"Security is a process, not a product" Bruce Schneier
We’ve recently completed a web development project that implied intense penetration testing. Today, there’s a plethora of automated tools available for this type of testing, which allow you to run your software product scan for a few hours in order to detect potential hazards such as cross-site scripting or XSS-attacks, SQL / PHP injections, etc.
Having considered several paid and free, online, desktop and Cloud tools, we made our choice in favor of OWASP Zed Attack Proxy (ZAP) Project.
OWASP is an open online community that creates methodologies and instructions on how to deliver highly secure software applications. It’s a collaborative initiative comprised of both individuals and corporations from all over the world. The project aims to standardize security approaches in software development and spread knowledge about them.
So, for starters, you need to download and install OWASP ZAP scanner and set it up correctly. This app is meant to be used by both cyber security professionals and people with little or no experience with building IT security. It is platform agnostic and it runs equally well on Windows, Mac OS, Linux and other platforms. Besides, ZAP functionality is scalable with diverse extensions that are publicly accessible on GitHub.
Once you’ve completed setting up your ZAP scanner, we recommend that you perform manual testing or “catalogization”, i.e. when you scan manually as many webpages as possible while having your proxy connected.
To filter out traffic we want to analyze, we use ZAP filters, the so-called “context”. You can add one or several hosts to context to eliminate / hide data you don’t need to analyze. You can also bring it back to view again whenever you need it.
Having completed manual testing, you can perform 3 types of automated scanning: passive, active and fuzzing. Each of them has own pros and cons.
Passive scanning only scans your web app’s responses without altering them. Once a potential hazard has been detected on a particular web page, your passive scanner will give you a heads up.
Intersog's advice: If you aren’t an experienced IT security tester or if you have no specific testing environment and test in production (TiP), stick to passive scanning, as it won’t affect your product and its performance, unlike active scanning and fuzzing!
When it comes to active scanning, ZAP both scans AND attacks the target URLs in search of potential cyberrisks.
Fuzzing allows for response modification (e.g. GET or POST) and instant result viewing.
ZAP comes fitted with an URL crawler that can find all URLs on a website, including the hidden and broken ones.
Upon scanning completion, ZAP generates a report providing a heatmap of the most and least dangerous website areas. Besides this, you can get detailed description of detected vulnerabilities and an action plan on how to resolve them.
In our project case, Remote OS Command Injection was identified as one of the most dangerous vulnerabilities. The hazard consisted in the following: due to a poor validation of input data, a cybercriminal could use our custom-built app to run random commands on user’s OS. To fix this issue, we made input validation methods more rigorous.
Finally, it should be noted that scanner-detected vulnerabilities and their hazard levels don’t always correspond with reality, and sometimes a tiny vulnerability can turn to become a huge issue, while a serious danger may not present too much risk.
That being said, ZAP OWASP and similar penetration testing tools help increase security of your web or mobile solution and make necessary steps to prevent and eliminate cyberattacks. Remember - forewarned is forearmed!