This series is about various automations that can be used to perform automated vulnerability assessment of web applications.
Let's get started…
Part 1 — How to integrate OWASP ZAP in Jenkins and run a simple web application scan.
About OWASP ZAP:
ZAP (Zed Attack Proxy) is an open-source proxy tool, similar to Burp, used in security assessments of web apps. It offers features such as a scanner, a fuzzer, a REST API and a lot more. A newer feature worth a look is the ZAP Heads Up Display (HUD).
Jenkins is an open-source automation server widely used for CI / CD purposes.
In this post I will walk through the installation of ZAP and Jenkins on an Ubuntu / Linux operating system, so that I can explain the issues that come up during the process and their solutions.
Installing Jenkins on Ubuntu — https://www.digitalocean.com/community/tutorials/how-to-install-jenkins-on-ubuntu-18-04
Once installed, configure Jenkins with a username & password and log in using those credentials.
To install ZAP through Jenkins, the following two Jenkins plugins need to be installed:
- Custom Tool Plugin — This is used to install ZAP on the respective operating system through Jenkins. If you have installed ZAP manually, or intend to, this plugin can be skipped; however, to avoid unnecessary problems it is better to use the plugin.
- OWASP ZAP official Plugin
Choose “Manage Jenkins” -> “Manage Plugins”, search for “OWASP ZAP” and “Custom Tools Plugin”, and install both.
Next, using the Custom Tool Plugin, we will install ZAP on the system.
Choose “Manage Jenkins” -> “Global Tool Configuration” -> Custom Tool option.
Tip: Make sure to keep the Label field blank to avoid this error.
You can use the stable or the weekly build depending on your need.
Building a Jenkins job.
Now we can create a new Jenkins job to configure ZAP to run on the system.
Choose “New Item” -> “Freestyle Project”, give it the desired name and click OK.
Build the job once without any options configured to create the workspace for the project; this is where reports, logs, etc. are stored.
Installing ZAP on the system using the Custom Tools Plugin. This step can be skipped if ZAP is already installed manually or in any other way.
Choose the created ZAP project and select Configure. Under the Build Environment section select the “Install Custom tool” option. Click “Add Tool” and from the drop-down select ZAP (the name chosen in Step 3).
Click Apply and Save the project. Let’s run the build and find out how ZAP gets installed.
Click “Build Now” and once the build is complete select the build id and choose “Console Output”.
We can now see the ZAP installation path and its workspace. Bingo!! Our first step towards integration is a success: ZAP is installed.
The next step is to “Execute ZAP” during the build process to scan an application of our choice.
Choose the same project and select Configure, now uncheck the “Install Custom Tool” option and under Build -> Add Build Step select Execute ZAP.
Specify the host and port on which ZAP needs to run.
For Installation Method we will choose the Custom Tool Installation option. If ZAP was installed manually, select “System Installed” and set the necessary environment variable to the ZAP installation path.
To set the environment variable go to Manage Jenkins -> Configure System, tick the Environment variables checkbox under Global Properties and click Add.
Name — ZAPPROXY_HOME, Value — the path where ZAP is installed (note this path down during manual installation).
Next we need to set the ZAP Home Directory. This can be /var/lib/jenkins/.ZAP_D
Tip: Remember, the ZAP installation directory and the ZAP home directory are different.
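The two directories in the tip above are the ones most often mixed up when the “System Installed” option is used, and the plugin's failure messages when they are wrong are not very readable. The script below is an added example (not code from the original post or from the ZAP plugin) that can run as an “Execute shell” step before Execute ZAP: it checks that ZAPPROXY_HOME points at an installation containing the zap.sh launcher, and that the home directory is writable and is not the same directory as the installation. The environment variable name ZAP_HOME_DIR for the home directory is an assumption made for this script; the plugin itself takes that value from the job form.

```python
"""Pre-flight check for the two ZAP directories a Jenkins job needs.

Added example, not code from the original post or from the ZAP Jenkins plugin.
  * ZAPPROXY_HOME  - installation directory; must contain the zap.sh launcher
  * ZAP home dir   - e.g. /var/lib/jenkins/.ZAP_D, where ZAP keeps sessions,
                     config and add-ons; must be writable and must differ from
                     the installation directory
Assumed: the home directory is passed in ZAP_HOME_DIR (a name chosen here).
"""
import os
import sys


def check_zap_dirs(install_dir, home_dir):
    """Return a list of problems; an empty list means ZAP can be launched."""
    problems = []
    if not install_dir:
        problems.append("ZAPPROXY_HOME is not set (System Installed needs it)")
        return problems
    launcher = os.path.join(install_dir, "zap.sh")
    if not os.path.isfile(launcher):
        problems.append(f"no zap.sh launcher in installation dir {install_dir}")
    elif not os.access(launcher, os.X_OK):
        problems.append(f"{launcher} exists but is not executable")

    if not home_dir:
        problems.append("ZAP home directory is not set")
        return problems
    if os.path.realpath(home_dir) == os.path.realpath(install_dir):
        problems.append("ZAP home dir must not be the installation dir")
    try:
        os.makedirs(home_dir, exist_ok=True)  # ZAP would create it; fail early instead
    except OSError as exc:
        problems.append(f"cannot create home dir {home_dir}: {exc}")
        return problems
    if not os.access(home_dir, os.W_OK):
        problems.append(f"home dir {home_dir} is not writable by the Jenkins user")
    return problems


if __name__ == "__main__":
    found = check_zap_dirs(os.environ.get("ZAPPROXY_HOME", ""),
                           os.environ.get("ZAP_HOME_DIR", ""))
    for problem in found:
        print("ZAP pre-flight:", problem, file=sys.stderr)
    sys.exit(1 if found else 0)  # a non-zero exit fails the Jenkins build early
```

Because the script exits non-zero on any problem, the build stops with a one-line reason in the console output instead of a stack trace from the ZAP step.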
Configuring the application for scanning.
Under Session Management, to store the session file for each build we can choose Persist Session, or we can load an existing session after a build. If we choose Persist Session, chances are high that it will consume system memory and might result in this error.
You can also use Jenkins variables such as “BUILD_ID” in the session file name or the Context Name to avoid overwriting the same session file.
Include in Context — defines the list of URLs to be scanned / in scope.
Exclude in Context — defines the list of URLs to be considered out of scope. A regex can also be used for exact pattern matching.
Tip: You will get the error “The provided url is not in the required context” if the URLs are not specified in the “Include in Context” field.
We can select the Starting Point and the type of scan under the Attack Mode menu. If you don’t find any value in the Policy drop-down, leave it at the default and it will be populated after the first run.
It is possible to generate reports with a file name that includes a Jenkins variable to avoid overwriting. You can also create JIRA issues, which will not be covered in this post.
If you want to save the logs and HTML reports of ZAP scans, it can be done using “Post-Build Actions”.
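To make the Include / Exclude in Context fields and the error in the tip above concrete, here is an added example (not code from the original post or from ZAP) that reproduces the scope decision locally: a URL is in context when it matches at least one include pattern and no exclude pattern, and the starting point of a scan must be in context. The assumption that patterns are full-URL regex matches (hence the trailing `.*` on the include pattern) and the example.test host names and patterns are constructed for this example.

```python
"""Reproduce ZAP's include/exclude context check for a list of URLs.

Added example, not code from the original post or from ZAP itself. A URL is in
scope when it fully matches an "Include in Context" regex and no "Exclude in
Context" regex (full-match semantics are assumed here). The starting point of
a scan must be in scope, otherwise the plugin complains with
"The provided url is not in the required context". All hosts and patterns
below are constructed for the example.
"""
import re

# Constructed job settings, mirroring the plugin's Include/Exclude fields.
INCLUDE_IN_CONTEXT = [r"https://app\.example\.test/.*"]
EXCLUDE_IN_CONTEXT = [r"https://app\.example\.test/logout.*",
                      r"https://app\.example\.test/admin/.*"]


def in_context(url, includes=INCLUDE_IN_CONTEXT, excludes=EXCLUDE_IN_CONTEXT):
    """True when url matches an include pattern and no exclude pattern."""
    if not any(re.fullmatch(p, url) for p in includes):
        return False
    return not any(re.fullmatch(p, url) for p in excludes)


def check_starting_point(url, includes=INCLUDE_IN_CONTEXT, excludes=EXCLUDE_IN_CONTEXT):
    """Raise the same complaint the plugin makes when the start URL is out of scope."""
    if not in_context(url, includes, excludes):
        raise ValueError("The provided url is not in the required context: " + url)
    return url


def partition(urls, includes=INCLUDE_IN_CONTEXT, excludes=EXCLUDE_IN_CONTEXT):
    """Split a list of URLs into (in_scope, out_of_scope) for a quick sanity report."""
    in_scope = [u for u in urls if in_context(u, includes, excludes)]
    out_of_scope = [u for u in urls if u not in in_scope]
    return in_scope, out_of_scope


if __name__ == "__main__":
    # Constructed list of URLs a spider might have found.
    crawled = ["https://app.example.test/", "https://app.example.test/login",
               "https://app.example.test/logout", "https://app.example.test/admin/users",
               "https://cdn.example.test/app.js"]
    ok, skipped = partition(crawled)
    print("in scope:", ok)
    print("out of scope:", skipped)
    check_starting_point("https://app.example.test/login")  # raises if out of scope
```

Running the check against the planned starting point before the job is saved catches the “not in the required context” error at configuration time rather than after a failed build. Excluding logout and admin paths, as in the constructed settings, is the usual way to keep the scanner from logging itself out or touching administrative functions.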
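Archiving the report is useful, but a scan only pays off in CI when its findings can fail the build. The following is an added example (not code from the original post or from the ZAP plugin) of a small post-build script that reads the XML report the plugin wrote into the workspace, counts alerts per risk level and exits non-zero when anything at or above a chosen risk level was found. The element names (OWASPZAPReport / site / alerts / alertitem with riskcode and name) follow ZAP's XML report layout as I know it; compare them with a report from your own ZAP version before relying on them. The embedded report is constructed for the example.

```python
"""Gate a Jenkins build on the ZAP XML report it just produced.

Added example, not code from the original post or from the ZAP plugin. Element
names follow ZAP's XML report layout as I know it; verify against a real report.
The SAMPLE_REPORT below is constructed for the example.
"""
import sys
import xml.etree.ElementTree as ET

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

SAMPLE_REPORT = """<OWASPZAPReport version="EXAMPLE" generated="EXAMPLE">
  <site name="https://app.example.test" host="app.example.test" port="443" ssl="true">
    <alerts>
      <alertitem><pluginid>1</pluginid><name>Constructed high-risk alert</name>
        <riskcode>3</riskcode><confidence>2</confidence><riskdesc>High (Medium)</riskdesc></alertitem>
      <alertitem><pluginid>2</pluginid><name>Constructed medium-risk alert</name>
        <riskcode>2</riskcode><confidence>3</confidence><riskdesc>Medium (High)</riskdesc></alertitem>
      <alertitem><pluginid>3</pluginid><name>Constructed low-risk alert</name>
        <riskcode>1</riskcode><confidence>2</confidence><riskdesc>Low (Medium)</riskdesc></alertitem>
      <alertitem><pluginid>4</pluginid><name>Constructed informational alert</name>
        <riskcode>0</riskcode><confidence>1</confidence><riskdesc>Informational (Low)</riskdesc></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Return [(site, alert name, riskcode)] for every alert item in the report."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.iter("site"):
        site_name = site.get("name", "?")
        for item in site.iter("alertitem"):
            name = item.findtext("name", default="?")
            risk = int(item.findtext("riskcode", default="0"))
            alerts.append((site_name, name, risk))
    return alerts


def count_by_risk(xml_text):
    """Count alerts per risk label, e.g. {'High': 1, 'Medium': 1, ...}."""
    counts = {}
    for _, _, risk in parse_alerts(xml_text):
        label = RISK_NAMES.get(risk, str(risk))
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_should_fail(xml_text, min_riskcode=3):
    """True when any alert has riskcode >= min_riskcode (3 = High by default)."""
    return any(risk >= min_riskcode for _, _, risk in parse_alerts(xml_text))


if __name__ == "__main__":
    # Usage: python zap_gate.py <path-to-report.xml>; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("alerts by risk:", count_by_risk(text))
    for site, name, risk in parse_alerts(text):
        print(f"{RISK_NAMES.get(risk, risk):>13}  {site}  {name}")
    sys.exit(1 if build_should_fail(text) else 0)  # non-zero marks the build failed
```

Start with the default threshold (fail only on High) so existing Medium and Low findings do not block every build, and lower min_riskcode once the backlog has been worked through.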
That’s it 👍. We have successfully configured ZAP in Jenkins to perform a basic scan of the application.
In the next post, I will cover application authentication, fully automated builds, ZAP Zest scripts and much more…