security testing using zap in sfdc

Post on 16-Apr-2017


SECURITY TESTING USING ZAP IN SFDC

- MUSTAFA JHABUAWALA

Overview

• What is ZAP ?

• Introduction

• Features

• Benefits of Security Testing using ZAP

• Installation

• Troubleshooting Errors

• How to use ZAP

• Report analysis

What is ZAP ?

• OWASP ZAP (short for Zed Attack Proxy)

• The Zed Attack Proxy (ZAP) is a penetration testing tool for finding vulnerabilities in web applications

• Web application security scanner

Introduction to ZAP

• Open-Source web application security scanner

• Intended to be used by both those new to application security as well as professional penetration testers.

• When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

• This cross-platform tool is written in Java and is available in all of the popular operating systems including Microsoft Windows, Linux and Mac OS X.

Introduction to ZAP

• ZAP can be configured as a proxy.

• ZAP records the traffic passing through it, and that recorded traffic can be replayed with modified request parameters

Features of ZAP

• Intercepting Proxy

• Automated Scanner

• Passive Scanner

• Brute Force Scanner

• Fuzzer

• Port Scanner

• Spider

• Web Sockets

• REST API

Benefits of Security Testing using ZAP

• Identify issues and problems with the implementation of business security policies.

• Better coverage over the entire code base.

• Improvement in the quality of the application before going live.

• The report contains the complete information for each finding (description, URL, solution), so no experts are required to read it.

• Does not affect the QA schedule or activities.

Installation of ZAP

• Download Link: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Double click on the installation file which you have downloaded and follow the steps below:

1. Accept the license agreement and click Next to continue
2. Browse to the local directory where you want to store the program files for ZAP
3. Select the appropriate options and click Next to continue
4. To confirm, click on Install to proceed further
5. To confirm, click on Install to proceed further
6. Successfully installed. Click Finish
7. Double click on the OWASP ZAP icon and accept the license

Installing Certificates

• Since all requests and responses are proxied by ZAP, the certificate verification will fail for sites using SSL (HTTPS) and the connection will be terminated.

• To prevent this from happening, ZAP generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate.

• This CA certificate is generated the first time ZAP is run, and is stored locally.

• To use the ZAP proxy with these websites, you will need to install ZAP’s CA certificate as a trusted root in your browser. Trust it only in the browser or profile you use for testing: a browser that trusts this root will accept a certificate for any host signed by the ZAP instance holding that CA’s private key.

Click on Tools – Options – Dynamic SSL Certificates

Click on Generate, then click Yes to overwrite the certificate

Browse to the local directory where you want to store the certificate

Click on Import (which will import your latest certificate into the ZAP registry), then click Yes to overwrite the certificate

Browse to the location where the certificate is stored and click on Open

Now you are done with generating and importing the certificate; click on OK

Open your browser (Note – Firefox browser screens are shown here; other browsers can be configured in the same way)

Click on Advanced – Network – Settings beside the Connection panel

Click on Manual Proxy Configuration, enter the HTTP proxy as shown and the same port number you entered in ZAP

Click on Advanced – Certificates. The settings should be the same as shown below

Click on the View Certificates button to import the certificate into the browser

Once you click on View Certificates, the screen below will be displayed. Click on the Import button and browse to the certificate you generated with the ZAP tool

YOU ARE DONE. You have successfully installed and configured the ZAP tool

TROUBLESHOOT ERRORS

An error occurred while starting the proxy: Address already in use: JVM_Bind

If you see this error, you need to change the port ZAP listens on, because the configured port is already in use by another process.

Click on Tools – Options – Local Proxy and change your port (Note – remember the port number you have entered here)

Click OK
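The JVM_Bind error above is the operating system refusing ZAP's bind because another process already holds the port. The following added example (not part of the original deck) reproduces that check from Python so you can see whether the port is taken before starting ZAP, and pick a free one to enter under Local Proxy. It assumes ZAP's default local proxy port is 8080; the host and port range are constructed defaults.

```python
import socket

# Assumed default: ZAP's local proxy listens on 8080. Change this to
# whatever you entered under Tools - Options - Local Proxy.
DEFAULT_ZAP_PORT = 8080


def port_in_use(port, host="127.0.0.1"):
    """Return True if something is already bound to host:port.

    This is the same condition behind 'Address already in use: JVM_Bind':
    the JVM tries to bind its listening socket and the OS refuses because
    another process holds the port. A failed bind() here means ZAP's bind
    would fail too.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return True
        return False


def find_free_port(start=DEFAULT_ZAP_PORT, count=20, host="127.0.0.1"):
    """Return the first free port in [start, start + count), or None."""
    for port in range(start, start + count):
        if not port_in_use(port, host):
            return port
    return None


if __name__ == "__main__":
    if port_in_use(DEFAULT_ZAP_PORT):
        print(f"port {DEFAULT_ZAP_PORT} is taken; try {find_free_port()}")
    else:
        print(f"port {DEFAULT_ZAP_PORT} is free; ZAP can bind it")
```

The probe only reports that a bind would fail, not which process holds the port; use `netstat -ano` (Windows) or `ss -ltnp` (Linux) to find the owner if you need to stop it instead of moving ZAP.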

HOW TO USE ZAP ?

How to Use ZAP ?

• Once you have configured the certificate and the proxy port in your browser, you are ready to test

• Enter the URL on which you want to perform security testing in the browser; ZAP will start analyzing the site

• The URL can be your SFDC org link, a Visualforce page link or a Lightning page link; it can be any link

Open the browser into which you imported the certificate, type the URL and hit Enter

Observe the ZAP tool; the sites will appear under the Sites tree

REPORT ANALYSIS

Generating Reports

• Reports generated by ZAP contain different risk levels:
  • High
  • Medium
  • Low
  • Informational

• Details with description, URL and solution will be given in the report by ZAP

• Sample errors are as follows:
  • Session ID in URL Rewrite
  • X-Frame-Options Header Not Set
  • Referrer Exposes Session ID
  • Application Error Disclosure and many others..
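To make the sample alerts concrete, here is an added example (not code from the deck or from ZAP itself) that runs simplified versions of those four passive checks over constructed request/response pairs. The session-parameter names, error markers and sample traffic are all constructed; ZAP's own rules are more thorough and configurable, so treat this as an illustration of what each alert is looking for, not a replacement for the scanner.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed list of parameter names treated as session tokens. ZAP's real
# rule uses its configurable session-token list instead.
SESSION_PARAMS = ("jsessionid", "sessionid", "phpsessid", "sid")
# Constructed markers of a leaked error page (Application Error Disclosure).
ERROR_MARKERS = re.compile(r"(stack trace|exception|error at line)", re.I)


def session_id_in(url):
    """Return the session-id parameter name found in a URL, or None.

    Looks in the query string (?sid=...) and in servlet-style path
    rewrites (/page;jsessionid=...), which is what 'Session ID in URL
    Rewrite' means.
    """
    parts = urlsplit(url)
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            return name
    m = re.search(r";(\w+)=", parts.path)
    if m and m.group(1).lower() in SESSION_PARAMS:
        return m.group(1)
    return None


def passive_checks(url, request_headers, status, response_headers, body):
    """Return the alert names that apply to one request/response pair."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    alerts = []

    # X-Frame-Options Header Not Set: HTML with neither X-Frame-Options
    # nor a CSP frame-ancestors directive can be framed (clickjacking).
    is_html = "text/html" in res.get("content-type", "").lower()
    csp = res.get("content-security-policy", "").lower()
    if is_html and "x-frame-options" not in res and "frame-ancestors" not in csp:
        alerts.append("X-Frame-Options Header Not Set")

    # Session ID in URL Rewrite: token ends up in logs, history, bookmarks.
    if session_id_in(url):
        alerts.append("Session ID in URL Rewrite")

    # Referrer Exposes Session ID: the browser sent a Referer carrying a token.
    if session_id_in(req.get("referer", "")):
        alerts.append("Referrer Exposes Session ID")

    # Application Error Disclosure: 5xx or error text in the body.
    if status >= 500 or ERROR_MARKERS.search(body):
        alerts.append("Application Error Disclosure")

    return alerts


# Constructed sample traffic; not captured from a real org.
SAMPLE_EXCHANGES = [
    {
        "url": "https://example-org.my.salesforce.com/apex/AccountPage;jsessionid=ABC123",
        "request_headers": {"Referer": "https://example-org.my.salesforce.com/home?sid=ABC123"},
        "status": 200,
        "response_headers": {"Content-Type": "text/html; charset=UTF-8"},
        "body": "<html><body>Accounts</body></html>",
    },
    {
        "url": "https://example-org.my.salesforce.com/apex/Report",
        "request_headers": {},
        "status": 500,
        "response_headers": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
        "body": "<html>Stack trace: at ReportController.run()</html>",
    },
    {
        "url": "https://example-org.my.salesforce.com/apex/Clean",
        "request_headers": {},
        "status": 200,
        "response_headers": {
            "Content-Type": "text/html",
            "Content-Security-Policy": "frame-ancestors 'self'",
        },
        "body": "<html><body>OK</body></html>",
    },
]


def run_sample():
    """Map each sample URL to the alerts raised for it."""
    return {ex["url"]: passive_checks(**ex) for ex in SAMPLE_EXCHANGES}


if __name__ == "__main__":
    for url, alerts in run_sample().items():
        print(url, "->", alerts or "no alerts")
```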

Click on Report – Generate HTML Report

Report Sample
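ZAP can also write its report as XML, which is easier to sort by risk level than the HTML report when an org scan produces many alerts. The following added example (not from the deck or from ZAP) parses a small constructed report, counts findings per risk level and lists the ones at Medium or above. The element layout is an assumption modelled on ZAP's XML report (site, alerts, alertitem with riskcode 0 to 3), so check it against the report your ZAP version writes; the alert names, risk codes and URLs in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# ZAP risk codes as they appear in the report (assumed mapping).
RISK_NAMES = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

# Constructed sample report; risk codes are illustrative, not ZAP's ratings.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.6.0" generated="Sun, 16 Apr 2017 10:00:00">
  <site name="https://example-org.my.salesforce.com" host="example-org.my.salesforce.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <alert>X-Frame-Options Header Not Set</alert>
        <riskcode>2</riskcode>
        <riskdesc>Medium (Medium)</riskdesc>
        <desc>The response does not include an X-Frame-Options header.</desc>
        <instances>
          <instance><uri>https://example-org.my.salesforce.com/apex/AccountPage</uri></instance>
          <instance><uri>https://example-org.my.salesforce.com/apex/ContactPage</uri></instance>
        </instances>
        <solution>Set X-Frame-Options to DENY or SAMEORIGIN on every HTML response.</solution>
      </alertitem>
      <alertitem>
        <alert>Session ID in URL Rewrite</alert>
        <riskcode>2</riskcode>
        <riskdesc>Medium (High)</riskdesc>
        <desc>A session identifier was found in the URL.</desc>
        <instances>
          <instance><uri>https://example-org.my.salesforce.com/apex/Home;jsessionid=ABC123</uri></instance>
        </instances>
        <solution>Carry the session token in a cookie, not in the URL.</solution>
      </alertitem>
      <alertitem>
        <alert>Application Error Disclosure</alert>
        <riskcode>1</riskcode>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>The page contains an error message that may disclose details.</desc>
        <instances>
          <instance><uri>https://example-org.my.salesforce.com/apex/Report</uri></instance>
        </instances>
        <solution>Return a generic error page and log details server-side.</solution>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_zap_report(xml_text):
    """Flatten a ZAP XML report into one dict per alert."""
    root = ET.fromstring(xml_text)
    findings = []
    for site in root.findall("site"):
        for item in site.findall("alerts/alertitem"):
            code = int(item.findtext("riskcode", "0"))
            findings.append({
                "site": site.get("name"),
                "alert": item.findtext("alert"),
                "riskcode": code,
                "risk": RISK_NAMES.get(code, "Unknown"),
                "uris": [i.findtext("uri") for i in item.findall("instances/instance")],
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def count_by_risk(findings):
    """Number of alerts per risk level, e.g. {'Medium': 2, 'Low': 1}."""
    return Counter(f["risk"] for f in findings)


def triage(findings, minimum=2):
    """Alerts at or above a risk code (default Medium), highest first."""
    return sorted((f for f in findings if f["riskcode"] >= minimum),
                  key=lambda f: -f["riskcode"])


if __name__ == "__main__":
    found = parse_zap_report(SAMPLE_REPORT)
    print(dict(count_by_risk(found)))
    for f in triage(found):
        print(f"[{f['risk']}] {f['alert']} ({len(f['uris'])} URL(s)) -> {f['solution']}")
```

To use it on a real scan, replace `SAMPLE_REPORT` with the contents of the XML file ZAP wrote and keep the Medium-and-above list as the work queue for the fixes the deck's Solution column describes.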

References

• https://en.wikipedia.org/wiki/OWASP_ZAP

• https://security.secure.force.com/security/tools/webapp/zapbrowsersetup

THANK YOU !!!
