DAST Automation with Jenkins and OWASP ZAP for a Session-Based Application

Rohit Ranjan
4 min read · Jun 23, 2020

Prerequisites:

  1. OWASP ZAP plugin for Jenkins (Official OWASP ZAP Jenkins Plugin)
  2. HTML Publisher plugin for Jenkins
  3. Deployment job(s) already configured, so that a running instance of the application is available for ZAP to scan

Note: I made this tutorial on Windows. For Linux and Mac you only need to change the respective paths; the other steps remain the same.

Step 1:

Installation of the ZAP plugin and the HTML Publisher plugin

Manage Jenkins → Plugin Manager → Available tab → search for "zap" and select Official OWASP ZAP Jenkins Plugin

[Screenshot: search in Available plugins]

Manage Jenkins → Plugin Manager → Available tab → search for "html publisher plugin" and select HTML Publisher Plugin

[Screenshot: publish report on Jenkins]

Install, then save and exit.

Step 2:

Let's configure ZAP for use by the plugin.

Manage Jenkins → Configure System

[Screenshot: configure the ZAP host and port for the scan]

Next, configure the global properties for ZAP: define an environment variable whose value is the path of the ZAP installation directory. The job created in Step 4 refers to this variable.

[Screenshot: define the variable with its value as shown]

Return to the home page.

Step 3:

Creation of the Jenkins job

Browse to New Item → Freestyle project

Provide the necessary details for the job, then scroll down to the Build section and select Execute ZAP from the dropdown menu.

[Screenshot: select build steps]

Note: only Execute ZAP is selected for this tutorial. Add your own build and deployment steps when doing this for production, because ZAP needs a deployed, running instance of the application to scan.

Step 4:

Set up the ZAP configuration of the build step as shown in the screenshots below:

  • Configure the port as required. The Workspace field shows where this build's files will reside.
    [Screenshot: workspace shows where this build would reside]
  • Provide the ZAP installation details for your platform; the environment variable was defined in Step 2.
    [Screenshot: Windows-based path]
  • Include the relevant scope (the URLs to test) in the context, plus the username and password.
    [Screenshot: provide the necessary information in the red-shaded area]
  • Credentials for login, and the script for script-based authentication. The script appears in the dropdown only once it has been created and copied into place after Step 10.
    [Screenshot: the starting point defines where crawling begins]
  • Crawl configuration.
    [Screenshot: select the check boxes as per your requirement]
  • Ignore 404 errors. The report will be written to C:\jenkins\jobs\ZAP_CI_DEMO\htmlreports.
    [Screenshot: select the report type]
  • Copy the exact configuration shown in the figure below. This tab is available only when the HTML Publisher Plugin for Jenkins is installed. Save this configuration and move on to the next steps. For e-mail notifications, make sure e-mail is set up under the global configuration (Manage Jenkins → Configure System).
    [Screenshot: provide recipients' e-mail IDs for build notifications]

Step 5:

Generate a script for session-based authentication.

Prerequisites:

  • Set your browser's proxy to ZAP so that ZAP logs and can intercept the traffic
  • Use Zest script recording in the ZAP UI to generate the authentication script

Follow the screenshots below to capture the login and generate the authentication script.

[Screenshot: script generated]

Step 6:

Set up the recording configuration (give the script a name, e.g. Demo1) to capture and generate the script, then click Start Recording.

[Screenshot: provide details before generating the Zest (.zst) script]

Step 7:

Now browse to https://www.mywebsite.com through the ZAP proxy and perform the login, which will be recorded.

[Screenshot: check the request and response before generating the final script]

Step 8:

Select Demo1 and then go to the Script Console. Press Run and check for green ticks in the results below.

[Screenshot: check that everything is fine]

Also browse the Request & Response tab to check for correctness: the login response should show the status code you expect and a session cookie, not just a request that was sent successfully.

Step 9:

Copy the script from the Script Console and save it with a .zst extension. This script will be used for script-based authentication.

Step 10:

Now move or copy this Zest script file into the authentication scripts directory of the ZAP installation.

Windows:

C:\Program Files\OWASP\Zed Attack Proxy\scripts\scripts\authentication

Linux & Mac:

Locate your ZAP installation directory and use the corresponding scripts/scripts/authentication path under it.

Step 11:

Now open the job created in Step 4 and select the desired script, Demo1.zst, from the script dropdown menu in the script-based authentication section.

Step 12:

Click Save, then Build Now.
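The job as configured above publishes the ZAP report but never fails the build on what ZAP found, so a High finding can sail through a green build. The script below is an added example written for this tutorial; it is not part of the original article, the ZAP Jenkins plugin, or ZAP itself. It assumes the ZAP build step also wrote an XML report in ZAP's XML layout (OWASPZAPReport/site/alerts/alertitem, with riskcode 0 to 3), and the SAMPLE_REPORT embedded in it is constructed for illustration rather than real scan output. Run it from an "Execute Windows batch command" (or "Execute shell") step placed after Execute ZAP, pointing at the XML report; a nonzero exit fails the build while the HTML report is still published by the HTML Publisher post-build action.

```python
"""Fail a Jenkins build on OWASP ZAP findings at or above a chosen risk level.

Added example for this tutorial; not part of the original article, the ZAP
Jenkins plugin, or ZAP. Assumes ZAP's XML report layout:
OWASPZAPReport/site/alerts/alertitem with <riskcode> 0..3.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# ZAP risk codes as used in <riskcode>: 0 Informational, 1 Low, 2 Medium, 3 High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (not real scan output), trimmed to the elements read below.
SAMPLE_REPORT = """<OWASPZAPReport version="2.9.0" generated="Tue, 23 Jun 2020 10:00:00">
  <site name="https://www.mywebsite.com" host="www.mywebsite.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10202</pluginid>
        <alert>Absence of Anti-CSRF Tokens</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <instances>
          <instance><uri>https://www.mywebsite.com/profile</uri><method>GET</method></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>40018</pluginid>
        <alert>SQL Injection</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance><uri>https://www.mywebsite.com/search?q=test</uri><method>GET</method><param>q</param></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(report_xml):
    """Return one dict per <alertitem>: plugin id, name, numeric risk, affected URIs."""
    root = ET.fromstring(report_xml)
    alerts = []
    for item in root.iter("alertitem"):
        alerts.append({
            "pluginid": item.findtext("pluginid", default=""),
            "name": item.findtext("alert") or item.findtext("name") or "",
            "risk": int(item.findtext("riskcode", default="0")),
            "uris": [inst.findtext("uri", default="") for inst in item.iter("instance")],
        })
    return alerts


def summarize(alerts):
    """Count alerts per risk name, e.g. {'High': 1, 'Low': 1}."""
    return dict(Counter(RISK_NAMES.get(a["risk"], "Unknown") for a in alerts))


def violations(alerts, fail_on=2, ignore_pluginids=frozenset()):
    """Alerts at or above `fail_on` (default 2 = Medium), minus an explicit
    allow-list of plugin ids for findings that were reviewed and accepted."""
    return [a for a in alerts
            if a["risk"] >= fail_on and a["pluginid"] not in ignore_pluginids]


def build_passes(report_xml, fail_on=2, ignore_pluginids=frozenset()):
    """True when no alert at or above `fail_on` remains after the allow-list."""
    return not violations(parse_alerts(report_xml), fail_on, ignore_pluginids)


def main(argv):
    # Usage: python zap_gate.py <report.xml> [min_risk 0-3] [pluginid,pluginid,...]
    # With no arguments the constructed SAMPLE_REPORT is evaluated instead.
    report = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    fail_on = int(argv[2]) if len(argv) > 2 else 2
    ignored = frozenset(argv[3].split(",")) if len(argv) > 3 else frozenset()
    alerts = parse_alerts(report)
    print("ZAP alert summary:", summarize(alerts))
    bad = violations(alerts, fail_on, ignored)
    for a in bad:
        print(f"  [{RISK_NAMES.get(a['risk'], '?')}] {a['name']} "
              f"(plugin {a['pluginid']}) at {', '.join(a['uris'])}")
    if bad:
        print(f"FAIL: {len(bad)} alert(s) at or above {RISK_NAMES.get(fail_on, fail_on)}")
        return 1
    print("PASS: no alert at or above", RISK_NAMES.get(fail_on, fail_on))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The allow-list is keyed on ZAP's plugin id rather than the alert name because the name is free text and changes between ZAP releases, whereas the id is stable; keep that list in the job configuration (or in the repository) so that accepted findings are reviewed rather than silently ignored. Keep "Ignore 404" and the other crawl settings from Step 4 as they are: this gate only reads the finished report.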
