Zap | what ZAP | what zap
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.
Set up your Zap trigger
A trigger is the event that starts a Zap. Once you’ve set up a Zap, Zapier will monitor for that trigger event.
Example
You want to send a Slack direct message to yourself every time you receive a new email in Gmail. In this workflow, the trigger would be the new email in Gmail.
There are two types of triggers:
Polling Trigger: the majority of triggers are polling triggers. When using a polling trigger, Zapier will check for new data from your trigger every 1 to 15 minutes in order to start your workflow, depending on your subscription plan.
Instant Trigger: when using an instant trigger, your trigger app will send Zapier an instant notification whenever there's new data. Zaps with instant triggers are labeled Instant on your dashboard.
Zapier relies on a few methods to make sure that your Zap does not trigger multiple times for a single "new" item. Learn more about how triggers are deduplicated in Zaps.
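The paragraph above says a polling trigger must not fire twice for one "new" item, but not how. The illustration below is an added example, not Zapier's code: a poller that keys every item on its id and fires the action only for ids it has never seen, so the same email returned by two consecutive polls (or returned again after an edit) produces one Slack message. The sample polls are constructed; the id field name and the persisted "seen" set are assumptions about how such a source behaves.

```python
# Added example: id-based deduplication for a polling trigger (not Zapier's code).

# Constructed sample: three consecutive polls of a "new email" source. Poll 2
# returns the same message as poll 1 plus one new one; poll 3 returns msg-101
# a third time (edited) together with another new message.
POLLS = [
    [{"id": "msg-101", "subject": "Invoice"}],
    [{"id": "msg-102", "subject": "Alert"}, {"id": "msg-101", "subject": "Invoice"}],
    [{"id": "msg-101", "subject": "Invoice (edited)"}, {"id": "msg-103", "subject": "Hi"}],
]


class PollingTrigger:
    """Fire `action` once per never-before-seen id, regardless of how often or in
    what order the source returns the item. In a real system `seen` is persisted
    between polls; a fresh, empty set would replay every item (see run_unpersisted)."""

    def __init__(self, action, seen=None):
        self.action = action
        self.seen = set(seen or ())

    def poll(self, items):
        """Process one poll result; return the ids that actually fired."""
        fired = []
        for item in items:
            key = str(item["id"])          # dedup key is the id, not the content
            if key in self.seen:
                continue
            self.seen.add(key)
            self.action(item)
            fired.append(key)
        return fired


def run_polls(polls=POLLS):
    """Run all polls through one trigger with persisted state.
    Returns (ids fired per poll, messages sent)."""
    sent = []
    trig = PollingTrigger(action=lambda m: sent.append(f"DM: new mail '{m['subject']}'"))
    return [trig.poll(p) for p in polls], sent


def run_unpersisted(polls=POLLS):
    """Same polls, but the seen-set is lost between polls: duplicates fire."""
    sent = []
    return [PollingTrigger(lambda m: sent.append(m["id"])).poll(p) for p in polls], sent
```

Instant (webhook) triggers need the same idea from the other side: if the sending app retries a delivery, only a stable id (or an idempotency key) on the event tells the receiver it has already acted on it.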
1. Choose your app and event
In the Zap editor, go to the 1. When this happens step.
In the Choose App & Event section, search for and select the app that will trigger the Zap.
Click the Choose Trigger Event dropdown menu and select the event that occurs in the selected app that will trigger the Zap. For example, you can choose to trigger the Zap every time there is a new card on your Trello board.
In this example we are using Trello as our trigger app and we want our Zap to run every time there is a new card.
2. Choose your app account
Next, choose the app account you want to use in the trigger.
If you've already connected an account to Zapier for the trigger app, click the dropdown menu and select the account.
If you haven't connected an app account yet, click Sign in to [app] and follow the instructions to connect your app account to Zapier.
Click Continue.
3. Customize your options
Next, customize your trigger options. For example, you can choose to trigger the Zap only when there is a new card on a specific Trello board and list. Make sure to select or fill in any required fields.
Click Continue.
In this example, we want to trigger the Zap whenever a Trello card has been added to a specific board and list.
Note: The Customize step may not always be applicable, depending on the trigger app and trigger event combination that you've selected. If that's the case, move on to the next step.
4. Test your trigger
To test your connection, click Test & Continue. If Zapier finds an example item, you'll proceed to set up the rest of your Zap.
If you want to first review the data that Zapier pulls from your trigger, click Test & Review.
Find a new email
Zapier will attempt to find some sample data from your trigger app to use in the Zap. For example, if your trigger brings in data from a new Google Sheets spreadsheet row, Zapier will pull in a sample row. The sample row can then be used as test data in an action step later in the Zap. If you want to use different sample data, you can change the sample data in your Zap trigger.
Sample data
If Zapier is having trouble finding data for your trigger, try adding new data for the event in your trigger app.
Once you’ve set up your trigger, you can continue setting up the rest of your Zap, whether that’s setting up your action, or adding a search step.
Tip: If you want to control when your Zap runs, consider using a scheduled trigger.
Note:
Polling is distributed across Zapier's servers in a queue, and polling times are not always exact. This means that if you try to time multiple Zaps to run in a specific order close together, they may not run as you expected. You also may not be able to time your Zaps to run at an exact minute.
Since instant triggers are not on a cycle, their timing should be fairly predictable. However, if you send a large number of webhooks within a few seconds of each other, Zapier will distribute the load across multiple servers. Because of network and processing factors, webhooks that closely follow each other are not guaranteed to be processed in exactly the order in which they were sent.
You are probably here because you want to, or were tasked to, improve your application's security while it is still in the pipeline. In a rapid application development cycle, whenever a new version or feature of the product is released, security teams (for the most part) have had to manually start DAST tools to find security vulnerabilities in the release. This is clearly not scalable and is extremely time consuming, especially with short, strict release sprints, and even more so when the product in question demands a high level of security. Thankfully, a number of tools exist that can automate a good portion of this process. While this will not replace an actual person attempting to break your application, it will reduce that person's time by handling the tedious day-to-day vulnerability checks.
OWASP's Zed Attack Proxy (ZAP) is one of the most widely used application security scanners. In this blog, I'll walk you through the short steps involved in integrating the OWASP ZAP plugin with Jenkins, the world's favorite CI/CD platform, so that ZAP is triggered for every build. We've kept it very simple, so if some of the steps seem like a no-brainer to you, skip them and move on to the subsequent steps.
Note: Words in orange refer to the actual options/menu items displayed on Jenkins or ZAP.
ALRIGHT THEN, LET'S GET STARTED!
STEP 1: To integrate ZAP with Jenkins, you'll first need the ZAP Jenkins plugin. You can get it under Manage Jenkins -> Manage Plugins; under the Available tab, install the OWASP ZAP Official plugin.
Downloading ZAP plugin
STEP 2: In addition to the plugin, you'll also need ZAP itself installed on the Jenkins master machine. If you already have ZAP, you can skip this step.
Under Manage Jenkins -> Global Tool Configuration, click Custom Tool installation. In the Custom tool section, provide the download link for the OWASP ZAP tar archive and the directory name. (The actual download happens in step 7, so don't worry about it right now.)
Note: If you do not have the Custom Tool Installation option, you need to install a plugin called "Custom Tool Installation". To get it, follow the same process as in Step 1.
installing ZAP
STEP 3: By now, you should have ZAP and its plugin. Moving forward, you'll need to configure two essential things, namely the ZAP host and port. Go to Manage Jenkins -> Configure System and fill in the ZAP Host and Port fields under the ZAP section. Keep the ZAP API bound to a local address that only Jenkins can reach; ZAP's API can drive scans against anything the Jenkins machine can connect to.
configuring ZAP
Ok, now let’s go ahead and create a “job” on Jenkins to run ZAP.
STEP 4: Click New Item and create a new job as a Freestyle Project. Click OK.
creating a new jenkins job
The next step is to create a workspace folder on the master machine. Follow steps 5 and 6.
STEP 5: Click Save without making any configuration changes for the Job.
Creating a new job without making configuration changes
STEP 6: Now, click Build Now to create a workspace on the master machine.
Creating a workspace on the master machine.
Voila! We are now ready to configure ZAP as a part of the job. If you had ZAP before reading this blog, you can skip step 7. As mentioned earlier, this part does the actual download of ZAP to your system.
STEP 7: Go to the project's Configure page (in my case, it is under the ZAP_CI_Demo project). Click Configure | select Build Environment. Check the Install Custom Tools option and select the ZAP tool.
Downloading ZAP through Jenkins
The next step in the integration process is to start ZAP during the build process.
STEP 8: Select Build Tab under project configurations | Click Add build step | Select Execute ZAP
Setting a trigger for ZAP
To let Jenkins know how to start ZAP and where to find the ZAP installation directory, follow step 9.1 or 9.2, depending on whether you had ZAP before this blog or not.
STEP 9.1: (If you already had ZAP before this blog, skip to step 9.2.)
Use the Installation Method option to specify how ZAP is installed on the master machine, and specify the absolute path of the ZAP Home Directory you want created. Alternatively, specify .ZAP as a relative path for the ZAP Home Directory; the .ZAP folder is then created automatically under the Jenkins Custom Tools directory (/var/lib/jenkins/tools/../.ZAP/).
Note: If you specified a custom path for the ZAP Home Directory, make sure Jenkins has the permissions needed to create a directory at that path. For example, if the Jenkins user does not have permission to create a directory under /home/, you'll have to create the directory manually and change the owner of the folder to the Jenkins user.
Specifying home directory path
STEP 9.2: If you already had ZAP, select the "System Installed: ZAP Installation Directory" option and leave the environment variable input at its default.
Now specify the ZAP installation path in that environment variable (ZAPROXY_HOME):
9.2.1: Go to Manage Jenkins -> Configure System and Select Environment variable checkbox under Global Properties. Click Add
9.2.2: Enter the name as ZAPROXY_HOME and give the value as ZAP installed path. In this example, it would be the path /opt/zaproxy. Save the changes.
Specifying build environment
Then continue with your ZAP configuration. Under ZAP Home Directory, provide the path including ".ZAP". (The ZAP Home Directory was already created when ZAP was first run on your local machine; in this example it is /home/umar/.ZAP.)
STEP 10: So far, you've connected ZAP with Jenkins and configured it so that ZAP is triggered during the build process. Now you need to tell ZAP which application or URL to test. This part is still done under the BUILD tab.
10.1: For that, you need to create a persistent session in ZAP under the Session Management section.
10.2: Next, provide the application name and URL under Session Properties, using regular expressions. Under Include in Context, supply the URL pattern for the target. Under Exclude from Context, supply the patterns for URLs that should not be spidered or actively scanned. Scope matters here: whatever the include regex matches is what ZAP will attack, so it must not match hosts you are not authorized to test.
For Example:
Include in Context: http://testphp.vulnweb.com
where testphp.vulnweb.com is the target application and a trailing * wildcard matches all paths across the application.
Exclude from Context (optional): ^(?:(?!http:\/\/testphp.vulnweb.com).*).$
This exclude pattern matches any URL that does not start with the target, which keeps the spider and active scanner off third-party hosts that the application links to.
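Steps 1 to 10 above drive ZAP through the plugin's UI. The script below is an added example, not part of the blog or of the ZAP Jenkins plugin: it does the same thing (create a context, set include and exclude regexes, spider, active scan, fail the build on High-risk alerts) against ZAP's own JSON API, which is the route to take when the freestyle plugin does not fit a Pipeline job. Before any regex is sent to ZAP it is checked locally against constructed sample URLs, because ZAP matches context regexes against the whole URL (assumed here, which is why the include pattern needs a trailing .*), and the blog's patterns use bare dots, so "testphpXvulnweb.com" would also be in scope. The ZAP address, API key, context name and the logout exclusion are assumptions, and the alert JSON used in the check is constructed.

```python
# Added example (not the blog's or the ZAP plugin's code): scope + scan via the ZAP JSON API.
import json
import re
import sys
import time
import urllib.parse
import urllib.request

# Assumed values matching steps 3 and 10 of the blog; not real credentials.
ZAP_BASE = "http://127.0.0.1:8080"
ZAP_API_KEY = "change-me"
TARGET = "http://testphp.vulnweb.com"

# Context regexes. Dots are escaped so only this host is in scope; the trailing .*
# is needed because the regex has to match the whole URL, not just a prefix.
INCLUDE = [r"http://testphp\.vulnweb\.com.*"]
EXCLUDE = [
    # Assumed: keep the spider from hitting logout and killing its own session.
    r"http://testphp\.vulnweb\.com/logout\.php",
]
BLOG_INCLUDE = [r"http://testphp.vulnweb.com.*"]   # the blog's pattern, bare dots


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """A URL is in scope if some include regex matches it in full and no exclude does."""
    if not any(re.fullmatch(p, url) for p in include):
        return False
    return not any(re.fullmatch(p, url) for p in exclude)


def zap_url(component, kind, action, **params):
    """Build a ZAP JSON API URL, e.g. .../JSON/context/action/newContext/?contextName=...&apikey=..."""
    params["apikey"] = ZAP_API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{action}/?{urllib.parse.urlencode(params)}"


def zap_call(component, kind, action, **params):
    """Perform the API call and decode ZAP's JSON reply."""
    with urllib.request.urlopen(zap_url(component, kind, action, **params), timeout=30) as r:
        return json.load(r)


def count_by_risk(alerts_json, risk="High"):
    """Count alerts of one risk level in a core/view/alerts response."""
    return sum(1 for a in alerts_json.get("alerts", []) if a.get("risk") == risk)


def wait_done(component, scan_id):
    """Poll spider/ascan status until ZAP reports 100 percent."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)


def run_scan(context_name="ZAP_CI_Demo"):
    """Create the context, scope it, spider, active-scan, return the High-risk alert count."""
    ctx_id = zap_call("context", "action", "newContext", contextName=context_name)["contextId"]
    for rx in INCLUDE:
        zap_call("context", "action", "includeInContext", contextName=context_name, regex=rx)
    for rx in EXCLUDE:
        zap_call("context", "action", "excludeFromContext", contextName=context_name, regex=rx)
    sid = zap_call("spider", "action", "scan", url=TARGET, contextName=context_name)["scan"]
    wait_done("spider", sid)
    sid = zap_call("ascan", "action", "scan", url=TARGET, contextId=ctx_id)["scan"]
    wait_done("ascan", sid)
    return count_by_risk(zap_call("core", "view", "alerts", baseurl=TARGET))


if __name__ == "__main__":
    # Refuse to start if the scope would reach beyond the target host.
    for probe in ("http://testphpXvulnweb.com/", "http://testphp.vulnweb.com.evil.example/"):
        assert not in_scope(probe), f"include regex over-matches: {probe}"
    high = run_scan()
    print(f"High-risk alerts: {high}")
    sys.exit(1 if high else 0)   # non-zero exit fails the Jenkins build
```

Run it as an Execute shell build step after ZAP is up; the exit code is what makes the build red. Note that the second probe, a lookalike host that merely starts with the target string, is still rejected only because the include regex ends at the host: if you loosen the pattern, re-run the probes.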