Skip to main content

Tutorial: DAST app scans using Zed Attack Proxy

Zed Attack Proxy (ZAP) is a free, open-source penetration tool for testing web applications. ZAP runs as a "man-in-the-middle proxy" between the tester's browser and the web app. You can use ZAP to run penetration testing to simulate a malicious external attack and use the results to protect your app from unauthorized access and denial-of-service attacks.

In this tutorial, you'll set up a simple pipeline with a Zap step that scans the app and ingests the results into STO.

Prerequisites
  • This tutorial has the following prerequisites:

    • A Harness account and STO module license.
    • A basic understanding of key STO concepts and good practices.
    • A working instance of the web app you want to scan. Your app must be accessible from your Harness pipeline.
    • Docker requirements:
      • A Docker Hub account and access token.
      • A Docker connector is required to push the image.
      • Your Docker Hub access token must be stored as a Harness secret.

Set up your app instance

If you don't have your web app running yet, you can go through this tutorial by scanning an instance of the Google Gruyere app.

To create an instance of this app for scanning, go to Start Gruyere.

Set up your pipeline

Do the following:

  1. Select Security Testing Orchestration (left menu, top) > Pipelines > Create a Pipeline. Enter a name and click Start.

  2. In the new pipeline, select Add stage > Security.

  3. Set up your stage as follows:

    1. Enter a Stage Name.

    2. Unselect Clone Codebase.

  4. Go to Infrastructure and select Cloud, Linux, and AMD64 for the infrastructure, OS, and architecture.

    You can also use a Kubernetes or Docker build infrastructure, but these require additional work to set up. For more information, go to Set up a build infrastructure for STO.

Add the Zap step

Harness provides a set of customized steps that make it easy to set up popular scanners such as ZAP.

  1. In Execution, add a Zap step.

  2. Configure the step as follows:

    1. Name = dast_scan_my_web_app

    2. Scan Mode = Orchestration

    3. Scan Configuration

    4. Set the following fields based on the app you're scanning.

      For example, suppose you're scanning version 8.1.2 of https://myorg.org:9090/welcome. You could then set the fields like this:

      • Target Name = myorg.org/welcome

      • Target Variant = 8.1.2

      • Instance Domain = myorg.org/welcome

      • Instance Protocol = https

      • Instance Port = 9090

      If you're scanning a Google Gruyere instance, set the fields like this:

      • Target Name = https://google-gruyere.appspot.com/

      • Target Variant = MY_APP_INSTANCE_ID

      • Instance Domain = https://google-gruyere.appspot.com/MY_APP_INSTANCE_ID

      • Instance Protocol = https

    5. Fail on Severity = Critical

      Zap step palette example

Run the pipeline and check your results

  1. Run the pipeline and then wait for the execution to finish.

  2. Select Security Tests and examine any issues detected by your scan.

    view scan results

Specify the baseline

tip

It is good practice to specify a baseline for every target. Defining a baseline makes it easy for developers to drill down into "shift-left" issues in downstream variants and security personnel to drill down into "shift-right" issues in the baseline.

  1. Select Test Targets (left menu).

  2. Select the baseline you want for your target.

set the baseline

YAML pipeline example

Here's an example of the pipeline you created in this tutorial. If you copy this example, replace the placeholder values with appropriate values for your project, organization, and app instance ID.

pipeline:
name: v1-dast-zap-scan-gruyere-test
identifier: v1dastzapscangruyeretest
projectIdentifier: YOUR_HARNESS_PROJECT_ID
orgIdentifier: YOUR_HARNESS_ORGANIZATION_ID
tags: {}
stages:
- stage:
name: dast_stage_scan_gruyere
identifier: dast_stage_scan_gruyere
description: ""
type: SecurityTests
spec:
cloneCodebase: false
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
execution:
steps:
- step:
type: Zap
name: zap_step_scan_gruyere
identifier: zap_step_scan_gruyere
spec:
mode: orchestration
config: standard
target:
name: https://google-gruyere.appspot.com
type: instance
variant: YOUR_APP_INSTANCE_ID
advanced:
log:
level: info
fail_on_severity: critical
instance:
domain: https://google-gruyere.appspot.com/YOUR_APP_INSTANCE_ID
protocol: https