You can integrate OWASP scanner as part of your build pipeline to test your application for web related vulnerabilities. Zed Attack Proxy (ZAP) allows you to continuously monitor your applications for OWASP vulnerabilities and mitigate them.
In order to install ZAP proxy, you can follow the below steps on Amazon linux instance
1. Install open-jdk as part of the package manager update.
***************
$sudo yum install -y java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59
***************
2. Download and install ZAP proxy
***************
$wget http://downloads.sourceforge.net/project/zaproxy/2.4.0/ZAP_2.4.0_Linux.tar.gz
$tar xvfz ZAP_2.4.0_Linux.tar.gz
$sudo cp -Ra ZAP_2.4.0 /opt/zaproxy
***************
3. If you are running the proxy in a headless environment, then you will need to pass the below argument
**************
$sudo vi zap.sh
....
#Start ZAP
exec java ${JMEM} -Djava.awt.headless=true -XX:PermSize=256M -jar "${BASEDIR}/zap-2.4.0.jar" "$@"
**************
4. Increase Xmx value in zap.sh from 512m to 1024m
5. Download and install the ZAP API client
*************
$wget http://hivelocity.dl.sourceforge.net/project/zaproxy/client-api/zap-api-2.4-v1.jar
$ tar xvfz zap-api-2.4-v1.jar
*************
6. Run zap proxy in daemon and intercepting mode
*************
sudo ./zap.sh -daemon
*************
7. Execute a scan using the client API by sending a http query - https://code.google.com/p/zaproxy/wiki/ApiDetailsActions
*************
$ curl -vvv http://localhost:8080/JSON/spider/action/scan/?url=http%3A%2F%2Fwww.google.com%3A80%2Fbodgeit%2F
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /JSON/spider/action/scan/?url=http%3A%2F%2Fwww.google.com%3A80%2Fbodgeit%2
F HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Pragma: no-cache
< Cache-Control: no-cache
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET,POST,OPTIONS
< Access-Control-Allow-Headers: ZAP-Header
< X-Clacks-Overhead: GNU Terry Pratchett
< Content-Length: 12
< Content-Type: application/json; charset=UTF-8
*************
In order to install ZAP proxy, you can follow the below steps on Amazon linux instance
1. Install open-jdk as part of the package manager update.
***************
$sudo yum install -y java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59
***************
2. Download and install ZAP proxy
***************
$wget http://downloads.sourceforge.net/project/zaproxy/2.4.0/ZAP_2.4.0_Linux.tar.gz
$tar xvfz ZAP_2.4.0_Linux.tar.gz
$sudo cp -Ra ZAP_2.4.0 /opt/zaproxy
***************
3. If you are running the proxy in a headless environment, then you will need to pass the below argument
**************
$sudo vi zap.sh
....
#Start ZAP
exec java ${JMEM} -Djava.awt.headless=true -XX:PermSize=256M -jar "${BASEDIR}/zap-2.4.0.jar" "$@"
**************
4. Increase Xmx value in zap.sh from 512m to 1024m
5. Download and install the ZAP API client
*************
$wget http://hivelocity.dl.sourceforge.net/project/zaproxy/client-api/zap-api-2.4-v1.jar
$ tar xvfz zap-api-2.4-v1.jar
*************
6. Run zap proxy in daemon and intercepting mode
*************
sudo ./zap.sh -daemon
*************
7. Execute a scan using the client API by sending a http query - https://code.google.com/p/zaproxy/wiki/ApiDetailsActions
*************
$ curl -vvv http://localhost:8080/JSON/spider/action/scan/?url=http%3A%2F%2Fwww.google.com%3A80%2Fbodgeit%2F
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /JSON/spider/action/scan/?url=http%3A%2F%2Fwww.google.com%3A80%2Fbodgeit%2
F HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Pragma: no-cache
< Cache-Control: no-cache
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET,POST,OPTIONS
< Access-Control-Allow-Headers: ZAP-Header
< X-Clacks-Overhead: GNU Terry Pratchett
< Content-Length: 12
< Content-Type: application/json; charset=UTF-8
*************
No comments:
Post a Comment