OWASP ZAP (Zed Attack Proxy)

DevSecOps#2

WebGoat is a deliberately vulnerable application; we run a penetration test against it.

Once you have gained access to the OWASP ZAP instance, you may run the scan by executing the shell script as follows:

After the WebGoat server has been prepared the student should use the terminal emulator of their choice to access the EC2 Instance that will be used to run the OWASP ZAP program. This can be done through the following command:

$ cat run-zap.sh
docker run --rm -v "$(pwd)":/zap/wrk/:rw -t owasp/zap2docker-weekly:w2019-01-21 \
  zap-baseline.py -I -j -t "http://$1:8080/WebGoat" -r zapreport.html \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=http://$1:8080/WebGoat/login.mvc auth.username=clouduser auth.password=password auth.auto=1"

*Note: You must pass the PRIVATE IP ADDRESS of the WebGoat server to the script as its first argument.

Running the script:

$ sudo sh run-zap.sh 10.0.1.26

This runs the scan against the WebGoat server on that private IP.
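As an added example (not the course's own run-zap.sh), here is a stricter version of the wrapper that refuses anything other than an RFC 1918 private IPv4 address as the first argument and translates the scanner's exit status into a verdict. It assumes the same image tag, hook path and WebGoat credentials as the script above; the exit-status meanings follow the ZAP baseline scan documentation.

```shell
#!/bin/sh
# Added example: a stricter wrapper around the run-zap.sh command shown above.
# Assumes the same image tag, hook path and WebGoat credentials as the page;
# exit-status meanings follow the ZAP baseline scan documentation.
# Succeed only if $1 is a well-formed RFC 1918 private IPv4 address.
is_private_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168) return 0 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        return 0
    fi
    return 1
}

# Translate zap-baseline.py's exit status into the verdict it encodes.
# Note: with -I (used below, as on the page) WARN-only scans exit 0.
describe_zap_exit() {
    case "$1" in
        0) echo "PASS: no FAIL-level alerts" ;;
        1) echo "FAIL: at least one FAIL-level alert" ;;
        2) echo "WARN: WARN-level alerts only" ;;
        *) echo "ERROR: scan did not complete (status $1)" ;;
    esac
}

# Validate the argument, run the baseline scan and report the verdict.
run_scan() {
    target=$1
    if ! is_private_ip "$target"; then
        echo "usage: $0 <private IP of the WebGoat server>" >&2
        return 3
    fi
    docker run --rm -v "$(pwd)":/zap/wrk/:rw -t owasp/zap2docker-weekly:w2019-01-21 \
        zap-baseline.py -I -j -t "http://$target:8080/WebGoat" -r zapreport.html \
        --hook=/zap/auth_hook.py \
        -z "auth.loginurl=http://$target:8080/WebGoat/login.mvc auth.username=clouduser auth.password=password auth.auto=1"
    status=$?
    describe_zap_exit "$status"
    return "$status"
}

if [ $# -gt 0 ]; then run_scan "$1"; fi
```

Invoke it as `sudo sh run-zap.sh 10.0.1.26`, exactly like the original; a public address or a malformed one is rejected before docker is started.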

When it has completed, we will see the two files gen.conf and zapreport.html:

$ ls -l
total 20
-rw-r--r--. 1 cloud_user cloud_user     1 Aug 13  2021 init_pass
-rw-r--r--. 1 root       root         286 May  5 21:15 run-zap.sh
-rw-r--r--. 1 cloud_user cloud_user 11872 May  5 23:20 zapreport.html

After the OWASP ZAP program has run, the student should copy the HTML report to the Apache Web Server root directory. This can be done with the command:

$ sudo cp zapreport.html /var/www/html

Report: