SECURITY TESTING USING ZAP IN SFDC
- MUSTAFA JHABUAWALA
Overview
• What is ZAP ?
• Introduction
• Features
• Benefits of Security Testing using ZAP
• Installation
• Troubleshooting Errors
• How to use ZAP
• Report analysis
What is ZAP ?
• OWASP ZAP (short for Zed Attack Proxy)
• ZAP is a penetration testing tool for finding vulnerabilities in web applications
• Web application security scanner
Introduction to ZAP
• Open-source web application security scanner
• Intended both for those new to application security and for professional penetration testers.
• When used as a proxy server it lets the user inspect and modify all of the traffic that passes through it, including HTTPS traffic (ZAP terminates the TLS connection from the browser itself and opens its own connection to the server).
• This cross-platform tool is written in Java and runs on all of the popular operating systems, including Microsoft Windows, Linux and Mac OS X.
Introduction to ZAP
• ZAP can be configured as a proxy between the browser and the target site.
• ZAP records the proxied traffic; recorded requests can then be replayed with modified parameters, manually or by the active scanner, to see how the application responds to unexpected input.
Features of ZAP
• Intercepting Proxy (hold, inspect and edit requests and responses between the browser and the server)
• Automated Scanner (active scan: sends crafted requests to the discovered pages and parameters)
• Passive Scanner (inspects the recorded traffic without sending any extra requests)
• Brute Force Scanner (forced browsing for unlinked files and directories)
• Fuzzer
• Port Scanner
• Spider (crawls the site to discover pages and links)
• Web Sockets
• REST API (drive ZAP from scripts and CI pipelines)
Benefits of Security Testing using ZAP
• Identifies gaps between the business security policies and how the application actually implements them, before an attacker does.
• Broader coverage of the application's exposed pages, parameters and endpoints than manual testing alone (ZAP tests the running application, so anything the spider or the proxied browser session never reaches is not covered).
• Improves the quality of the application before it goes live.
• The report gives a description, the affected URLs and a suggested solution for every finding, so the team can start on fixes without waiting for a specialist; the findings still need triage, since passive-scan alerts in particular include false positives.
• Runs alongside the existing QA activities: the same manual or automated test session, routed through the proxy, doubles as the security scan.
Installation of ZAP
• Download link: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project (the project has since moved to https://www.zaproxy.org/, which carries the current installers)
Double click the installation file you downloaded and follow the steps below:
1. Accept the license agreement and click Next to continue.
2. Browse to the local directory where you want to store the program files for ZAP.
3. Select the appropriate options and click Next to continue.
4. Click Install to confirm and proceed.
5. Once the installer reports success, click Finish.
6. Double click the OWASP ZAP icon and accept the license.
Installing Certificates
• Since all requests and responses pass through ZAP, a browser opening an HTTPS site receives a certificate issued by ZAP instead of the site's own; certificate verification fails and the browser terminates the connection.
• To prevent this, ZAP generates a certificate for each host on the fly, signed by its own Certificate Authority (CA) certificate.
• This CA certificate is generated the first time ZAP is run and is stored locally.
• To use ZAP with HTTPS sites, you need to install ZAP's CA certificate as a trusted root in your browser.
• Caveat: a browser that trusts the ZAP root CA will accept any certificate ZAP issues, so install it only in the browser or profile used for testing, keep the CA private key on the testing machine, and remove the trust when testing is finished.
Generating and exporting the ZAP CA certificate
1. Click Tools – Options – Dynamic SSL Certificates.
2. Click Generate, then click Yes to overwrite the existing certificate (any copy of the old CA already imported into a browser stops being valid, so re-import after regenerating).
3. Click Save and browse to the local directory where you want to store the certificate.
4. Import is only needed if you want ZAP to use a CA you already have (for example one generated on another machine): click Import, browse to the location of the certificate, click Open and click Yes to overwrite the certificate currently in ZAP.
5. Click OK. ZAP now signs the per-host certificates with the CA you generated or imported.
Configuring the browser
Open your browser (Note – Firefox screens were shown in the original slides; other browsers are configured similarly).
1. Click Advanced – Network – Settings beside the Connection panel.
2. Select Manual proxy configuration and enter the HTTP proxy host and the port number you configured in ZAP (by default ZAP listens on localhost, port 8080); tick "Use this proxy server for all protocols" so that HTTPS traffic is proxied as well.
3. Click Advanced – Certificates. The settings should match those shown on the slide; click the View Certificates button to import the certificate into the browser.
4. On the Certificate Manager screen that opens, click Import, browse to the certificate you generated through ZAP, and when prompted tick "Trust this CA to identify websites".
YOU ARE DONE. You have successfully installed and configured the ZAP tool.
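The proxy settings above can be scripted instead of clicked through, which also keeps the ZAP root CA out of your everyday browser profile. The following is an added example, not part of the original slides or of ZAP itself: it creates a dedicated Firefox profile directory and writes a user.js with the preferences that correspond to the Manual proxy configuration dialog, pointing at ZAP's default localhost:8080 (the profile path, host and port are assumptions you can change), then reads the file back so the settings can be verified.

```python
import re
import tempfile
from pathlib import Path

# Assumed values: ZAP listens on localhost:8080 by default; change them if you
# moved ZAP to another port (Tools - Options - Local Proxy).
ZAP_HOST = "127.0.0.1"
ZAP_PORT = 8080


def zap_proxy_prefs(host=ZAP_HOST, port=ZAP_PORT):
    """Firefox preferences equivalent to 'Manual proxy configuration' pointing at ZAP."""
    return {
        "network.proxy.type": 1,                 # 1 = manual proxy configuration
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,               # proxy HTTPS through ZAP as well
        "network.proxy.ssl_port": port,
        "network.proxy.no_proxies_on": "",       # empty bypass list: nothing skips ZAP
        "network.proxy.allow_hijacking_localhost": True,  # let localhost targets be proxied too
    }


def _pref_literal(value):
    """Render a value as a user.js literal: true/false, an integer, or a quoted string."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def write_user_js(profile_dir, prefs):
    """Create a dedicated profile directory holding a user.js with the given prefs.

    Firefox reads user.js on every start and applies its values, so the proxy
    settings travel with this profile and never touch the daily-use profile.
    """
    profile = Path(profile_dir)
    profile.mkdir(parents=True, exist_ok=True)
    lines = [f'user_pref("{name}", {_pref_literal(value)});' for name, value in prefs.items()]
    path = profile / "user.js"
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return path


USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);')


def read_user_js(path):
    """Parse a user.js back into a dict so the written settings can be verified."""
    prefs = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        match = USER_PREF_RE.match(line.strip())
        if not match:
            continue
        name, raw = match.group(1), match.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return prefs


def firefox_command(profile_dir, url="http://localhost"):
    """Command line that starts Firefox on the dedicated profile (returned, not run)."""
    return ["firefox", "-no-remote", "-profile", str(profile_dir), url]


def configure_profile(profile_dir=None, host=ZAP_HOST, port=ZAP_PORT):
    """Write the ZAP proxy prefs into profile_dir (a fresh temp dir by default) and read them back."""
    profile_dir = profile_dir or tempfile.mkdtemp(prefix="zap-firefox-profile-")
    path = write_user_js(profile_dir, zap_proxy_prefs(host, port))
    return read_user_js(path)


if __name__ == "__main__":
    target = tempfile.mkdtemp(prefix="zap-firefox-profile-")
    for name, value in configure_profile(target).items():
        print(f"{name} = {value!r}")
    print(" ".join(firefox_command(target)))
```

Start the browser with the command `firefox_command` returns (`firefox -no-remote -profile <dir>`). The certificate import has a command-line counterpart too: export ZAP's public CA with `zap.sh -certpubdump zap_root_ca.cer` and add it to that profile's NSS database with `certutil -A -n "ZAP Root CA" -t "C,," -i zap_root_ca.cer -d sql:<profile dir>` (certutil comes with the NSS tools, not with ZAP). Deleting the profile directory afterwards removes both the proxy settings and the trust in the ZAP CA.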
TROUBLESHOOTING ERRORS
An error occurred while starting the proxy: Address already in use: JVM_Bind
If you see this error, another process (commonly a local application server or another intercepting proxy) already holds ZAP's listening port, so you need to change the port ZAP uses.
Click Tools – Options – Local Proxy and change the port (Note – remember the port number you enter here; the browser's proxy settings must use the same one).
Click OK.
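A quick way to reproduce the check the JVM is performing and to pick an alternative port, as an added example that is not part of the original slides: `port_unavailable` attempts the same plain bind ZAP does on its Local Proxy port, `find_free_port` walks upward from 8080 (ZAP's default) to the first port that binds, `occupy_port` stands in for the other process that is holding the port, and `owner_command` returns the operating-system command that names that process. The loopback address and port numbers are assumptions.

```python
import errno
import socket
import sys

ZAP_DEFAULT_PORT = 8080  # ZAP's default Local Proxy port
LOCALHOST = "127.0.0.1"

# errno values reported for "address already in use" and "permission denied"
# (POSIX values plus the winsock ones Python exposes on Windows)
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}
_NO_PERMISSION = {errno.EACCES, getattr(errno, "WSAEACCES", errno.EACCES)}


def port_unavailable(port, host=LOCALHOST):
    """True when a bind on host:port fails the way ZAP's 'JVM_Bind' error reports.

    SO_REUSEADDR is deliberately not set: a plain bind is what the JVM attempts,
    so a port still in TIME_WAIT counts as unavailable here just as it does for ZAP.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno in _IN_USE or exc.errno in _NO_PERMISSION:
                return True
            raise
    return False


def find_free_port(start=ZAP_DEFAULT_PORT, host=LOCALHOST, limit=100):
    """Walk upward from `start` and return the first port that binds cleanly."""
    for port in range(start, min(start + limit, 65536)):
        if not port_unavailable(port, host):
            return port
    raise RuntimeError(f"no free port between {start} and {start + limit - 1}")


def occupy_port(port=0, host=LOCALHOST):
    """Bind and listen on a port to simulate the other process holding it.

    Returns (socket, port); port 0 lets the OS pick a free one. The caller closes it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def owner_command(port):
    """The OS command that names the process listening on `port` (returned, not run)."""
    if sys.platform.startswith("win"):
        return f"netstat -ano | findstr :{port}"
    if sys.platform == "darwin":
        return f"lsof -nP -iTCP:{port} -sTCP:LISTEN"
    return f"ss -ltnp 'sport = :{port}'"


if __name__ == "__main__":
    # Simulate the clash on an OS-chosen port (standing in for 8080), then show the way out.
    holder, held = occupy_port()
    print(f"port {held} unavailable: {port_unavailable(held)}")
    print(f"find the owner with: {owner_command(held)}")
    print(f"use this port under Tools - Options - Local Proxy instead: {find_free_port(held)}")
    holder.close()
```

Run `owner_command(8080)` in a terminal before changing ZAP's port: if the holder is a stale ZAP or another proxy you started yourself, stopping it is simpler than reconfiguring the browser.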
HOW TO USE ZAP ?
• Once you have configured the certificate and the proxy port in your browser
• Enter the URL on which you want to perform security testing in the browser; ZAP records the traffic and starts analysing the site (the passive scanner checks every response as you browse, while an active scan has to be started explicitly from the Sites tree)
• The URL can be your SFDC org link, a Visualforce page link, a Lightning page link, any link; test only orgs you own or are authorised to test, and prefer a sandbox or Developer Edition org over production, since an active scan sends modified requests that can create, change or delete records
Open the browser into which you imported the certificate, type the URL and hit Enter.
Observe the ZAP tool: the sites you browse appear under the Sites tree.
REPORT ANALYSIS
Generating Reports
• Reports generated by ZAP group the findings into risk levels:
• High
• Medium
• Low
• Informational
• For every finding, ZAP reports a description, the affected URLs and a suggested solution (plus a confidence rating, which helps in spotting false positives)
• Sample findings are as follows:
• Session ID in URL Rewrite
• X-Frame-Options Header Not Set
• Referrer Exposes Session ID
• Application Error Disclosure and many others..
Click Report – Generate HTML Report (ZAP can also generate XML and JSON reports, which are easier to process automatically)
Report Sample
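The HTML report is meant for reading; for triage and for gating a build, the XML report (Report – Generate XML Report) is easier to process. The following added example is not from the slides or from ZAP: it parses a constructed report fragment laid out like ZAP's XML report (the Salesforce host, URIs and solution texts are illustrative and not from a real scan; the risk codes 0-3 and confidence codes 0-4 are the ones ZAP uses, and the plugin ids are those of the named passive-scan rules in ZAP 2.x), counts findings per risk level as the report's summary table does, lists the findings worth a human look with their URLs and suggested fix, and returns a pass/fail verdict a pipeline step can act on.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_NAMES = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}

# Constructed sample laid out like ZAP's XML report; host, URIs and wording are
# illustrative and do not come from a real scan.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="Mon, 1 Jan 2024 00:00:00">
 <site name="https://example-dev-ed.my.salesforce.com" host="example-dev-ed.my.salesforce.com" port="443" ssl="true">
  <alerts>
   <alertitem>
    <pluginid>10020</pluginid><alert>X-Frame-Options Header Not Set</alert>
    <riskcode>2</riskcode><confidence>2</confidence>
    <instances>
     <instance><uri>https://example-dev-ed.my.salesforce.com/apex/AccountSummary</uri><method>GET</method></instance>
     <instance><uri>https://example-dev-ed.my.salesforce.com/apex/ContactList</uri><method>GET</method></instance>
    </instances>
    <solution>Send X-Frame-Options: DENY or SAMEORIGIN on every page that renders HTML.</solution>
   </alertitem>
   <alertitem>
    <pluginid>3</pluginid><alert>Session ID in URL Rewrite</alert>
    <riskcode>2</riskcode><confidence>3</confidence>
    <instances><instance><uri>https://example-dev-ed.my.salesforce.com/apex/Login?sid=SESSIONTOKEN</uri><method>GET</method></instance></instances>
    <solution>Carry the session ID in a cookie, never in the URL.</solution>
   </alertitem>
   <alertitem>
    <pluginid>90022</pluginid><alert>Application Error Disclosure</alert>
    <riskcode>1</riskcode><confidence>2</confidence>
    <instances><instance><uri>https://example-dev-ed.my.salesforce.com/apex/Report</uri><method>POST</method></instance></instances>
    <solution>Return a generic error page and keep the detail in server-side logs.</solution>
   </alertitem>
   <alertitem>
    <pluginid>10027</pluginid><alert>Information Disclosure - Suspicious Comments</alert>
    <riskcode>0</riskcode><confidence>1</confidence>
    <instances><instance><uri>https://example-dev-ed.my.salesforce.com/apex/AccountSummary</uri><method>GET</method></instance></instances>
    <solution>Remove comments that reveal internal details.</solution>
   </alertitem>
  </alerts>
 </site>
</OWASPZAPReport>
"""


def parse_report(xml_text):
    """Flatten a ZAP XML report into one dict per alert, including its affected URIs."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("./alerts/alertitem"):
            alerts.append({
                "site": site.get("name"),
                "pluginid": item.findtext("pluginid"),
                "name": item.findtext("alert"),
                "risk": int(item.findtext("riskcode", "0")),
                "confidence": int(item.findtext("confidence", "0")),
                "solution": (item.findtext("solution") or "").strip(),
                "uris": [inst.findtext("uri") for inst in item.findall("./instances/instance")],
            })
    return alerts


def load_report(path):
    """Parse a report file saved from Report - Generate XML Report."""
    return parse_report(Path(path).read_text(encoding="utf-8"))


def risk_summary(alerts):
    """Count alerts per risk level, as the HTML report's summary table does."""
    counts = Counter(RISK_NAMES[a["risk"]] for a in alerts)
    return {name: counts.get(name, 0) for name in ("High", "Medium", "Low", "Informational")}


def triage(alerts, min_risk=2, min_confidence=2):
    """Findings worth a human look: at least Medium risk and not flagged as low confidence."""
    keep = [a for a in alerts if a["risk"] >= min_risk and a["confidence"] >= min_confidence]
    return sorted(keep, key=lambda a: (-a["risk"], -a["confidence"], a["name"]))


def release_gate(alerts, fail_on=3):
    """False when any alert reaches the `fail_on` risk code (3 = High); use it to fail a pipeline step."""
    return not any(a["risk"] >= fail_on for a in alerts)


def format_triage(alerts):
    """Render the triage list with risk/confidence, affected URLs and ZAP's suggested fix."""
    lines = []
    for a in triage(alerts):
        lines.append(f"[{RISK_NAMES[a['risk']]}/{CONFIDENCE_NAMES[a['confidence']]}] {a['name']} (plugin {a['pluginid']})")
        lines.extend(f"    {uri}" for uri in a["uris"])
        lines.append(f"    Fix: {a['solution']}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(risk_summary(found))
    print(format_triage(found))
    print("release gate:", "PASS" if release_gate(found) else "FAIL")
```

Point `load_report` at a report exported from your own scan. Low-confidence and Informational alerts are kept in the parsed list but filtered out of the triage view on purpose: they are where most passive-scan false positives sit, and reviewing them after the Medium and High items keeps the session focused.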
References
• OWASP ZAP, Wikipedia: https://en.wikipedia.org/wiki/OWASP_ZAP
• Salesforce Security, ZAP browser setup: https://security.secure.force.com/security/tools/webapp/zapbrowsersetup
THANK YOU !!!