OWASP Zed Attack Proxy Scan Task

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests. Run active scan against a target with security risk thresholds and ability to generate the scan report.

Using OWASP Zed Attack Proxy Scan Task

Follow the instructions given below to add and configure OWASP Zed Attack Proxy Task in your build/release pipeline.

Prerequisites

• You need to have OWASP Zed Attach Proxy installed (eg. On a Virtual Machine) and exposed so it can be accessed over the internet. The following article Installing & Configuring OWASP ZAP on an Azure Virtual Machine will provide a detailed guide on how to do it.
• Obtain the API Key required to access the ZAP API by following the instructions on the Official Documentation.

Add the OWASP Zed Attack Proxy Scan Task

Install the OWASP Zed Attack Proxy Scan Task in to your Visual Studio Team Services account and search for the task in the available tasks. The task will appear in the Test section of the task list. Add it to your build/release task.

Required Configuration

OWASP Zed Attack Proxy Scan task has some required configuration options that needed to be provided.

These configurations are found in the ZAP API Configuration section.

Required Options

• ZAP API Url : The fully qualified domain name (FQDN) with out the protocol. (Eg. zap.example.com)
• API Key : The API key for ZAP. Details about obtaining the API can be found on the Official Documentation
• Target URL : Target URL where the active scan is performed against.

Spider Scan Options

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Available Options

• Execute Spider Scan : Enable to run a spider scan on the target.
• Recurse : (Optional) Enable to use the nodes underneath the one specified target to seed the spider.
• Subtree Only : (Optional) Enable to restrict the spider under the target url subtree.
• Context Name : (Optional) Set to constrain the scan to a Context.
• Max Children To Crawl : (Optional) Set to limit the number of children scanned.

Active Scan Options

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Available Options

• Execute Active Scan : Enable to run a active scan on the target.
• Context ID : (Optional) Context identifier of the Scan context.
• Recurse : (Optional) Set recurse option to scan URLs under the given target URL.
• In Scope Only : (Optional) Set In Scope only to true to constrain the scan to URLs that are in scope (ignored if a Context is specified).
• Scan Policy Name : (Optional) Scan Policy Name allows to specify the scan policy (if none is given it uses the default scan policy).
• Method : (Optional) Allow you to select a given request in conjunction with the given URL.
• POST Data : (Optional) Allow you to select a given request in conjunction with the given URL.

Configure Verification

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Available Options

• Enable Verifications : Enable to add thresholds for security risk types and fail the build if the threshold is exceeded.
• High Risk Alert Threshold : Number of Maximum allowed High Risk Alerts. If the number of high risk alerts equals or exceeds, the build will fail.
• Medium Risk Alert Threshold : Number of Maximum allowed High Medium Alerts. If the number of high risk alerts equals or exceeds, the build will fail.
• Low Risk Alert Threshold : Number of Maximum allowed Low Risk Alerts. If the number of high risk alerts equals or exceeds, the build will fail.

Configure Reports

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Available Options

• Report Type : Select the type of report you want generated. Available types are HTML, XML & Markdown.
• Destination Folder : The destination folder that the report file is created. You can use variables. Eg. $(agent.builddirectory).
• Report Filename : Name of the report file, without the extension. Extension is determined by the Report Type. Eg. OWASP-ZAP-Report-2017-00-00.

Contributing to OWASP Zed Attack Proxy Scan Task

Found a Bug?

• Check currently listed Issues to make sure its not already listed.
• If not Open a New Issue for the Bug. Include a detailed description including a proper title that is meaningful and a clear description with as much relevant details regarding the issue as possible.

Fixed a Bug?

• Open a New Pull Request with the fix.
• We are using a strict commit guideline with the OWASP Zed Attack Proxy Scan Task project. Please read the details in the Commit Guideline before you make commits.

Add/Suggest a New Feature, or Change Existing One?

• Add your suggestions to the Gitter Chat for the project.
• After getting a discussion going, Create a new Issue related to the feature in the Issues section. Add detailed description with a title for the issue.
• Follow the Commit Guideline mentioned bellow when committing.
• Create a Pull Request when you are done with the feature.

Have Questions?

• All of your questions are welcome. Post them in the Gitter chat for the project.

Current Contributors

A special thanks to all the Contributors of the OWASP Zed Attack Proxy Scan Task Project. Your valuable contributions are most welcome. :)