Integrate OWASP ZAP with CI/CD with Login Authentication

bySahil Gupta -


In the recent blog, we see how to Conduct DAST manually using OWASP ZAP with Login Authentication and Session Management. In this blog, we will see how to integrate OWASP ZAP with CI/CD to Conduct DAST with Login Authentication and Session Management.


Why is it important to run DAST with authentication?

It is essential to configure DAST (Dynamic Application Security Testing) tool to carry out user authentication and manage sessions in web applications in order to expand the scope of crawling/spidering and audit, allowing DAST tools to find more security issues.  Running DAST without user authentication restricts it from testing pages, directories, and functionality that require authentication.

Configure Login authentication and session management is ticky in OWASP ZAP

Steps to Integrate OWASP ZAP with CI/CD (e.g., Jenkins) to Conduct DAST with Login Authentication and Session Management

Step 1: use manual explorer in ZAP to capture login steps.
Step 2: Create a new context of the root domain
Step 3: Configure Authentication
Step 4: Add the user
Step 5: Configure Session management
Step 6: Export Session Management Script
Step 7: Export Context
Step 8: Create a parameterized freestyle project in Jenkins for OWASP ZAP 
Step 9: Integrate OWASP ZAP parameterized freestyle project with CI/CD pipeline
Step 10: Trigger Build

Note: Manual generation of the Context and Session Management script is a one-time task; after that, the same script will be used for each scan.

For Step 1 to 5, refer to my previous blog.

In this blog, we will start with Step 6


Step 6: Export Session Management Script


To export the session management script, go to the Scripts section, then right-click on the script that you want to export, and click save to save the script in the file system.



Step 7: Export Context


To export the context, go to the Sites section, then right-click on the context that you want to export, and click Export Context to save the context in the file system.




Step 8: Create a parameterized freestyle project in Jenkins for OWASP ZAP 


Follow Below Steps to Create a parameterized freestyle project in Jenkins for OWASP ZAP. 

Step 8.a: Check on New Item  in Jenkins Dashboard
    



Step 8.b:  Enter the name of the item, then select Freestyle project, and at last click ok.

    



Step 8.c: In the Freestyle project configuration window, type the description (Optional) and enable This project is parameterized checkbox.
                    



Step 8.d: After enabling the parameterized checkbox, we will get the option to Add parameters, click on Add parameter button and select the string parameter
    


Step 8.e: In the String parameter form, create string parameters for zap_url, zap_api_key, target_url, script_name, script_engine, script_path, context_path, pool_time, spider_scan_result_path, ajax_spider_scan_result_path, and title.

  • zap_url: OWASP ZAP API URL e.g http://localhost:8090
  • zap_api_key: OWASP ZAP API Key
  • target_url: Target URL
  • script_name: Session Management Script Name
  • script_engine: Session Management Script Engine (Graal.js, Oracle Nashorn or Mozilla Zest)
  • script_path: Session Management Script Path (As per ZAP Container)
  • context_path: Context Path (As per ZAP Container)
  • pool_time: Time interval to get latest scan status (in second)", type=int)
  • spider_scan_result_path: Path to Save Tradition Spider Result
  • ajax_spider_scan_result_path: Path to Save AJAX Spider Result
  • title: Report Title



Step 8.f: In the Build Step section, click on Add Build Step button and select Execute Shell



Step 8.g: In the Execute Shell command textbox, enter the following command to perform the following tasks

1. Run OWASP ZAP API service in the container using OWASP ZAP official docker image (owasp/zap2docker-stable) with docker volume (allow us to mount OWASP ZAP Jenkins workspace on containers to access report generated by the ZAP and allow ZAP container to access Session Managemnet Script and Context)

