Dynamic application security testing (DAST) is a process of testing an application or software product in an operating state. This kind of testing is helpful for industry-standard compliance and general security protections for evolving projects.
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
You can use zap-api-scan to perform scans against APIs defined by OpenAPI, SOAP, or GraphQL. If your API is protected with authentication, you will need to prepare a token or API key before running the script.
The following example shows how to run ZAP locally against an API with:
Steps:
ZAP_AUTH_HEADER_VALUE=api_token_value
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=192.168.1.10
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
docker pull owasp/zap2docker-stable
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-api-scan.py -t http://192.168.1.10/swagger.json -f openapi -r report.html
For SOAP:
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-api-scan.py -t http://192.168.1.10/soap_wsdl_url -f soap -r report.html
For GraphQL:
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-api-scan.py -t http://192.168.1.10/graphql_url -f graphql -r report.html
The following example shows how to integrate ZAP into CircleCI to scan the API with:
Steps:
ZAP_AUTH_HEADER_VALUE=api_token_value
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=target_url
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-api-scan.py -f openapi -t https://target-url/swagger.json -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
Integrating a ZAP scan of a SOAP or GraphQL API into CI/CD is very similar to scanning a Swagger (OpenAPI) API; the only difference is the value of the “-f” option in the .circleci/config.yml file from step 2.
For SOAP:
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-api-scan.py -f soap -t https://target-url/soap_wsdl_url -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
For GraphQL:
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-api-scan.py -f graphql -t https://target-url/graphql_url -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report
You can use zap-full-scan to perform a full active scan for a web application. If your application is protected with authentication, you will need to prepare an authorization header or cookie before running the script.
The following example shows how to run ZAP locally against an application with:
Note: Please change the header name to “Cookie” if your application is authenticated by cookie/session.
Steps:
ZAP_AUTH_HEADER_VALUE=authorization_token_here
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=192.168.1.10
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
docker pull owasp/zap2docker-stable
docker run -it --env-file configuration_file_name --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-full-scan.py -t http://192.168.1.10 -r report.html
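The local procedures for zap-api-scan and zap-full-scan above share the same preparation: derive a bare host name for ZAP_AUTH_HEADER_SITE, write the three variables into a file for --env-file, then pick the scan script and format. The POSIX shell helpers below are an added example, not code from this page or from the ZAP project. The env file name zap.env and the ZAP_TOKEN variable the token is read from are assumptions for illustration; the docker invocation itself is the one the page shows.

```shell
#!/bin/sh
# Added example, not code from the page or from the ZAP project: helpers that
# prepare the --env-file the page describes and assemble the docker command
# for either zap-api-scan.py or zap-full-scan.py.
# Assumed/placeholder values: the env file name "zap.env" and the ZAP_TOKEN
# variable used in the usage section are illustrative only.

# ZAP_AUTH_HEADER_SITE must be the bare host: no scheme, port or path.
zap_auth_site() {
  host="${1#*://}"        # drop "http://" or "https://"
  host="${host%%/*}"      # drop any path such as /swagger.json
  host="${host%%:*}"      # drop an explicit port such as :8080
  printf '%s\n' "$host"
}

# Write the three variables ZAP reads. The file holds a live credential, so
# create it owner-readable only and keep it out of the repository.
write_zap_env() {
  file="$1"; site="$2"; token="$3"; header="${4:-Authorization}"
  ( umask 077
    printf 'ZAP_AUTH_HEADER_VALUE=%s\nZAP_AUTH_HEADER=%s\nZAP_AUTH_HEADER_SITE=%s\n' \
      "$token" "$header" "$site" > "$file" )
}

# Print the docker invocation. kind is "api" (needs a format) or "full".
zap_scan_cmd() {
  envfile="$1"; kind="$2"; target="$3"; fmt="$4"
  case "$kind" in
    api)
      case "$fmt" in
        openapi|soap|graphql) ;;
        *) echo "zap_scan_cmd: format must be openapi, soap or graphql" >&2; return 1 ;;
      esac
      script="zap-api-scan.py -t $target -f $fmt" ;;
    full)
      script="zap-full-scan.py -t $target" ;;
    *) echo "zap_scan_cmd: kind must be api or full" >&2; return 1 ;;
  esac
  printf 'docker run -it --env-file %s --rm -v "$PWD":/zap/wrk owasp/zap2docker-stable:latest %s -r report.html\n' \
    "$envfile" "$script"
}

# Usage (runs only when given a target and ZAP_TOKEN; nothing runs when sourced):
#   ZAP_TOKEN=... sh zap_scan.sh http://192.168.1.10/swagger.json openapi   # API scan
#   ZAP_TOKEN=... sh zap_scan.sh http://192.168.1.10                        # full scan
if [ "$#" -ge 1 ] && [ -n "${ZAP_TOKEN:-}" ]; then
  write_zap_env zap.env "$(zap_auth_site "$1")" "$ZAP_TOKEN"
  if [ "$#" -ge 2 ]; then
    cmd=$(zap_scan_cmd zap.env api "$1" "$2")
  else
    cmd=$(zap_scan_cmd zap.env full "$1")
  fi
  echo "$cmd"
  eval "$cmd"
fi
```

Passing the token through an environment variable and writing the file with umask 077 keeps the credential out of shell history and out of world-readable files; if your application authenticates by cookie, pass "Cookie" as the fourth argument to write_zap_env, matching the note in the full-scan section.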
The following example shows how to integrate ZAP into CircleCI to scan the application with:
Steps:
ZAP_AUTH_HEADER_VALUE=api_token_value
ZAP_AUTH_HEADER=Authorization
ZAP_AUTH_HEADER_SITE=target_url
Note: the ZAP_AUTH_HEADER_SITE value should exclude the http/https protocol and port, e.g. for the target https://www.this-is-a-target.com:8080, the ZAP_AUTH_HEADER_SITE value should be www.this-is-a-target.com.
Note: Please change the header name to “Cookie” if your application is authenticated by cookie/session.
jobs:
  scan:
    docker:
      - image: owasp/zap2docker-stable
    steps:
      - run:
          command: |
            mkdir /zap/wrk
            zap-full-scan.py -t https://target-url -r report.html
      - store_artifacts:
          path: /zap/wrk
          destination: zap-report