Automate ZAP With Docker
Automate penetration testing with the OWASP Zed Attack Proxy using the Docker images OWASP provides. This makes it easier to incorporate ZAP into your CI/CD pipeline.
In the previous posts, you learned how to use ZAP with the desktop client and from the command line with ZAP CLI. In this post, you will learn how to use the Docker images provided by OWASP. They make it even easier to automate ZAP, especially in a CI/CD pipeline.
It is strongly advised to read the two previous posts about ZAP before starting with this one, because you will need some files that were created there. If you already have experience with ZAP, you can continue reading and use the files from the zap2docker directory of the GitHub repository. The generated reports are also available in this repository, so you can compare your results.
1. Introduction
In the previous posts, you were shown how to use the ZAP desktop client and how to use ZAP CLI in order to automate the penetration test. OWASP, however, also provides Docker images that can be used for an automated scan.
You will again use WebGoat as the vulnerable web application. If you followed the previous posts, it is best to start from scratch and remove the Docker container you created then.
Since the application under test runs in a Docker container and ZAP will run in a Docker container as well, you need to create a user-defined Docker network and attach both containers to it. Otherwise, the ZAP container cannot reach WebGoat: pointing ZAP at localhost would only reach the ZAP container itself.
Next, create the WebGoat container within the network you just created.
Navigate to the WebGoat URL and register the user mydeveloperplanet with password password. This user will be used for authentication during the scan.
2. ZAP Docker Full Scan
The ZAP Docker image provides several scan scripts. One of them is the Baseline Scan, which spiders the application and only runs the passive scanner. An active scan gives better results, however, and that is what the Full Scan provides.
You will need the IP address of WebGoat within the zapnet network. It can be retrieved with the following command. In the example below, 172.22.0.2 is the IP address where WebGoat can be accessed; substitute your own value in the commands that follow.
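The setup steps above (network, WebGoat container, address lookup) as one script. This is an added example and not the article's own commands: the network name zapnet comes from the article, while the container name webgoat, the image webgoat/webgoat-8.0 and the /WebGoat path on port 8080 are my assumptions. It validates the looked-up address before using it, because docker inspect prints an empty string when the container is not attached to the network, and an empty or malformed address would otherwise end up in the context file and the scan command unnoticed.

```shell
#!/bin/sh
# Added example, not the article's own commands: create the Docker network,
# start WebGoat on it and resolve the address ZAP has to target.
# Assumptions (the page does not state them): network "zapnet", container
# "webgoat", image "webgoat/webgoat-8.0" serving /WebGoat on port 8080.
set -eu

NETWORK="${NETWORK:-zapnet}"
CONTAINER="${CONTAINER:-webgoat}"
IMAGE="${IMAGE:-webgoat/webgoat-8.0}"

# Accept only a dotted-quad IPv4 address. "docker inspect" prints an empty
# string when the container is not attached to the network; pasting "" or a
# CIDR into the context file would silently point the scan at nothing.
valid_ipv4() {
  local ip="$1" octet old_ifs
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

ensure_network() {
  docker network inspect "$NETWORK" >/dev/null 2>&1 || docker network create "$NETWORK"
}

# Port 8080 is published so you can register the scan user in a browser;
# ZAP itself reaches the container over the network, not via the host.
start_webgoat() {
  docker run -d --name "$CONTAINER" --net "$NETWORK" -p 8080:8080 "$IMAGE"
}

# The address of the container on $NETWORK (the "172.22.0.2" of the article);
# addresses on other networks the container may be attached to are ignored.
webgoat_ip() {
  docker inspect -f "{{(index .NetworkSettings.Networks \"$NETWORK\").IPAddress}}" "$CONTAINER"
}

main() {
  local ip
  ensure_network
  start_webgoat
  ip=$(webgoat_ip)
  if ! valid_ipv4 "$ip"; then
    echo "no usable address for $CONTAINER on $NETWORK: '$ip'" >&2
    exit 1
  fi
  echo "WebGoat reachable from ZAP at http://$ip:8080/WebGoat"
  echo "Register user mydeveloperplanet / password at http://localhost:8080/WebGoat"
}

# Only touch Docker when asked, so the script can also be sourced for its helpers.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh setup.sh run`; the printed address is the one to use for the `-t` option and for the localhost replacement later on.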
First, you will scan the application without any user information. The complete list of options can be found here; the options used are explained below:
--net: attach the ZAP container to the network WebGoat is on
-v: map your current directory to the work directory of the container (/zap/wrk), which is where the report is written and where ZAP looks for files you pass in
-I: do not return a failure exit code on warnings
-j: run the AJAX spider in addition to the traditional one
-m 10: the maximum number of minutes to spider (just a safeguard; the spider takes less than 10 minutes here)
-T 60: limit the total scan time to 60 minutes
-t: the URL to scan
-r: the file name of the HTML report
Just as you noticed when running the scan with ZAP CLI in the previous post, this scan gives fewer results than expected. The spider does some work, but not enough, and since you did not provide any user credentials, a large part of the application is never reached.
In order to provide the user credentials, you can pass the context file Webgoat.context you created last time. The only thing you need to do is to replace localhost with the WebGoat IP address throughout the file. Move the context file to the current directory so that it is accessible in the ZAP work directory inside the Docker container. Add the following two options to the command:
-n: the context file
-U: the user to scan with
Running this command results in the following error. It states that the URL is not in the context, although it is. Even if this worked, it is doubtful whether the spider would find all of the application's URLs: you noticed in the previous posts that manually exploring the website in combination with the spider produced many more URLs to scan.
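The anonymous and the context-based full scans of this section as one script, written so that it can run in a pipeline step. This is an added example, not the article's command lines. Assumed and not stated on the page: the network name zapnet, the image owasp/zap2docker-stable, WebGoat on port 8080 under /WebGoat, and Webgoat.context already copied into the current directory. The script rewrites localhost in the context file for you and maps the exit code of zap-full-scan.py to a verdict, which matters in CI: with -I a warning is reported as success, but a failed scan (status 3, which is what the "URL not in context" error produces) must still fail the job.

```shell
#!/bin/sh
# Added example, not the article's own command lines: run zap-full-scan.py
# from the OWASP image against WebGoat on the shared network, first without
# and then with the exported context and user. Assumed (not on the page):
# network "zapnet", image "owasp/zap2docker-stable", WebGoat on port 8080
# under /WebGoat, and Webgoat.context already copied to the current directory.
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
NETWORK="${NETWORK:-zapnet}"
WORKDIR="${WORKDIR:-$PWD}"

# Point a file at the container address: every "localhost" becomes the IP.
# Written without "sed -i" because GNU and BSD sed disagree on its syntax.
rewrite_host() {
  local file="$1" ip="$2"
  sed "s/localhost/$ip/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The argument list the article uses, one argument per line. -n and -U are
# appended only when a context file and user are given; the context file is
# resolved relative to the mounted work directory /zap/wrk.
full_scan_args() {
  local ip="$1" report="$2" context="${3:-}" user="${4:-}"
  set -- zap-full-scan.py -I -j -m 10 -T 60 -t "http://$ip:8080/WebGoat" -r "$report"
  if [ -n "$context" ]; then set -- "$@" -n "$context"; fi
  if [ -n "$user" ]; then set -- "$@" -U "$user"; fi
  printf '%s\n' "$@"
}

# -v mounts the current directory as /zap/wrk, so the report lands next to
# this script and the context file is visible to the scan.
run_full_scan() {
  docker run --rm --net "$NETWORK" -v "$WORKDIR:/zap/wrk/:rw" -t "$ZAP_IMAGE" "$@"
}

# Exit codes of the ZAP scan scripts: 0 success, 1 at least one FAIL,
# 2 at least one WARN and no FAIL, 3 any other error (target unreachable,
# "URL not in context", ...). With -I a WARN comes back as 0, so a pipeline
# must still treat 1 and 3 differently from a clean run.
scan_verdict() {
  case "$1" in
    0) echo pass ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

main() {
  local ip="$1" status

  status=0
  run_full_scan $(full_scan_args "$ip" webgoat-report.html) || status=$?
  echo "anonymous scan: $(scan_verdict "$status")"

  rewrite_host "$WORKDIR/Webgoat.context" "$ip"
  status=0
  run_full_scan $(full_scan_args "$ip" webgoat-auth-report.html Webgoat.context mydeveloperplanet) || status=$?
  echo "authenticated scan: $(scan_verdict "$status")"
  # Status 3 is what you get when ZAP rejects the target ("URL not in
  # context"): there is no report worth reading, so fail the job loudly.
  [ "$status" -ne 3 ] || { echo "ZAP aborted, check the output above" >&2; exit 1; }
}

# Only touch Docker when asked; "sh scan.sh run 172.22.0.2" runs both scans.
if [ "${1:-}" = run ]; then main "${2:?WebGoat IP address required}"; fi
```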
3. ICTU ZAP Docker Full Scan
ICTU, an IT organisation of the Dutch government, has extended the ZAP Docker images with a hook for authentication. It would be interesting to find out whether you can scan the application including authentication this way. Note that the Docker image is now pulled from the ICTU Docker Hub page. Two extra options are added compared to the full scan without user authentication:
--hook: the path to the Python script that takes care of the authentication
-z: extra parameters needed for the authentication
This seems to do its job. However, fewer results are found than with the ZAP CLI scan, most likely because of the spider again.
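The ICTU variant of the scan as an added example (not the article's or ICTU's own script). The hook path /zap/auth_hook.py and the auth.* keys passed through -z are what I recall from the ictu/zap2docker-weekly README and should be verified against the image you pull; WebGoat's login URL, the network name zapnet and port 8080 are assumptions. Two things the article's option list does not spell out: the whole -z value is a single argument that the ZAP wrapper script splits on whitespace, so it must be quoted as one string and the credentials must not contain spaces; and the password ends up in the container's command line, so in a pipeline it belongs in a masked secret variable, not in the job definition.

```shell
#!/bin/sh
# Added example, not the article's or ICTU's own script: the full scan run
# from the ICTU image with its authentication hook. The hook path
# /zap/auth_hook.py and the auth.* keys in -z are what I recall from the
# ictu/zap2docker-weekly README; check them against the image you pull.
# WebGoat's login URL, the network name "zapnet" and port 8080 are assumed.
set -eu

ICTU_IMAGE="${ICTU_IMAGE:-ictu/zap2docker-weekly}"
NETWORK="${NETWORK:-zapnet}"
WORKDIR="${WORKDIR:-$PWD}"

# Build the value of -z. ZAP's wrapper scripts split this single argument on
# whitespace into key=value pairs, so it must be passed as ONE quoted string
# and neither the user name nor the password may contain whitespace.
auth_options() {
  local ip="$1" user="$2" pass="$3" v
  for v in "$user" "$pass"; do
    case "$v" in
      *[[:space:]]*) echo "auth values must not contain whitespace" >&2; return 1 ;;
    esac
  done
  printf 'auth.loginurl=http://%s:8080/WebGoat/login auth.username=%s auth.password=%s auth.auto=1' \
    "$ip" "$user" "$pass"
}

run_ictu_scan() {
  local ip="$1" report="$2" user="$3" pass="$4"
  docker run --rm --net "$NETWORK" -v "$WORKDIR:/zap/wrk/:rw" -t "$ICTU_IMAGE" \
    zap-full-scan.py -I -j -m 10 -T 60 -t "http://$ip:8080/WebGoat" -r "$report" \
    --hook=/zap/auth_hook.py -z "$(auth_options "$ip" "$user" "$pass")"
}

main() {
  local ip="$1"
  # The password ends up in the container's argv (visible to "ps" and in CI
  # logs that echo commands), so take it from a secret variable, never from a
  # literal in the pipeline file, and mask it in the job log.
  run_ictu_scan "$ip" webgoat-ictu-report.html \
    "${ZAP_USER:-mydeveloperplanet}" "${ZAP_PASS:?set ZAP_PASS from a CI secret}"
}

if [ "${1:-}" = run ]; then main "${2:?WebGoat IP address required}"; fi
```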
4. ZAP CLI With Docker
The good news is that ZAP CLI also ships in the ZAP Docker image. Good results were achieved with ZAP CLI, so let's see whether this also holds when you run it from within the ZAP Docker container. Run the Docker container again with a volume mapping to your current directory and with option -i in order to start the container in interactive mode. This allows you to execute commands inside the Docker container.
As a test, you can verify whether WebGoat is accessible from within the ZAP Docker container with a
You will follow exactly the same steps as in the previous post. The only difference is that you execute the commands from within the Docker container. The first thing to do is to start ZAP. For simplicity, you will disable the API key. Remember that the API key is necessary to access the ZAP API; switching it off is acceptable here only because the ZAP API port stays inside the throw-away container and is not published to the host. If you keep the key enabled, you can retrieve it via the Webswing ZAP UI.
Import the context. Remember that you changed localhost in the context file to the IP address where WebGoat can be accessed.
In the previous post, you exported the manually explored URLs to the file webgoat-exported-urls.txt. Copy this file to your current directory and find/replace localhost with the WebGoat IP address.
Also copy the open-urls.sh script to your current directory and change the path to the text file so that it points at the location inside the container.
Execute the script; this takes approximately 10 minutes.
Start the classic spider.
Start the active scan; this takes approximately 15 minutes.
Generate the report.
As you can see, this gives you similar results as in the previous post.
Save the session for next use.
Type exit to leave the interactive shell, and shut down the WebGoat Docker container.
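The ZAP CLI procedure of this section as one script that runs inside the ZAP container, so nothing has to be typed into an interactive shell and the same steps can run unattended in a pipeline. This is an added example, not the article's own commands or its open-urls.sh. Assumed and not on the page: WebGoat on port 8080 under /WebGoat, the context inside Webgoat.context being named WebGoat, the URL list webgoat-exported-urls.txt, and the current directory mounted as /zap/wrk. The URL loop takes the command it calls as a parameter so it can be checked without a running ZAP.

```shell
#!/bin/sh
# Added example, not the article's own commands: the ZAP CLI steps of this
# section as a script that runs inside the ZAP container. Assumed (not on
# the page): WebGoat on port 8080 under /WebGoat, the context in
# Webgoat.context is named "WebGoat", the URL list is
# webgoat-exported-urls.txt, and the current directory is mounted as /zap/wrk.
# Run it from the host as:
#   docker run --rm --net zapnet -v "$PWD:/zap/wrk/:rw" -t owasp/zap2docker-stable \
#     sh /zap/wrk/cli-scan.sh run 172.22.0.2
set -eu

PORT="${PORT:-8080}"
WRK="${WRK:-/zap/wrk}"
CONTEXT="${CONTEXT:-WebGoat}"
ZAP_USER="${ZAP_USER:-mydeveloperplanet}"

# The open-urls.sh loop: feed every manually explored URL to ZAP so the
# spider and active scan start from a complete site map. The opener is a
# parameter so the loop can be exercised without a running ZAP.
open_urls() {
  local file="$1" opener="$2" url
  while IFS= read -r url || [ -n "$url" ]; do
    case "$url" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    "$opener" "$url"
  done < "$file"
}

open_in_zap() {
  zap-cli -p "$PORT" open-url "$1"
}

main() {
  local ip="$1" target="http://$1:8080/WebGoat"

  # API key disabled for simplicity; acceptable only because the daemon binds
  # to localhost inside this throw-away container and the port is not published.
  zap.sh -daemon -port "$PORT" -config api.disablekey=true >"$WRK/zap.log" 2>&1 &
  zap-cli -p "$PORT" status -t 120            # wait until the API answers

  zap-cli -p "$PORT" context import "$WRK/Webgoat.context"   # localhost already replaced by $ip
  open_urls "$WRK/webgoat-exported-urls.txt" open_in_zap     # about 10 minutes
  zap-cli -p "$PORT" spider -c "$CONTEXT" -u "$ZAP_USER" "$target"
  zap-cli -p "$PORT" active-scan -r -c "$CONTEXT" -u "$ZAP_USER" "$target"   # about 15 minutes
  zap-cli -p "$PORT" report -o "$WRK/webgoat-cli-report.html" -f html
  zap-cli -p "$PORT" session save "$WRK/webgoat.session"     # keep the session for next time
  zap-cli -p "$PORT" shutdown
}

if [ "${1:-}" = run ]; then main "${2:?WebGoat IP address required}"; fi
```

Because the report, the session file and zap.log are written below /zap/wrk, they appear in the mounted directory on the host when the container exits.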
5. Conclusion
It is great that OWASP provides Docker images with ZAP pre-installed. This simplifies the installation and makes it easier to integrate ZAP into your CI/CD pipeline. The default scan scripts did not give good enough results, but luckily ZAP CLI is also included in the image, and this did the job. Note that ZAP CLI will be replaced in the near future by the ZAP Automation Framework.
Published at DZone with permission of Gunter Rotsaert, DZone MVB.