Increase Automated Security Test Coverage by Integrating OWASP ZAP with Katalon Studio
In today’s post, I will share with you how you could automate OWASP ZAP Dynamic Application Security Tests and integrate with Katalon Studio to deliver more secure applications with high quality.
With this solution you will be able to increase security test coverage and get insight about your application security continuously. And also reduce effort, save time and cost in performing security regression tests after each code change.
At the end of this post, you will learn how to automate your dynamic application security tests a.k.a penetration tests and how to get more efficient output by integrating automated security tests with a web application test automation tool like Katalon Studio to increase test coverage.
Toolset we will use :
I used Katalon Studio as Web Application Test Automation Tool but you could use this solution for other tools such as Selenium, UFT One etc. All you have to do is set up your automated test scripts to flow through the proxy.
How Could You Integrate OWASP ZAP Dynamic Application Security Tests with Katalon Studio ?
- Configure OWASP ZAP
You should configure Owasp Zap as a proxy to capture browser traffic.
Start Owasp Zap and navigate to Tools -> Options -> Local Proxies enter Address and Port with appropriate information.
- Create a Context
A context is used for grouping the URLs (sites) will be scanned. When you need to attack the specific set of URLs with special configuration in your website, a context can be created in ZAP which will ignore the rest and attack only the ones you mentioned. This will help you to avoid unnecessary data and scan all sites under context with same configuration.
You could configure the URLs will be included in context or exclude from context by adding regular expression related to URLs.
You can also exclude URLs from Proxy,Spider and Scanner globally in addition to excluding from Context. Here are the details about these configurations:
Exclude from Proxy : URLS exclude from Proxy will be ignored by the local proxies.
Exclude from Spider : URLS exclude from Spider will be ignored during spider.
Exclude from Scanner :URLS exclude from Scanner will be ignored during active scan.
- Writing custom ZAP scripts for Authentication
We prefer Python as scripting language for authentication scripts. We need to write own authentication script to increase authorized content of scan so we will test our web site end to end against known vulnerabilities.
You should add script-based authentication script with endpoint that will authenticate your requests as ‘ Auth_URL’ . If you want, you could add regex pattern for identifying ‘Logged In’ status in response messages.And also you should add user details to use during authorization.After adding user don’t forget to check its status, it should be enabled and force it from ‘Forced User’ tab.
In addition to Authentication Script you need an HTTP Sender Script will be used to add token is extracted from authentication script to each subsequent requests. Don’t forget to enable it as shown below screenshot.
- Create a ZAP Scan Policy
A scan policy defines exactly which rules are run as part of an active scan.
You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan Dialog.
Navigate to Analyse Menu to add new custom Scan Policy as shown below:
2. Configure Katalon Studio
After automate your functional test scenarios with Katalon Studio you should configure it to direct traffic flow through OWASP ZAP Proxy.
You could make proxy configuration on Katalon Studio by going to Window -> Katalon Studio Preferences -> Proxy and select ‘Manual Proxy Configuration’ option.
Proxy configurations will be like OWASP ZAP Proxy details given in the step 1.
Now, you can execute your automated functional tests over proxy so Katalon Studio will direct browser traffic flow through OWASP ZAP. After Katalon finishes executing, you could start to spider urls listed under sites for discovering the web site content and then enable active scan to attack the website using known techniques to find vulnerabilities.
Automate Security Analysis with Azure DevOps Pipeline Integration
All the details are given above is about integrating OWASP ZAP Dynamic Application Security Tests with Katalon Studio manually. In this way you will spend more time and effort to execute tests continuously.
Therefore you should automate this integration and integrate to CI/CD pipeline to execute automatically with minimum effort, takes quick and continuously feedback about your application security and increase customer satisfaction with more reliable products.
I will use OWASP ZAP APIs to automate security scanning, you can find more details about APIs you could use in this link.
I don’t mention how an agent can configure in this flow but you can find more details about agent configuration on Azure DevOps Server in this link.
- Let’s start pipeline integration with add ‘Command Line Task’ from task catalog :
Actually while you use OWASP ZAP APIs to interact OWASP ZAP instance, you should use “ZAP_URL” , “ZAP_API_KEY” and “ZAP_PORT” like below :
zap-cli --zap-url <zap-url> --port <port-number> --api-key <api-key> spider <scan-app-url>
For security reasons, we preferred to give this sensitive information as agent capability rather than write it clearly in the pipeline task. For more details about agent capabilities follow this link.
- Enter OWASP ZAP Configuration Details
- Integrate Katalon Studio Execution over Proxy
For more details about Katalon Studio Command Line Execution use this link.
- Enter OWASP ZAP Spider, Active Scan and Report Configuration Details
Don’t forget to give “Working Directory” especially to keep and access owasp zap execution reports easily.
- Add “Publish Release Artifact” task with reports path to publish owasp zap execution reports as an artifact and download it easily from release logs.
I hope my first article has been useful for you.
See you in my next post, stay tuned :)