Security Automation Series — Part 1 OWASP ZAP — Jenkins Integration

Gowtham
Jun 19 · 5 min read

This series covers various automation techniques that can be used to perform automated vulnerability assessment of web applications.

ZAP — Jenkins Integration

Let's get started…

Part 1 — How to integrate OWASP ZAP in Jenkins and run a simple web application scan.

About OWASP ZAP:

ZAP (Zed Attack Proxy) is an open-source intercepting proxy, similar to Burp, that is used in security assessments of web apps. It offers features such as a scanner, a fuzzer, a REST API and much more. A new and really interesting feature is the ZAP Heads Up Display (HUD).

About Jenkins:

Jenkins is an open source automation server widely used for CI / CD purposes.

In this post I will walk through the installation of ZAP and Jenkins on an Ubuntu / Linux operating system, so that I can explain the issues that occur during the process and their solutions.

Step-1:

Installing Jenkins in ubuntu — https://www.digitalocean.com/community/tutorials/how-to-install-jenkins-on-ubuntu-18-04

Once installed, configure Jenkins with a username and password and log in using the credentials.

Step-2:

To install ZAP we need the following two Jenkins plugins:

Choose “Manage Jenkins” -> “Manage Plugins”, search for “OWASP ZAP” and “Custom Tools Plugin”, and install both.

OWASP ZAP Plugin in Jenkins
Custom Tools Plugin in Jenkins

Step-3:

Next, using the Custom Tools Plugin, we will install ZAP on the system.

Choose “Manage Jenkins” -> “Global Tool Configuration” -> “Custom Tool”.

Installing ZAP using Custom Tool Plugin

Tip: Make sure to keep the Label field blank, otherwise the tool installation fails with an error.

You can use stable or weekly build based on your need.

Step-4:

Building a Jenkins job.

Now we can create a new Jenkins job to configure ZAP to run in the system.

Choose “New Item” -> “Freestyle Project”, enter the desired name and click OK.

Creating New Project Item

Build the job without any options configured to create the workspace for the project; this is where reports, logs, etc. will be stored.

Step-5:

Installing ZAP on the system using the Custom Tools Plugin. This step can be skipped if ZAP is already installed manually or in any other way.

Choose the created ZAP project and select Configure. Under the Build Environment section select the “Install Custom tools” option. Click “Add Tool” and from the drop-down select ZAP (the name chosen in Step-3).

Configuring Build Environment

Click Apply and Save the project. Let’s run the build and find out how ZAP gets installed.

Click “Build Now” and once the build is complete select the build id and choose “Console Output”.

ZAP installation output

The console output now shows the ZAP installation path and its workspace. Bingo!! Our first step towards integration is a success: ZAP is installed.

Step-6:

The next step is to “Execute ZAP” during the build process to scan an application of our choice.

Choose the same project and select Configure, now uncheck the “Install Custom Tool” option and under Build -> Add Build Step choose Execute ZAP.

Options to Execute ZAP

Specify Host and Port on which ZAP needs to run.

Choosing Installation Method

For Installation Method we will choose the Custom Tool Installation option. If ZAP was installed manually, select “System Installed” and set the necessary environment variable to the ZAP installation path.

To set the environment variable go to Manage Jenkins -> Configure System, tick the Environment variables checkbox under Global Properties and click Add.

Name — ZAPPROXY_HOME, Value — the path where ZAP is installed (note this path during manual installation).

Setting Environment Variables

Next we need to set the ZAP Home Directory. This can be /var/lib/jenkins/.ZAP_D

Setting ZAP Home Directory

Tip: Remember, the ZAP installation path and the ZAP home directory are two different things.

Step-7:

Configuring the application for scanning.

Scan Configuration

Under Session Management, to store the session file for each build we can choose Persist Session, or we can load an existing session after a build. If we choose Persist Session there is a high chance it consumes a lot of system memory and the build fails with an error.

You can also use Jenkins variables such as “BUILD_ID” in the session file name or the Context Name to avoid overwriting the same session file.

Include in Context — Define the list of URLs to be scanned / in scope.

Exclude in Context — Define the list of URLs to be considered out of scope. We can also use a regex for exact pattern matching.

Tip: You will get the error “The provided url is not in the required context” if the URLs are not specified in the “Include in Context” field.

Step-8:

Setting up Scan Mode

We can select the Starting Point and the type of scan under the Attack Mode menu. If you don’t find any value in the Policy dropdown, leave it at the default; the values will show up after the first run.

Generation of reports

Reports can be generated with a file name that includes a Jenkins variable to avoid overwriting. You can also create JIRA issues, which will not be covered in this post.

If you want to save the logs and HTML reports of ZAP scans, this can be done using “Post-Build Actions”.
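The same scan that Steps 6 to 8 configure through the “Execute ZAP” build step can also be driven from an “Execute shell” build step with ZAP’s command line, which makes the mapping between the UI fields and what ZAP actually runs explicit. This is an added example, not code from the original post or from the ZAP project; it assumes ZAPPROXY_HOME is the installation path from Step-6, that the ZAP home directory is the post’s /var/lib/jenkins/.ZAP_D, that TARGET_URL is a string parameter of the job, and that the paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): the "Execute ZAP" scan written
# as an "Execute shell" build step. BUILD_ID, WORKSPACE and JENKINS_URL are
# set by Jenkins; TARGET_URL is assumed to be a job parameter.
set -eu

: "${ZAPPROXY_HOME:=/opt/zaproxy}"            # installation dir, where zap.sh lives
: "${ZAP_HOME_DIR:=/var/lib/jenkins/.ZAP_D}"   # ZAP home dir (sessions, policies, config)
: "${WORKSPACE:=$PWD}"                         # job workspace created in Step-4
: "${BUILD_ID:=local}"                         # keeps session and report names unique
: "${TARGET_URL:=http://localhost:3000/}"      # constructed placeholder target

# Assemble the zap.sh command line. Each flag maps to a UI field from the post:
#   -cmd/-silent  run inline without the GUI and without update checks
#   -dir          ZAP Home Directory (distinct from the installation path)
#   -newsession   Persist Session, named with BUILD_ID so builds do not overwrite it
#   -quickurl     Starting Point of the scan (spider followed by active scan)
#   -quickout     report file name, again carrying BUILD_ID
zap_command() {
  target="$1"
  build="$2"
  printf '%s' "$ZAPPROXY_HOME/zap.sh -cmd -silent -dir $ZAP_HOME_DIR" \
    " -newsession $ZAP_HOME_DIR/session-$build" \
    " -quickurl $target -quickout $WORKSPACE/zap-report-$build.html -quickprogress"
}

# Report location, so a Post-Build "Archive the artifacts" step can pick it up.
report_path() { echo "$WORKSPACE/zap-report-$1.html"; }

# Run the scan; fail the build loudly when ZAP is missing or no report appears,
# instead of silently producing a green build with nothing scanned.
run_zap_scan() {
  if [ ! -x "$ZAPPROXY_HOME/zap.sh" ]; then
    echo "zap.sh not found under ZAPPROXY_HOME=$ZAPPROXY_HOME" >&2
    return 1
  fi
  mkdir -p "$ZAP_HOME_DIR"
  cmd=$(zap_command "$TARGET_URL" "$BUILD_ID")
  echo "Running: $cmd"
  $cmd                                  # word splitting is intended here
  [ -s "$(report_path "$BUILD_ID")" ]   # empty or missing report = failed scan
}

# Only execute inside a Jenkins build; elsewhere just define the functions.
if [ -n "${JENKINS_URL:-}" ]; then
  run_zap_scan
fi
```

Archive `zap-report-${BUILD_ID}.html` with the “Archive the artifacts” post-build action to keep one report per build, exactly as the post suggests for the plugin’s report file name.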

That’s it 👍. We have successfully configured ZAP in Jenkins to perform a basic scan of the application.

In the next post I will cover application authentication, automated builds, ZAP Zest scripts and much more…

Cheers!!!

Thanks to Vignesh C.
