/app/app.py (404 Not Found)
        https://localhost:8080/app/helper/db_manager.py (404 Not Found)
        https://localhost:8080/index.css (200 OK)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=console.png (200 OK)
WARN-NEW: Permissions Policy Header Not Set [10063] x 9 
        https://localhost:8080 (200 OK)
        https://localhost:8080/app/app.py (404 Not Found)
        https://localhost:8080/app/helper/db_manager.py (404 Not Found)
        https://localhost:8080/login?__debugger__=yes&cmd=resource&f=debugger.js (200 OK)
        https://localhost:8080/login?btn=Confirm+Pin&pin=ZAP (404 Not Found)
WARN-NEW: Source Code Disclosure - SQL [10099] x 1 
        https://localhost:8080/login (500 Internal Server Error)
WARN-NEW: Modern Web Application [10109] x 2 
        https://localhost:8080 (200 OK)
        https://localhost:8080/login (500 Internal Server Error)
WARN-NEW: Authentication Request Identified [10111] x 1 
        https://localhost:8080/login (500 Internal Server Error)
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 1 
        https://localhost:8080/login (500 Internal Server Error)
WARN-NEW: Application Error Disclosure [90022] x 1 
        https://localhost:8080/login (500 Internal Server Error)
FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 14    WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 52

Step 4: Retrieve the HTML Report

Once the scan is complete, an HTML report named scan-report.html will be saved in your current working directory. You can open this file in any web browser to view the detailed security scan report.

Here is the report it generates:

Scan Report - Generated for TIWAP

Your generated report can be shared with your teams to make the proper fixes required.

Additional Tips

  • Scan Duration: Depending on the complexity and size of your application, the scan may take some time. Ensure your application remains running until the scan is completed.
  • Security Considerations: Regularly update the Docker image with docker pull owasp/zap2docker-stable to ensure you are using the latest security checks and features.
...

🔧 Securing Your Web Applications (DAST): A Deep Dive into OWASP ZAP Scans with Docker


📈 117.39 Punkte
🔧 Programmierung

🔧 OWASP ZAP: Securing Web Applications


📈 53.27 Punkte
🔧 Programmierung

📰 Zap-Hud - The OWASP ZAP Heads Up Display (HUD)


📈 53.1 Punkte
📰 IT Security Nachrichten

📰 Fortifying Linux Web Applications: Mastering OWASP ZAP and ModSecurity for Optimal Security


📈 43.32 Punkte
🐧 Unix Server

📰 Securing Your Web Applications and APIs with Veracode DAST Essentials


📈 41.66 Punkte
📰 IT Security Nachrichten

📰 Securing Your Web Applications and APIs with DAST Essentials


📈 41.66 Punkte
📰 IT Security Nachrichten

🔧 Docker DevTools Day 2.0: Dive Deep into the Docker Developer Ecosystem


📈 36.8 Punkte
🔧 Programmierung

📰 Looking for the best in DAST: How to select DAST tools for DevSecOps


📈 36.68 Punkte
📰 IT Security Nachrichten

🕵️ OWASP ZAP – Web Application Security Testing Tool


📈 36.1 Punkte
🕵️ Hacking

🔧 Enhance Your Application Security with NMAP and OWASP ZAP: A Practical Guide


📈 35.56 Punkte
🔧 Programmierung

📰 Arachni vs OWASP ZAP | UpGuard


📈 32.76 Punkte
📰 IT Security Nachrichten

🎥 WebSocket Hijack, Post-Quantum Side-Channel, OWASP's Future, OAuth Misconfigs, ZAP - ASW #231


📈 32.76 Punkte
🎥 IT Security Video

🎥 OWASP ZAP Project - Simon Bennetts


📈 32.76 Punkte
🎥 IT Security Video

🕵️ Official OWASP ZAP Plugin on Jenkins Global Configuration Credentials information disclosure


📈 32.76 Punkte
🕵️ Sicherheitslücken

🎥 BeNeLux Day 2018: OWASP Zap - David Scrobonia


📈 32.76 Punkte
🎥 IT Security Video

📰 AdEMAMix: A Deep Dive into a New Optimizer for Your Deep Neural Network


📈 32.33 Punkte
🔧 AI Nachrichten

🔧 Uncovering SAST ,DAST ,OWASP Dependency-Check in DevSecOps family (Part-2)


📈 30.76 Punkte
🔧 Programmierung

🔧 A Deep Dive Into Recommendation Algorithms With Netflix Case Study and NVIDIA Deep Learning Technology


📈 29.53 Punkte
🔧 Programmierung

🔧 Deep Dive into apple-app-site-association file: Enhancing Deep Linking on iOS


📈 29.53 Punkte
🔧 Programmierung

🔧 Deep Dive into apple-app-site-association file: Enhancing Deep Linking on iOS


📈 29.53 Punkte
🔧 Programmierung

🎥 Deep dive into Flutter deep linking


📈 29.53 Punkte
🎥 Video | Youtube

🔧 Deep Dive into Docker


📈 29.45 Punkte
🔧 Programmierung

🔧 A Very Deep Dive Into Docker Builds


📈 29.45 Punkte
🔧 Programmierung

🔧 A Deep Dive into Docker Compose


📈 29.45 Punkte
🔧 Programmierung

🔧 Day 7: Deep Dive into Docker and Container Orchestration


📈 29.45 Punkte
🔧 Programmierung

🔧 Deep Dive into Go: Exploring 12 Advanced Features for Building High-Performance Concurrent Applications


📈 29.33 Punkte
🔧 Programmierung

🔧 Deep Dive into Go: Exploring 12 Advanced Features for Building High-Performance Concurrent Applications


📈 29.33 Punkte
🔧 Programmierung

🔧 Ensuring Robust React Applications: A Deep Dive into Testing with Jest and React Testing Library


📈 29.33 Punkte
🔧 Programmierung

🔧 A Deep Dive into AI Advancements and Applications


📈 29.33 Punkte
🔧 Programmierung

📰 A Deep Dive Into Relational Databases And Their Applications


📈 29.33 Punkte
🔧 AI Nachrichten

🔧 Implementing GPT Models: A Deep Dive into Transformative AI Applications


📈 29.33 Punkte
🔧 Programmierung

🎥 A Deep Dive Into POWERful Serverless Applications


📈 29.33 Punkte
🎥 Video | Youtube

🔧 Unlocking Web Data with LangChain: A Deep Dive into Web Loaders


📈 28.78 Punkte
🔧 Programmierung

matomo