Automating Security Testing of web applications using OWASP Zed Attack Proxy in Jenkins

Automating security testing of web applications is not an easy task. Recently, I tried following OWASP Zed Attack Proxy (ZAP) with Jenkins to automate the security testing for an application I have developed. After trying everything with the help of various sources, I was able to completely automate the testing process.

This post summarizes the steps I followed to automate the testing.

Jenkins

Jenkins is an extensible automation server. We can deploy the Jenkins WAR file inside any server and, through its plugin architecture, use it for various purposes.

Zed Attack Proxy (ZAP)

ZAP is one of the world’s most popular free security tools. It can help you automatically find security vulnerabilities in your web applications.

I have deployed Jenkins 1.651.2.war inside my Tomcat server to do this testing.

1. Install the custom tool plugin [1] and the zaproxy plugin [2]

Manage Jenkins → Manage plugins → Available

2. Configuring the ZAP

This can be done in two ways. If you are using ZAP for the first time, it is recommended to do the configuration from the ZAP source code, which is available in its Git repository. This will automatically set up the environment you need for the testing.

Manage Jenkins → Global tool Configuration → Custom tool → Custom tool installations

As a second option, if you already have ZAP installed on your local machine, you can specify it inside the job configuration.

Go to your job → Configure → Startup → ZAProxy is already installed, and specify ZAP_HOME in the field.

3. Now create a new job using the New Item option and click OK (I have created the project as a Freestyle project)

4. We will then be redirected to the job configuration section. Configure the source code management section with the Git/Subversion URL

6. Configure the build options

This section is fully customizable, and you can adapt it to your project's needs. I’m using a Maven web project for my testing purposes, so to deploy the web application, I should build the application and deploy it in a server.

7. Configure ZAProxy for the job

Leave the Admin configuration at its defaults. For Startup, if you have configured ZAProxy correctly in the global configuration, you will find drop-down options in the Tool to use field.

Setup [2]

Load session: Allows the user to load a ZAProxy session. The session must be in a folder’s workspace. If a session is loaded, it is not necessary to save it at the end, because ZAProxy backs it up in real time until the session is closed. (Not available the first time you configure the job.)

Target URL: The URL that will be subjected to the ZAProxy attacks.

URL to exclude from context: The URL(s) that ZAP must not scan, in order to prevent side effects. For example, in an authenticated session, a logout URL would invalidate the session.

Choose policy to use: This list contains all policy files located in “specifiedDirectory/policies”. You can add custom policies inside this directory to define the strength of the scan.

Unauthenticated scan: ZAP will perform the scan with no user profile.

  • Spider URL: If this box is checked, ZAProxy will run a spider [3].
  • Ajax Spider: If this box is checked, ZAProxy will run an Ajax Spider scan [4].
  • Scan URL: If this box is checked, ZAProxy will run an active scan of the specified URL.

Authenticated scan: ZAP performs the scan from the point of view of the defined user.

Generate report: If this box is checked, the security alerts emitted by ZAProxy will be saved into a file in the build’s workspace. Under this option you can also specify the file format.

8. Building the job

Select the job → Build Now

If the build succeeds, you will find the generated report in the workspace.
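
One way to turn the generated report into a pass/fail signal for the build, as an added example that is not part of the original post or the plugin's code. It assumes the report was saved as XML in ZAP's `alertitem`/`riskcode` layout; the script name `zap_gate.py`, the default threshold and the sample report are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample, not real scan output (assumed layout: alertitem/riskcode).
SAMPLE_REPORT = """<OWASPZAPReport version="constructed">
  <site name="http://localhost:8080">
    <alerts>
      <alertitem><alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode><uri>http://localhost:8080/search</uri></alertitem>
      <alertitem><alert>Cookie set without HttpOnly flag</alert>
        <riskcode>1</riskcode><uri>http://localhost:8080/login</uri></alertitem>
      <alertitem><alert>Malformed entry</alert>
        <riskcode>n/a</riskcode><uri>http://localhost:8080/x</uri></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""


def parse_alerts(xml_text):
    """Return [(risk, alert_name, uri)] for every alertitem in the report."""
    root = ET.fromstring(xml_text)
    if root.find("site") is None:
        raise ValueError("no <site> element: the scan probably never ran")
    alerts = []
    for item in root.iter("alertitem"):
        raw = (item.findtext("riskcode") or "").strip()
        # Unreadable risk codes count as High so they cannot slip past the gate.
        risk = int(raw) if raw in ("0", "1", "2", "3") else 3
        alerts.append((risk, item.findtext("alert", "?"), item.findtext("uri", "?")))
    return alerts


def failing_alerts(alerts, threshold=2):  # at or above threshold, worst first
    return sorted((a for a in alerts if a[0] >= threshold), key=lambda a: a[0], reverse=True)


def gate(xml_text, threshold=2):
    failed = failing_alerts(parse_alerts(xml_text), threshold)
    for risk, name, uri in failed:
        print(f"{RISK_NAMES[risk]:<13} {name} -> {uri}")
    return 1 if failed else 0  # non-zero exit fails the Jenkins build step


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: zap_gate.py <report.xml>
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(gate(fh.read()))
    gate(SAMPLE_REPORT)  # no argument: demo run on the constructed sample
```

Run as a shell build step after the ZAProxy step, the script makes the job fail whenever the report contains Medium or High alerts instead of only archiving them.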

References

[1] https://wiki.jenkins-ci.org/display/JENKINS/Custom+Tools+Plugin
[2] https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin
[3] https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan
[4] https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts#ajax-spider
[5] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project