Security Testing with Zap
TRANSCRIPT
![Page 1: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/1.jpg)
Dynamic Security Testing
November 2017
@omerlh @yshayy
![Page 2: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/2.jpg)
![Page 3: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/3.jpg)
http://www.align.com/wp-content/uploads/2017/09/Equifax_Infographic.png
![Page 4: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/4.jpg)
And it affects the stock price... (chart annotated at the point the breach was disclosed)
![Page 5: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/5.jpg)
http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/
![Page 6: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/6.jpg)
https://nvd.nist.gov/vuln/detail/CVE-2017-5638
![Page 7: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/7.jpg)
Will you be the next Equifax?
![Page 8: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/8.jpg)
What can we do?
● Threat Modeling
● Design/Code review
● Bug bounties
● Security tests
● And many more…
![Page 9: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/9.jpg)
Security Tests in CI
![Page 10: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/10.jpg)
What's a feature management solution?
![Page 11: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/11.jpg)
Example 1 - A/B Testing
Demo e-commerce app
Let’s try to change the design a bit to increase engagement
![Page 12: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/12.jpg)
Feature flags
![Page 13: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/13.jpg)
Tweek is mission critical
![Page 14: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/14.jpg)
Tweek is open source...
![Page 15: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/15.jpg)
GitHub Flow
Source: GitHub
Checks - Quality Feedback
![Page 16: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/16.jpg)
PR Quality Feedback
![Page 17: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/17.jpg)
Security Department
Source: IT Crowd
![Page 18: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/18.jpg)
Can we add security checks?
![Page 19: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/19.jpg)
The best defense is a good offense
Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg
![Page 20: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/20.jpg)
Let’s take a hacking tool and run it in CI
![Page 22: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/22.jpg)
OWASP Zaproxy
https://www.openhub.net/p/zaproxy
Free and Open Source hacking tool
![Page 23: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/23.jpg)
![Page 24: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/24.jpg)
Zap has two modes: passive and active
![Page 25: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/25.jpg)
Let’s Hack Tweek!
![Page 26: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/26.jpg)
Tweek’s Architecture
![Page 27: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/27.jpg)
Passive Mode
![Page 28: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/28.jpg)
What does Zap do in passive mode?
● Inspects every request and response that passes through the proxy (it sends nothing of its own)
● Runs passive scan rules, for example:
○ Cookie misconfiguration (missing Secure/HttpOnly flags)
○ Missing security HTTP headers
○ Mixed content
○ And many more
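To make the passive rules concrete, here is an added example (not code from the ZAP project or from the talk) that re-implements three of the rule families above over a constructed HTTP response. The required-header list, the cookie attributes checked and the sample response are assumptions for this example, not ZAP's rule set or Tweek's real output; the point is that everything is derived from traffic that was already captured, which is why passive scanning can ride on existing tests at no extra request cost.

```python
"""Added example: a miniature passive scan over one captured response."""
import re

# Headers a passive scanner expects on a browser-facing response (assumed list).
REQUIRED_HEADERS = {
    "strict-transport-security": "Missing Strict-Transport-Security header",
    "x-content-type-options": "Missing X-Content-Type-Options: nosniff",
    "x-frame-options": "Missing X-Frame-Options (clickjacking)",
    "content-security-policy": "Missing Content-Security-Policy header",
}

# Mixed content: an https page that loads a sub-resource over plain http.
MIXED_CONTENT = re.compile(r"""(?:src|href)=["']http://[^"']*""", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, headers, body).

    Headers come back as lower-cased name -> list of values, because
    Set-Cookie legitimately repeats."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers, body


def check_cookies(headers) -> list[str]:
    """Flag each Set-Cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")):
            if attr not in attrs:
                findings.append(f"Cookie without {label}: {name}")
    return findings


def check_headers(headers) -> list[str]:
    """Flag each required security header that is absent."""
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in headers]


def check_mixed_content(page_url: str, body: str) -> list[str]:
    """Only an https page can have mixed content."""
    if not page_url.lower().startswith("https://"):
        return []
    return [f"Mixed content: {m.group(0)}" for m in MIXED_CONTENT.finditer(body)]


def passive_scan(page_url: str, raw_response: str) -> list[str]:
    """Run every passive check over one captured response."""
    _, headers, body = parse_response(raw_response)
    return (check_cookies(headers)
            + check_headers(headers)
            + check_mixed_content(page_url, body))


# Constructed response: one weak cookie, one hardened cookie, one of the four
# headers present, one script pulled over plain http.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '<html><script src="http://cdn.example.com/app.js"></script></html>'
)

if __name__ == "__main__":
    for finding in passive_scan("https://editor.example.com/", SAMPLE_RESPONSE):
        print(finding)
```

Run against the constructed response it reports six findings: two for the `session` cookie, three missing headers, and one mixed-content script; the hardened `theme` cookie is silent.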
![Page 29: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/29.jpg)
Setup Proxy
![Page 30: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/30.jpg)
Browse Editor
![Page 31: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/31.jpg)
Many findings
![Page 32: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/32.jpg)
Potential issue
![Page 33: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/33.jpg)
Why?
![Page 34: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/34.jpg)
Zap does not only find the issues
It will also help you fix them!
![Page 35: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/35.jpg)
Active Mode
![Page 36: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/36.jpg)
What does Zap do in active mode?
● Finds all URLs/paths (by spidering, or from an imported API spec)
● Runs active scan rules, which send crafted requests of their own, for example:
○ SQL injection
○ XSS
○ Directory browsing
○ Remote file inclusion
○ And many more
![Page 37: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/37.jpg)
![Page 38: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/38.jpg)
Zap can parse the spec
![Page 39: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/39.jpg)
And now we can attack it…
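Why "parse the spec" matters is easiest to see in code. The following is an added example, not ZAP's own code or Tweek's real specification: a spider only finds links that pages expose, and an API served behind a `swagger.json` exposes none, so the active scanner reads the spec to enumerate every operation and parameter, which is exactly the list of injection points its rules must fuzz. The Swagger document, the filler value and the probe payload are constructed assumptions for this example.

```python
"""Added example: derive an active scanner's injection points from an OpenAPI
(Swagger 2.0) document and build one probe request per point."""
import json
from urllib.parse import quote, urlencode

# Constructed Swagger 2.0 document; the shape is assumed, not Tweek's real spec.
SPEC = json.loads("""
{
  "swagger": "2.0",
  "basePath": "/api",
  "paths": {
    "/v1/keys/{keyPath}": {
      "get": {
        "parameters": [
          {"name": "keyPath", "in": "path", "required": true, "type": "string"},
          {"name": "context", "in": "query", "type": "string"}
        ]
      },
      "delete": {
        "parameters": [
          {"name": "keyPath", "in": "path", "required": true, "type": "string"}
        ]
      }
    },
    "/v1/context/{identityType}/{identityId}": {
      "post": {
        "parameters": [
          {"name": "identityType", "in": "path", "required": true, "type": "string"},
          {"name": "identityId", "in": "path", "required": true, "type": "string"},
          {"name": "body", "in": "body", "schema": {"type": "object"}}
        ]
      }
    }
  }
}
""")


def injection_points(spec):
    """Return (METHOD, path template, parameter name, location) for every
    parameter the spec declares. A spider would find none of these."""
    points = []
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            for param in op.get("parameters", []):
                points.append((method.upper(), path, param["name"], param["in"]))
    return points


def build_probe(base_url, spec, method, path, target, payload, fill="1"):
    """Build the request an active rule would send with `payload` in `target`.

    Every other parameter gets a harmless filler so the request stays valid;
    path segments are percent-encoded the way a proxy would send them.
    Returns (METHOD, full URL, body or None)."""
    op = spec["paths"][path][method.lower()]
    url_path, query, body = path, {}, None
    for param in op.get("parameters", []):
        value = payload if param["name"] == target else fill
        if param["in"] == "path":
            url_path = url_path.replace("{" + param["name"] + "}", quote(value, safe=""))
        elif param["in"] == "query":
            query[param["name"]] = value
        elif param["in"] == "body":
            body = value
    url = base_url.rstrip("/") + spec.get("basePath", "") + url_path
    if query:
        url += "?" + urlencode(query)
    return method.upper(), url, body


if __name__ == "__main__":
    for point in injection_points(SPEC):
        print(point)
    # A generic SQL-injection probe string placed in one query parameter.
    print(build_probe("http://localhost:4003", SPEC, "get", "/v1/keys/{keyPath}",
                      "context", "' OR 1=1 --"))
```

For the constructed spec this yields six injection points across three operations; an active rule then iterates its payload list over each one, which is why a full active scan is slow and why it belongs in a dedicated CI job rather than inside the functional test run.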
![Page 40: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/40.jpg)
Let’s push the red button
![Page 41: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/41.jpg)
Now relax and drink some coffee
![Page 42: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/42.jpg)
Massive attack
![Page 43: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/43.jpg)
Many findings
![Page 44: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/44.jpg)
Potential issue
![Page 45: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/45.jpg)
Why?
![Page 47: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/47.jpg)
Questions so far?
![Page 48: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/48.jpg)
Let’s take a hacking tool and run it in CI
![Page 49: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/49.jpg)
Zap has two modes: passive and active
![Page 50: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/50.jpg)
Passive Mode
![Page 51: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/51.jpg)
Tweek’s Security Testing (architecture diagram)
Integration Tests → REST → ZAP Proxy → REST → Tweek API
UI Automation Tests → Selenium → ZAP Proxy → Selenium → Tweek Editor
![Page 52: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/52.jpg)
Let’s use Docker
● Tweek is designed as a multi-container app
● Every microservice has an official Docker image
● Tweek uses Docker-native CI (Codefresh)
● Test suites also run as docker containers
● Zap has an official docker image
![Page 53: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/53.jpg)
Containerized them all! (every box below is a container)
Smoke Tests → REST → ZAP Proxy → REST → Tweek API
UI Automation Tests → Selenium → ZAP Proxy → Selenium → Tweek Editor
![Page 54: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/54.jpg)
![Page 55: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/55.jpg)
![Page 56: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/56.jpg)
docker-compose up
![Page 57: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/57.jpg)
docker-compose is widely supported
![Page 58: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/58.jpg)
Running it in CI
![Page 59: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/59.jpg)
Zap API
![Page 60: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/60.jpg)
![Page 61: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/61.jpg)
Curl/CLI/SDK
![Page 62: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/62.jpg)
So we have Security Tests...
![Page 63: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/63.jpg)
But it’s not perfect…
![Page 65: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/65.jpg)
OWASP Glue
Security Tool → Filtering → Reporting
Free and Open Source CI tool
![Page 66: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/66.jpg)
Let’s add some glue to our CI
![Page 67: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/67.jpg)
Using Glue
```shell
ruby /usr/bin/glue/bin/glue -t zap \
  --zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode \
  -f text --exit-on-warn 0 \
  http://editor \
  --finding-file-path /usr/src/wrk/glue.json
```
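What the Glue run above does (and what the "Curl/CLI/SDK" slide alludes to) can also be written directly against ZAP's JSON API. The following is an added example, not Glue's, ZAP's or Tweek's own code: it sends test traffic through the proxy, waits until ZAP's passive scanner has drained its queue, pulls the alerts for the target, drops the rule IDs the team has consciously accepted (the "IGNORE" decision on a later slide), and exits non-zero if anything remains. The host, port, API key, accepted list and sample alerts are assumptions; the endpoints used (`pscan/view/recordsToScan`, `core/view/alerts`) are ZAP's, and the `apikey` parameter is simply ignored when the key is disabled.

```python
"""Added example: gate a CI build on ZAP's passive-scan alerts via the JSON API."""
import json
import sys
import time
import urllib.request
from urllib.parse import urlencode

# ZAP's risk levels, lowest to highest.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Rule IDs accepted after review (assumed; keep the reason next to each one).
ACCEPTED = {"10096"}  # e.g. timestamp disclosure on a public API, judged harmless


def api_url(base, endpoint, apikey, **params):
    """Build a ZAP JSON API URL, e.g. http://zap-e2e:8090/JSON/core/view/alerts/?..."""
    query = {"apikey": apikey, **params}
    return f"{base.rstrip('/')}/JSON/{endpoint.strip('/')}/?{urlencode(query)}"


def call(base, endpoint, apikey, **params):
    with urllib.request.urlopen(api_url(base, endpoint, apikey, **params), timeout=30) as resp:
        return json.load(resp)


def proxied_opener(zap_base):
    """Opener that routes the test suite's own requests through ZAP, so the
    passive rules see every request and response the tests generate."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": zap_base, "https": zap_base}))


def wait_for_passive_scan(base, apikey, poll=2.0, timeout=300):
    """Passive scanning is asynchronous: block until no records are queued."""
    deadline = time.monotonic() + timeout
    while int(call(base, "pscan/view/recordsToScan", apikey)["recordsToScan"]) > 0:
        if time.monotonic() > deadline:
            raise TimeoutError("ZAP passive scan did not finish in time")
        time.sleep(poll)


def fetch_alerts(base, apikey, target):
    """All alerts ZAP holds for URLs under `target`."""
    return call(base, "core/view/alerts", apikey, baseurl=target, start=0, count=5000)["alerts"]


def gate(alerts, min_risk="Low", accepted=frozenset()):
    """Keep alerts at or above `min_risk` whose rule ID is not accepted.
    Returns (build_failed, remaining_alerts)."""
    threshold = RISK_ORDER.index(min_risk)
    remaining = [a for a in alerts
                 if RISK_ORDER.index(a["risk"]) >= threshold
                 and a["pluginId"] not in accepted]
    return bool(remaining), remaining


# Constructed alerts shaped like ZAP's core/view/alerts output; the rule IDs
# and names are illustrative, not a real scan of Tweek.
SAMPLE_ALERTS = [
    {"pluginId": "10010", "alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "http://editor/"},
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium", "url": "http://editor/"},
    {"pluginId": "10096", "alert": "Timestamp Disclosure", "risk": "Informational", "url": "http://editor/api"},
]


def main(argv):
    base, apikey, target = argv[1:4]  # e.g. http://zap-e2e:8090 <key> http://editor
    wait_for_passive_scan(base, apikey)
    failed, remaining = gate(fetch_alerts(base, apikey, target), "Low", ACCEPTED)
    for a in remaining:
        print(f"[{a['risk']}] {a['alert']} (rule {a['pluginId']}) at {a['url']}")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The accepted list is the part worth keeping under review: it is the same decision Glue's filtering step makes, and every entry in it is a finding the team has chosen to live with, so it belongs in the repository next to the tests rather than in someone's head.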
![Page 68: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/68.jpg)
Let’s look at the findings…
![Page 69: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/69.jpg)
Zap’s findings for the API
● Insecure cookies
● Missing security headers
● Insecure hash
FIXED
FIXED
IGNORE
![Page 70: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/70.jpg)
Active Mode
![Page 71: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/71.jpg)
Simply docker
```shell
docker run -t --net=host -v $(pwd):/zap/wrk owasp/zap2docker-weekly \
  zap-api-scan.py -t http://localhost:4003/api/swagger.json -f openapi -r report.html
```
Find out more on Zap’s wiki...
![Page 72: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/72.jpg)
And the results...
![Page 73: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/73.jpg)
Questions so far?
![Page 74: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/74.jpg)
So we have dynamic security tests...
![Page 75: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/75.jpg)
Let’s see if it works…
![Page 76: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/76.jpg)
Should I approve this pull request?
![Page 77: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/77.jpg)
Let's review it...
![Page 78: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/78.jpg)
That looks good...
![Page 79: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/79.jpg)
But the tests are failing...
![Page 80: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/80.jpg)
Let's see why...
![Page 81: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/81.jpg)
Source: https://giphy.com/gifs/thisisgiphy-reaction-audience-l4HodBpDmoMA5p9bG
![Page 82: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/82.jpg)
Conclusion
![Page 83: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/83.jpg)
Security Testing Options

| | Passive (Proxy) | Active (OpenAPI) |
|---|---|---|
| Integration | Simple | Simple |
| Coverage | Wide | Wide |
| Speed | Fast | Slow |
| Test types | Mixed with existing tests | Dedicated tests |
![Page 84: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/84.jpg)
![Page 85: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/85.jpg)
GitHub Only?
![Page 86: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/86.jpg)
How can you use it?
![Page 87: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/87.jpg)
Useful links
● Pull Request – adding security tests to Tweek
● Malicious Pull Request – the one shown a few slides above
● Demo repo – adding security tests to a vulnerable app (Juice Shop)
● Blog Post – how I added security tests to Tweek
@omerlh @yshayy
![Page 88: Security Testing with Zap](https://reader035.vdocuments.us/reader035/viewer/2022062302/5a6491127f8b9a36568b5041/html5/thumbnails/88.jpg)
@omerlh @yshayy
Thank You!