Table of Contents
OWASP ZAP Container Detail
The OWASP ZAP container was created for VNS3 version 4.8.3+. If you are using an VNS3 version prior to 4.8.3, please upgrade your VNS3 to the latest version (5.x) https://docs.cohesive.net/docs/upgrading/vns3-v4
Getting Started with VNS3 Plugin System
The OWASP ZAP container is deployed to VNS3 (version 4.8.3+) as a plugin using the container system.
Please be familiar with the VNS3 Plug-In Configuration Guide.
OWASP ZAP Container - What does it do?
The OWASP ZAP container displays a web based virtual security scanner that you can use to scan your private and/or public network. You can either use the OWASP ZAP container as a full fledged OWASP ZAP Web UI or you can run an automated baseline scan for a specific website/URL. Some of the OWASP ZAP Web UI features include: AJAX Spider, SQL injection, automated scanner, fuzzer, penetration testing, and forced browsing.
OWASP ZAP Container - What does it need?
- You will need the following inbound/outbound ports and protocols open in the Security Group(s) that are associated to your VN33 controller.
- TCP port 8080 to 0.0.0.0/0
- TCP port 80 to 0.0.0.0/0
- A Postrouting MASQUERADE-ONCE firewall rule to SNAT all the container traffic to the VNS3 IP (this can be automated via the Plugin Manager)
- Port 8080 forwarding rules to forward traffic to the container IP.
- ONLY when running the automated baseline scan will you need to define an “attach_website_or_ip” in the parameters.conf file.
Uploading the OWASP ZAP container image
From the Container —> Images menu item, choose Upload Image.
To use the pre-configured plugin paste the URL into the Image File URL box.
When the Image has imported it will say Ready in the Status Column.
Launching the OWASP ZAP Container
After selecting Allocate from the Actions menu, name your container, provide a description and the command used to execute the container.
The name and description should be something meaningful within the context of your organization and it’s policies.
In MOST cases the command used to run plugin containers will be:
However, this may vary with individual containers, please consult each plug-in’s specific documentation.
The command to run the WAF container is:
Accessing the OWASP ZAP Web UI
Once the container is allocated and running you will need to add port forwarding rules. In the Actions menu, navigate to the Plugin Manager page.
Under the Ports section, select “Map Port
In the pop-up window the VNS3 port and the Container port should both be set to 8080 as shown below. Click Create firewall rule.
Now that you have your port mapping rule in place, clikc on the Executables menu. Under the Exectuables tab, select “Start Web UI”. Then select” Run: Start Web UI” as shown below
NOTE: The Web UI is a CPU intense application so we reccomend using a t3.medium or larger instance size(2+ CPU cores and 4GB + of memory reqiured).
Now that the Web UI is running, open(View) the /var/log/owasp_zap.log. Copy and past the URL into your web browser to access the Owasp Zap Web UI.
Once the Web UI is opened, select “Non persistant session”. You can now use all the features of OWASP ZAP Web UI to attack your cloud and on premises resources, as well as VNS3 itself. In order to attack VNS3 itself you will need to run an Authenticated Scan. Please follow along with this video if yo uwould like to run an Authenitcated Scan against VNS3: –link to video–
As mentioned The OWASP ZAP Web UI is very CPU intensive so make sure you “Stop Web UI” in the Executables menu when you are done using the Web UI.
Running the OWASP Baseline Scan
To run a more basic Scan against a site/ip/URL that the VNS3 has access to, you can simply run the baseline scan executable.
First, navigate to the Plugin Manager Console and follow the directions in the paramters.conf file on the rigth hand side. Uncommment the “attack_ip_or_website” line and edit the url/IP accordingly. Save this as a new version.
Uncomment and define the “attack_website_or_ip” varaible in the parameters.conf file.
After it is saved, you can now run the “Baseline Scan” Executable. Once the baseline scan is finished running (~1 minute), open the /var/log/owasp_zap.log file and copy and paste the URL into your web browser to view the output.
Authenticated Scan against VNS3
Video link: https://youtu.be/4SXMoum7LPg
If you have any questions, please feel free to email firstname.lastname@example.org.