ZAP automation
- Docker (zap-baseline.py)
- zap-cli
- API
- Webswing
ZAP in Docker
The weekly image ships zap-baseline.py, a CI-oriented scan that spiders the target and then waits for the passive rules to finish. The first -t is Docker's tty flag; everything after the image name is passed to the script: -t is the target, -g writes a rule configuration file (every rule set to WARN) into the mounted /zap/wrk directory, and -r writes the HTML report there as well.
docker run -v $(pwd):/zap/wrk/:rw \
-t owasp/zap2docker-weekly zap-baseline.py \
-t https://dvwa.ceshiren.com/ \
-g gen.conf \
-r testreport.html
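The -g gen.conf file is what you check into the repository and pass back on later runs with -c gen.conf; changing a rule's action from WARN to FAIL or IGNORE is how you decide what breaks the build. The following Python helper is an added example, not from the original page or the ZAP project. Its line format, one rule per line as rule id, TAB, action, TAB, rule name in parentheses, plus # comment lines, follows the header zap-baseline writes into the generated file; the sample content and the rule ids chosen are constructed for the demo.

```python
"""Edit a zap-baseline rule configuration (the file written by -g, read back with -c).

Added example, not part of the original page or of ZAP. Rule lines are
<rule id><TAB><action><TAB>(<rule name>); '#' lines are comments; the actions
zap-baseline understands are WARN, FAIL, IGNORE and OUTOFSCOPE.
"""
from __future__ import annotations

from collections.abc import Iterable

ACTIONS = {"WARN", "FAIL", "IGNORE", "OUTOFSCOPE"}

# Constructed sample of what `zap-baseline.py -g gen.conf` produces (all rules WARN).
SAMPLE_GEN_CONF = """\
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
10010\tWARN\t(Cookie No HttpOnly Flag)
10016\tWARN\t(Web Browser XSS Protection Not Enabled)
10020\tWARN\t(X-Frame-Options Header Scanner)
10202\tWARN\t(Absence of Anti-CSRF Tokens)
40012\tWARN\t(Cross Site Scripting (Reflected))
40018\tWARN\t(SQL Injection)
"""


def parse_rules(text: str) -> list[tuple[str, str, str]]:
    """Return (rule_id, action, remainder) for every rule line, rejecting
    lines that are neither comments nor well-formed rules."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1] not in ACTIONS:
            raise ValueError(f"malformed rule line: {line!r}")
        rules.append((parts[0], parts[1], "\t".join(parts[2:])))
    return rules


def set_actions(text: str, fail: Iterable[str] = (), ignore: Iterable[str] = ()) -> str:
    """Return a new config with `fail` rules set to FAIL and `ignore` rules to IGNORE.
    Other rules, comments and rule names are left exactly as they were. An id that is
    not in the file is an error: it is most likely a typo that would silently do nothing."""
    fail, ignore = set(fail), set(ignore)
    if fail & ignore:
        raise ValueError(f"rules listed as both fail and ignore: {sorted(fail & ignore)}")
    known = {rule_id for rule_id, _, _ in parse_rules(text)}
    unknown = (fail | ignore) - known
    if unknown:
        raise ValueError(f"rule ids not present in config: {sorted(unknown)}")

    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        parts = line.split("\t")
        if parts[0] in fail:
            parts[1] = "FAIL"
        elif parts[0] in ignore:
            parts[1] = "IGNORE"
        out.append("\t".join(parts))
    return "\n".join(out) + "\n"


def action_counts(text: str) -> dict[str, int]:
    """How many rules sit at each action; worth printing before a scan runs."""
    counts = {action: 0 for action in ACTIONS}
    for _, action, _ in parse_rules(text):
        counts[action] += 1
    return counts


if __name__ == "__main__":
    # Typical CI use: promote the injection rules to FAIL, silence one noisy passive rule.
    hardened = set_actions(SAMPLE_GEN_CONF, fail=["40012", "40018"], ignore=["10016"])
    print(hardened)
    print(action_counts(hardened))
```

The exit code of zap-baseline.py is what the CI job keys on: 0 when no rule is at WARN or FAIL, 1 when at least one FAIL rule matched, 2 when only WARN rules matched, and 3 for any other error. With the edited file passed via -c, only the rules you promoted to FAIL can turn the build red.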
ZAP web UI (Webswing, which serves the desktop UI in a browser)
ZAP on the command line (zap-cli)
https://github.com/Grunny/zap-cli
pip install --upgrade zapcli
$ zap-cli --help
Usage: zap-cli [OPTIONS] COMMAND [ARGS]...
ZAP CLI v0.10.0 - A simple commandline tool for OWASP ZAP.
Options:
--boring Remove color from console output.
-v, --verbose Add more verbose debugging output.
--zap-path TEXT Path to the ZAP daemon. Defaults to /zap or the value of
the environment variable ZAP_PATH.
-p, --port INTEGER Port of the ZAP proxy. Defaults to 8090 or the value of
the environment variable ZAP_PORT.
--zap-url TEXT The URL of the ZAP proxy. Defaults to http://127.0.0.1
or the value of the environment variable ZAP_URL.
--api-key TEXT The API key for using the ZAP API if required. Defaults
to the value of the environment variable ZAP_API_KEY.
--log-path TEXT Path to the directory in which to save the ZAP output
log file. Defaults to the value of the environment
variable ZAP_LOG_PATH and uses the value of --zap-path
if it is not set.
--help Show this message and exit.
Commands:
active-scan Run an Active Scan.
ajax-spider Run the AJAX Spider against a URL.
alerts Show alerts at the given alert level.
context Manage contexts for the current session.
exclude Exclude a pattern from all scanners.
open-url Open a URL using the ZAP proxy.
policies Enable or list a set of policies.
quick-scan Run a quick scan.
report Generate XML, MD or HTML report.
scanners Enable, disable, or list a set of scanners.
scripts Manage scripts.
session Manage sessions.
shutdown Shutdown the ZAP daemon.
spider Run the spider against a URL.
start Start the ZAP daemon.
status Check if ZAP is running.
Using the ZAP API
https://www.zaproxy.org/docs/api/
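The zap-cli commands listed above (start, open-url, spider, active-scan, alerts, report) and the REST API behind them support the same pipeline; in CI the decision point is turning the alert list into a pass or fail. The following Python script is an added example, not from the original page or the ZAP project. It drives that pipeline through the official python-owasp-zap-v2.4 client (zapv2) and gates on risk level. The scan logic is kept separate from the client so it can be exercised without a running ZAP: run_scan expects a ZAPv2 object, or anything with the same urlopen, spider, ascan and core attributes, and the alert dictionaries are shaped as the core/view/alerts endpoint returns them (risk, pluginId, url, param). The target URL, port and API key in main() are assumptions to adjust.

```python
"""Drive a ZAP spider + active scan through the API and gate a CI build on the result.

Added example. Requires: pip install python-owasp-zap-v2.4, and a ZAP daemon
started e.g. with  zap.sh -daemon -port 8090 -config api.key=changeme
(port, key and target below are assumptions to adjust).
"""
from __future__ import annotations

import sys
import time
from collections import Counter
from typing import Callable

# ZAP's risk levels, lowest to highest, as the strings the API returns.
RISK_ORDER = ("Informational", "Low", "Medium", "High")


def wait_until_complete(status: Callable[[str], str], scan_id: str,
                        poll_seconds: float = 2.0, timeout_seconds: float = 1800.0,
                        sleep: Callable[[float], None] = time.sleep) -> None:
    """Poll a status function (zap.spider.status / zap.ascan.status, which return a
    percentage as a string) until it reports 100, or raise on timeout."""
    deadline = time.monotonic() + timeout_seconds
    while int(status(scan_id)) < 100:
        if time.monotonic() > deadline:
            raise TimeoutError(f"scan {scan_id} did not finish in {timeout_seconds}s")
        sleep(poll_seconds)


def summarize_alerts(alerts: list[dict]) -> dict[str, int]:
    """Count distinct findings per risk level. ZAP reports one alert per instance;
    the same rule on the same URL and parameter is counted once here."""
    seen: set[tuple] = set()
    counts: Counter[str] = Counter()
    for alert in alerts:
        key = (alert.get("pluginId"), alert.get("url"), alert.get("param"))
        if key in seen:
            continue
        seen.add(key)
        counts[alert["risk"]] += 1
    return {risk: counts.get(risk, 0) for risk in RISK_ORDER}


def should_fail(summary: dict[str, int], fail_on: str = "High") -> bool:
    """True when any finding is at `fail_on` or a higher risk level."""
    threshold = RISK_ORDER.index(fail_on)
    return any(summary[risk] > 0 for risk in RISK_ORDER[threshold:])


def run_scan(zap, target: str, fail_on: str = "High") -> tuple[dict[str, int], bool]:
    """open-url -> spider -> active-scan -> alerts, the same sequence as the zap-cli
    commands, against a zapv2.ZAPv2 client (or a stand-in with the same shape)."""
    zap.urlopen(target)                       # seed the site tree (zap-cli open-url)
    wait_until_complete(zap.spider.status, zap.spider.scan(target))
    wait_until_complete(zap.ascan.status, zap.ascan.scan(target))
    alerts = zap.core.alerts(baseurl=target)  # only alerts under the target
    summary = summarize_alerts(alerts)
    return summary, should_fail(summary, fail_on)


def main() -> int:
    from zapv2 import ZAPv2  # imported here so the module loads without the client installed

    target = "https://dvwa.ceshiren.com/"     # assumption: the page's DVWA instance
    proxy = "http://127.0.0.1:8090"           # assumption: daemon on the zap-cli default port
    zap = ZAPv2(apikey="changeme", proxies={"http": proxy, "https": proxy})
    summary, failed = run_scan(zap, target, fail_on="High")
    for risk in reversed(RISK_ORDER):
        print(f"{risk:<13} {summary[risk]}")
    with open("testreport.html", "w", encoding="utf-8") as fh:
        fh.write(zap.core.htmlreport())       # same artefact as `zap-cli report -f html`
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit code makes the job fail on High findings while Medium and below stay visible in the report; lower fail_on to "Medium" once the backlog is clean. Deduplicating on (pluginId, url, param) keeps a single reflected parameter hit many times from inflating the count.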
sqlmap
sqlmap {1.4.6#stable}  http://sqlmap.org
Usage: python3.7 sqlmap.py [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--sqlmap-shell Prompt for an interactive sqlmap shell
--wizard Simple wizard interface for beginner users
sqlmap usage
./sqlmap.py --batch \
--cookie="PHPSESSID=ot1n70vi2m070dcf4f3d5g8lb7; security=low" \
--url 'https://dvwa.ceshiren.com/vulnerabilities/sqli/?id=1&Submit=Submit'
--batch takes the default answer to every prompt, so the run is unattended. The cookie must come from the tester's own logged-in DVWA session: PHPSESSID identifies that session and security=low selects the unprotected version of the page. The trailing # copied from the browser's address bar is a URL fragment that is never sent to the server and has been dropped; add -p id to test only that parameter rather than every parameter in the request.
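The run above points sqlmap at DVWA's id parameter. The following Python is an added example, not from the page, sqlmap or DVWA: it reproduces in an in-memory SQLite table what sqlmap is looking for, the string-spliced query shape of DVWA's low-security page next to a parameterized one, a UNION payload of the kind --schema relies on, and a hand-written boolean-based blind probe (sqlmap's technique B) that recovers a field length without any data being echoed. The table contents are constructed for the demo.

```python
"""What sqlmap is probing for in ?id=1: a string-spliced query next to the parameterized fix.

Added example (not from the page, sqlmap or DVWA). The in-memory SQLite table and
its rows are constructed to resemble the shape of DVWA's users table.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the schema mirrors the columns DVWA's page selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    """The flaw: the request parameter is spliced into a quoted SQL literal, so a
    quote in ?id= closes the literal and the rest of the value becomes SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    """The fix: a bound parameter is always data; the same payloads match nothing."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Payloads of the kind sqlmap sends, written out by hand.
TAUTOLOGY = "1' OR '1'='1"                                          # every row comes back
UNION_SCHEMA = "1' UNION SELECT name, sql FROM sqlite_master -- "  # what --schema relies on


def blind_length(conn, lookup, user_id: int, max_len: int = 32) -> int | None:
    """Boolean-based blind injection (sqlmap technique B). Nothing from the database
    is displayed; the only signal is whether the row for user_id still matches, so we
    ask "is length(first_name) = n?" for n = 1, 2, ... until the page says yes."""
    for n in range(1, max_len + 1):
        probe = f"{user_id}' AND length(first_name)={n} AND '1'='1"
        if lookup(conn, probe):
            return n
    return None  # against the parameterized lookup every probe is just an unknown id


if __name__ == "__main__":
    db = make_db()
    print("normal:    ", lookup_vulnerable(db, "1"))
    print("tautology: ", lookup_vulnerable(db, TAUTOLOGY))
    print("union:     ", lookup_vulnerable(db, UNION_SCHEMA))
    print("blind len: ", blind_length(db, lookup_vulnerable, 1))
    print("fixed:     ", lookup_safe(db, TAUTOLOGY), blind_length(db, lookup_safe, 1))
```

sqlmap automates exactly this loop at scale: it sends the probes, compares responses, and walks the schema column by column. The parameterized version returns nothing for every payload because the bound value is compared as a whole, quotes and all, and never parsed as SQL.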
Summary
- zap-cli is the recommended option: powerful, thorough scan coverage, and it fits into continuous integration.
SDL
https://www.microsoft.com/en-us/securityengineering/sdl/practices
Simplified Implementation of the SDL (document)
Chinese_Simplified Implementation of the SDL.docx (653.3 KB)
ZAP in ten
https://www.zaproxy.org/docs/guides/zapping-the-top-10/
Security testing process and tools
- Compiler level: the tooling the SDL practices reference, e.g. scan-build and the analyzers built into IDE compilers
- Static code analysis tools: SonarQube, FindBugs
- Automated security testing: ZAP, sqlmap
- Manual security testing and penetration testing: Burp Suite, ZAP, AppScan, WVS
Penetration testing is usually carried out by a specialist team or individual.