MatiaCornejo/Vulnerability-Assessment-Automation
Vulnerability-Assessment-Automation

Vulnerability Assessment Automation by Matia Cornejo

Configuration

Before running the program, install the required Python libraries and make the ZAP application available in a container.

Dependencies

A Makefile automates the installation: it installs virtualenv, creates a virtual environment in the virtualenv directory, installs the pinned packages from requirements.txt into it, and runs the program's help as a smoke test.

Command

make

Expected output

pip install virtualenv
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: virtualenv in /usr/lib/python3/dist-packages (20.13.0+ds)
Requirement already satisfied: platformdirs<3,>=2 in /usr/lib/python3/dist-packages (from virtualenv) (2.5.1)
Requirement already satisfied: filelock<4,>=3.2 in /usr/lib/python3/dist-packages (from virtualenv) (3.6.0)
Requirement already satisfied: six<2,>=1.9.0 in /usr/lib/python3/dist-packages (from virtualenv) (1.16.0)
Requirement already satisfied: distlib<1,>=0.3.1 in /usr/lib/python3/dist-packages (from virtualenv) (0.3.4)
Ceating virtual env...
python3 -m virtualenv virtualenv
created virtual environment CPython3.10.12.final.0-64 in 140ms
  creator CPython3Posix(dest=/home/red/Documents/Work/SoftServe/Vulnerability-Assessment-Automation/virtualenv, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/red/.local/share/virtualenv)
    added seed packages: pip==22.0.2, setuptools==59.6.0, wheel==0.37.1
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
Virtual environment created in the directory virtualenv
Installing dependencies from requirements.txt
virtualenv/bin/pip install -r requirements.txt
Collecting certifi==2024.12.14
  Using cached certifi-2024.12.14-py3-none-any.whl (164 kB)
Collecting charset-normalizer==3.4.1
  Using cached charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (146 kB)
Collecting idna==3.10
  Using cached idna-3.10-py3-none-any.whl (70 kB)
Collecting Jinja2==3.1.5
  Using cached jinja2-3.1.5-py3-none-any.whl (134 kB)
Collecting MarkupSafe==3.0.2
  Using cached MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (20 kB)
Collecting python-dotenv==1.0.1
  Using cached python_dotenv-1.0.1-py3-none-any.whl (19 kB)
Collecting requests==2.32.3
  Using cached requests-2.32.3-py3-none-any.whl (64 kB)
Collecting urllib3==2.3.0
  Using cached urllib3-2.3.0-py3-none-any.whl (128 kB)
Installing collected packages: urllib3, python-dotenv, MarkupSafe, idna, charset-normalizer, certifi, requests, Jinja2
Successfully installed Jinja2-3.1.5 MarkupSafe-3.0.2 certifi-2024.12.14 charset-normalizer-3.4.1 idna-3.10 python-dotenv-1.0.1 requests-2.32.3 urllib3-2.3.0
Installed
virtualenv/bin/python3 ./src/main.py -h
usage: main.py [-h] [--API] [--SCAN {zap,test} [{zap,test} ...]] [--PROXY PROXY]

Vulnerability Assessment Automation

options:
  -h, --help            show this help message and exit
  --API                 Select this argument to interact with the API.
  --SCAN {zap,test} [{zap,test} ...]
                        Select the tool to perform the scan.
  --PROXY PROXY         Proxy URL for debugging or network rules.

Then activate the virtual environment to run the project.

Command

source virtualenv/bin/activate

Expected output

(virtualenv)

ZAP

The zap folder contains zap.sh, which pulls the official zaproxy/zap-stable image and starts it as a daemon listening on port 8090. The configuration was designed for a completely isolated environment, so do not run it on an exposed server: as the container listing below shows, the API port is published on 0.0.0.0, i.e. it is reachable from every network interface of the host. If the host cannot be isolated, publish the port on the loopback interface only (-p 127.0.0.1:8090:8090), require an API key (-config api.key=<key>), and point the ZAP variable in .env at that address.

Command

Beforehand, check that the user can talk to the Docker daemon (membership of the docker group) or run the command with elevated privileges.

./zap.sh

Expected output

Using default tag: latest
latest: Pulling from zaproxy/zap-stable
fd674058ff8f: Pull complete 
21961f586e6a: Pull complete 
12f2f012d853: Pull complete 
7b0b4d85c822: Pull complete 
a56ef1b1d26d: Pull complete 
3d0f22cf6e72: Pull complete 
4f4fb700ef54: Pull complete 
d10c75316373: Pull complete 
8c9d3ac7acfb: Pull complete 
6d9b29b71826: Pull complete 
f1a5cb7480b5: Pull complete 
f87193c30643: Pull complete 
2868e684fece: Pull complete 
22a27e82acfe: Pull complete 
1bfd47d99274: Pull complete 
55768fbcbcd3: Pull complete 
2dae6163c8d8: Pull complete 
f9bde43419ed: Pull complete 
cf0c17088a54: Pull complete 
6ad32049201d: Pull complete 
Digest: sha256:5c96ceee30d214641a871deb690a4671bf873d7265ac1b386094d163f7d71e9b
Status: Downloaded newer image for zaproxy/zap-stable:latest
docker.io/zaproxy/zap-stable:latest
ef419be9133d40fa0687ccf2878b2ffd340458c7597e7128e71b57d186375963
CONTAINER ID   IMAGE                COMMAND                  CREATED        STATUS                                     PORTS                                       NAMES
ef419be9133d   zaproxy/zap-stable   "zap.sh -daemon -por…"   1 second ago   Up Less than a second (health: starting)   0.0.0.0:8090->8090/tcp, :::8090->8090/tcp   zaproxy

Environment variables

The project reads its settings from a .env file. Create one based on the example file, example-env, and keep it out of version control: it holds session tokens and a mail password.

Expected content of the .env file

HOST=https://dummyjson.com
API_URL=https://dummyjson.com
ZAP=http://localhost:8090
TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
REFRESH=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
EMAIL_USER=example@gmail.com
EMAIL_PASSWORD=qsca...
NOTIFICATION_EMAIL=notification@gmail.com

Considerations regarding the variables

TOKEN and REFRESH are the session tokens for the API. They can be omitted; the program will then log in with credentials and obtain a new session token and a refresh token.

HOST is the target on which the vulnerability scan will be performed, API_URL is the address of the API to interact with, and ZAP is the address of the container that holds the scanning application.

Important: email sending is supported only through the Gmail service. EMAIL_USER must be a Gmail address, EMAIL_PASSWORD must be an app password generated for this purpose (not the account password), and NOTIFICATION_EMAIL is the recipient of the alerts.

Usage

This section shows how to use the project and includes some examples.

Help

The project has two main options, --API and --SCAN, which are listed by the help menu.

Command

python main.py -h

Expected output

usage: main.py [-h] [--API] [--SCAN {zap,test} [{zap,test} ...]] [--PROXY PROXY]

Vulnerability Assessment Automation

options:
  -h, --help            show this help message and exit
  --API                 Select this argument to interact with the API.
  --SCAN {zap,test} [{zap,test} ...]
                        Select the tool to perform the scan.
  --PROXY PROXY         Proxy URL for debugging or network rules.

API

To interact with the API, use the --API option. The program obtains an access token if needed, displays the user information, and obtains a refresh token for future session renewals.

Command

python main.py --API

Expected output

[!]Starting interaction with the API

[+]Getting token using credentials

Status 200: https://dummyjson.com/users
Status 200: https://dummyjson.com/auth/login
Login using sophiab credentials
Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Refresh token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

[+]Getting user information using token

Status 200: https://dummyjson.com/auth/me
firstName: Sophia
lastName: Brown
data: sophia.brown@x.dummyjson.com
role: admin

[+]Getting new token using refresh

Status 200: https://dummyjson.com/auth/refresh
Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Refresh token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
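The session handling described above (TOKEN and REFRESH may be reused from .env, or the program logs in again) can be made explicit by reading the exp claim of the stored JWTs before deciding which call to make. The block below is an added example and not the project's code: only the JWT structure is relied on, while the login() and refresh() callables, the field names, and the tokens built by make_test_jwt are assumptions. It also shows the redaction the output above applies ("eyJ...") so that whole bearer tokens never end up in logs or mail.

```python
"""Added example, not the project's code: decide from the TOKEN/REFRESH values in .env
whether the session can be reused, refreshed, or needs a fresh login, and avoid logging
whole tokens. Only the JWT structure is relied on; login/refresh callables are assumptions."""
import base64
import json
import time


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload WITHOUT verifying the signature. The client only needs exp to plan
    a refresh; nothing else in an unverified payload should be trusted."""
    try:
        _header, payload, _signature = token.split(".")
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def decide_auth(token, refresh, now=None, skew=60):
    """'reuse' a live access token, 'refresh' when only the refresh token is still live,
    otherwise 'login'. Tokens expiring within `skew` seconds count as dead."""
    now = time.time() if now is None else now

    def live(t):
        c = jwt_claims(t or "")
        return isinstance(c, dict) and isinstance(c.get("exp"), (int, float)) and c["exp"] - skew > now

    if live(token):
        return "reuse"
    if live(refresh):
        return "refresh"
    return "login"


def redact(token):
    """Print a prefix only, the way the project's output does; never log a whole bearer token."""
    return token[:12] + "..." if token and len(token) > 16 else "***"


def authenticate(env, login, refresh, now=None):
    """Return (path_taken, access_token, refresh_token). `login()` and `refresh(refresh_token)`
    are caller-supplied callables returning (access, refresh): hypothetical stand-ins for the
    project's own /auth/login and /auth/refresh requests."""
    choice = decide_auth(env.get("TOKEN"), env.get("REFRESH"), now)
    if choice == "reuse":
        return choice, env["TOKEN"], env.get("REFRESH")
    if choice == "refresh":
        access, new_refresh = refresh(env["REFRESH"])
        return choice, access, new_refresh
    access, new_refresh = login()
    return choice, access, new_refresh


def make_test_jwt(claims):
    """Build an HS256-shaped token with a bogus signature, for offline tests only."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}.bogus-signature"


if __name__ == "__main__":
    now = time.time()
    env = {"TOKEN": make_test_jwt({"id": 1, "exp": now - 10}),        # expired access token
           "REFRESH": make_test_jwt({"id": 1, "exp": now + 86400})}   # refresh token still live
    path, access, new_refresh = authenticate(
        env, login=lambda: ("login-access", "login-refresh"),
        refresh=lambda r: ("refreshed-access", "refreshed-refresh"))
    print(path, redact(access), redact(new_refresh))
```

Because the decision is made from the stored tokens, the program only spends a credential login when both tokens are missing or expired, and the 60 second skew avoids sending a token that expires while the request is in flight. The signature is deliberately not checked here: the client cannot verify it without the server's key, and nothing from the unverified payload other than exp is used.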

SCAN

To start the scan, use the --SCAN option followed by the scanner to use. This performs the assessment, displays the main findings, and sends a notification email for those that are high or critical risk (ZAP's own scale is Informational, Low, Medium and High, so in practice the High alerts trigger the email).

Command

python main.py --SCAN zap

Expected output

[!]Starting scan of https://dummyjson.com using zap
ZAP its running
Target https://dummyjson.com added
Crawler on https://dummyjson.com started
Crawler on https://dummyjson.com finished
Scan on https://dummyjson.com started
Scan on https://dummyjson.com finished
JSON report obtained about https://dummyjson.com
HTML report obtained about https://dummyjson.com

[+]Saving reports of https://dummyjson.com

JSON report saved on ./reports/fullReport.json
HTML report saved on ./reports/fullReport.html
JSON report saved on ./reports/dummyjson.com.json

[+]Sumary of https://dummyjson.com


Name: Content Security Policy (CSP) Header Not Set
Risk: Medium (High)
Instances: 15
Description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.


Name: Cross-Domain Misconfiguration
Risk: Medium (Medium)
Instances: 98
Description: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.


Name: Cross-Domain JavaScript Source File Inclusion
Risk: Low (Medium)
Instances: 62
Description: The page includes one or more script files from a third-party domain.


Name: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Risk: Low (Medium)
Instances: 98
Description: The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.


Name: Timestamp Disclosure - Unix
Risk: Low (Low)
Instances: 99
Description: A timestamp was disclosed by the application/web server. - Unix


Name: Information Disclosure - Suspicious Comments
Risk: Informational (Medium)
Instances: 2
Description: The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.


Name: Re-examine Cache-control Directives
Risk: Informational (Low)
Instances: 24
Description: The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

Notification email sended
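The scan flow above (target added, crawler, active scan, JSON and HTML reports, summary, notification) maps onto a handful of ZAP API calls. The block below is an added example and not the project's code: the spider, ascan and jsonreport endpoints and the riskcode/confidence/count/riskdesc fields are ZAP's own, while base_url, apikey, target.example and SAMPLE_REPORT are assumptions (the sample is constructed in the shape of a ZAP JSON report, not the output of a real scan). It adds two things the output alone does not show: a polling loop that gives up instead of hanging when a scan never reaches 100%, and the merging of the same alert reported for several sites before the High threshold is applied.

```python
"""Added example, not the project's code: drive a ZAP scan through its REST API and turn the
JSON report into the summary / notification decision shown above. The endpoints and report
fields are ZAP's own; base_url, apikey, the target and SAMPLE_REPORT are assumptions."""
import html
import json
import re
import time
import urllib.parse
import urllib.request

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
NOTIFY_AT = 3  # ZAP's riskcode scale ends at High (3); there is no Critical level to wait for


def zap_get(base_url, path, apikey, **params):
    """GET one ZAP API endpoint; the key is passed as the apikey query parameter."""
    query = urllib.parse.urlencode({"apikey": apikey, **params})
    with urllib.request.urlopen(f"{base_url.rstrip('/')}{path}?{query}", timeout=30) as resp:
        return resp.read().decode()


def wait_for(status_fn, scan_id, poll_seconds=2, timeout_seconds=900, sleep=time.sleep):
    """Poll status_fn(scan_id) until it reports 100 percent; fail loudly instead of hanging.
    Returns the seconds waited (handy for logging, and for testing with an injected sleep)."""
    waited = 0
    while True:
        if status_fn(scan_id) >= 100:
            return waited
        if waited >= timeout_seconds:
            raise TimeoutError(f"scan {scan_id} not finished after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


def strip_html(text):
    """ZAP descriptions are HTML fragments; flatten them for the console or plain-text mail."""
    return html.unescape(re.sub(r"<[^>]+>", "", text)).strip()


def load_alerts(report_json):
    """Flatten the per-site alert lists of a ZAP JSON report into plain dicts with int fields."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            risk = int(a["riskcode"])
            alerts.append({
                "site": site.get("@name", ""), "name": a["name"], "risk": risk,
                "confidence": int(a.get("confidence", 0)),
                "riskdesc": a.get("riskdesc", RISK_NAMES.get(risk, str(risk))),
                "count": int(a.get("count", len(a.get("instances", [])))),
                "desc": strip_html(a.get("desc", "")),
            })
    return alerts


def summarize(alerts):
    """Merge an alert reported for several sites (e.g. http and https) and order worst first."""
    merged = {}
    for a in alerts:
        if a["name"] in merged:
            merged[a["name"]]["count"] += a["count"]
        else:
            merged[a["name"]] = dict(a)
    return sorted(merged.values(), key=lambda a: (-a["risk"], -a["confidence"], -a["count"]))


def to_notify(summary, threshold=NOTIFY_AT):
    """The alerts that should trigger the notification email."""
    return [a for a in summary if a["risk"] >= threshold]


def format_summary(summary):
    """Render the summary in the shape the project's --SCAN output uses."""
    return "\n\n".join(
        f"Name: {a['name']}\nRisk: {a['riskdesc']}\nInstances: {a['count']}\nDescription: {a['desc']}"
        for a in summary)


def run_zap_scan(base_url, apikey, target):
    """Spider, then active-scan the target, then fetch the JSON report. Needs a live ZAP daemon."""
    def status(component):
        return lambda i: int(json.loads(
            zap_get(base_url, f"/JSON/{component}/view/status/", apikey, scanId=i))["status"])
    spider = json.loads(zap_get(base_url, "/JSON/spider/action/scan/", apikey, url=target))["scan"]
    wait_for(status("spider"), spider)
    ascan = json.loads(zap_get(base_url, "/JSON/ascan/action/scan/", apikey, url=target))["scan"]
    wait_for(status("ascan"), ascan)
    return zap_get(base_url, "/OTHER/core/other/jsonreport/", apikey)


# Constructed sample in the shape of ZAP's JSON report; not output from a real scan.
SAMPLE_REPORT = json.dumps({"site": [
    {"@name": "https://target.example", "alerts": [
        {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "confidence": "3",
         "riskdesc": "Medium (High)", "count": "15",
         "desc": "<p>Content Security Policy (CSP) is an added layer of security.</p>"},
        {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2",
         "riskdesc": "High (Medium)", "count": "2", "desc": "<p>Reflected XSS &amp; injection.</p>"},
        {"name": "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)",
         "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "count": "98",
         "desc": "<p>The web/application server is leaking information.</p>"}]},
    {"@name": "http://target.example", "alerts": [
        {"name": "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)",
         "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "count": "4",
         "desc": "<p>The web/application server is leaking information.</p>"}]}]})

if __name__ == "__main__":
    summary = summarize(load_alerts(SAMPLE_REPORT))
    print(format_summary(summary))
    print("notify:", [a["name"] for a in to_notify(summary)])
```

run_zap_scan() is the only part that needs the container from the ZAP section; everything else works on a saved report, which is also the cheaper way to re-run the notification logic after changing the threshold. With the loopback-only, API-keyed container suggested earlier, base_url is the value of the ZAP variable in .env and apikey is the key passed to -config api.key.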

Proxy

For debugging, or where network rules require it, the program's requests can be routed through a proxy given with the --PROXY option, for example an intercepting proxy listening on 127.0.0.1:8080.

Command

python main.py --SCAN zap --PROXY http://127.0.0.1:8080
