Perform dynamic application security testing with OWASP ZAP, Burp Suite, and Nikto. Test running applications for security vulnerabilities through automated and manual testing. Use when testing web applications, APIs, or performing penetration testing.
```bash
# Install the skill
npx skill4agent add bagelhole/devops-security-agent-skills dast-scanning
```

| Tool | Type | Best For |
|---|---|---|
| OWASP ZAP | OSS | Automated scanning, CI |
| Burp Suite | Commercial | Manual testing, advanced |
| Nikto | OSS | Web server scanning |
| Nuclei | OSS | Template-based scanning |
| Arachni | OSS | Comprehensive scanning (project no longer maintained) |
```bash
# Run ZAP in daemon mode (API on port 8080; the API still requires a key unless
# you also pass -config api.disablekey=true)
docker run -d --name zap \
  -p 8080:8080 \
  -v "$(pwd)/reports:/zap/reports" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -daemon -host 0.0.0.0 -port 8080 \
  -config api.addrs.addr.name=.* \
  -config api.addrs.addr.regex=true
```

```bash
# Quick baseline scan (passive checks only; reports land in the current
# directory, which is mounted as /zap/wrk)
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://target.example.com \
  -r baseline-report.html

# With authentication
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://target.example.com \
  -r report.html \
  --auth-login-url https://target.example.com/login \
  --auth-username user \
  --auth-password pass

# Comprehensive scan (spider plus active scan; -J also writes a JSON report)
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t https://target.example.com \
  -r full-report.html \
  -J full-report.json

# OpenAPI specification scan
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py -t https://target.example.com/openapi.json \
  -f openapi \
  -r api-report.html
```

```yaml
# zap-automation.yaml
env:
  contexts:
    - name: "Default Context"
      urls:
        - "https://target.example.com"
      includePaths:
        - "https://target.example.com/.*"
      excludePaths:
        - "https://target.example.com/logout.*"
      authentication:
        method: "form"
        # parameter names as the Automation Framework expects them for form auth
        parameters:
          loginPageUrl: "https://target.example.com/login"
          loginRequestUrl: "https://target.example.com/login"
          loginRequestBody: "username={%username%}&password={%password%}"
        verification:
          method: "response"
          loggedInRegex: "\\QWelcome\\E"
  users:
    - name: "testuser"
      credentials:
        username: "test@example.com"
        password: "password123"
jobs:
  - type: spider
    parameters:
      context: "Default Context"
      user: "testuser"
      maxDuration: 10
  - type: spiderAjax
    parameters:
      context: "Default Context"
      user: "testuser"
      maxDuration: 10
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "Default Context"
      user: "testuser"
      policy: "Default Policy"
  - type: report
    parameters:
      template: "traditional-html"
      # must sit under the mounted /zap/wrk, otherwise the report stays inside the container
      reportDir: "/zap/wrk/reports"
      reportFile: "zap-report"
```

```bash
# Run automation
docker run --rm -v "$(pwd):/zap/wrk" \
  ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -cmd -autorun /zap/wrk/zap-automation.yaml
```

```yaml
# GitHub Actions workflow
name: DAST Scan
on:
  workflow_dispatch:
  schedule:
    - cron: '0 2 * * *'
jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start Application
        run: |
          docker-compose up -d
          sleep 30  # Wait for app to be ready
      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          target: 'http://localhost:8080'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
      - name: Upload Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: report_html.html
```

```yaml
# .gitlab-ci.yml
dast:
  stage: security
  image: ghcr.io/zaproxy/zaproxy:stable
  variables:
    TARGET_URL: $DAST_TARGET_URL
  script:
    # the packaged scans write reports relative to /zap/wrk; copy the result into
    # the project directory so the artifacts step can collect it
    - mkdir -p /zap/wrk reports
    # -I: warnings do not fail the job
    - zap-baseline.py -t "$TARGET_URL" -r zap-report.html -I
    - cp /zap/wrk/zap-report.html reports/
  artifacts:
    paths:
      - reports/
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
```
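To fail a pipeline on what the scans above report, the JSON report that `zap-full-scan.py -J` writes can be gated on risk level. This is an added example, not part of the skill or of ZAP itself; it assumes the layout ZAP uses for its JSON report (a `site` list whose entries carry `alerts` with `riskcode` and `pluginid`) and runs on an embedded, constructed sample when no file is given.

```python
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of ZAP's -J output (not a real scan result).
# riskcode: 0=Info, 1=Low, 2=Medium, 3=High; pluginid is the ZAP rule id, as used in rules.tsv.
SAMPLE_REPORT = {"site": [{
    "@name": "https://target.example.com",
    "alerts": [
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3", "instances": [{"uri": "https://target.example.com/"}]},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "confidence": "2", "instances": [{"uri": "https://target.example.com/search?q=x"}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2", "instances": [{"uri": "https://target.example.com/"}]},
    ]}]}

def iter_alerts(report):
    """Yield every alert across all sites of a parsed ZAP JSON report."""
    for site in report.get("site", []):
        yield from site.get("alerts", [])

def count_by_risk(report):
    """Count alerts per risk level, e.g. {2: 1, 3: 1, 1: 1} for the sample."""
    counts = {}
    for alert in iter_alerts(report):
        risk = int(alert.get("riskcode", 0))
        counts[risk] = counts.get(risk, 0) + 1
    return counts

def failing_alerts(report, threshold=3, ignore_plugins=()):
    """Alerts at or above the risk threshold, minus an allowlist of plugin ids
    (the same role .zap/rules.tsv plays for the GitHub action above)."""
    ignored = {str(p) for p in ignore_plugins}
    return [a for a in iter_alerts(report)
            if int(a.get("riskcode", 0)) >= threshold and str(a.get("pluginid")) not in ignored]

def gate(report, threshold=3, ignore_plugins=()):
    """Exit code for a CI step: 0 when no alert breaches the threshold, 1 otherwise."""
    failures = failing_alerts(report, threshold, ignore_plugins)
    for a in failures:
        uris = ", ".join(i.get("uri", "?") for i in a.get("instances", []))
        print(f"[{RISK_NAMES[int(a['riskcode'])]}] {a['alert']} ({a['pluginid']}): {uris}")
    return 1 if failures else 0

if __name__ == "__main__":
    # python zap_gate.py full-report.json [threshold]; with no arguments it runs on the sample
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report, int(sys.argv[2]) if len(sys.argv) > 2 else 3))
```

Lowering the threshold to 2 makes Medium findings block the build as well; plugin ids passed in `ignore_plugins` are accepted risks, tracked the same way as entries in rules.tsv.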
```python
import time

import requests


class BurpScanner:
    """Minimal client for the Burp Suite Professional REST API (v0.1)."""

    def __init__(self, api_url, api_key):
        # Burp's REST API takes the API key as a path segment, not as a header:
        #   http://burp:1337/<api_key>/v0.1/...
        self.base = f'{api_url.rstrip("/")}/{api_key}/v0.1'

    def create_scan(self, target_url):
        """Create and start a new scan; returns the task id."""
        payload = {
            'scan_configurations': [
                {'type': 'NamedConfiguration', 'name': 'Crawl and Audit - Balanced'}
            ],
            'scope': {
                'include': [{'rule': target_url}]
            },
            'urls': [target_url]
        }
        response = requests.post(f'{self.base}/scan', json=payload, timeout=30)
        response.raise_for_status()
        # The task id comes back in the Location header
        return response.headers['Location'].rstrip('/').rsplit('/', 1)[-1]

    def get_scan_status(self, scan_id):
        """Get scan status; scan_status is one of initializing, crawling,
        auditing, succeeded, failed or paused."""
        response = requests.get(f'{self.base}/scan/{scan_id}', timeout=30)
        response.raise_for_status()
        return response.json()

    def get_issues(self, scan_id):
        """Get the issues found so far; the API delivers them as issue_events
        on the scan resource rather than from a separate endpoint."""
        status = self.get_scan_status(scan_id)
        return [event['issue'] for event in status.get('issue_events', [])]


# Usage
scanner = BurpScanner('http://burp:1337', 'api-key')
scan_id = scanner.create_scan('https://target.example.com')
while True:
    status = scanner.get_scan_status(scan_id)
    if status['scan_status'] in ('succeeded', 'failed'):
        break
    time.sleep(30)
issues = scanner.get_issues(scan_id)
```
```bash
# Install
apt-get install nikto

# Basic scan
nikto -h https://target.example.com

# With specific options
nikto -h https://target.example.com \
  -ssl \
  -Tuning 123bde \
  -output nikto-report.html \
  -Format html

# Scan specific ports
nikto -h target.example.com -p 80,443,8080
```

```yaml
# Typical DAST findings mapped to OWASP Top 10 (2021) categories
owasp_findings:
  A01_Broken_Access_Control:
    - IDOR vulnerabilities
    - Missing function-level access control
    - Privilege escalation
  A02_Cryptographic_Failures:
    - Sensitive data in URLs
    - Missing HTTPS
    - Weak ciphers
  A03_Injection:
    - SQL injection
    - Command injection
    - XSS
  A05_Security_Misconfiguration:
    - Default credentials
    - Verbose error messages
    - Missing security headers
  A07_Auth_Failures:
    - Weak passwords accepted
    - Session fixation
    - Missing MFA
```

```bash
# Check security headers
curl -sI https://target.example.com | grep -i "x-\|content-security\|strict"

# Expected headers:
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY
# X-XSS-Protection: 1; mode=block   (legacy header; current OWASP guidance is to send 0 and rely on CSP)
# Content-Security-Policy: default-src 'self'
# Strict-Transport-Security: max-age=31536000
```
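The header check above is easy to eyeball once and hard to repeat; this added script (not part of the skill) evaluates a response's headers against the expected list, parsing the HSTS max-age rather than string-matching it, and reports one finding per failed check. It runs offline on two constructed header sets; fetching a live target with a HEAD request through urllib is an assumption about how you reach the application.

```python
import sys
import urllib.error
import urllib.request

HSTS_MIN_AGE = 31536000  # one year, matching the expected Strict-Transport-Security value above

def parse_max_age(hsts_value):
    """Return the max-age from a Strict-Transport-Security value, or None if absent or malformed."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age":
            return int(value) if value.isdigit() else None
    return None

def evaluate_headers(headers):
    """Compare response headers (any case) with the expected set; empty list means all checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy permits 'unsafe-inline' or 'unsafe-eval'")
    max_age = parse_max_age(h.get("strict-transport-security", ""))
    if max_age is None or max_age < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security missing or max-age below {HSTS_MIN_AGE} (got {max_age})")
    return findings  # X-XSS-Protection is legacy and deliberately not scored

def check_url(url):
    """HEAD request, as curl -I does above; error responses carry headers too, so evaluate those."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return evaluate_headers(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return evaluate_headers(dict(err.headers.items()))

# Constructed header sets (not captured from any real server)
GOOD = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", "Content-Security-Policy":
        "default-src 'self'", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK = {"x-frame-options": "ALLOWALL", "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    for finding in (check_url(sys.argv[1]) if len(sys.argv) > 1 else evaluate_headers(WEAK)):
        print("FAIL:", finding)
```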
```yaml
# Test authentication
tests:
  - name: "Authentication Bypass"
    steps:
      - Access protected resource without auth
      - Verify 401/403 response
      - Access with valid auth
      - Verify 200 response
  - name: "Session Management"
    steps:
      - Login and capture session token
      - Logout
      - Attempt to use old session
      - Verify session invalidated
  - name: "Input Validation"
    steps:
      - Submit XSS payload in all inputs
      - Submit SQL injection in all inputs
      - Verify proper sanitization
```