Dynamic Scanning Procedures

ZAP

Scanning Tool Web Mobile Local API Extension Serverless Instructions
OWASP® Zed Attack Proxy (ZAP)

Use the OWASP ZAP Docker container to perform automated dynamic scans (DAST) against your application. The predefined configuration files already include all of the necessary CWEs; all you need to do is add the file to your environment and reference it in the Docker run command.

For a definition of each app type, see App Types.

A full scan on Web, Mobile, or Internal Applications can be performed following the steps below:

  1. DAST and API scans are run using the ZAP Docker image. For web, mobile, or internal applications, the full ZAP scan should be run on a prod-1 or staging environment.

  2. Download the zap-casa-config.conf configuration file and navigate to its directory.

  3. Generate a context file for your scan to run against. See the "Authentication" instructions below for more details.

  4. Run the following command:

  docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw \
    -t owasp/zap2docker-stable zap-full-scan.py \
    -t https://example.com -P 8080 \
    -c zap-casa-config.conf \
    -x results-full.xml -n example.context -U username

  5. Output will be saved in an XML file (example attached here: zap-results-full.xml).

An API scan can be performed following the steps below:

  1. For API scans, use the zap-casa-api-config.conf configuration file.

  2. Navigate to its directory and run the following command:

  docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw \
    -t owasp/zap2docker-stable zap-api-scan.py \
    -t https://example.com -f openapi -P 8080 \
    -c zap-casa-api-config.conf \
    -x results-full.xml

  3. Output will be saved in an XML file (example attached here: zap-results-api.xml).
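To turn the XML file written by -x (from either the full scan or the API scan) into a per-risk and per-CWE summary with a pass/fail gate, here is an added example; it is not part of the CASA procedure or the ZAP project. It assumes ZAP's traditional XML report layout (<site>/<alerts>/<alertitem> with <riskcode> and <cweid>), and the report text below is constructed, not captured from a real scan.

```python
import xml.etree.ElementTree as ET
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP <riskcode> values
# Constructed sample in the shape of a ZAP XML report (not output from a real scan).
SAMPLE_REPORT = """<OWASPZAPReport version="2.14.0">
  <site name="https://example.com" host="example.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode><confidence>2</confidence><count>2</count>
        <instances>
          <instance><uri>https://example.com/search?q=x</uri><method>GET</method></instance>
          <instance><uri>https://example.com/comment</uri><method>POST</method></instance>
        </instances>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10038</pluginid><alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode><confidence>3</confidence><count>1</count>
        <instances><instance><uri>https://example.com/</uri><method>GET</method></instance></instances>
        <cweid>693</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""

def parse_alerts(xml_text):
    """Return one dict per <alertitem>, across every <site> in the report."""
    alerts = []
    for site in ET.fromstring(xml_text).findall("site"):
        for item in site.findall("alerts/alertitem"):
            alerts.append({
                "site": site.get("name"),
                "name": item.findtext("alert"),
                "risk": int(item.findtext("riskcode", "0")),
                "cwe": item.findtext("cweid"),
                "uris": [i.findtext("uri") for i in item.findall("instances/instance")],
            })
    return alerts

def summarize(alerts, fail_at=3):
    """Count alerts per risk level and per CWE; the gate fails on any alert at risk >= fail_at."""
    by_risk = Counter(RISK_NAMES.get(a["risk"], "Unknown") for a in alerts)
    by_cwe = Counter(a["cwe"] for a in alerts if a["cwe"])
    failing = [f"{a['name']} (CWE-{a['cwe']}) at {a['site']}" for a in alerts if a["risk"] >= fail_at]
    return {"by_risk": dict(by_risk), "by_cwe": dict(by_cwe), "failing": failing, "passed": not failing}

if __name__ == "__main__":  # for a real -x file, pass open("results-full.xml").read() instead
    print(summarize(parse_alerts(SAMPLE_REPORT)))
```

Lower fail_at to 2 if Medium findings should also block a release; the per-CWE counts map directly onto the CWEs the CASA configuration files enable.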

Authentication

ZAP scans should be performed with authentication to understand where user data is stored and accessed. This requires configuration before running your scans. The ZAP Docker image allows for two arguments related to authentication:

-n context_file
    Context file which will be loaded prior to scanning the target.

-U user
    Username to use for authenticated scans. The user must be defined in the given context file.

To set these parameters, a context file must be created. This is most easily done through the ZAP Desktop UI.

[Screenshot: ZAP context]
  1. Set the authentication mechanism. ZAP currently supports five authentication approaches:

    • Manual Authentication
    • Form-Based Authentication
    • HTTP/NTLM Authentication
    • Script-Based Authentication
    • JSON-Based Authentication

[Screenshot: ZAP Authentication]
  2. Define your auth parameters. This would generally include the login URL and payload format (username and password). The required parameters are specific to the authentication method being used.
[Screenshot: ZAP Configure Authentication]
  3. Add a valid user and password. Create multiple users if the application exposes different functionality based on roles.
[Screenshot: ZAP Configure Users]

Once you have configured these settings, you can export the context as a file for your scan to reference.

[Screenshot: ZAP Export Context]

Be sure to save the context somewhere easy to reference, as you will need to include the file path as an argument for your scan command. Now, you will be able to run an authenticated scan with the user login specified within the context. Example:

[Screenshot: ZAP Create User]
  docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw \
    -t owasp/zap2docker-stable zap-full-scan.py \
    -t https://example.com -P 8080 \
    -c zap-casa-config.conf -x results-full.xml \
    -n /Users/DemoUser/Documents/Context.context -U test@example.com