OWASP ZAP | Automated Pen Test with Jenkins

Assumption: we have a good understanding of the following tools and terminology.

  • OWASP ZAP
* The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools.
* It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them.
  • Jenkins (Continuous Integration Tool)
* Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software.

Purpose / Objective / Problem Statement:

Run OWASP Zed Attack Proxy (ZAP) from Jenkins to automate security testing of an application. We will implement this against the site below:

AUT: http://newtours.demoaut.com/mercurywelcome.php

High Level Process Flow:

Figure: OWASP ZAP | Automated Pen Test with Jenkins | Process Flow

A) Create a new Jenkins job:

* Click New Item and create a new Job as a Freestyle Project. Click OK.
* Click Save without making any configuration changes for the Job.
* Click Build Now to create a workspace on the master machine.
Figure: Create a new Jenkins job

B) Install “OWASP ZAP” Tool:

We need to have the OWASP ZAP tool installed on the Jenkins machine. There are two ways to get this done:

  • Installed Manually
Download it from the official website onto the machine where the Jenkins node is running.

Go to Manage Jenkins -> Configure System and select the Environment variables checkbox under Global Properties. Click Add.

Enter the name as ZAPROXY_HOME and give the value as the ZAP installation path. In this example, it would be /opt/zaproxy. Save the changes.

  • Installed Automatically through Jenkins
Under Manage Jenkins -> Global Tool Configuration, click Custom Tool installation. Under the Custom Tool section, provide the download link for the OWASP ZAP tar (.exe in the case of Windows) and the directory name.
Note:
1) If you don't have the Custom Tool Installation option, you need to install the plugin called “Custom Tool Installation”.
2) The actual download will happen once we build the job.
We will use this configuration in section "D) Configure Jenkins job:" below.

C) Install “Official OWASP ZAP” Plugin:

To integrate ZAP with Jenkins, you need to install the “Official OWASP ZAP” plugin. You can find it under Manage Jenkins -> Manage Plugins.

Figure: Download ZAP plugin

C-1) Configure “Official OWASP ZAP” Plugin:

You’ll need to configure two essential things, namely the ZAP host and port. Go to Manage Jenkins -> Configure System and fill in the ZAP Host and Port fields under the ZAP section.

Port 5555 is an example; you can choose any port you want here.

D) Configure Jenkins job:

  • Click Configure | Select Build Environment. Check the Install Custom Tools option, and select the ZAP tool.
Figure: ZAP installed automatically through Jenkins
  • Select the Build tab under project configuration | Click Add build step | Select Execute ZAP
Figure: Add the Execute ZAP build step

E) Configure “Execute ZAP” Step:

E-1) Select the “Installation Method”

  • If Installed Manually:

If you already have ZAP installed, select the “System Installed: ZAP Installation Directory” option, and leave the environment variable input at its default.

Specify the ZAP installation path through the environment variable (ZAPROXY_HOME) set in section B.

Figure: If Installed Manually
  • If Installed Automatically:

If you don’t have ZAP installed, select the “Custom Tool Installation” option, and leave the environment variable input at its default.

Figure: If Installed Automatically

E-2) Set the “ZAP Home Directory” section

This should be the path to the directory of the Jenkins job you are creating.

E-3) Configure the “Session Management/Properties” section

  • You need to create a Persist Session in ZAP under the Session Management section. You’ll need to provide the application name and URL under the Session Properties options.
Figure: Session Management

E-4) Configure the “Attack Mode” section

Under the Attack Mode section of the Build tab, enter the URL in the Starting Point field for spidering the application, and select the Spider Scan option. Leave the rest of this section at its defaults. Enable the Active Scan checkbox and select the Policy from the dropdown list.

NOTE: If there are no options in the dropdown list, which will be the case the first time you run ZAP, the Default Policy will be used for the active scan.
Figure: Configuring the scan policies per your testing requirements

E-5) Configure the “Generate Report” section

Tick the Generate Report check box and provide all the information needed to generate the report in HTML and XML format. You need to give a unique filename for every iteration of the scan.

Example:
JENKINS_ZAP_VULNERABILITY_REPORT_${BUILD_ID}
JENKINS_ZAP_VULNERABILITY_REPORT_ : a constant prefix
${BUILD_ID} : the Jenkins environment variable, which is always unique to the current build.
Figure: Generating reports
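To make concrete what the Execute ZAP step configured in E-1 to E-5 does at run time, here is an added stand-alone Python script (not part of the original post and not the plugin's own code) that drives a running ZAP daemon over its REST API the same way: spider the starting point, run an active scan with an optional policy (or ZAP's Default Policy when none is given), then write HTML and XML reports named with the prefix and BUILD_ID from E-5. It assumes ZAP is already listening on the host and port from C-1 (127.0.0.1:5555 here, overridable through the script's own ZAP_HOST and ZAP_PORT variables) and, if the daemon was started with an API key, that the key is supplied in ZAP_API_KEY; ZAP_POLICY is likewise this script's own optional variable, while BUILD_ID is the Jenkins variable the post uses.

```python
"""Spider, active-scan and report on a target through the ZAP REST API.

Added example that reproduces what the Jenkins "Execute ZAP" step does; it is
not the plugin's own code. Assumes a ZAP daemon is already listening.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Host/port from section C-1; ZAP_HOST, ZAP_PORT and ZAP_API_KEY are this script's own names.
ZAP_HOST = os.environ.get("ZAP_HOST", "127.0.0.1")
ZAP_PORT = int(os.environ.get("ZAP_PORT", "5555"))
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")  # only needed if the daemon enforces a key
TARGET = "http://newtours.demoaut.com/mercurywelcome.php"  # the AUT from the post
REPORT_PREFIX = "JENKINS_ZAP_VULNERABILITY_REPORT_"        # the prefix from section E-5


def report_basename(build_id, prefix=REPORT_PREFIX):
    """Apply the naming rule from E-5: constant prefix + Jenkins BUILD_ID."""
    build_id = str(build_id).strip()
    if not build_id:
        raise ValueError("BUILD_ID is empty; report names would collide between builds")
    return prefix + build_id


def api_url(fmt, component, kind, name, host=ZAP_HOST, port=ZAP_PORT, apikey=ZAP_API_KEY, **params):
    """Build a ZAP API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    if apikey:
        params["apikey"] = apikey
    return f"http://{host}:{port}/{fmt}/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def api_json(component, kind, name, **params):
    """Call a JSON endpoint and return the decoded body."""
    with urllib.request.urlopen(api_url("JSON", component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def api_other(component, kind, name, **params):
    """Call an OTHER endpoint (report downloads) and return the raw bytes."""
    with urllib.request.urlopen(api_url("OTHER", component, kind, name, **params), timeout=300) as resp:
        return resp.read()


def wait_until_done(component, scan_id, poll_seconds=5):
    """Poll the spider/ascan status view until ZAP reports 100%."""
    while True:
        status = int(api_json(component, "view", "status", scanId=scan_id)["status"])
        print(f"{component}: {status}%")
        if status >= 100:
            return
        time.sleep(poll_seconds)


def run_scan(target, build_id, out_dir=".", policy_name=None):
    """Spider, actively scan, then save <prefix><build_id>.html and .xml; returns the base path."""
    spider_id = api_json("spider", "action", "scan", url=target)["scan"]
    wait_until_done("spider", spider_id)

    ascan_params = {"url": target, "recurse": "true"}
    if policy_name:  # omitted -> ZAP's Default Policy, as the NOTE in E-4 describes
        ascan_params["scanPolicyName"] = policy_name
    ascan_id = api_json("ascan", "action", "scan", **ascan_params)["scan"]
    wait_until_done("ascan", ascan_id)

    base = os.path.join(out_dir, report_basename(build_id))
    with open(base + ".html", "wb") as fh:
        fh.write(api_other("core", "other", "htmlreport"))
    with open(base + ".xml", "wb") as fh:
        fh.write(api_other("core", "other", "xmlreport"))
    return base


if __name__ == "__main__":
    # Under Jenkins BUILD_ID is set for you; "local" is a fallback for running by hand.
    written = run_scan(TARGET, os.environ.get("BUILD_ID", "local"),
                       policy_name=os.environ.get("ZAP_POLICY"))
    print("reports written:", written + ".html", written + ".xml")
    sys.exit(0)
```

Run it as an Execute shell build step in place of Execute ZAP and the resulting files land in the job workspace under the same names the post uses, so the Publish HTML reports step in section F picks them up unchanged.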

F) Configure “Post-build Actions” Step:

  • Add a Publish HTML reports post-build step

G) Build Job

Click Save and then Build Now. Once the build is completed, you can view the HTML report on the job dashboard and the other archived files in the workspace.
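Publishing the HTML report lets a person read it, but the XML report generated in E-5 also lets the job act on the findings itself. The following added Python script (not part of the original post and not the plugin's own code) parses a ZAP XML report, summarises the alerts by risk level and returns a non-zero exit code when alerts at or above a chosen level are present, so it can run as an Execute shell build step after Execute ZAP to fail the build. The element names it reads (alertitem, riskcode, name, count) follow the structure of ZAP's XML report; the embedded report is a constructed sample rather than real scan output, and the threshold defaults are this script's own.

```python
"""Summarise a ZAP XML report and decide whether the build should fail.

Added example, not code from the original post or from the ZAP plugin. The
element names (alertitem, riskcode, name, count) follow ZAP's XML report; the
sample below is constructed for illustration, not real scan output.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_CODES = {name: code for code, name in RISK_NAMES.items()}

# Constructed sample in the shape of JENKINS_ZAP_VULNERABILITY_REPORT_<id>.xml.
SAMPLE_REPORT = """\
<OWASPZAPReport version="2.7.0" generated="constructed">
  <site name="http://newtours.demoaut.com" host="newtours.demoaut.com" port="80" ssl="false">
    <alerts>
      <alertitem>
        <name>Constructed high-risk alert</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <count>2</count>
      </alertitem>
      <alertitem>
        <name>Constructed medium-risk alert</name>
        <riskcode>2</riskcode>
        <confidence>2</confidence>
        <count>5</count>
      </alertitem>
      <alertitem>
        <name>Constructed low-risk alert</name>
        <riskcode>1</riskcode>
        <confidence>1</confidence>
        <count>1</count>
      </alertitem>
      <alertitem>
        <name>Constructed informational alert</name>
        <riskcode>0</riskcode>
        <confidence>3</confidence>
        <count>12</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def iter_alerts(xml_text):
    """Yield (risk_code, risk_name, alert_name, instance_count) for every alert item."""
    root = ET.fromstring(xml_text)
    for item in root.iter("alertitem"):
        code = int(item.findtext("riskcode", default="0"))
        name = item.findtext("name") or item.findtext("alert") or "<unnamed>"
        count = int(item.findtext("count", default="1"))
        yield code, RISK_NAMES.get(code, f"Unknown({code})"), name, count


def summarise(xml_text):
    """Count alert items per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    return dict(Counter(risk for _, risk, _, _ in iter_alerts(xml_text)))


def findings_at_or_above(xml_text, min_risk="Medium"):
    """Alerts at or above min_risk, highest risk first."""
    threshold = RISK_CODES[min_risk]
    hits = [a for a in iter_alerts(xml_text) if a[0] >= threshold]
    return sorted(hits, key=lambda a: a[0], reverse=True)


def should_fail(xml_text, fail_on="High", max_allowed=0):
    """True when more than max_allowed alert items are at or above fail_on."""
    return len(findings_at_or_above(xml_text, fail_on)) > max_allowed


def main(argv):
    """Usage: zap_gate.py [report.xml] [fail_on_risk]; without a path the sample is used."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "High"
    summary = summarise(text)
    for code in sorted(RISK_NAMES, reverse=True):
        print(f"{RISK_NAMES[code]:<14}{summary.get(RISK_NAMES[code], 0)}")
    for _, risk, name, count in findings_at_or_above(text, fail_on):
        print(f"  [{risk}] {name} ({count} instance(s))")
    if should_fail(text, fail_on):
        print(f"FAIL: alerts at or above {fail_on} found")
        return 1
    print("PASS")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the job, a build step such as `python zap_gate.py JENKINS_ZAP_VULNERABILITY_REPORT_${BUILD_ID}.xml High` marks the build failed on any High alert while still leaving the published HTML report available for review; raising max_allowed or lowering fail_on tunes the gate to the team's tolerance.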

Conclusion:

We have integrated OWASP Zed Attack Proxy (ZAP) with Jenkins to automate security testing for an application.

Is that all? Well, in my next blog we will see:

  • How to execute an Active Attack on a saved OWASP ZAP session (i.e. Session Management > Load Session).
  • How to handle user authentication.

Stay tuned!!!
