ZAP (6)

OWASP Dependency-Check Plugin on Jenkins CI

The OWASP Dependency-Check Plugin will locate npm, Maven, PHP and JAR packages and analyze them for known security vulnerabilities (the full list of supported package types is on the website). To use it, create a build step on your existing app build job, placed after all dependencies are installed, and then publish the report in a post-build step.

OWASP ZAP on Jenkins CI

OWASP ZAP is a well-established and useful test tool, and there is a Jenkins plugin, ZAProxy, that lets you easily include it in CI. You can add it as a step to an existing job, or create a job specifically to run ZAP. Instead of using a lot of screenshots, I have written it as a step-by-step text-only guide.

AJAX Crawling Tool

A tool which automates the crawling of AJAX applications. It can be daisy-chained with other proxies (like ZAP or Burp) so that the functionality of those tools can be used on aspects of a web app that traditional spidering tools will miss.


Zed Attack Proxy (ZAP) – The short guide

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

  1. Download and install Zed Attack Proxy (ZAP)
  2. Run Zed Attack Proxy (ZAP)
  3. Go to Tools -> Options -> Connections, and set proxy settings to match your browser proxy settings (and proxy exclusions)
  4. Go to Tools -> Options -> Local proxy and enter localhost (port: 85)
  5. In your browser of choice, set proxy in LAN settings to localhost (port: 85), and clear the proxy exclusions list.
  6. Access a test site URL to verify that all settings were applied correctly (the Zed Attack Proxy “Sites” window should populate with all URLs visited)
  7. If the site requires Authentication, go to Tools -> Options -> Authentication, and add details in the table.
  8. Run Active Scan on root URL (Click Active Scan tab, and select URL from dropdown if not already selected).
  9. Click Report -> Generate HTML report, to view issues found.
  10. Run Spider test, which will pick up on 404 errors, missing URL references, and help you identify redundant file calls.

Zed Attack Proxy

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.