OWASP ZAP Penetration Testing
Overview
We use OWASP ZAP (Zed Attack Proxy) as our primary penetration testing tool for automated security testing of our web applications and APIs. This document outlines our approach to penetration testing and provides guidance on setting up and running security scans.
Repository and Resources
Our penetration testing tools and configurations are maintained in a dedicated repository:
- Repository: MillionOnMars/penTest
- Documentation: This document and the repository README
- Reports: Generated in the reports/ directory
Setting Up OWASP ZAP
Prerequisites
- OWASP ZAP
- Python 3.8+
- Docker (optional, for containerized scanning)
Installation
- Install OWASP ZAP:
# For macOS (using Homebrew)
brew install --cask owasp-zap
- Set up the Python environment:
# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate # On macOS/Linux
# .\venv\Scripts\activate # On Windows
# Install dependencies
pip install -r requirements.txt
Running Security Scans
Quick Start
- Launch ZAP using the provided script:
./scripts/launch-zap.sh
- Once ZAP is running, you can:
- Use the "Quick Start" tab for automated scanning
- Configure detailed scans in the "Automated Scan" section
- Perform manual exploration of specific features
Manual Scanning
- Start ZAP:
zap.sh
- Configure your target application URL in ZAP's interface
- Run an automated scan:
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' https://your-target-app
Automated Scanning
The project includes GitHub Actions workflows for automated scanning that run on:
- Pull requests
- Scheduled intervals
- Manual triggers
Configuration
- zap-config.yaml: Main configuration file for ZAP scans
- .github/workflows/security-scan.yml: GitHub Actions workflow configuration
Reports
Scan reports are generated in:
- HTML format:
reports/zap-report.html
- Markdown format:
reports/zap-report.md
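The reports above are the artefact a pull-request run has to act on. The following added example (not code from the MillionOnMars/penTest repository) parses a ZAP JSON report, counts alerts per risk level, renders the Markdown table format this document mentions, and returns a pass/fail decision for CI against a risk threshold. The report embedded in it is a constructed sample in the shape of ZAP's traditional JSON report (site -> alerts -> instances); the threshold name and helper functions are assumptions of this example, not ZAP or project API.

```python
"""Summarise a ZAP JSON report and decide whether a CI run should fail.

Added example; not part of the penTest repository. The SAMPLE_REPORT below is
constructed to match the shape of ZAP's traditional JSON report and is not a
real scan result.
"""
import json

# ZAP encodes risk as "riskcode" 0..3; map it to the names shown in the HTML report.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample report: one site, three alerts, a handful of instances.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"name": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"},
                           {"uri": "https://staging.example.test/login", "method": "GET"}]},
            {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
            {"name": "Timestamp Disclosure", "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "https://staging.example.test/api/status", "method": "GET"}]},
        ],
    }],
})


def parse_alerts(report_json):
    """Flatten a ZAP JSON report into one dict per alert (site, name, risk, instance count)."""
    report = json.loads(report_json)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            findings.append({
                "site": site.get("@name", ""),
                # Newer reports use "name"; older ones only "alert". Accept either.
                "name": alert.get("name") or alert.get("alert", ""),
                "risk": RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational"),
                "instances": len(alert.get("instances", [])),
            })
    return findings


def count_by_risk(findings):
    """Return {risk name: number of distinct alerts} with every level present."""
    counts = {risk: 0 for risk in RISK_RANK}
    for finding in findings:
        counts[finding["risk"]] += 1
    return counts


def should_fail(findings, threshold="Medium"):
    """True if any alert is at or above `threshold` (hypothetical CI gate, not a ZAP option)."""
    limit = RISK_RANK[threshold]
    return any(RISK_RANK[f["risk"]] >= limit for f in findings)


def markdown_summary(findings):
    """Render findings as a Markdown table, highest risk first."""
    lines = ["| Risk | Alert | Instances |", "|---|---|---|"]
    for f in sorted(findings, key=lambda f: -RISK_RANK[f["risk"]]):
        lines.append(f"| {f['risk']} | {f['name']} | {f['instances']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_REPORT)
    print(markdown_summary(found))
    print("counts:", count_by_risk(found))
    print("fail build at Medium:", should_fail(found, "Medium"))
```

In a real workflow the JSON string would be read from the report file the scan writes, and the exit status of `should_fail` would decide whether the pull-request check passes; the threshold is the place to encode the "appropriate scan policy per environment" rule, for example failing on Medium for staging but only on High for early development branches.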
Security Considerations
- Environment Safety:
- Never run scans against production environments without explicit permission
- Always use appropriate scan policies based on the target environment
- Review and understand scan results before taking action
- Scan Configuration:
- Use appropriate scan policies for different environments
- Configure scan depth based on the target system
- Set appropriate timeouts and resource limits
- Best Practices:
- Schedule regular security scans
- Document all findings and remediation steps
- Maintain an up-to-date scan configuration
- Review and update scan policies regularly
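The manual scanning command earlier in this document and the Environment Safety and Scan Configuration rules above can be enforced in one place. The following added example (not code from the MillionOnMars/penTest repository) wraps the `zap-cli quick-scan` invocation exactly as shown above and refuses to build it unless the target host is on the allowlist for the named environment, production has been explicitly approved, and a timeout is set. The environment names, hostnames, timeouts and the ScanProfile structure are constructed assumptions of this example, not ZAP or project configuration.

```python
"""Guarded wrapper around the zap-cli quick scan shown in this document.

Added example; not part of the penTest repository. The argv matches the
manual scanning command above; only the target URL varies. Environment names,
hosts and timeouts are constructed placeholders.
"""
import subprocess
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ScanProfile:
    """Hypothetical per-environment scan settings (not a ZAP concept)."""
    allowed_hosts: tuple      # hosts this environment's scans may touch
    timeout_minutes: int      # hard limit handed to subprocess.run
    requires_approval: bool   # True: refuse unless the caller opts in


# Constructed profiles; in practice the hosts would come from zap-config.yaml.
PROFILES = {
    "dev": ScanProfile(("localhost", "127.0.0.1"), 10, False),
    "staging": ScanProfile(("staging.example.test",), 30, False),
    "production": ScanProfile(("www.example.test",), 60, True),
}


class ScanRefused(Exception):
    """The requested scan violates the environment-safety rules."""


def build_scan_command(env, target, approved=False):
    """Return the zap-cli argv for `target`, or raise ScanRefused."""
    profile = PROFILES.get(env)
    if profile is None:
        raise ScanRefused(f"unknown environment {env!r}")
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        raise ScanRefused(f"target must be an http(s) URL, got {target!r}")
    if parsed.hostname not in profile.allowed_hosts:
        raise ScanRefused(f"{parsed.hostname!r} is not on the {env} allowlist")
    if profile.requires_approval and not approved:
        raise ScanRefused(f"{env} scans need explicit approval (approved=True)")
    # Same flags as the documented command; the shell quotes around the
    # -config value are not needed when passing argv directly.
    return [
        "zap-cli", "quick-scan", "--self-contained",
        "--start-options", "-config api.disablekey=true",
        target,
    ]


def run_scan(env, target, approved=False):
    """Build the command, then run it with the profile's timeout applied."""
    argv = build_scan_command(env, target, approved)
    timeout = PROFILES[env].timeout_minutes * 60
    return subprocess.run(argv, check=False, timeout=timeout)


if __name__ == "__main__":
    # Refused: production without the approval flag.
    try:
        build_scan_command("production", "https://www.example.test")
    except ScanRefused as exc:
        print("refused:", exc)
    # Allowed: print the argv rather than launching ZAP here.
    print(" ".join(build_scan_command("staging", "https://staging.example.test")))
```

Keeping the allowlist and approval flag in code rather than in a runbook means a mistyped URL in a scheduled job fails before ZAP is ever started, and the timeout bounds how long a runaway spider can hold CI resources.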
Integration with Development Workflow
- Pre-deployment Scans:
- Automated scanning in CI/CD pipeline
- Manual verification for critical changes
- Regular scheduled scans
- Reporting and Documentation:
- Maintain scan history
- Document remediation steps
- Track security improvements
Historical Context
The penetration testing framework was established to provide:
- Automated security testing capabilities
- Integration with our development workflow
- Consistent security scanning across environments
Current Status (April 2024)
Our penetration testing framework is actively maintained and includes:
- Automated scanning in CI/CD
- Regular scheduled scans
- Manual testing capabilities
- Comprehensive reporting