microsoft / CSEDevOps

Azure DevOps extensions from CSE DevOps team
MIT License

DevOps scan doesn't seem to be working #2

Closed anredy closed 4 years ago

anredy commented 4 years ago

I have added this extension to the Release pipeline https://marketplace.visualstudio.com/items?itemName=CSE-DevOps.zap-scanner

Followed the instructions here to add bash task https://github.com/microsoft/CSEDevOps/tree/master/Zap

The job completes successfully.

For example, there is X-Powered-By in the response headers of the web application. But the scan shows it as PASS. Am I misinterpreting the logs? Also there is no results file created.

anredy commented 4 years ago

This is the log from ZAP Scanner:

```text
2019-12-05T17:20:27.6578501Z ##[section]Starting: ZAP Scanner
2019-12-05T17:20:27.6581486Z ==============================================================================
2019-12-05T17:20:27.6581532Z Task : OWASP Zap Scanner
2019-12-05T17:20:27.6581556Z Description : Utilize the OWASP/ZAP scanner within Azure DevOps
2019-12-05T17:20:27.6581582Z Version : 1.0.1
2019-12-05T17:20:27.6581646Z Author : Doyle Turner, Anthony Turner
2019-12-05T17:20:27.6581671Z Help :
2019-12-05T17:20:27.6581694Z ==============================================================================
2019-12-05T17:20:27.7787799Z [command]/bin/chmod 777 /home/vsts/work/r1/a/owaspzap
2019-12-05T17:20:27.7850728Z [command]/usr/bin/id -u root
2019-12-05T17:20:27.8052359Z 0
2019-12-05T17:20:27.8088057Z [command]/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker run -u 0 -v /home/vsts/work/r1/a/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t https://owaspwebtest.azurewebsites.net:80 -J report.json -r report.html
2019-12-05T17:20:27.8376527Z Unable to find image 'owasp/zap2docker-stable:latest' locally
2019-12-05T17:20:28.5206004Z latest: Pulling from owasp/zap2docker-stable
2019-12-05T17:20:28.5219775Z 6abc03819f3e: Pulling fs layer
2019-12-05T17:20:28.5371871Z 05731e63f211: Pulling fs layer
2019-12-05T17:20:28.5372059Z 0bd67c50d6be: Pulling fs layer
2019-12-05T17:20:28.5372094Z e0e5675bc1c4: Pulling fs layer
2019-12-05T17:20:28.5372358Z 7610ea987458: Pulling fs layer
2019-12-05T17:20:28.5372389Z 89a960a66814: Pulling fs layer
2019-12-05T17:20:28.5372638Z 12aa7fbae3d5: Pulling fs layer
2019-12-05T17:20:28.5372671Z 532f36148ad4: Pulling fs layer
2019-12-05T17:20:28.5372700Z 27e30970ed2e: Pulling fs layer
2019-12-05T17:20:28.5372761Z 0764d1a946a5: Pulling fs layer
2019-12-05T17:20:28.5372833Z c7a9c063fa4f: Pulling fs layer
2019-12-05T17:20:28.5372864Z 242f0a1c4800: Pulling fs layer
2019-12-05T17:20:28.5372892Z b641c12da49c: Pulling fs layer
2019-12-05T17:20:28.5372921Z f8541b98b3a1: Pulling fs layer
2019-12-05T17:20:28.5372951Z c691cb4c57ee: Pulling fs layer
2019-12-05T17:20:28.5373040Z b98c783eb145: Pulling fs layer
2019-12-05T17:20:28.5373069Z 0764d1a946a5: Waiting
2019-12-05T17:20:28.5373100Z e0e5675bc1c4: Waiting
2019-12-05T17:20:28.5373130Z c7a9c063fa4f: Waiting
2019-12-05T17:20:28.5373203Z 242f0a1c4800: Waiting
2019-12-05T17:20:28.5373231Z 7610ea987458: Waiting
2019-12-05T17:20:28.5373738Z b641c12da49c: Waiting
2019-12-05T17:20:28.5373996Z f8541b98b3a1: Waiting
2019-12-05T17:20:28.5374109Z 89a960a66814: Waiting
2019-12-05T17:20:28.5374337Z 12aa7fbae3d5: Waiting
2019-12-05T17:20:28.5374367Z c691cb4c57ee: Waiting
2019-12-05T17:20:28.5374466Z b98c783eb145: Waiting
2019-12-05T17:20:28.5374744Z 532f36148ad4: Waiting
2019-12-05T17:20:28.5375293Z 27e30970ed2e: Waiting
2019-12-05T17:20:28.7908107Z 05731e63f211: Verifying Checksum
2019-12-05T17:20:28.7908608Z 05731e63f211: Download complete
2019-12-05T17:20:28.8201413Z 0bd67c50d6be: Verifying Checksum
2019-12-05T17:20:28.8203184Z 0bd67c50d6be: Download complete
2019-12-05T17:20:29.0819494Z 6abc03819f3e: Verifying Checksum
2019-12-05T17:20:29.0823775Z 6abc03819f3e: Download complete
2019-12-05T17:20:29.2411689Z 7610ea987458: Verifying Checksum
2019-12-05T17:20:29.2412578Z 7610ea987458: Download complete
2019-12-05T17:20:29.4420815Z 89a960a66814: Verifying Checksum
2019-12-05T17:20:29.4421531Z 89a960a66814: Download complete
2019-12-05T17:20:29.5533283Z 12aa7fbae3d5: Verifying Checksum
2019-12-05T17:20:29.5533434Z 12aa7fbae3d5: Download complete
2019-12-05T17:20:29.7036072Z 532f36148ad4: Verifying Checksum
2019-12-05T17:20:29.7036382Z 532f36148ad4: Download complete
2019-12-05T17:20:29.7944236Z 27e30970ed2e: Verifying Checksum
2019-12-05T17:20:29.7944957Z 27e30970ed2e: Download complete
2019-12-05T17:20:30.1597296Z c7a9c063fa4f: Verifying Checksum
2019-12-05T17:20:30.1604990Z c7a9c063fa4f: Download complete
2019-12-05T17:20:30.5624210Z 242f0a1c4800: Verifying Checksum
2019-12-05T17:20:30.5624568Z 242f0a1c4800: Download complete
2019-12-05T17:20:30.9913843Z b641c12da49c: Verifying Checksum
2019-12-05T17:20:30.9914196Z b641c12da49c: Download complete
2019-12-05T17:20:31.3062616Z f8541b98b3a1: Verifying Checksum
2019-12-05T17:20:31.3063526Z f8541b98b3a1: Download complete
2019-12-05T17:20:31.5337225Z 0764d1a946a5: Verifying Checksum
2019-12-05T17:20:31.5340835Z 0764d1a946a5: Download complete
2019-12-05T17:20:31.6508132Z c691cb4c57ee: Verifying Checksum
2019-12-05T17:20:31.6508827Z c691cb4c57ee: Download complete
2019-12-05T17:20:31.7704894Z e0e5675bc1c4: Verifying Checksum
2019-12-05T17:20:31.7705026Z e0e5675bc1c4: Download complete
2019-12-05T17:20:31.8457079Z b98c783eb145: Verifying Checksum
2019-12-05T17:20:31.8458201Z b98c783eb145: Download complete
2019-12-05T17:20:35.8046511Z 6abc03819f3e: Pull complete
2019-12-05T17:20:36.4634075Z 05731e63f211: Pull complete
2019-12-05T17:20:36.6271903Z 0bd67c50d6be: Pull complete
2019-12-05T17:20:59.5700999Z e0e5675bc1c4: Pull complete
2019-12-05T17:21:07.7478872Z 7610ea987458: Pull complete
2019-12-05T17:21:07.8940451Z 89a960a66814: Pull complete
2019-12-05T17:21:08.0188332Z 12aa7fbae3d5: Pull complete
2019-12-05T17:21:08.2540456Z 532f36148ad4: Pull complete
2019-12-05T17:21:08.3864345Z 27e30970ed2e: Pull complete
2019-12-05T17:21:10.1915459Z 0764d1a946a5: Pull complete
2019-12-05T17:21:10.3313520Z c7a9c063fa4f: Pull complete
2019-12-05T17:21:10.4792449Z 242f0a1c4800: Pull complete
2019-12-05T17:21:10.6101818Z b641c12da49c: Pull complete
2019-12-05T17:21:10.8114762Z f8541b98b3a1: Pull complete
2019-12-05T17:21:10.9439829Z c691cb4c57ee: Pull complete
2019-12-05T17:21:11.0830032Z b98c783eb145: Pull complete
2019-12-05T17:21:11.1090884Z Digest: sha256:68930bedd1fb3b2ce13a1730510cb559687066b204d83fcbbdc123cc8ddfdfb6
2019-12-05T17:21:11.1411940Z Status: Downloaded newer image for owasp/zap2docker-stable:latest
2019-12-05T17:21:22.5589352Z 2019-12-05 17:21:22,551 Params: ['zap-x.sh', '-daemon', '-port', '38519', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=0', '-addonupdate', '-addoninstall', 'pscanrulesBeta']
2019-12-05T17:21:25.1506040Z Dec 05, 2019 5:21:25 PM java.util.prefs.FileSystemPreferences$1 run
2019-12-05T17:21:25.1506170Z INFO: Created user preferences directory.
2019-12-05T17:21:43.4470997Z Total of 1 URLs
2019-12-05T17:21:43.4471135Z PASS: Directory Browsing [0]
2019-12-05T17:21:43.4471225Z PASS: Cookie No HttpOnly Flag [10010]
2019-12-05T17:21:43.4471255Z PASS: Cookie Without Secure Flag [10011]
2019-12-05T17:21:43.4471876Z PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
2019-12-05T17:21:43.4471961Z PASS: Web Browser XSS Protection Not Enabled [10016]
2019-12-05T17:21:43.4472449Z PASS: Cross-Domain JavaScript Source File Inclusion [10017]
2019-12-05T17:21:43.4472617Z PASS: Content-Type Header Missing [10019]
2019-12-05T17:21:43.4472779Z PASS: X-Frame-Options Header Scanner [10020]
2019-12-05T17:21:43.4472990Z PASS: X-Content-Type-Options Header Missing [10021]
2019-12-05T17:21:43.4473169Z PASS: Information Disclosure - Debug Error Messages [10023]
2019-12-05T17:21:43.4473362Z PASS: Information Disclosure - Sensitive Information in URL [10024]
2019-12-05T17:21:43.4473652Z PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
2019-12-05T17:21:43.4473726Z PASS: HTTP Parameter Override [10026]
2019-12-05T17:21:43.4474080Z PASS: Information Disclosure - Suspicious Comments [10027]
2019-12-05T17:21:43.4474111Z PASS: Viewstate Scanner [10032]
2019-12-05T17:21:43.4474304Z PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
2019-12-05T17:21:43.4474377Z PASS: Secure Pages Include Mixed Content [10040]
2019-12-05T17:21:43.4474562Z PASS: Source Code Disclosure - /WEB-INF folder [10045]
2019-12-05T17:21:43.4474594Z PASS: Cookie Without SameSite Attribute [10054]
2019-12-05T17:21:43.4474622Z PASS: CSP Scanner [10055]
2019-12-05T17:21:43.4474830Z PASS: X-Debug-Token Information Leak [10056]
2019-12-05T17:21:43.4474863Z PASS: Username Hash Found [10057]
2019-12-05T17:21:43.4475182Z PASS: X-AspNet-Version Response Header Scanner [10061]
2019-12-05T17:21:43.4475215Z PASS: Timestamp Disclosure [10096]
2019-12-05T17:21:43.4475427Z PASS: Cross-Domain Misconfiguration [10098]
2019-12-05T17:21:43.4475459Z PASS: Weak Authentication Method [10105]
2019-12-05T17:21:43.4475620Z PASS: Absence of Anti-CSRF Tokens [10202]
2019-12-05T17:21:43.4475650Z PASS: Private IP Disclosure [2]
2019-12-05T17:21:43.4475708Z PASS: External Redirect [20019]
2019-12-05T17:21:43.4475736Z PASS: Session ID in URL Rewrite [3]
2019-12-05T17:21:43.4475763Z PASS: Buffer Overflow [30001]
2019-12-05T17:21:43.4475789Z PASS: Format String Error [30002]
2019-12-05T17:21:43.4475998Z PASS: CRLF Injection [40003]
2019-12-05T17:21:43.4476030Z PASS: Parameter Tampering [40008]
2019-12-05T17:21:43.4476057Z PASS: Server Side Include [40009]
2019-12-05T17:21:43.4476083Z PASS: Cross Site Scripting (Reflected) [40012]
2019-12-05T17:21:43.4476151Z PASS: Cross Site Scripting (Persistent) [40014]
2019-12-05T17:21:43.4476364Z PASS: Cross Site Scripting (Persistent) - Prime [40016]
2019-12-05T17:21:43.4476552Z PASS: Cross Site Scripting (Persistent) - Spider [40017]
2019-12-05T17:21:43.4476623Z PASS: SQL Injection [40018]
2019-12-05T17:21:43.4476652Z PASS: Script Active Scan Rules [50000]
2019-12-05T17:21:43.4476678Z PASS: Script Passive Scan Rules [50001]
2019-12-05T17:21:43.4476704Z PASS: Path Traversal [6]
2019-12-05T17:21:43.4476731Z PASS: Remote File Inclusion [7]
2019-12-05T17:21:43.4476799Z PASS: Insecure JSF ViewState [90001]
2019-12-05T17:21:43.4476826Z PASS: Charset Mismatch [90011]
2019-12-05T17:21:43.4476852Z PASS: Server Side Code Injection [90019]
2019-12-05T17:21:43.4476879Z PASS: Remote OS Command Injection [90020]
2019-12-05T17:21:43.4476953Z PASS: Application Error Disclosure [90022]
2019-12-05T17:21:43.4476980Z PASS: Loosely Scoped Cookie [90033]
2019-12-05T17:21:43.4477184Z FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 50
2019-12-05T17:21:45.0521329Z ##[section]Finishing: ZAP Scanner
```

ExpressDead commented 4 years ago

The output shows 50 passing tests completed. For example, the specific test you pointed out "X-Powered-By" in the response header indicates that the application passed tests for the vulnerability on the discovered endpoints.

The zap scanner generates 2 reports (report.html & report.json) when the task executes. These are both internal to the scanner and are not available after the agent completes a run unless you publish them. For example, they can be published as build artifacts by adding the following 2 tasks to your pipeline following the extension section:

```yaml
# Copy the reports ZAP wrote to owaspzap/ into the artifact staging directory
- task: CopyFiles@2
  condition: always()
  inputs:
    SourceFolder: 'owaspzap/'
    TargetFolder: '$(Build.ArtifactStagingDirectory)'

# Publish the staging directory (the task's default PathtoPublish) as a named artifact
- task: PublishBuildArtifacts@1
  condition: always()
  inputs:
    ArtifactName: 'owasp_zap_reports'
```

Take note of the `condition: always()` bit, as that is what ensures the publishing still happens on a failed run.

anredy commented 4 years ago

ok, thank you for the additional tasks. I will add those tasks and try again. But I am still confused. For example, what does this line from the log tell me:

```text
2019-12-05T17:21:43.4472779Z PASS: X-Frame-Options Header Scanner [10020]
```

The thing is, the test web application that is being scanned is not setting X-Frame-Options. So I expected the ZAP extension to point this out.

When I scan the same URL using the ZAP download from https://github.com/zaproxy/zaproxy/wiki/Downloads, I get a Medium finding: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

I am trying to understand if I missed any configuration setting in the pipeline task or something else.

ExpressDead commented 4 years ago

I can't offer specific guidance on running the direct scan with the proxy. The baseline scan used by the extension isn't meant to be the final authority on penetration testing an app. It's only a way to grab the low hanging fruit and get quick feedback into the DevSecOps lifecycle for a project.

You can find more details on the baseline at https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan, but it's just a brief crawl followed by passive scanning of what is discovered in that time. Running the downloaded proxy you are likely to find more than the extension.

The extension does include an aggressive scanning toggle and the ability to utilize a custom context file. That gives a little more power and flexibility to the scanner, but you would need to be familiar with creating the context file and scanner for that to be useful. For more information on the full scan exposed by the 'aggressive-scan' toggle, take a look at https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan, but keep in mind this could bloat the time your pipeline requires to run.

I'll close this issue as I think we've resolved it through discussion.
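As an added example (not code from the issue, the extension, or ZAP), the following Python parser reads the log format quoted above and turns the per-rule `PASS`/`WARN`/`FAIL` lines, the `Total of N URLs` line and the one-line totals into a pipeline verdict. Its point is the practitioner's caveat from this thread: a wall of `PASS` lines only means "no alert raised on what was crawled", so a run whose crawl reached a single URL, or whose `-t` target pairs an `https` scheme with port 80 as the quoted `docker run` command does, is reported as inconclusive rather than as a pass. The sample log is constructed from lines on this page; the `min_urls` threshold is an assumed, tunable value.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the Azure DevOps log quoted above (timestamp, then zap-full-scan.py output).
SAMPLE_LOG = """\
2019-12-05T17:20:27.8088057Z [command]/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker run -u 0 -v /home/vsts/work/r1/a/owaspzap:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t https://owaspwebtest.azurewebsites.net:80 -J report.json -r report.html
2019-12-05T17:21:43.4470997Z Total of 1 URLs
2019-12-05T17:21:43.4472779Z PASS: X-Frame-Options Header Scanner [10020]
2019-12-05T17:21:43.4474304Z PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
2019-12-05T17:21:43.4477184Z FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 50
"""

TS = r"^(?:\S+Z\s+)?"  # optional Azure DevOps timestamp prefix
STATUSES = "PASS|WARN-NEW|WARN-INPROG|FAIL-NEW|FAIL-INPROG|INFO|IGNORE"
RULE_RE = re.compile(TS + r"(%s): (.+?) \[(\d+)\]\s*$" % STATUSES)   # "PASS: <rule name> [<plugin id>]"
URLS_RE = re.compile(TS + r"Total of (\d+) URLs")                     # crawl coverage reported by the scan script
SUMMARY_RE = re.compile(r"(%s): (\d+)" % STATUSES)                     # pairs on the one-line totals
TARGET_RE = re.compile(r"\s-t\s+(\S+)")                                # -t <target> of the zap-*-scan.py call

def parse_zap_log(text):
    """Collect per-rule status, crawl size, summary counts and the scan target."""
    out = {"rules": {}, "summary": {}, "urls": None, "target": None}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            out["rules"][m.group(3)] = {"name": m.group(2), "status": m.group(1)}
        elif URLS_RE.match(line):
            out["urls"] = int(URLS_RE.match(line).group(1))
        elif "FAIL-NEW:" in line and "PASS:" in line:  # the one-line totals
            out["summary"] = {k: int(v) for k, v in SUMMARY_RE.findall(line)}
        elif "zap-" in line and TARGET_RE.search(line):
            out["target"] = TARGET_RE.search(line).group(1)
    return out

def scan_verdict(parsed, min_urls=2):
    """Return (verdict, reason). PASS lines over a crawl that barely reached the app prove little,
    so such runs are 'inconclusive' rather than 'pass'; min_urls is an assumed threshold."""
    u = urlparse(parsed["target"] or "")
    if (u.scheme, u.port) in (("https", 80), ("http", 443)):  # scheme/port mismatch: TLS on 80 will not connect
        return "inconclusive", "scheme/port mismatch in target %s" % parsed["target"]
    if parsed["urls"] is None or parsed["urls"] < min_urls:
        return "inconclusive", "crawl reached %s URL(s)" % parsed["urls"]
    s = parsed["summary"]
    fails = s.get("FAIL-NEW", 0) + s.get("FAIL-INPROG", 0)
    if fails:
        return "fail", "%d failing rule(s)" % fails
    if s.get("WARN-NEW", 0):
        return "warn", "%d new warning(s)" % s["WARN-NEW"]
    return "pass", "%d rules passed" % s.get("PASS", 0)
```

In a pipeline, feed the task's log (or the scanner's stdout) to `parse_zap_log` and fail the stage on anything but `pass`, so a scan that never really reached the application cannot go green by default.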