Security test automation and continuous integration

ZAP automation

  • docker
  • zap-cli
  • api
  • webswing

ZAP in Docker

docker run -v $(pwd):/zap/wrk/:rw \
-t owasp/zap2docker-weekly zap-baseline.py \
-t https://dvwa.ceshiren.com/ \
-g gen.conf \
-r testreport.html
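Added example (not from the course notes): a small Python CI gate that consumes the JSON report of a baseline scan together with the rule file written by `-g gen.conf`, and fails the pipeline only on FAIL-rated or High findings. The report and rule contents below are constructed samples; the rule-file layout and the existence of a JSON report from the scan are assumptions about the tool, not shown on the page.

```python
"""CI gate for a ZAP baseline scan: read the JSON report and the rule file
written by `-g`, fail the build only on FAIL-rated (or High) findings."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of a ZAP JSON report: site[] -> alerts[],
# each with a pluginid and a riskcode (0 Info, 1 Low, 2 Medium, 3 High).
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://dvwa.ceshiren.com", "alerts": [
    {"pluginid": "10038", "alert": "CSP Header Not Set", "riskcode": "2", "count": "4"},
    {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "riskcode": "1", "count": "1"},
    {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0", "count": "7"},
]}]})

# Constructed rule file in the layout zap-baseline.py -g writes (assumed):
# "<plugin id>\t<IGNORE|WARN|FAIL>\t(<rule name>)"; '#' lines are comments.
SAMPLE_RULES = """# zap-baseline rule configuration file
10038\tFAIL\t(CSP Header Not Set)
10010\tWARN\t(Cookie No HttpOnly Flag)
10096\tIGNORE\t(Timestamp Disclosure)
"""

def parse_rules(text: str) -> Dict[str, str]:
    """Map plugin id -> action; malformed lines are skipped rather than guessed."""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().split("\t")]
        if not parts[0] or parts[0].startswith("#") or len(parts) < 2:
            continue
        if parts[1].upper() in ("IGNORE", "WARN", "FAIL"):
            rules[parts[0]] = parts[1].upper()
    return rules

def gate(report_json: str, rules_text: str, fail_at_risk: int = 3) -> Tuple[int, List[str]]:
    """Return (exit code, messages). Exit 1 when an alert is FAIL-rated in the
    rule file or its riskcode >= fail_at_risk; unlisted plugin ids default to WARN."""
    rules = parse_rules(rules_text)
    messages, failed = [], False
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert.get("pluginid", ""))
            risk = int(alert.get("riskcode", 0))
            action = rules.get(pid, "WARN")
            if action == "IGNORE":
                continue
            if risk >= fail_at_risk:  # a High finding fails even if the rule file says WARN
                action = "FAIL"
            failed = failed or action == "FAIL"
            messages.append(f"{action}: {pid} {alert.get('alert')} (risk {risk}, "
                            f"count {alert.get('count', '?')})")
    return (1 if failed else 0), messages
```

In a pipeline step, pass the real report and `gen.conf` to `gate()` and use the returned code as the process exit status so a FAIL-rated finding stops the build.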

ZAP web interface

ZAP command line

https://github.com/Grunny/zap-cli

pip install --upgrade zapcli
seveniruby:zap seveniruby$ zap-cli --help
Usage: zap-cli [OPTIONS] COMMAND [ARGS]...

  ZAP CLI v0.10.0 - A simple commandline tool for OWASP ZAP.

Options:
  --boring            Remove color from console output.
  -v, --verbose       Add more verbose debugging output.
  --zap-path TEXT     Path to the ZAP daemon. Defaults to /zap or the value of
                      the environment variable ZAP_PATH.
  -p, --port INTEGER  Port of the ZAP proxy. Defaults to 8090 or the value of
                      the environment variable ZAP_PORT.
  --zap-url TEXT      The URL of the ZAP proxy. Defaults to http://127.0.0.1
                      or the value of the environment variable ZAP_URL.
  --api-key TEXT      The API key for using the ZAP API if required. Defaults
                      to the value of the environment variable ZAP_API_KEY.
  --log-path TEXT     Path to the directory in which to save the ZAP output
                      log file. Defaults to the value of the environment
                      variable ZAP_LOG_PATH and uses the value of --zap-path
                      if it is not set.
  --help              Show this message and exit.

Commands:
  active-scan  Run an Active Scan.
  ajax-spider  Run the AJAX Spider against a URL.
  alerts       Show alerts at the given alert level.
  context      Manage contexts for the current session.
  exclude      Exclude a pattern from all scanners.
  open-url     Open a URL using the ZAP proxy.
  policies     Enable or list a set of policies.
  quick-scan   Run a quick scan.
  report       Generate XML, MD or HTML report.
  scanners     Enable, disable, or list a set of scanners.
  scripts      Manage scripts.
  session      Manage sessions.
  shutdown     Shutdown the ZAP daemon.
  spider       Run the spider against a URL.
  start        Start the ZAP daemon.
  status       Check if ZAP is running.

Using the ZAP API

https://www.zaproxy.org/docs/api/

sqlmap

http://sqlmap.org/

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.6#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

Usage: python3.7 sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

sqlmap usage command

./sqlmap.py --batch \
--cookie="PHPSESSID=ot1n70vi2m070dcf4f3d5g8lb7; security=low; " \
--url 'https://dvwa.ceshiren.com/vulnerabilities/sqli/?id=1&Submit=Submit#'

Summary

  • zap-cli is recommended: it is powerful, scans comprehensively and supports continuous integration

SDL

https://www.microsoft.com/en-us/securityengineering/sdl/practices

Simplified SDL implementation document

Chinese_Simplified Implementation of the SDL.docx (653.3 KB)

ZAP in ten

https://www.zaproxy.org/docs/guides/zapping-the-top-10/

Security testing process and tools

  • Compiler level: the tools referenced by the SDL, tools such as scan-build, and the compilers built into IDEs
  • Code inspection tools: SonarQube, FindBugs
  • Automated security testing: ZAP, sqlmap
  • Manual security testing and penetration testing: Burp Suite, ZAP, AppScan, WVS

Penetration testing is usually performed by a professional team or individual

Commercial testing tools and services