Zed Attack Proxy (OWASP - ZAP) - XML Connector

OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It is one of the most active Open Web Application Security Project projects, and is maintained by a team of international volunteers.


Setting up the ZAP Connector

To import your data from ZAP to the AppSec module, you will need to leverage the ZAP Connector under the Dynamic Assessment tools on the Connectors Page. The ZAP Connector is an XML connector at this time. To learn about XML vs API connectors, click here.

The Connector is a full run connector and does not support incremental runs (non-API Connector).

User Prerequisites/Connector Setup:

  • Because the Connector is an XML connector, the Virtual Tunnel or Kenna Agent is NOT required.

  • The user account you are leveraging must have access to the reports you would like to export.
     

Configuring your Connector in Cisco Vulnerability Management

To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select the ZAP connector.

[Screenshot omitted: Screen_Shot_2021-10-26_at_3.46.24_PM.png]

Once you select the ZAP Connector the following screen will appear:

[Screenshot omitted: ZAP1.png]

  • Name: Enter a name for the connector, or leave it as “Zed Attack Proxy".

  • Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector.
    • Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits.
    • We recommend an asset inactivity limit of 2-3x the scan cadence of your ZAP Scans if you plan to upload regularly.
  • Save and Verify

Important:

  • When ZAP runs, it can see other sites even if they are out of scope. The data returned from those sites is included in the exported data.

    • Example: you scan mycompany.com, and it contains a reference link to a Google API. The first link to api.google.api is therefore included in the ZAP data and is imported into Cisco Vulnerability Management. To work around this, remove/delete sites that are not in scope before exporting.

  • The export format should be XML, but in certain cases ZAP does not add the .xml extension by default. In those cases you will need to add the .xml extension manually and save the file before loading the data to Cisco Vulnerability Management.

    • If you attempt to load the source file without the .xml extension, we will reject the file for improper format.


Steps to export data from ZAP and load data to Cisco Vulnerability Management

After enabling the connector as described in the prerequisites above, go back into ZAP.

  • Run scans in accordance with your established scanning process.

  • Delete sites that are out of scope from the Sites window.

    [Screenshot omitted: ZAP2.png]

  • Go to ‘Report’ → General XML Report.

    • Save the file with a unique file name.

  • Add the .xml extension to the file if it is not already present.

  • Load the file to the Connector via drag and drop, or search for and upload it.


What ZAP Items does Cisco Vulnerability Management Import?

Each item below lists the ZAP field → the Cisco Vulnerability Management field it maps to, with notes where applicable.

  • none (auto-mapped) → Application identifier
    • Search for the Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:"*"

  • current_instance > uri value → URL

  • current_site > hostname → Hostname
    • Note: Hostname can be reported in the form of an IP address from ZAP. Thus, you can search for an IP via the hostname:"*" search in Explore.

  • plugin_id → Unique_IDs (Vulnerability)

  • plugin_id + port → Scanner ID
    • We combine the plugin ID information with the reported Port information for the Scanner ID.

  • is_open=true? → Vulnerability Status
    • Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports, and Cisco Vulnerability Management will auto-close the vulnerability.

  • (none) → Vulnerability Name
    • Mapped from plugin_ids.

  • (none) → scanner_score
    • Not pulled in. Cisco Vulnerability Management maps scores from our Scoring Database.

  • cwe_id → CWE

  • wasc_id → WASC ID

  • current_element > "desc" text → Description

  • current_instance > "solution" text → Solution

  • found_date → Found On

  • method + evidence → Details

  • (none) → Tags
    • These items are turned into Tags in Cisco Vulnerability Management.

Items Cisco Vulnerability Management does not import:

  • Other Info node

  • Risk Code

  • Confidence Level
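The export steps and the field mapping above can be checked before a file is uploaded. The script below is an added example, not code from Cisco Vulnerability Management or ZAP: it enforces the .xml extension, rejects malformed XML (the "Bad XML Formatting" failure), drops sites outside an in-scope host list (the manual "delete sites" step), optionally skips findings with no CWE or WASC id (mirroring the Exclude Informationals option), and emits records in the shape of the mapping table. It assumes the report uses ZAP's General XML Report element names (site[@host][@port] > alerts > alertitem > pluginid/alert/cweid/wascid/desc/solution > instances > instance > uri/method/evidence), that ZAP writes -1 for a missing CWE/WASC id, and that the Scanner ID joins plugin id and port with a colon; the sample report is constructed.

```python
"""Pre-upload checks for a ZAP General XML Report.

Added example, not code from Cisco Vulnerability Management or ZAP. Assumes ZAP's
General XML Report element names and that -1 marks a missing CWE/WASC id.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: one in-scope site plus one out-of-scope site that ZAP
# reached through a link, as the article describes.
SAMPLE_REPORT = """<OWASPZAPReport version="2.11.0" generated="Tue, 26 Oct 2021">
<site name="https://mycompany.com" host="mycompany.com" port="443" ssl="true"><alerts>
<alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
<riskcode>3</riskcode><confidence>2</confidence>
<desc>User input is reflected in the response.</desc>
<instances><instance><uri>https://mycompany.com/search?q=test</uri><method>GET</method>
<evidence>q=test reflected in response body</evidence></instance></instances>
<solution>Encode output and validate input.</solution>
<otherinfo>Not imported by the connector.</otherinfo><cweid>79</cweid><wascid>8</wascid>
</alertitem>
<alertitem><pluginid>10015</pluginid><alert>Re-examine Cache-control Directives</alert>
<riskcode>0</riskcode><confidence>1</confidence><desc>Informational, no CWE or WASC id.</desc>
<instances><instance><uri>https://mycompany.com/</uri><method>GET</method>
<evidence></evidence></instance></instances>
<solution>Review cache directives.</solution><cweid>-1</cweid><wascid>-1</wascid>
</alertitem></alerts></site>
<site name="https://api.google.api" host="api.google.api" port="443" ssl="true"><alerts>
<alertitem><pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert>
<desc>Third-party host reached via a link on mycompany.com.</desc>
<instances><instance><uri>https://api.google.api/</uri><method>GET</method>
<evidence></evidence></instance></instances>
<solution>n/a</solution><cweid>16</cweid><wascid>15</wascid>
</alertitem></alerts></site>
</OWASPZAPReport>"""


def check_extension(path):
    """The connector rejects uploads whose file name lacks the .xml extension."""
    return os.path.splitext(path)[1].lower() == ".xml"


def parse_report(xml_text):
    """Fail early on malformed XML instead of letting the connector run fail."""
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"bad XML formatting: {exc}") from exc


def _text(elem, tag):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def _has_weakness_id(alert):
    # Missing, empty or -1 (assumed ZAP convention) counts as "no id".
    return any(_text(alert, t) not in ("", "-1") for t in ("cweid", "wascid"))


def map_findings(root, in_scope_hosts, exclude_informationals=False):
    """One record per instance, in the shape of the article's mapping table."""
    records = []
    for site in root.iter("site"):
        host = site.get("host", "")
        if host not in in_scope_hosts:      # out-of-scope site: drop it
            continue
        port = site.get("port", "")
        for alert in site.iter("alertitem"):
            if exclude_informationals and not _has_weakness_id(alert):
                continue
            plugin_id = _text(alert, "pluginid")
            for inst in alert.iter("instance"):
                records.append({
                    "hostname": host,
                    "url": _text(inst, "uri"),
                    "unique_id": plugin_id,
                    "scanner_id": f"{plugin_id}:{port}",  # separator is an assumption
                    "name": _text(alert, "alert"),
                    "cwe": _text(alert, "cweid"),
                    "wasc": _text(alert, "wascid"),
                    "description": _text(alert, "desc"),
                    "solution": _text(alert, "solution"),
                    "details": f"{_text(inst, 'method')} {_text(inst, 'evidence')}".strip(),
                    # riskcode, confidence and otherinfo are deliberately not mapped
                })
    return records


def prepare_upload(path, xml_text, in_scope_hosts, exclude_informationals=False):
    """Run all checks; raises ValueError on anything the connector would reject."""
    if not check_extension(path):
        raise ValueError(f"{path!r} must carry the .xml extension before upload")
    return map_findings(parse_report(xml_text), in_scope_hosts, exclude_informationals)


if __name__ == "__main__":
    for rec in prepare_upload("zap-2021-10-26.xml", SAMPLE_REPORT, {"mycompany.com"}):
        print(rec["scanner_id"], rec["hostname"], rec["url"], rec["cwe"], rec["details"])
```

Running the script prints only the two mycompany.com records; the api.google.api site is dropped, and passing exclude_informationals=True also drops the finding whose cweid and wascid are both -1. To check a real export, read the file's contents in place of SAMPLE_REPORT.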


Optional Settings

The following settings can be enabled on the backend for ZAP Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

  • Exclude Informationals

    • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

  • Skip Tags

    • This setting will prevent the creation of tags within Cisco Vulnerability Management based on the connector metadata. Since the ZAP connector does not import tags, this setting is likely irrelevant. 

  • Ignore Scanner Last Seen Time

    • Use this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

  • Custom Ordered Locators

    • Locators (IP, NetBIOS, FQDN, etc.) can be reordered to better deduplicate vulnerabilities at the Connector level or across the entire Platform. For more information, see Understanding Locator Order.


Common Reasons for ZAP Connector Run Failures

  • Bad XML Formatting

    • If Cisco Vulnerability Management receives badly formed XML for the connector, it cannot parse the file and therefore cannot load the data.

  • If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector Run.

There may be several reasons for a failed connector run. First check the error code by clicking on the name of the connector from the Connectors page. This will open a window with a "Connector Status Message". Though this is a different connector, the format in the example is the same:

[Screenshot omitted: Screen_Shot_2021-10-26_at_2.06.11_PM.png]

Additional Assistance:

Please contact Support should you require any additional assistance with the ZAP Connector(s).
