Learn to Hack – Security automation scanning with OWASP ZAP and Docker

Security automation is a big concern for me, especially in an enterprise scenario, where we can have hundreds of App Services and HTTPS endpoints to scan.
OWASP ZAP is a great hacking tool for that, it is free and open-source, and it is actually the most used scanning tool on the planet.
I found very interesting the possibility to use OWASP ZAP with Docker. It is easy and very powerful, I will show in more detail in the next security video and conference, but for now, let dig in with the main useful steps that any hacker needs to start.

First, we need a website to test, something to hack, we can use some of the many available, we can find them in the OWASP VWAD below

https://owasp.org/www-project-vulnerable-web-applications-directory/

If you are new to scanning tools, then I do recommend BodgeIt, because is a traditional web application. BodgeIt it easier to test, especially for scanning tools.
A modern web application is what we normally face in azure, like App Services of Functions etcetera.
Juice Shop it is a modern web application, and a very good one, so let use this one for our first test.

Below the commands we need to execute:

Install Juice Shop in Docker.
docker pull bkimminich/juice-shop

Install the last OWASP ZAP version in docker
docker pull owasp/zap2docker-stable

We now need to enable the zapnet network in order to communicate across the containers (we need that in case of inter -containers communication only)
docker network create zapnet

Now we run the Juice Shop
docker run –rm -p 3000:3000 –net zapnet -i -t bkimminich/juice-shop

Use YourLocalIPAddress:3000 in your browser and check if the Juice Shop website runs properly.

Now we can run OWASP ZAP scanning in baseline mode
docker run -t –net zapnet owasp/zap2docker-stable zap-baseline.py -t http://192.168.0.32:3000

You should have an output like below.

This output is the scan result, and we can also create a different type of output reports adding more flags.

We can go deeper using flags like -a -j for the spider option
docker run -t –net zapnet owasp/zap2docker-stable zap-baseline.py -a -j -t http://192.168.0.32:3000

If you want to check all the params, then run
docker run -t –net zapnet owasp/zap2docker-stable zap-baseline.py -h

You can see all reports type we can create.

I hope this will give you a quick understanding of OWASP ZAP automation, and a quick starting point to play with.
I will discuss more in detail this topic in my next videos and conferences.

Related blog posts