Securing Your Web Applications with OWASP ZAP

Learn&Grow
4 min read · Oct 9, 2023


OWASP ZAP (Zed Attack Proxy) is a widely used open-source dynamic application security testing (DAST) tool that helps organizations identify and mitigate security vulnerabilities in their web applications.

DAST tools assess a web application from the outside, without access to its source code: they send requests to the running application that mimic the techniques a real attacker would use and inspect the responses for signs of vulnerabilities.

Use Cases: Security Testing, Compliance Testing, Penetration Testing, DevSecOps

Follow the steps below to install ZAP on an Ubuntu server and start it headless.

wget https://github.com/zaproxy/zaproxy/releases/download/v2.13.0/ZAP_2.13.0_Linux.tar.gz
tar -xvf ZAP_2.13.0_Linux.tar.gz
cd ZAP_2.13.0
# Start ZAP as a headless daemon (-daemon suppresses the GUI). As written this
# disables the API key and accepts API calls from any source address, which is
# acceptable on a throwaway lab host but not on a shared or internet-reachable
# one; there, set -config api.key=<secret> and restrict api.addrs.addr.name instead.
./zap.sh -daemon -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
# Sample startup log lines to check that the daemon came up
ZAP/
db/permanent (HSQL Database Engine 2.7)
10391 [ZAP-daemon] WARN org.flywaydb.core.internal.database.base.Database - Flyway upgrade recommended: HSQLDB 2.7 is newer than this version of Flyway and support has not been tested. The latest supported version of HSQLDB is 2.6.
10429 [ZAP-daemon] INFO org.flywaydb.core.internal.command.DbValidate - Successfully validated 1 migration (execution time 00:00.024s)
10444 [ZAP-daemon] INFO org.flywaydb.core.internal.command.DbMigrate - Current version of schema "PUBLIC": 1
10452 [ZAP-daemon] INFO org.flywaydb.core.internal.command.DbMigrate - Schema "PUBLIC" is up to date. No migration necessary.
10463 [ZAP-daemon] INFO org.zaproxy.addon.oast.services.callback.CallbackService - Started callback service on 0.0.0.0:43845
10557 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening o
# To run a one-off scan in CLI mode and write a report (the output file's
# extension selects the report format, e.g. .html, .xml, .json, .md)
./zap.sh -cmd -quickurl "<URL-to-be-scanned>" -quickout <output.html>
# To run an Automation Framework plan from config.yaml
./zap.sh -cmd -autorun config.yaml
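Once the daemon is up, the point of `-daemon` is that something else drives it over the REST API. The following is an added example (not code from the original post or from the ZAP project) that spiders a target, waits for the passive scanner to drain its queue, runs an active scan, and collects the alerts. It assumes the daemon was started with an API key and bound to localhost, for example `./zap.sh -daemon -port 8080 -config api.key=<key>` (the port, key and target URL are placeholders). The endpoint names (`spider`, `pscan`, `ascan`, `core/view/alerts`) are ZAP's own; the HTTP transport is injectable so the orchestration and its timeout handling can be exercised without a live daemon.

```python
"""Drive a headless ZAP daemon over its REST API (added example, not part of
the original post or of the ZAP project).

Assumed launch (placeholders): ./zap.sh -daemon -port 8080 -config api.key=<key>
The transport function is injectable so the flow can run without a live ZAP.
"""
import json
import time
import urllib.parse
import urllib.request

RISK_LEVELS = ("Informational", "Low", "Medium", "High")


def urllib_transport(url, headers):
    """Default transport: one GET against the ZAP API, JSON body decoded."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    def __init__(self, base_url, api_key, transport=urllib_transport,
                 sleep=time.sleep, poll_s=2.0):
        self.base_url = base_url.rstrip("/")
        # Send the key as a header rather than ?apikey=..., so it does not end
        # up in proxy or web-server logs that record query strings.
        self.headers = {"X-ZAP-API-Key": api_key}
        self.transport = transport
        self.sleep = sleep
        self.poll_s = poll_s

    def call(self, component, kind, name, **params):
        """GET /JSON/<component>/<view|action>/<name>/?<params>."""
        url = f"{self.base_url}/JSON/{component}/{kind}/{name}/"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        return self.transport(url, self.headers)

    def _wait_status(self, component, scan_id, max_polls):
        """Poll <component>/view/status until it reports 100 (percent done)."""
        for _ in range(max_polls):
            status = int(self.call(component, "view", "status", scanId=scan_id)["status"])
            if status >= 100:
                return
            self.sleep(self.poll_s)
        raise TimeoutError(f"{component} scan {scan_id} not finished after {max_polls} polls")

    def spider(self, target, max_polls=150):
        scan_id = self.call("spider", "action", "scan", url=target, recurse="true")["scan"]
        self._wait_status("spider", scan_id, max_polls)
        return scan_id

    def wait_passive_scan(self, max_polls=60):
        """The passive scanner works off a queue; drain it before reading alerts."""
        for _ in range(max_polls):
            if int(self.call("pscan", "view", "recordsToScan")["recordsToScan"]) == 0:
                return
            self.sleep(self.poll_s)
        raise TimeoutError("passive scan queue did not drain")

    def active_scan(self, target, max_polls=1800):
        # Active scanning sends attack payloads: only run it against targets you
        # own or have written permission to test.
        scan_id = self.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        self._wait_status("ascan", scan_id, max_polls)
        return scan_id

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def count_by_risk(alerts):
    """Tally alerts by their 'risk' field (Informational/Low/Medium/High)."""
    counts = {level: 0 for level in RISK_LEVELS}
    for alert in alerts:
        level = alert.get("risk", "Informational")
        counts[level] = counts.get(level, 0) + 1
    return counts


def run_scan(client, target):
    """Spider, drain passive scan, active-scan, drain again, collect alerts."""
    client.spider(target)
    client.wait_passive_scan()
    client.active_scan(target)
    client.wait_passive_scan()
    alerts = client.alerts(target)
    return count_by_risk(alerts), alerts


if __name__ == "__main__":
    import os
    import sys
    zap = ZapClient("http://127.0.0.1:8080", os.environ["ZAP_API_KEY"])
    counts, found = run_scan(zap, sys.argv[1])
    print(counts)
    for a in found:
        print(f'{a["risk"]:<13} {a.get("name") or a.get("alert")}  {a["url"]}')
```

Usage: `ZAP_API_KEY=<key> python zap_drive.py http://target.test`. The polling loops are bounded by a poll count rather than running forever, because a spider or active scan that never reaches 100% (target went away, rule stuck on a slow endpoint) is the usual way an unattended scan hangs a pipeline.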

Sample config.yaml for the -autorun mode (adjust the jobs and values to your requirements; the comments are the ones from the Automation Framework template):


---
env:                                   # The environment, mandatory
  contexts:                            # List of 1 or more contexts, mandatory
  - name: context 1                    # Name to be used to refer to this context in other jobs, mandatory
    urls: [URL]                        # A mandatory list of top level urls, everything under each url will be included
    includePaths:                      # An optional list of regexes to include
    excludePaths:                      # An optional list of regexes to exclude
    authentication:                    # TBA: In time to cover all auth configs
  vars:                                # List of 1 or more variables, can be used in urls and selected other parameters
  parameters:
    failOnError: true                  # If set exit on an error
    failOnWarning: false               # If set exit on a warning
    progressToStdout: true             # If set will write job progress to stdout

jobs:
  - type: addOns                       # Add-on management
    parameters:
      updateAddOns: true               # Update any add-ons that have new versions
    install:                           # A list of non standard add-ons to install from the ZAP Marketplace
    uninstall:                         # A list of standard add-ons to uninstall
  - type: passiveScan-config           # Passive scan configuration
    parameters:
      maxAlertsPerRule: 10             # Int: Maximum number of alerts to raise per rule
      scanOnlyInScope: true            # Bool: Only scan URLs in scope (recommended)
      maxBodySizeInBytesToScan:        # Int: Maximum body size to scan, default: 0 - will scan all messages
  - type: graphql                      # GraphQL definition import
    parameters:
      endpoint:                        # String: the endpoint URL, default: null, no schema is imported
  - type: openapi                      # OpenAPI definition import
    parameters:
      apiFile:                         # String: Local file containing the OpenAPI definition, default: null, no definition will be imported
      apiUrl:                          # String: URL containing the OpenAPI definition, default: null, no definition will be imported
      targetUrl:                       # String: URL which overrides the target defined in the definition, default: null, the target will not be overridden
  - type: soap                         # SOAP WSDL import
    parameters:
      wsdlFile:                        # String: Local file path of the WSDL, default: null, no definition will be imported
      wsdlUrl:                         # String: URL pointing to the WSDL, default: null, no definition will be imported
  - type: spider                       # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration: 30                  # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:                        # Int: The maximum tree depth to explore
      maxChildren:                     # Int: The maximum number of children to add to each node in the tree
  - type: spiderAjax                   # The ajax spider - slower than the standard spider but handles modern apps well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      maxDuration: 30                  # Int: The max time in minutes the ajax spider will be allowed to run for, default: 0 unlimited
      maxCrawlDepth:                   # Int: The max depth that the crawler can reach, default: 10, 0 is unlimited
      numberOfBrowsers:                # Int: The number of browsers the spider will use, more will be faster but will use up more memory, default: 1
  - type: passiveScan-wait             # Passive scan wait for the passive scanner to finish
    parameters:
      maxDuration:                     # Int: The max time to wait for the passive scanner, default: 0 unlimited
  - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                         # String: Name of the context to attack, default: first context
      policy:                          # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins:           # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins: 60        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
  - type: report                       # Report generation
    parameters:
      template: "modern"               # String: The template id, default: modern
      theme:                           # String: The template theme, default: the first theme defined for the template (if any)
      reportDir: "path"                # String: The directory into which the report will be written
      reportFile: "reportname"         # String: The name of the report file
      reportTitle: "reportTitle"       # String: The report title
      reportDescription:               # String: The report description

Sample Report: (screenshot in the original post of the report generated from the config.yaml above)

Note: if you use the ZAP Docker images instead of the tarball, the commands differ; the images ship their own wrapper scripts (zap-baseline.py, zap-full-scan.py, zap-api-scan.py) in addition to zap.sh.

Report templates available in ZAP (the values accepted by the report job's template parameter): [high-level-report, modern, risk-confidence-html, sarif-json, traditional-html, traditional-html-plus, traditional-json, traditional-json-plus, traditional-md, traditional-pdf, traditional-xml, traditional-xml-plus]
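In a pipeline the -autorun report file is usually the only artifact the next stage sees, so it has to be turned into a pass/fail decision. The following is an added example (not code from the original post or from the ZAP project) that reads a report written with the traditional-json template, tallies alerts by risk, applies a suppression list of plugin IDs standing in for a reviewed false-positive baseline, and returns a non-zero exit code when an unsuppressed alert reaches the chosen risk level. It assumes the traditional-json layout of site[] -> alerts[] with riskcode ("0" to "3"), pluginid, name and instances[].uri; the sample report embedded at the bottom is constructed for this example.

```python
"""Gate a CI job on a ZAP traditional-json report (added example, not part of
the original post or of the ZAP project).

Assumed layout of the report: site[] -> alerts[] with riskcode "0".."3",
pluginid, name/alert and instances[].uri. SAMPLE_REPORT is constructed.
"""
import json
import sys

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_CODES = {name: int(code) for code, name in RISK_NAMES.items()}


def iter_alerts(report):
    """Flatten site[].alerts[] into (site name, alert) pairs."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def evaluate(report, fail_on="Medium", suppress=frozenset()):
    """Return (counts per risk level, failing alerts).

    An alert fails the gate when its risk is at or above fail_on and its
    pluginid is not in the suppression list. Suppressed alerts are still
    counted so the summary reflects what ZAP actually found.
    """
    threshold = RISK_CODES[fail_on]
    counts = {name: 0 for name in RISK_NAMES.values()}
    failing = []
    for site, alert in iter_alerts(report):
        risk = RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational")
        counts[risk] += 1
        pluginid = str(alert.get("pluginid", ""))
        if RISK_CODES[risk] >= threshold and pluginid not in suppress:
            failing.append({
                "site": site,
                "pluginid": pluginid,
                "name": alert.get("name") or alert.get("alert", "?"),
                "risk": risk,
                "uris": [inst.get("uri", "") for inst in alert.get("instances", [])],
            })
    return counts, failing


def main(argv):
    """usage: zap_gate.py report.json [fail_on] [suppressed pluginid ...]"""
    if not argv:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[0], encoding="utf-8") as fh:
        report = json.load(fh)
    fail_on = argv[1] if len(argv) > 1 else "Medium"
    counts, failing = evaluate(report, fail_on, frozenset(argv[2:]))
    print("alerts by risk:", counts)
    for f in failing:
        print(f'FAIL {f["risk"]:<7} [{f["pluginid"]}] {f["name"]} @ {f["site"]} '
              f'({len(f["uris"])} instance(s))')
    return 1 if failing else 0


# Constructed sample in the traditional-json layout (plugin IDs are ZAP's
# real IDs for these rules; the target and findings are made up).
SAMPLE_REPORT = {
    "@programName": "ZAP", "@version": "2.13.0",
    "site": [{
        "@name": "http://target.test", "@host": "target.test", "@port": "80", "@ssl": "false",
        "alerts": [
            {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://target.test/item?id=1", "method": "GET", "param": "id"}]},
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://target.test/"}, {"uri": "http://target.test/login"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "instances": [{"uri": "http://target.test/"}]},
        ],
    }],
}


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Usage: `python zap_gate.py path/reportname.json High 10038` fails the job on any High alert except those from plugin 10038. Keep the suppression list in version control next to config.yaml and review it like code: a plugin ID silently added there is an accepted vulnerability, not a tuning detail.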

If you want to know how this can be integrated into a Jenkinsfile, contact me.


Learn&Grow

Technology Architect with a profound understanding of multi-cloud platform engineering and strong DevOps solutioning experience.