Organizations increasingly face pressure to strengthen the security of their systems. Data protection is a hot topic for good reason: organizations want to protect what’s most important to them. Local security scans, CI/CD pipelines that include security quality gates, and security tests for running apps are common now. Besides that, automating (certain components of) the penetration testing of an application is on the rise. This fits the principles of shift left and faster feedback loops perfectly. In this article, we’ll take a closer look at what PEN testing is and how the automated PEN testing tool called ZAP can help you. “Think and act like an attacker” is our adage here.
Setting the security context
The main goal of security testing is to assess and test a system to discover security risks and vulnerabilities in order to protect the system itself and the data. Security testing is divided into the following categories:
- Source code review: inspection and analysis of static source code to detect security vulnerabilities.
- Vulnerability assessment: scanning the source code for security issues.
- Runtime testing: security testing and analysis from an end-user perspective.
- Penetration testing: simulate attacks from a hacker’s perspective.
Risk management is out of scope for these categories since it is not actually a security test. It’s more like an analysis of the perceived security risks and the steps to mitigate those upfront.
What is PEN testing?
Most importantly, PEN testing has the attacker in mind. He/she tries to break into the system to steal, modify or delete important data or other assets. Another goal might be to execute a denial of service (DDoS) attack which disrupts the given system. The attacker might want to slow down a system to harm an organization, create reputational damage or frustrate end-users. Whatever their motive, it damages your organization.
Most of the time, PEN tests are carried out manually. You need experts to assess complex systems, since it’s a knowledge-intensive process. PEN tests take a lot of time. The human side of things is important here. Apart from the “attacker perspective”, PEN tests are also useful when seen from the “defender” point of view: to verify security requirements, to test defense mechanisms, check out response plans, etc.
In a DevOps world, where speed and agility are extremely important, your organization benefits from automated PEN tests. Besides CI/CD, pay special attention to continuous verification. Automated PEN tests help to continuously verify the deliverables in terms of security regressions, detect new vulnerabilities, find security weaknesses, etc. In these situations, automated PEN tests really prove their value.
Since the ultimate goal of PEN testing is to find and address vulnerabilities, you need to test the entire system: the infrastructure on which it runs (even if you don’t host it yourself), the network connections, running applications, external dependencies, integration points, etc. A common process for PEN testing these components is: explore, attack, and report.
- Explore: learn what the system looks like by analyzing which software is used and which patches are installed, which endpoints exist, open ports, exposed services, etc. In addition to this, search for hidden content (e.g. debugging features that should be turned off), exposed error/log traces which are visible to the end-user, known vulnerabilities, or other weak spots.
- Attack: all of the above-mentioned information is used to simulate an attack. The PEN tester attempts to exploit one or more weaknesses or vulnerabilities to prove they actually exist and to verify that they can actually be misused by an attacker.
- Report: write down the results in a report and communicate the report back to the DevOps team and/or other responsible departments such as First Line Risk. Reports should include a summary of the tests and recommendations. Furthermore, include a detailed overview of the tests: which vulnerabilities were found, how these were exploited and how much effort it took to exploit them. Finally, it’s best to include the risk classification, the severity of the exploits and steps to mitigate them.
As you can see, there are a lot of manual steps which a PEN tester needs to execute. Tools like ZAP can help to speed up the processes. Often so-called “Red teams” are the ones who conduct PEN tests while “blue teams” try to stop them.
ZAP: spot on
The founders of OWASP created and maintain a free and open-source PEN testing tool called ZAP. It stands for Zed Attack Proxy. It specializes in web applications.
ZAP acts as a “man in the middle proxy” similar to a popular attacking method. End-user requests can be intercepted and/or modified to influence how the targeted application behaves. To make this happen, ZAP acts as a proxy between the two systems. It is also possible to connect ZAP to an existing proxy server. Furthermore, it is possible to install extensions from the client part of the software.
You can run the tool as a standalone application or run it in the background (as a daemon process). Multiple operating systems are supported as well as Docker. Since the source code is public, you can view how ZAP works, create extensions and contribute to the project if you wish. Transparency is king here to expose how things work. It greatly helps to convince skeptical people in the organization who want to know “how you got the evidence” of a certain attack.
Two types of scans
Once you fire up ZAP, you will see a website with three tabs: the quick-start, request and response tab. In the quick-start tab, you can start two types of scans: automated scans and manual scans. Using the quick-start tab is the easiest way to use ZAP, especially if you are exploring the tool for the first time.
To run automated scans, you need to provide the following fields:
- The URL of the web application to attack.
- Select which spider to use: the traditional (fast, but rather limited) or AJAX spider (slower, but more advanced) or both. The spiders will crawl your application by sending requests and collecting the results.
- Select the browser to run the tests (e.g. Firefox, Chrome, Safari and PhantomJS). Some browsers also support a headless configuration so you can start them in the background.
Besides this, you need to decide which form of scanning you want:
- Passive scanning: a safe way to verify your application since it does not change the responses which come back from the application itself. This method reveals the basic security state of your application.
- Active scanning: actually attacking your application. ZAP changes the responses which the application sends back to the client. In addition to that, ZAP also attempts to find more comprehensive vulnerabilities which it tries to exploit. This can actually put your application at risk. Take special care with this form of scanning and be sure to notify the owner of the application if it’s not yours.
For advanced users and extended test cases, automated scans might not be sufficient. Known limitations of automated scans (using ZAP) are:
- You don’t get any control over the sequence of the tests. Requests and responses can interfere with each other.
- ZAP will not authenticate itself against an application that requires a login to access restricted pages. You need to enable the authentication feature and enter login details to let ZAP log in to your application so that the restricted pages are also taken into account.
Manual exploration of applications is still needed to get more advanced behavior. Keep the following key aspects in mind: the traditional and AJAX-based spiders only enter basic data into form fields, which might only trigger the so-called “happy flow” of an application. You need to step in and “fool” forms by entering invalid data. Besides this example, you also need to manually correct input that the spiders did not enter correctly.
Be sure to check out each and every page (even the hidden pages or the pages which do not have a direct link to them) since these can be points of entry towards penetrating the underlying system. ZAP builds up a complete application tree and stores it locally. By having a complete picture of the application, you can easily compare different versions of applications with each other. This is especially useful if you want to compare the number and severity of known vulnerabilities across different versions of the application.
Interpret the results
Requests and responses are recorded and these are presented in the main results window. In case something goes wrong with a request, you will find an indication here. Crawled pages can be browsed and you can also view the individual URLs. Drilling down reveals the requests and responses to those URLs.
ZAP keeps track of the total number of alerts and breaks them down into five risk categories ranging from false positives to high risks. If a risk reveals a vulnerability you can dig into the request and response of this individual item. This presents the response header and body (the actual content) as well as which piece of information generated the alert. By analyzing this you get to know the actual behavior of the application. You should understand the application (domain) a bit better to correctly interpret this information.
Without automation, running PEN tests through ZAP will slow you down. Nearly everything you can do with the Graphical User Interface can be achieved using the powerful API. The API is very well documented and you can use several client SDKs to easily use an endpoint that ZAP exposes to you. Client SDKs are supported for the following programming languages: Python, PHP, Java, NodeJS, .NET & Ruby, so this aims to support a large variety of software developers.
ZAP has an API catalog that helps you get started with the REST API. It provides an overview of how to authenticate your client, how to define the needed parameters and common errors with solutions. At the heart of the API catalog, you will find an alphabetically sorted list of every endpoint you can imagine. For every one of them, it displays the parameters you need to use in the request as well as the response you can expect.
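As an added example (not code from the ZAP project or from this article's author), the sketch below drives the traditional spider through ZAP's JSON API, waits for passive scanning to finish, and turns the alert breakdown described above into a CI quality gate. The daemon address, the `ZAP_URL` and `ZAP_API_KEY` environment variables, the target host, the `"False Positive"` confidence label and the canned responses in `fake_zap` are assumptions or constructed sample data so the block runs offline.

```python
import json, os, time, urllib.parse, urllib.request
from collections import Counter

ZAP = os.environ.get("ZAP_URL", "http://127.0.0.1:8080")  # assumption: local ZAP daemon
API_KEY = os.environ.get("ZAP_API_KEY", "")               # keep the key out of source
RISK_LEVEL = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def zap_call(path, **params):
    """GET one ZAP JSON API endpoint, e.g. 'spider/action/scan'."""
    url = f"{ZAP}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def spider_and_collect(target, call=zap_call, poll=2.0):
    """Crawl with the traditional spider, let passive scanning drain, return alerts."""
    scan_id = call("spider/action/scan", url=target)["scan"]
    while int(call("spider/view/status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)
    while int(call("pscan/view/recordsToScan")["recordsToScan"]) > 0:
        time.sleep(poll)
    return call("core/view/alerts", baseurl=target)["alerts"]

def gate(alerts, fail_at="Medium"):
    """Return (counts per risk, passed); false positives are skipped."""
    counts = Counter(a["risk"] for a in alerts
                     if a.get("confidence") != "False Positive")
    # An unknown risk label counts as High so the gate fails closed.
    worst = max((RISK_LEVEL.get(r, 3) for r in counts), default=-1)
    return dict(counts), worst < RISK_LEVEL[fail_at]

def fake_zap(path, **params):
    """Constructed stand-in for a ZAP daemon so the example runs offline."""
    canned = {
        "spider/action/scan": {"scan": "0"},
        "spider/view/status": {"status": "100"},
        "pscan/view/recordsToScan": {"recordsToScan": "0"},
        "core/view/alerts": {"alerts": [
            {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium"},
            {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium", "confidence": "High"},
            {"alert": "SQL Injection", "risk": "High", "confidence": "False Positive"},
        ]},
    }
    return canned[path]

if __name__ == "__main__":
    alerts = spider_and_collect("http://app.test.example", call=fake_zap, poll=0)
    counts, passed = gate(alerts)
    print(counts, "PASS" if passed else "FAIL")
    raise SystemExit(0 if passed else 1)
```

In a pipeline, drop the `call=fake_zap` argument so the default `zap_call` talks to the running daemon; the non-zero exit code then fails the build when an alert at or above `fail_at` is present.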
Where to go from here
If this article made you curious, be sure to check out the following links to gain more knowledge about ZAP:
- OWASP has created the OWASP Academy which also contains instructor-led training about ZAP.
- An overview of every feature of the API catalog
- Installing ZAP and a tutorial on how to scan an application.
- Find the latest and greatest tags of the official OWASP ZAP Docker image.
- And last but not least: the source code of various OWASP ZAP products and components.
Automated PEN testing is a valued addition to other security tests and manual PEN tests. ZAP offers multiple ways to scan your application(s). Think from an attacker’s perspective and find vulnerabilities and other weak points. Use the ZAP API to automate tests and integrate it into your CI/CD pipeline. This really helps to speed up and shift left your security efforts.