2. Execute Python script that performs the following tasks in the below sequence

  • Check ZAP API Service is Live or Not
  • Load Session Management Script 
  • Import Context
  • View Session Management Information
  • View Users List
  • Trigger Traditional Spider Scan
  • Check Spider Scan Status until it is completed
  • Generate Spider Scan full result 
  • Trigger AJAX Spider Scan
  • Check AJAX Spider Scan Status until it is completed
  • Generate AJAX Spider Scan full result 
  • Trigger Active Scan
  • Check Active Scan Status until it is completed
  • Generate Report

3. Stop the OWASP ZAP Container
4. Remove OWASP ZAP Container

You can download the python script from my GitHub Repository

docker run -d -v $(pwd):/home/zap/ --network appsecworld --ip 10.10.10.7 --name owasp_zap -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=demoapikey

sleep 20

python3.10 zap_authenticated_scan.py -zap ${zap_url} -key ${zap_api_key} -t ${target_url} -sn ${script_name} -se ${script_engine} -sp ${script_path} -cp ${context_path} -pool_time ${pool_time} -tsp ${spider_scan_result_path} -asp ${ajax_spider_scan_result_path} -title ${title}

docker container stop owasp_zap

docker container rm owasp_zap {codeBox}



Step 9: Integrate OWASP ZAP parameterized freestyle project with CI/CD pipeline

Step 9.a: Go to the pipeline project and open the configuration.



Step 9.b: In the configuration page, go to the pipeline script section and define the variable and the values that we are going to pass in the OWASP_ZAP build job

Step 9.c: After defining the variables, create one stage for OWASP ZAP that will trigger the OWASP_ZAP freestyle project with parameters and values, also publish the HTML report in Jenkins Dashboard using the HTML Publisher plugin


node('node'){

    def ZAP_zap_url="http://localhost:8090"
    def ZAP_zap_api_key="demoapikey"
    def ZAP_target_url="http://10.10.10.2:3000"
    def ZAP_script_name="Juice_Shop_Demo"
    def ZAP_script_engine="Graal.js"
    def ZAP_script_path="/home/zap/Juice_Shop_Demo.js"
    def ZAP_context_path="/home/zap/Juice_Shop.context"
    def ZAP_pool_time=10
    def ZAP_spider_scan_result_path=pwd()+"/"+"ZAP_spider_scan_resul.txt"
    def ZAP_ajax_spider_scan_result_path=pwd()+"/"+"ZAP_ajax_spider_scan_result.txt"
    def ZAP_title="CI_Demo"

    stage('OWASP ZAP'){

        build job: 'OWASP_ZAP_DAST', parameters: [string(name: 'zap_url', value: "${ZAP_zap_url}"), string(name: 'zap_api_key', value: "${ZAP_zap_api_key}"), string(name: 'target_url', value: "${ZAP_target_url}"), string(name: 'script_name', value: "${ZAP_script_name}"), string(name: 'script_engine', value: "${ZAP_script_engine}"), string(name: 'script_path', value: "${ZAP_script_path}"), string(name: 'context_path', value: "${ZAP_context_path}"), string(name: 'pool_time', value: "${ZAP_pool_time}"), string(name: 'spider_scan_result_path', value: "${ZAP_spider_scan_result_path}"), string(name: 'ajax_spider_scan_result_path', value: "${ZAP_ajax_spider_scan_result_path}"), string(name: 'title', value: "${ZAP_title}")]

        sh('cp /var/lib/jenkins/workspace/OWASP_ZAP_DAST/2022-12-09-ZAP-Report-.html $(pwd)/2022-12-09-ZAP-Report-.html')

        publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: false, reportDir: '.', reportFiles: '2022-12-09-ZAP-Report-.html', reportName: 'OWASP ZAP DAST Report', reportTitles: '', useWrapperFileDirectly: true])

    }
} {codeBox}

Step 10: Now Save the project and trigger the build, once the build is complete, we can open the OWASP ZAP report from Pipeline Dashboard



Tags:

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional

Previous Post Next Post
Share to other apps
Copy Post link

Contact Form