Recently, on one of our projects, we got a notice from a client: they would continue using our application only if we had a “security assessment” done by a third party. Before getting the application hammered by the professionals, we wanted to see where we stood in terms of following security practices.
Now, one of the several advantages of using a framework like Laravel is that you get a lot of security features for free, like:
- Output escaping in Blade templates (`{{ }}`) to prevent XSS (the raw `{!! !!}` syntax bypasses it, so every use of it deserves a second look),
- Parameter binding (PDO prepared statements) in the query builder and Eloquent to prevent SQL injection (raw expressions such as `DB::raw()` / `whereRaw()` with interpolated user input bypass it),
- Cookie encryption (and signing) via the `EncryptCookies` middleware.
But ours was a behemoth of an application: it had been in business for almost a decade and was a mix of old plain PHP code and newer parts in Laravel. The legacy code gets none of those protections automatically, so we knew there would be areas of the code with “gaps”.
Identifying these gaps manually would be a challenging task; thankfully there are tools like OWASP Zed Attack Proxy (ZAP) that help automate the process, at least to an extent.
What is ZAP?
It is a free, open-source web application security scanner. It ships with a set of built-in scan rules, grouped into scan policies, and checks the web application against many of the common, well-known vulnerability classes.
To see what kinds of vulnerabilities it checks for, open the “Analyse” menu and look at the Scan Policy Manager (these are the active scan rules; the passive scan rules are listed under Tools > Options > Passive Scan Rules).
How does it work?
The basic idea behind ZAP is that you give it some URLs/endpoints to attack, and it gives you back a list of alerts (findings) describing how secure each of those URLs is.
There are two ways to give ZAP endpoints to work with:
- Use the Automated Scan: it runs a spider (crawler) that tries to explore every URL it can find from the starting page, passively scans everything it sees and then actively attacks what it found.
Downside: on a gated (login-protected) site you won’t get very far, since the spider has no session and cannot reach any of the gated pages.
- Use Manual Explore: this opens a “proxied” browser that routes every request and response through ZAP. As you keep exploring the website, ZAP keeps recording new endpoints and passively scans every response. If you log in to the website, ZAP now has the authenticated session as well, so it can reach the gated pages; that increases the scan surface and gives you results for those pages too.
How to test a page for any possible issues with ZAP?
After the first round of scans (manual or automated), we don’t want to rescan every page on the website. For new features (pages) the process can be something like:
- Manually explore the new pages through the proxied browser; this lets ZAP record them and passively scan them.
- Active scan (“Attack”) just those specific pages (right-click the node in the Sites tree, then Attack > Active Scan).
In general, the more pages you explore manually, the more data ZAP has to work with. That increases the attack surface it can exercise and uncovers more issues.
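The workflow described in the two sections above (explore, let the passive scanner run, actively scan specific pages, read the alerts) can also be driven through ZAP's REST API instead of the GUI, which is what you want once the scan becomes part of a release routine. The script below is an added example written for this page; it is not code from the original post or from the ZAP project. It uses the official Python client (`pip install zaproxy`, which provides the `zapv2` module) and assumes ZAP is running locally with its API enabled on 127.0.0.1:8080, that `ZAP_API_KEY` holds the key from Tools > Options > API, and that `TARGET` is an application you are authorised to attack. The sample alerts at the bottom are constructed to match the shape `zap.core.alerts()` returns; they are not real findings.

```python
import time

ZAP_API_KEY = "change-me"                 # assumption: key from Tools > Options > API
ZAP_PROXY = "http://127.0.0.1:8080"       # ZAP's default listen address
TARGET = "http://localhost:8000/"         # assumption: the app under test

RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def connect(api_key=ZAP_API_KEY, proxy=ZAP_PROXY):
    """Return a ZAPv2 client. Imported lazily so triage() works without ZAP installed."""
    from zapv2 import ZAPv2
    return ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})


def wait_until_done(status_fn, interval=2):
    """ZAP reports spider and active-scan progress as a percentage string."""
    while int(status_fn()) < 100:
        time.sleep(interval)


def scan(zap, target, spider=True, active=True):
    """Run explore -> passive scan -> active scan and return ZAP's raw alerts for target.

    spider=False skips crawling and relies on what you already browsed through
    ZAP's proxied browser (the Manual Explore route, which is how gated pages
    end up in the Sites tree with a valid session).
    """
    if spider:
        scan_id = zap.spider.scan(target)
        wait_until_done(lambda: zap.spider.status(scan_id))
    # Every request/response ZAP has seen is queued for the passive scanner;
    # drain that queue first or the passive findings will be missing.
    while int(zap.pscan.records_to_scan) > 0:
        time.sleep(1)
    if active:
        scan_id = zap.ascan.scan(target)      # attacks only URLs under target
        wait_until_done(lambda: zap.ascan.status(scan_id))
    return zap.core.alerts(baseurl=target)


def triage(alerts, min_risk="Medium"):
    """Dedupe raw alerts and keep those at or above min_risk, worst first.

    ZAP raises one alert per (rule, URL, parameter), so the same finding shows
    up repeatedly when the spider hits a page with different query strings;
    collapse on that triple before anyone reads the list.
    """
    threshold = RISK_ORDER[min_risk]
    seen, kept = set(), []
    for a in alerts:
        key = (a["alert"], a["url"], a.get("param", ""))
        if key in seen or RISK_ORDER.get(a["risk"], 0) < threshold:
            continue
        seen.add(key)
        kept.append({"risk": a["risk"], "alert": a["alert"],
                     "url": a["url"], "param": a.get("param", "")})
    return sorted(kept, key=lambda a: -RISK_ORDER[a["risk"]])


def count_by_risk(alerts):
    """Raw (undeduplicated) alert count per risk level, useful for trend tracking."""
    counts = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return counts


# Constructed sample in the shape zap.core.alerts() returns (not real findings).
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://localhost:8000/search?q=1", "param": "q"},
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://localhost:8000/search?q=1", "param": "q"},   # duplicate hit
    {"risk": "Medium", "alert": "Content Security Policy (CSP) Header Not Set",
     "url": "http://localhost:8000/", "param": ""},
    {"risk": "Low", "alert": "Cookie Without Secure Flag",
     "url": "http://localhost:8000/login", "param": "laravel_session"},
]

if __name__ == "__main__":
    # Real run: alerts = scan(connect(), TARGET, spider=False)  # after Manual Explore
    for a in triage(SAMPLE_ALERTS):
        print(f'{a["risk"]:<7} {a["alert"]}  {a["url"]}  param={a["param"]}')
```

Run it with `spider=False` after you have logged in and walked the new feature in the proxied browser; that reproduces the "manually explore, then attack the specific pages" routine from the list above, and `triage()` turns ZAP's per-hit alerts into a short list a developer can actually work through.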
Learn more about ZAP
How did it go for us on the assessment?
ZAP helped us identify several issues. Mostly they were XSS issues that were subtle and had been missed while writing the code.
The professionals also found a bunch more, but overall they were impressed with the application. Since we had done several rounds of testing with ZAP, we were very quick to plug the vulnerabilities they identified, because we mostly already knew how to tackle them.
It is always a good idea to pay attention to security from the very beginning: certain changes are hard to make later and bring a lot of regression testing with them. One good way to keep up with the latest on security is to visit OWASP. Remember to check the OWASP Top 10 security risks.