Make cloud base ZAP Scanning Environment Using github-action
zap hacking bugbounty github

Make cloud base ZAP Scanning Environment Using github-action

hahwul

Hi hackers and bugbounty hunters :D Today, I talk about building a github-action-based ZAP scanning environment. As you know, there is no time limit for public repo, so you can configure a cloud-based vulnerability scanner for free ๐Ÿ˜‰

์ €๋Š” ๋ณดํ†ต ๊ฐœ์ธ์ ์ธ ์ž‘์—… ์‹œ ํ™ˆ์„œ๋ฒ„์˜ ZAP์„ ์Šค์บ๋„ˆ๋กœ ๋งŽ์ด ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. ๋‹ค๋งŒ ZAP์˜ ์Šค์บ”๋Ÿ‰์ด ๋งŽ์•„์ง€๋Š” ๊ฒฝ์šฐ ์„œ๋ฒ„ ํ”ผ์”จ๊ฐ€ ๊ต‰์žฅํžˆ ํž˜๋“ค์–ดํ•˜๋Š”๊ฑธ ๋Š๋ผ๊ณ  ์žˆ์–ด, ๊ฐ€๋Šฅํ•œ ZAP ์Šค์บ๋‹๋„ ํด๋ผ์šฐ๋“œ ํ™˜๊ฒฝ์œผ๋กœ ๋„˜๊ฒจ๋ณด๋ ค๊ณ  ํ–ˆ์—ˆ์Šต๋‹ˆ๋‹ค. (์ด๋Š” ๋ฒŒ์จ 2๋…„์ „๋ถ€ํ„ฐ ๋น„์šฉ์„ ์ตœ์†Œํ™”ํ•˜๋Š” ๋ฐฉ๋ฒ•๋“ค์„ ์ฐพ๊ณ ์žˆ์—ˆ๋„ค์š”. ๋Œ€ํ‘œ์ ์œผ๋กœ herokuโ€ฆ)

์•„๋ฌดํŠผ ์ตœ๊ทผ github action ์ชฝ์œผ๋กœ ์ž‘์—…์„ ๋งŽ์ด ํ•˜๊ณ ์žˆ๋Š”๋ฐ, ๋ณด๋‹ค๋ณด๋‹ˆ ์ทจ์•ฝ์  ์Šค์บ๋‹ ์ž‘์—…์„ CI/CD DAST์˜ ๋ชฉ์ ์ด ์•„๋‹Œ, ๋‹จ์ˆœํ•œ ๋งค๋‰ด์–ผ ์Šค์บ๋„ˆ๋กœ๋„ ์“ธ ์ˆ˜ ์žˆ์„ ๊ฒƒ ๊ฐ™์•„์„œ ๊ธ€๋กœ ์ž‘์„ฑํ•ด๋ด…๋‹ˆ๋‹ค.

What is Github Actions(workflow)

Github action is automate, customize, and execute software development workflows right in repository. Can discover, create, and share actions to perform any job youโ€™d like, including CI/CD, and combine actions in a completely customized workflow.

Github action์€ github์—์„œ ์ œ๊ณตํ•˜๋Š” CI/CD๋ฅผ ์œ„ํ•œ ์ž๋™ํ™” ํ™˜๊ฒฝ์ž…๋‹ˆ๋‹ค. workflow ํŒŒ์ผ๋กœ ์ˆ˜ํ–‰ํ•  ์•ก์…˜๊ณผ ์กฐ๊ฑด์„ ๋ช…์‹œํ•˜๋ฉด ํ•ด๋‹น ์กฐ๊ฑด์ด ํŠธ๋ฆฌ๊ฑฐ๋  ๋•Œ ์˜๋„ํ•œ ์•ก์…˜(๋นŒ๋“œ/๋ฐฐํฌ/ํ…Œ์ŠคํŒ… ๋“ฑ๋“ฑ)์ด ์ˆ˜ํ–‰๋ฉ๋‹ˆ๋‹ค.

ZAP workflow for CI/CD DAST Scanning

ZAP, the representative of DAST, is also adding and managing github action. Typically, it is divided into baseline scan and fullscan.

DAST์˜ ๋Œ€ํ‘œ์ฃผ์ž์ธ ZAP์€ github action ๋˜ํ•œ ์ถ”๊ฐ€ํ•˜๊ณ  ๊ด€๋ฆฌ์ค‘์ž…๋‹ˆ๋‹ค. ๋Œ€ํ‘œ์ ์œผ๋กœ baseline scan๊ณผ fullscan์œผ๋กœ ๋‚˜๋‰˜์–ด์ ธ ์žˆ์Šต๋‹ˆ๋‹ค.

How? manually scanning

Github action is designed to work only under certain conditions, such as push, pull request, and cron. However, if using workflow_dispatch, can manual workflow triggers.

๊ธฐ๋ณธ์ ์œผ๋กœ github action์€ push, pull request ๋ฐ cron ๋“ฑ ํŠน์ • ์กฐ๊ฑด์—์„œ๋งŒ ๋™์ž‘ํ•˜๋„๋ก ์„ค๊ณ„๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ ‡์ง€๋งŒ workflow_dispatch๋ผ๋Š”๊ฑธ ์ง€์›ํ•ด์ฃผ๋ฉด์„œ, ๋งค๋‰ด์–ผํ•œ workflow ํŠธ๋ฆฌ๊ฑฐ๋„ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

https://www.hahwul.com/2020/10/18/how-to-trigger-github-action-manually

Test ZAP Manual Scanning in git-action

My testing git repository

Make workflow file

Workflow file(.github/workflow/zap-scan.yml)

name: ZAP-SCAN
on:
   schedule:
     - cron: '0 2 * * sun' #
   workflow_dispatch:
      inputs:
         target:
            description: 'target URL'     
            required: true
            default: ''

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          token: $
          docker_name: 'owasp/zap2docker-stable'
          target: "$"
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
  • workflow_dispatch: for manually
  • workflow_dispatch/inputs: value and parameter
  • jobs/zap_scan: zap scanning

Run git-action with parameter

Your repo > Actions > Your action name > Run workflow > Input parameter and run workflow

1414

Running..

1415

Finish

When finished, the results are registered as an issue.

์™„๋ฃŒ๋˜๋ฉด ๊ฒฐ๊ณผ๋Š” issue๋กœ ๋“ฑ๋ก๋ฉ๋‹ˆ๋‹ค. 1416

Referneces



Security engineer, Developer and H4cker

Menu

Tags

Hacking Android Linux AWS Blogger Javascript Programming BurpSuite Design Docker Security Exploit Git Github Golang Metasploit BugBounty ZAProxy iOS Penetration Test PHP Ruby Windows Python Swift Jekyll Atom CSS Heroku VIM MacOS Crystal-Lang PostgreSQL SSL SQL Tools Cloud Diary Cullinan Phoenix