Comprehensive Guide to Automating Security Tests with OWASP ZAP’s Automation Framework

Sam A
Apr 30, 2024

In the dynamic field of software development, security testing is not just beneficial — it’s imperative. Among the many tools available, OWASP ZAP (Zed Attack Proxy) stands out for its robustness and flexibility, especially when it comes to its Automation Framework. This framework enables teams to automate both passive and active security scans, integrating seamlessly into CI/CD pipelines for continuous security assessments. In this blog, we will explore how to set up passive and active scans using ZAP’s Automation Framework and delve into customizing alert risks with alert filters.

Introduction to OWASP ZAP’s Automation Framework

OWASP ZAP provides a powerful Automation Framework that lets you describe an entire scan as a YAML plan: the target contexts, their authentication and session handling, and an ordered list of jobs to run. This makes it highly adaptable to different testing environments and requirements. The framework supports passive scans, which only examine the requests and responses that already pass through ZAP and send nothing of their own, and active scans, which deliberately send additional requests to the application to identify vulnerabilities.

Setting Up for Passive Scanning

Passive scanning is an excellent initial approach to security testing, because it observes traffic rather than generating it and so does not affect the target’s performance or functionality. The plan below injects an Authorization header with the replacer job, configures the passive scanner, imports an OpenAPI definition (the requests ZAP makes while importing it are what the passive scanner examines), waits for passive scanning to finish, and then writes an HTML and a JSON report:

---
env:
  contexts:
    - name: "mainContext"
      urls:
        - "https://api.example.com"
      includePaths:
        - "https://api.example.com.*"
      excludePaths: []
      authentication:
        method: 'manual'
        parameters: {}
      sessionManagement:
        method: "http"
        parameters: {}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: "replacer"
    rules:
      - description: "Authorization"
        matchType: "req_header"
        matchString: "Authorization"
        matchRegex: false
        # Placeholder token; in a committed plan reference an environment
        # variable instead (the framework expands ${VAR} from the environment).
        replacementString: "Bearer <My Token>"
  - parameters:
      maxAlertsPerRule: 0
      scanOnlyInScope: true
      maxBodySizeInBytesToScan: 0
      enableTags: false
      disableAllRules: false
    rules: []
    name: "passiveScan-config"
    type: "passiveScan-config"
  - parameters:
      apiFile: "swagger-example.yaml"
      targetUrl: "https://api.example.com"
      context: "mainContext"
    name: "openapi"
    type: "openapi"
  - parameters:
      maxDuration: 0
    name: "passiveScan-wait"
    type: "passiveScan-wait"
  - parameters:
      template: "risk-confidence-html"
      theme: "original"
      reportDir: "/zap/wrk/report_dir"
      reportFile: "report.html"
      reportTitle: "ZAP Scanning Report"
      reportDescription: ""
      displayReport: false
    name: "report"
    type: "report"
  - parameters:
      template: "traditional-json-plus"
      reportDir: "/zap/wrk/report_dir"
      reportFile: "report.json"
      reportTitle: "ZAP Report"
      reportDescription: ""
      displayReport: false
    name: "report"
    type: "report"
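To run a plan like the one above from a CI job, the following script is an added example (it is not part of the original post and not ZAP's own tooling). It assumes a container runtime on the PATH, the plan file and swagger-example.yaml in the work directory that is mounted at /zap/wrk (so the plan's reportDir resolves under it), and the bearer token exported as API_TOKEN so it is passed to the container rather than written into the plan; the image name and the run_zap_plan function are the example's own choices.

```shell
#!/bin/sh
# Added example: run an Automation Framework plan in the official ZAP container.
# Assumes: a container runtime on PATH, the plan and its OpenAPI file in <work dir>,
# and the bearer token exported as API_TOKEN (referenced in the plan as ${API_TOKEN}).
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-ghcr.io/zaproxy/zaproxy:stable}"
CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-docker}"

# run_zap_plan <plan file> <work dir>
# Mounts <work dir> at /zap/wrk (the plan's reportDir resolves under it) and passes
# API_TOKEN through from the CI environment without baking it into the plan or image.
run_zap_plan() {
  plan="$1"
  workdir="$2"
  [ -f "$workdir/$plan" ] || { echo "plan not found: $workdir/$plan" >&2; return 2; }
  mkdir -p "$workdir/report_dir"
  "$CONTAINER_RUNTIME" run --rm \
    -v "$workdir:/zap/wrk:rw" \
    -e API_TOKEN \
    "$ZAP_IMAGE" \
    zap.sh -cmd -autorun "/zap/wrk/$plan"
}

# With failOnError (and optionally failOnWarning) set under env.parameters in the plan,
# ZAP exits non-zero when a job errors, which is what fails the pipeline step.
if [ "$#" -ge 2 ]; then
  run_zap_plan "$1" "$2"
  echo "reports written to $2/report_dir"
fi
```

Invoke it as `sh run_zap_plan.sh plan.yaml "$PWD"` from the directory that holds the plan; the report_dir it creates is the one the report jobs write into.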

Configuring Active Scanning

For a more in-depth examination, switch to active scanning, which sends additional, deliberately crafted requests to the application rather than only observing traffic. Because the active scanner works on URLs ZAP already knows about, the activeScan job goes after the openapi job that imports the API definition. Here is how to adjust the YAML configuration to switch from passive to active scanning:

Add Active Scan Configuration

  - parameters:
      context: "mainContext"        # must name a context defined under env.contexts
      maxRuleDurationInMins: 0
      maxScanDurationInMins: 30
      maxAlertsPerRule: 10
      policyDefinition:
        defaultStrength: "high"
        defaultThreshold: "medium"
        rules: []
    name: "activeScan"
    type: "activeScan"

Remove Passive Scan-Specific Sections

  - parameters:
      maxDuration: 0
    name: "passiveScan-wait"
    type: "passiveScan-wait"

  - parameters:
      maxAlertsPerRule: 0
      scanOnlyInScope: true
      maxBodySizeInBytesToScan: 0
      enableTags: false
      disableAllRules: false
    rules: []
    name: "passiveScan-config"
    type: "passiveScan-config"

Customizing Alert Risks with Alert Filters

Sometimes it is necessary to adjust the risk levels of specific alerts generated during the scans, either to downgrade overestimated risks or to suppress known false positives. This is done with an alertFilter job, placed before the report jobs so the reports reflect the adjusted risks. Each filter names a scan rule by its id and the risk it should carry instead:

  - type: "alertFilter"
    parameters: {}
    alertFilters:
      - ruleId: 10038               # scan rule id; 10038 is "Content Security Policy (CSP) Header Not Set"
        newRisk: "False Positive"   # one of: False Positive, Info, Low, Medium, High

These filters can reclassify the risk levels of alerts according to your specific security policies and requirements, making the reports generated by ZAP more aligned with your organization’s risk assessment frameworks.
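The report jobs in the passive-scan plan and the alert filters above come together in a CI gate: a script reads the traditional-json-plus report, applies the same ruleId-to-newRisk overrides the alertFilter job expresses, and fails the build only on what remains at or above a chosen risk. The following is an added example, not code from the original post or from the ZAP project. It assumes the report's top-level "site" list with per-site "alerts" entries carrying "pluginid", "alert", "riskcode" and "count" (the fields ZAP's traditional JSON reports use); the embedded report is a constructed sample, and the function names are the example's own.

```python
"""Added example: CI gate over a ZAP traditional-json-plus report with
alertFilter-style risk overrides applied before the pass/fail decision.
Assumed report layout: {"site": [{"@name": ..., "alerts": [{"pluginid", "alert",
"riskcode", "count", ...}]}]}. The sample report below is constructed."""
import json
import sys
from typing import Dict, Iterable, List, Tuple

# ZAP risk names and the numeric "riskcode" the JSON report uses for them.
RISK_CODES: Dict[str, int] = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}
RISK_NAMES: Dict[int, str] = {code: name for name, code in RISK_CODES.items()}
FALSE_POSITIVE = "False Positive"   # newRisk value that suppresses an alert entirely

# Constructed sample resembling a traditional-json-plus report (not real scan output).
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://api.example.com",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "4",
             "instances": [{"uri": "https://api.example.com/users", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1",
             "instances": [{"uri": "https://api.example.com/search", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "count": "4", "instances": []},
        ],
    }],
})

# Same shape as the alertFilters list of the plan's alertFilter job.
SAMPLE_FILTERS = [{"ruleId": 10038, "newRisk": "False Positive"}]


def parse_alert_filters(filters: Iterable[dict]) -> Dict[str, str]:
    """Map ruleId -> newRisk, rejecting values the alertFilter job would not accept."""
    overrides: Dict[str, str] = {}
    for f in filters:
        new_risk = f["newRisk"]
        if new_risk != FALSE_POSITIVE and new_risk not in RISK_CODES:
            raise ValueError(f"unsupported newRisk {new_risk!r} for rule {f['ruleId']}")
        overrides[str(f["ruleId"])] = new_risk
    return overrides


def apply_filters(report: dict, overrides: Dict[str, str]) -> List[dict]:
    """Flatten alerts across sites, re-rating or dropping each one per the overrides."""
    kept: List[dict] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            rule_id = str(alert["pluginid"])
            risk = overrides.get(rule_id, RISK_NAMES[int(alert["riskcode"])])
            if risk == FALSE_POSITIVE:
                continue                      # suppressed, as the alertFilter job would do
            kept.append({
                "ruleId": rule_id,
                "name": alert["alert"],
                "risk": risk,
                "count": int(alert.get("count", len(alert.get("instances", [])))),
                "site": site.get("@name", ""),
            })
    return kept


def gate(report_json: str, filters: Iterable[dict],
         fail_on: str = "High") -> Tuple[bool, List[dict]]:
    """Return (passed, failing_alerts); fails when any kept alert rates >= fail_on."""
    remaining = apply_filters(json.loads(report_json), parse_alert_filters(filters))
    threshold = RISK_CODES[fail_on]
    failing = [a for a in remaining if RISK_CODES[a["risk"]] >= threshold]
    return (not failing, failing)


if __name__ == "__main__":
    # Usage: python zap_gate.py  (reads the constructed sample; swap in report.json in CI)
    passed, failing = gate(SAMPLE_REPORT, SAMPLE_FILTERS, fail_on="Medium")
    for a in failing:
        print(f"{a['risk']:<6} rule {a['ruleId']} x{a['count']}: {a['name']} ({a['site']})")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Keeping the override list in the gate as well as in the plan means a filter that is later removed from the YAML is noticed in code review rather than silently changing which alerts block the build; rejecting unknown newRisk values catches the typo ("Critical", "false positive") that would otherwise let an alert through.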

Conclusion

By leveraging OWASP ZAP’s Automation Framework, teams can enhance their security testing practices, automate repetitive tasks, and integrate continuous security assessments into their software development pipelines. Whether you are conducting passive or active scans, or need to customize the alert risks, ZAP provides the flexibility and tools needed to maintain robust security standards in your applications.

For further information on using and configuring OWASP ZAP, visit the official ZAP documentation.
