#3400 Use OWASP ZAP security scanner
Opened 7 years ago by pvoborni. Modified 3 years ago

It might be beneficial to use $subj during development process to test security of our Web UI/Pages.

This effort should be combined with development of Web UI integration tests (probably in Selenium). Tests will serve as a foundation for active scanner.

Currently ZAP can't parse JSON requests [1]; we should wait for implementation of this feature, otherwise the usability of ZAP will be limited.

[1] http://code.google.com/p/zaproxy/issues/detail?id=302&start=100

A sample invocation of skipfish:

$ skipfish -MEU -S /usr/share/skipfish/dictionaries/complete.wl \
    -W new_dict.wl \
    -C "AuthCookie=value" \
    -o output_dir1 http://foo.bar.com/dashboard

The CLI switches I used for the above scan are fairly minimal and can be fine-tuned to get more meaningful reports.

Documentation: https://code.google.com/p/skipfish/wiki/SkipfishDoc

Another related tool is ratproxy -- http://code.google.com/p/ratproxy/ , which also helped me previously.
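The ticket proposes driving ZAP's active scanner from the Web UI tests and reading the results back. The script below is an added example (not FreeIPA project code and not from the ticket) that does the programmatic half of that: it calls ZAP's JSON API (the `spider`, `ascan` and `core/view/alerts` endpoints, which are ZAP's real endpoint names) through the standard library only, waits for the spider and active scan to finish, and summarises the alerts by risk level so a CI job can fail on findings. It assumes ZAP is running with its API enabled on `http://localhost:8080`, that the API key is in the `ZAP_APIKEY` environment variable, and the target URL is whatever is passed on the command line; all of those are assumptions, and the host names in comments are constructed.

```python
"""Drive a running OWASP ZAP instance via its JSON API and gate a build on its alerts.

Added example, not FreeIPA project code. Assumptions: ZAP listens on
http://localhost:8080 with the API enabled, and ZAP_APIKEY holds its API key.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"  # assumed ZAP API/proxy address
RISK_ORDER = ("Informational", "Low", "Medium", "High")  # ZAP's risk levels, ascending


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    params.setdefault("apikey", os.environ.get("ZAP_APIKEY", ""))
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def call(component, kind, name, **params):
    """Perform one API call and decode ZAP's JSON reply (network access)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)


def wait_for(component, scan_id):
    """Poll spider/ascan progress until ZAP reports 100 (percent complete)."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def summarize_alerts(alerts):
    """Count alerts per risk level; input is the 'alerts' list from core/view/alerts."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def exceeds_threshold(counts, fail_at="High"):
    """True if any alert sits at or above the fail_at risk level."""
    idx = RISK_ORDER.index(fail_at)
    return any(counts.get(risk, 0) for risk in RISK_ORDER[idx:])


def scan_and_gate(target, fail_at="High"):
    """Spider, actively scan, then return (per-risk counts, should_fail)."""
    wait_for("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", call("ascan", "action", "scan", url=target, recurse="true")["scan"])
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    counts = summarize_alerts(alerts)
    return counts, exceeds_threshold(counts, fail_at)


if __name__ == "__main__":
    # Usage: ZAP_APIKEY=... python zap_gate.py http://ipa.example.test/  (constructed host)
    counts, fail = scan_and_gate(sys.argv[1])
    for risk in reversed(RISK_ORDER):
        print(f"{risk:<14}{counts[risk]}")
    sys.exit(1 if fail else 0)
```

Because ZAP's API and its intercepting proxy share the same listener, the Selenium tests the ticket mentions can be pointed at `localhost:8080` as their HTTP proxy; the pages they exercise then populate ZAP's site tree, and the active scan above runs against everything the tests reached rather than only what the spider could crawl.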

Metadata Update from @pvoborni (3 years ago):
- Issue assigned to pvoborni
- Issue set to the milestone: Ticket Backlog
