SECURITY TESTING USING ZAP IN SFDC
- MUSTAFA JHABUAWALA
Overview
• What is ZAP ?
• Introduction
• Features
• Benefits of Security Testing using ZAP
• Installation
• Troubleshooting Errors
• How to use ZAP
• Report analysis
What is ZAP ?
• OWASP ZAP (short for Zed Attack Proxy)
• The Zed Attack Proxy (ZAP) is a penetration testing tool for finding vulnerabilities in web applications
• Web application security scanner
Introduction to ZAP
• Open-Source web application security scanner
• Intended to be used by both those new to application security as well as professional penetration testers.
• When used as a proxy server it lets the user inspect and manipulate all of the traffic that passes through it, including HTTPS traffic once the browser trusts ZAP's root CA certificate.
• This cross-platform tool is written in Java and is available in all of the popular operating systems including Microsoft Windows, Linux and Mac OS X.
Introduction to ZAP
• ZAP sits between your browser and the application as an intercepting proxy.
• ZAP records every request and response that passes through it; a recorded request can then be resent (replayed) with modified parameters, or handed to the fuzzer or the active scanner.
Features of ZAP
• Intercepting Proxy
• Automated Scanner
• Passive Scanner
• Brute Force Scanner
• Fuzzer
• Port Scanner
• Spider
• WebSockets
• REST API
Benefits of Security Testing using ZAP
• Finds weaknesses in how the application implements its security controls (session handling, security headers, error handling, input validation) before an attacker does.
• Broader coverage of the exposed web attack surface than manual testing alone: every page and request passed through the proxy is checked, including ones a tester would not think to probe by hand.
• Improves the quality of the application before it goes live.
• Each finding comes with a description, evidence, the affected URL and a suggested solution, so developers can act on it directly. Findings still need review by someone who knows the application, because automated scanners produce false positives.
• Fits alongside existing QA activities: functional testing can simply be run through the proxy, so ZAP sees the same traffic without a separate test pass.
Installation of ZAP
• Download link: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• ZAP is a Java application; check the download page for the Java version required by the package you pick.
Double-click the downloaded installer and follow these steps:
1. Accept the license agreement and click Next.
2. Browse to the local directory where ZAP's program files should be stored.
3. Select the appropriate options and click Next.
4. Click Install to confirm.
5. Once the installation has finished, click Finish.
6. Double-click the OWASP ZAP icon and accept the license.
Installing Certificates
• Because ZAP sits in the middle of every connection, the browser never sees the real site's certificate for HTTPS sites: it sees one that ZAP generated, so certificate verification fails and the browser refuses the connection.
• To make this work, ZAP generates a certificate for each host on the fly and signs it with its own Certificate Authority (CA) certificate.
• This root CA certificate is generated the first time ZAP is run and is stored locally in ZAP's configuration.
• To proxy HTTPS sites, you therefore need to import ZAP's root CA certificate into your browser as a trusted authority. Treat that CA's private key like any other credential: whoever holds it can impersonate any HTTPS site to a browser that trusts it.
1. Click Tools – Options – Dynamic SSL Certificates.
2. Click Generate and confirm with Yes to overwrite the existing root CA certificate (every browser that trusted the old certificate must import the new one).
3. Click Save and browse to the local directory where the exported CA certificate should be stored; this file is what you import into the browser.
4. Import is only needed if you want ZAP to use a root CA you saved earlier (for example, to keep one CA across reinstalls): click Import, confirm with Yes to overwrite, browse to the certificate file and click Open.
5. You are now done with generating (and, if needed, importing) the certificate; click OK.
Open your browser (Firefox screens are shown here; other browsers are configured in the same way). Use a dedicated browser profile for testing: any browser that trusts ZAP's root CA will accept any certificate ZAP signs, so do not trust the CA in the profile you use for everyday browsing, and remove it (Certificate Manager – Authorities – Delete or Distrust) when testing is finished.
1. Click Advanced – Network – Settings beside the Connection panel.
2. Click Manual proxy configuration and enter 127.0.0.1 as the HTTP proxy with the port configured in ZAP (8080 by default, or the port you chose under Tools – Options – Local Proxy). Tick "Use this proxy server for all protocols" so that HTTPS traffic is proxied too.
3. Click Advanced – Certificates.
4. Click View Certificates, open the Authorities tab and click Import.
5. Browse to the CA certificate you saved from ZAP, open it, and when prompted tick "Trust this CA to identify websites".
YOU ARE DONE: ZAP is installed and the browser is configured to send its traffic through it.
TROUBLESHOOT ERRORS
An error occurred while starting the proxy: Address already in use: JVM_Bind
This error means another process is already listening on the port ZAP's local proxy wants to use (8080 by default), so ZAP cannot bind to it. Either stop that process (find it with `netstat -ano | findstr :8080` on Windows or `ss -ltnp | grep :8080` on Linux) or change ZAP's port:
Click Tools – Options – Local Proxy and change the port (remember the number you enter here: the browser's proxy setting must use the same port).
Click OK.
HOW TO USE ZAP ?
• Once the certificate and proxy port are configured in your browser, every request the browser makes goes through ZAP.
• Enter the URL of the application you want to test. ZAP records each request and response and runs the passive scanner over every response; passive scanning only inspects traffic and sends nothing extra to the server. Active scanning (right-click the site – Attack – Active Scan) must be started explicitly and does send attack payloads, so run it only against an org you are authorised to test, preferably a sandbox rather than production.
• The URL can be your SFDC org, a Visualforce page, a Lightning page, or any other page of the application.
Open the browser into which you imported the certificate, type the URL and press Enter. Then browse the application as a user would; the more functionality you exercise, the more of the application ZAP sees.
In ZAP, the visited host appears in the Sites tree, the recorded requests are listed in the History tab, and passive-scan findings appear in the Alerts tab.
REPORT ANALYSIS
Generating Reports
• Reports generated by ZAP group alerts into risk levels:
• High
• Medium
• Low
• Informational
• Each alert carries a description, the affected URL(s) and parameter, the evidence that triggered it, a confidence rating and a suggested solution.
• Sample alerts you may see are:
• Session ID in URL Rewrite
• X-Frame-Options Header Not Set
• Referrer Exposes Session ID
• Application Error Disclosure
• and many others.
• Review the alerts before acting on them: passive-scan rules pattern-match on headers and page content and do produce false positives, so verify each finding (for example, that a "session ID" in a URL really is a session token) and then prioritise fixes by risk and confidence.
Click Report – Generate HTML Report (an XML report is available from the same menu if the output is to be processed by another tool).
Report Sample
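The four sample alerts listed above come from ZAP's passive scanner, which only inspects recorded requests and responses. The following is an added example, not code from the slides or from ZAP itself: it re-implements those four checks in Python and runs them over constructed HTTP responses, so you can see the exact evidence each alert rests on and where a reviewer should expect false positives. The org host name, URLs, headers and bodies in SAMPLE_RESPONSES are constructed for the example; the session-parameter names and error patterns are the author's choices, and the Medium rating matches what ZAP assigns to these rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used to carry a session identifier in a URL (example list, not ZAP's).
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "session_id", "sid", "asp.net_sessionid"}

# Stack-trace and framework error fragments that should never reach a user (example list).
ERROR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"java\.lang\.\w+Exception",
    r"\bat [\w.$]+\(\w+\.java:\d+\)",
    r"Traceback \(most recent call last\)",
    r"You have an error in your SQL syntax",
)]

@dataclass
class HttpResponse:  # one recorded request/response pair, as ZAP's History tab holds it
    url: str
    status: int
    headers: Dict[str, str]
    body: str

@dataclass
class Alert:
    name: str
    risk: str
    url: str
    evidence: str

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _session_tokens_in_url(url: str) -> List[str]:
    """name=value strings for session IDs in the query string or in a ;jsessionid= path parameter."""
    parts = urlsplit(url)
    found = [f"{k}={v[0]}" for k, v in parse_qs(parts.query).items() if k.lower() in SESSION_PARAM_NAMES]
    match = re.search(r";(jsessionid)=([^;?/]+)", parts.path, re.IGNORECASE)
    if match:
        found.append(f"{match.group(1)}={match.group(2)}")
    return found

def check_session_id_in_url(r: HttpResponse) -> List[Alert]:
    return [Alert("Session ID in URL Rewrite", "Medium", r.url, t) for t in _session_tokens_in_url(r.url)]

def check_x_frame_options(r: HttpResponse) -> List[Alert]:
    content_type = (_header(r.headers, "Content-Type") or "").lower()
    if r.status != 200 or "text/html" not in content_type:
        return []  # only successful HTML pages can be framed; JSON/API responses are not flagged
    if _header(r.headers, "X-Frame-Options") is not None:
        return []
    if "frame-ancestors" in (_header(r.headers, "Content-Security-Policy") or "").lower():
        return []  # CSP frame-ancestors is the modern equivalent of X-Frame-Options
    return [Alert("X-Frame-Options Header Not Set", "Medium", r.url, "no X-Frame-Options or CSP frame-ancestors")]

def check_referer_exposes_session(r: HttpResponse) -> List[Alert]:
    """A page whose own URL carries the session ID leaks it in the Referer header
    whenever the user follows a link from that page to another host."""
    if not _session_tokens_in_url(r.url):
        return []
    own_host = urlsplit(r.url).netloc.lower()
    return [Alert("Referrer Exposes Session ID", "Medium", r.url, link)
            for link in re.findall(r'href=["\'](https?://[^"\']+)', r.body, re.IGNORECASE)
            if urlsplit(link).netloc.lower() != own_host]

def check_application_error(r: HttpResponse) -> List[Alert]:
    for pattern in ERROR_PATTERNS:
        match = pattern.search(r.body)
        if match:
            return [Alert("Application Error Disclosure", "Medium", r.url, match.group(0))]
    return []

CHECKS = [check_session_id_in_url, check_x_frame_options, check_referer_exposes_session, check_application_error]

def passive_scan(responses: List[HttpResponse]) -> List[Alert]:
    """Run every check over every recorded response; nothing is sent to the server."""
    return [alert for r in responses for check in CHECKS for alert in check(r)]

def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Alert counts per risk level, the grouping ZAP's report uses."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert.risk] += 1
    return counts

# Constructed sample traffic for the example (hypothetical org host; not real Salesforce responses).
SAMPLE_RESPONSES = [
    HttpResponse("https://example.my.salesforce.com/apex/AccountPage?id=001xx000003DGb2&jsessionid=7F3A9C", 200,
                 {"Content-Type": "text/html; charset=UTF-8"},
                 '<html><body><a href="https://example.my.salesforce.com/apex/Home">Home</a> '
                 '<a href="https://partner.example.com/portal">Partner portal</a></body></html>'),
    HttpResponse("https://example.my.salesforce.com/apex/Search", 200,
                 {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}, "<html><body>Search</body></html>"),
    HttpResponse("https://example.my.salesforce.com/apex/Export", 500, {"Content-Type": "text/html"},
                 "<pre>java.lang.NullPointerException\n\tat ExportController.run(ExportController.java:42)</pre>"),
    HttpResponse("https://example.my.salesforce.com/services/data/v50.0/query?q=SELECT+Id+FROM+Account", 200,
                 {"Content-Type": "application/json"}, '{"totalSize":0,"records":[]}'),
]

if __name__ == "__main__":
    found = passive_scan(SAMPLE_RESPONSES)
    for a in found:
        print(f"{a.risk:<7} {a.name:<32} {a.url}\n        evidence: {a.evidence}")
    print(summarize(found))
```

Two things the run makes visible that the report alone does not: the X-Frame-Options rule deliberately stays silent on the JSON API response and on the 500 page (a non-HTML or failed response cannot be framed, so flagging it would be noise), and the Referrer alert is derived from the same session-in-URL condition as the rewrite alert plus a link to another host, so fixing the URL rewriting clears both findings at once.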