OWASP ZAP Container

OWASP ZAP Container Detail

The OWASP ZAP container was created for VNS3 version 4.8.3+. If you are using a VNS3 version prior to 4.8.3, please upgrade your VNS3 to the latest version (5.x): https://docs.cohesive.net/docs/upgrading/vns3-v4

Getting Started with VNS3 Plugin System

The OWASP ZAP container is deployed to VNS3 (version 4.8.3+) as a plugin using the container system.

Please be familiar with the VNS3 Plug-In Configuration Guide.

OWASP ZAP Container - What does it do?

The OWASP ZAP container provides a web-based security scanner that you can use to scan your private and/or public network. You can either use the container as a full-fledged OWASP ZAP Web UI or run an automated baseline scan against a specific website/URL. Some of the OWASP ZAP Web UI features include the AJAX Spider, SQL injection checks, the automated scanner, the fuzzer, penetration-testing tools, and forced browsing.

OWASP ZAP Container - What does it need?

  • You will need the following inbound/outbound ports and protocols open in the Security Group(s) that are associated with your VNS3 controller.
    • TCP port 8080 to 0.0.0.0/0 (the ZAP Web UI; restricting the source to the addresses that need to reach it is preferable to 0.0.0.0/0)
    • TCP port 80 to 0.0.0.0/0
  • A POSTROUTING MASQUERADE-ONCE firewall rule to SNAT all the container traffic to the VNS3 IP (this can be automated via the Plugin Manager).
  • Port 8080 forwarding rules to forward traffic to the container IP.
  • ONLY when running the automated baseline scan will you need to define “attack_website_or_ip” in the parameters.conf file.

Uploading the OWASP ZAP container image

From the Container —> Images menu item, choose Upload Image.

Image URL: https://vns3-containers-read-all.s3.amazonaws.com/OWASP_Zap/OWASP_ZAP_v1.export.tar.gz

To use the pre-configured plugin, paste the URL into the Image File URL box.

Getting the OWASP ZAP plugin

When the image has been imported, it will say Ready in the Status column.

Launching the OWASP ZAP Container

After selecting Allocate from the Actions menu, name your container, provide a description and the command used to execute the container.

The name and description should be something meaningful within the context of your organization and its policies.

In most cases, the command used to run plugin containers will be: /usr/bin/supervisord

However, this may vary with individual containers; please consult each plug-in’s specific documentation.

The command to run the OWASP ZAP container is: /usr/bin/supervisord

Launching an OWASP ZAP Container

Accessing the OWASP ZAP Web UI

Once the container is allocated and running you will need to add port forwarding rules. In the Actions menu, navigate to the Plugin Manager page.

OWASP Container plugin manager menu

Plugin Manager:

OWASP Container plugin manager console

Under the Ports section, select “Map Port”.

In the pop-up window, the VNS3 port and the Container port should both be set to 8080 as shown below. Click Create firewall rule.

OWASP Container port mapping

Now that you have your port mapping rule in place, click on the Executables menu. Under the Executables tab, select “Start Web UI”. Then select “Run: Start Web UI” as shown below.

Starting the OWASP ZAP Web UI

NOTE: The Web UI is a CPU-intensive application, so we recommend using a t3.medium or larger instance size (2+ CPU cores and 4 GB+ of memory required).

Now that the Web UI is running, open (View) /var/log/owasp_zap.log. Copy and paste the URL it contains into your web browser to access the OWASP ZAP Web UI.

Opening the OWASP ZAP Web UI

Once the Web UI is opened, select “Non-persistent session”. You can now use all the features of the OWASP ZAP Web UI to scan your cloud and on-premises resources, as well as VNS3 itself. To scan VNS3 itself, you will need to run an Authenticated Scan. Please follow along with this video if you would like to run an Authenticated Scan against VNS3: OWASP ZAP Authenticated Scan

As mentioned, the OWASP ZAP Web UI is very CPU intensive, so make sure you select “Stop Web UI” in the Executables menu when you are done using the Web UI.

Running the OWASP Baseline Scan

To run a more basic scan against a site, IP, or URL that VNS3 can reach, you can simply run the Baseline Scan executable.

First, navigate to the Plugin Manager console and follow the directions in the parameters.conf file on the right-hand side. Uncomment the “attack_website_or_ip” line and edit the URL/IP accordingly. Save this as a new version.

Uncomment and define the “attack_website_or_ip” variable in the parameters.conf file.

After it is saved, you can run the “Baseline Scan” executable. Once the baseline scan has finished running (~1 minute), open the /var/log/owasp_zap.log file and copy and paste the URL it contains into your web browser to view the output.
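The two manual steps above (setting attack_website_or_ip in parameters.conf, then copying the result URL out of /var/log/owasp_zap.log) are easy to get wrong: a target left commented out, a bare hostname where a URL was expected, or a scan pointed at something outside the range you are authorized to test. The following Python is an added example, not part of the plugin or of Cohesive's documentation. It parses a constructed parameters.conf in the key=value form the page describes, normalizes the target, checks it against an allow-list of in-scope networks and hostnames before any scan is built, and pulls the report URL out of constructed log lines. The zap-baseline.py command line is ZAP's own bundled baseline script; that the plugin's "Baseline Scan" executable wraps it is an assumption, as are the sample values.

```python
"""Helpers around the plugin's parameters.conf and owasp_zap.log (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample parameters.conf: the attack_website_or_ip line ships
# commented out and must be uncommented and edited, as the page describes.
SAMPLE_PARAMETERS_CONF = """\
# Uncomment and set the target for the Baseline Scan executable
# attack_website_or_ip=http://example.com
attack_website_or_ip = http://app.internal.example:8080/
"""

# Constructed sample of /var/log/owasp_zap.log (format is an assumption).
SAMPLE_ZAP_LOG = """\
2024-01-01 12:00:00 Starting ZAP Web UI
2024-01-01 12:00:05 Open the Web UI at http://203.0.113.10:8080/zap/
"""


def parse_parameters_conf(text):
    """Return a dict of key=value settings, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def normalize_target(value):
    """Turn an IP, hostname, or URL into a full URL; raise on empty/invalid input."""
    if not value:
        raise ValueError("attack_website_or_ip is not set (still commented out?)")
    if "://" not in value:
        # Bare IP or hostname: assume plain http, matching the page's 'site/ip/URL'.
        value = "http://" + value
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported target: {value!r}")
    return value


def target_in_scope(url, allowed_networks, allowed_hosts):
    """Authorization check: only scan hosts/networks you own or are permitted to test."""
    host = urlsplit(url).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so compare as a hostname
        return host in allowed_hosts
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


def baseline_command(url, report="/var/log/zap-baseline.html"):
    """Argv for ZAP's bundled zap-baseline.py; -t is the target, -r an HTML report.
    That the plugin's 'Baseline Scan' executable runs this is an assumption."""
    return ["zap-baseline.py", "-t", url, "-r", report]


URL_RE = re.compile(r"https?://[^\s\"']+")


def report_url_from_log(log_text):
    """Return the last URL in the log, i.e. the one the page says to paste into a browser."""
    urls = URL_RE.findall(log_text)
    return urls[-1] if urls else None


def plan_baseline_scan(conf_text, allowed_networks, allowed_hosts):
    """Validate the configured target and return the command to run, or raise."""
    target = normalize_target(parse_parameters_conf(conf_text).get("attack_website_or_ip"))
    if not target_in_scope(target, allowed_networks, allowed_hosts):
        raise PermissionError(f"{target} is outside the authorized scan scope")
    return baseline_command(target)


if __name__ == "__main__":
    print(plan_baseline_scan(SAMPLE_PARAMETERS_CONF, ["10.0.0.0/8"], {"app.internal.example"}))
    print(report_url_from_log(SAMPLE_ZAP_LOG))
```

The scope check is the part worth keeping even if you never script the scan: VNS3 sits on a path to networks you may not be entitled to test, so an explicit allow-list of hostnames and CIDRs is a cheap guard against a typo in parameters.conf sending the scanner somewhere it should not go.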

Running the OWASP Baseline Scan

Authenticated Scan against VNS3

Video link: https://youtu.be/4SXMoum7LPg

If you have any questions, please feel free to email support@cohesive.net.