OWASP ZAP Container

OWASP ZAP Container Detail

The OWASP ZAP container was created for VNS3 version 4.8.3+. If you are using a VNS3 version prior to 4.8.3, please upgrade your VNS3 to the latest version (5.x): https://docs.cohesive.net/docs/upgrading/vns3-v4

Getting Started with VNS3 Plugin System

The OWASP ZAP container is deployed to VNS3 (version 4.8.3+) as a plugin using the container system.

Please be familiar with the VNS3 Plug-In Configuration Guide.

OWASP ZAP Container - What does it do?

The OWASP ZAP container provides a web-based security scanner that you can use to scan your private and/or public networks. You can either use the OWASP ZAP container as a full-fledged OWASP ZAP Web UI or run an automated baseline scan against a specific website/URL. Some of the OWASP ZAP Web UI features include: AJAX Spider, SQL injection testing, automated scanner, fuzzer, penetration testing, and forced browsing.

OWASP ZAP Container - What does it need?

  • You will need the following inbound/outbound ports and protocols open in the Security Group(s) associated with your VNS3 controller.
    • TCP port 8080 to 0.0.0.0/0
    • TCP port 80 to 0.0.0.0/0
  • A Postrouting MASQUERADE-ONCE firewall rule to SNAT all the container traffic to the VNS3 IP (this can be automated via the Plugin Manager)
  • Port 8080 forwarding rules to forward traffic to the container IP.
  • ONLY when running the automated baseline scan will you need to define “attack_website_or_ip” in the parameters.conf file.

Uploading the OWASP ZAP container image

From the Container —> Images menu item, choose Upload Image.

Image URL: https://vns3-containers-read-all.s3.amazonaws.com/OWASP_Zap/OWASP_ZAP_v1.export.tar.gz

To use the pre-configured plugin, paste the URL into the Image File URL box.

Getting the OWASP ZAP plugin

When the Image has been imported it will say Ready in the Status column.

Launching the OWASP ZAP Container

After selecting Allocate from the Actions menu, name your container, provide a description, and specify the command used to execute the container.

The name and description should be something meaningful within the context of your organization and its policies.

In MOST cases the command used to run plugin containers will be: /usr/bin/supervisord

However, this may vary with individual containers; please consult each plug-in’s specific documentation.

The command to run the OWASP ZAP container is: /usr/bin/supervisord

Launching an OWASP Container

Accessing the OWASP ZAP Web UI

Once the container is allocated and running you will need to add port forwarding rules. In the Actions menu, navigate to the Plugin Manager page.

OWASP Container plugin manager menu

Plugin Manager:

OWASP Container plugin manager console

Under the Ports section, select “Map Port”.

In the pop-up window the VNS3 port and the Container port should both be set to 8080 as shown below. Click Create firewall rule.

OWASP Container port mapping

Now that you have your port mapping rule in place, click on the Executables menu. Under the Executables tab, select “Start Web UI”. Then select “Run: Start Web UI” as shown below.

Starting the OWASP ZAP Web UI

NOTE: The Web UI is a CPU-intensive application, so we recommend using a t3.medium or larger instance size (2+ CPU cores and 4 GB+ of memory required).

Now that the Web UI is running, open (View) the /var/log/owasp_zap.log file. Copy and paste the URL into your web browser to access the OWASP ZAP Web UI.

Opening the OWASP ZAP Web UI

Once the Web UI is opened, select “Non persistent session”. You can now use all the features of the OWASP ZAP Web UI to attack your cloud and on-premises resources, as well as VNS3 itself. In order to attack VNS3 itself you will need to run an Authenticated Scan. Please follow along with this video if you would like to run an Authenticated Scan against VNS3: –link to video–

As mentioned, the OWASP ZAP Web UI is very CPU intensive, so make sure you select “Stop Web UI” in the Executables menu when you are done using the Web UI.

Running the OWASP Baseline Scan

To run a more basic scan against a site/IP/URL that the VNS3 has access to, you can simply run the baseline scan executable.

First, navigate to the Plugin Manager Console and follow the directions in the parameters.conf file on the right-hand side. Uncomment the “attack_website_or_ip” line and edit the URL/IP accordingly. Save this as a new version.

Uncomment and define the “attack_website_or_ip” variable in the parameters.conf file.

After it is saved, you can run the “Baseline Scan” executable. Once the baseline scan is finished running (~1 minute), open the /var/log/owasp_zap.log file and copy and paste the URL into your web browser to view the output.

Running the OWASP Baseline Scan
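The following script is an added illustration of the baseline-scan step above, not the plugin's own executable: it reads the “attack_website_or_ip” value from parameters.conf, refuses to run while the line is still commented out or contains anything other than a plain URL/host/IP, and only then invokes ZAP's stock zap-baseline.py. The config path, the key=value line format and the use of zap-baseline.py are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the VNS3 plugin's own code). ASSUMPTIONS: parameters.conf holds
# "key=value" lines with '#' comments; the config path below is a placeholder; and the
# scan is run with ZAP's stock zap-baseline.py, which may differ from the plugin's internals.

CONF="${CONF:-/path/to/parameters.conf}"   # placeholder path; set CONF to the real file
LOG="${LOG:-/var/log/owasp_zap.log}"        # the page says scan output is written here

# Print the value of attack_website_or_ip when the line is active (not commented out),
# with surrounding quotes and whitespace stripped; print nothing otherwise.
get_target() {
    sed -n 's/^[[:space:]]*attack_website_or_ip[[:space:]]*=[[:space:]]*//p' "$1" \
      | head -n 1 | tr -d '"'"'" | tr -d '[:space:]'
}

# Accept only an http(s) URL, a dotted hostname/IPv4 address, or "localhost"; reject an
# empty value (line still commented out) and anything with shell metacharacters or spaces.
valid_target() {
    case "$1" in
        "") return 1 ;;                       # unset or still commented out
        *[!A-Za-z0-9.:/_-]*) return 1 ;;      # outside a conservative URL/host charset
        http://*|https://*) return 0 ;;
        *.*|localhost) return 0 ;;            # bare hostname or IPv4 address
        *) return 1 ;;
    esac
}

# Validate the configured target, then run the baseline scan and append its output to the log.
run_baseline() {
    target="$(get_target "$CONF")"
    if ! valid_target "$target"; then
        echo "attack_website_or_ip is not set or invalid in $CONF; uncomment and define it" >&2
        return 1
    fi
    # A bare host/IP gets an http:// scheme so zap-baseline.py receives a full URL.
    [ "${target#http}" = "$target" ] && target="http://$target"
    # -t target, -r HTML report file, -I do not return a failure exit code on warnings
    zap-baseline.py -t "$target" -r baseline_report.html -I >>"$LOG" 2>&1
}
```

Run it with `CONF=/real/path/parameters.conf sh baseline.sh` after defining `run_baseline` as the entry point; get_target and valid_target can also be sourced and used on their own to sanity-check a saved parameters.conf before clicking “Baseline Scan”.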

Authenticated Scan against VNS3

Video link: https://youtu.be/4SXMoum7LPg

If you have any questions, please feel free to email support@cohesive.net.