OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It is one of the most active Open Web Application Security Project projects, and is maintained by a team of international volunteers.
Setting up the ZAP Connector
To import your data from ZAP to the Application Security Module, you will need to leverage the ZAP Connector under the Dynamic Assessment section of the Cisco Vulnerability Management UI. The ZAP Connector is an XML connector at this time. To learn about XML vs API connectors, see the information here.
The Connector is a full run connector and does not support incremental runs (non-API Connector).
Prerequisites
-
Since the Connector is an XML connector, the Virtual Tunnel or Agent is required.
-
The user account that you are using must have access to the reports you would like to export.
- You must be a Cisco Vulnerability Management administrator.
Configuring your Connector in Cisco Vulnerability Management
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Dynamic Assessment section, click Zap.
On the Zed Attack Proxy page, enter the following information:
-
Name: Enter a name for the connector, or leave it as “Zed Attack Proxy".
-
Asset Inactivity Limit (days): enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.
-
Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits.
-
Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. See Setting Asset Inactivity Limits.
5. Click Save.
Important
-
When ZAP runs, it can see other sites even if they are out of scope. The returned data from those sites are included in the exported data.
-
For example: You scan
mycompany.comand it has a reference link to a Google API. Therefore, the first link to api.google.api is included in the ZAP data and it comes over to Cisco Vulnerability Management. To workaround this item, you will want to remove/delete sites that are not in scope.
-
-
The export format should be XML, but ZAP does not add the XML extension by default in certain cases, and you will need to manually add the XML extension information and save before loading the data to Cisco Vulnerability Management.
-
If you attempt to load the source file without the XML extension, we will reject the file for improper format.
-
Steps to export data from ZAP and load data to Cisco Vulnerability Management
1. In Zap, run scans in accordance with your established scanning process.
2. Delete sites that are out of scope from the Sites Window.
3. Go to ‘Report’ → General XML Report.
4. Save the file with a unique file name.
5. Take the file and add the XML extension if not already present.
6. Load the file to the Connector via drag-and-drop, or search for and upload it.
What ZAP Items does Cisco Vulnerability Management Import?
| ZAP Field | Cisco Vulnerability Management Field | Notes |
| none auto-mapped | Application identifier | Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:"*" |
| current_instance > uri value | URL | |
| current_site > hostname | Hostname | Note: Hostname can be reported in the form of an IP Address from ZAP. Thus, you can search for ip via the hostname:”*” search in Explore. |
| plugin_id | Unique_IDs (Vulnerability) | |
| plugin_id + port | Scanner ID | we combine the plugin ID information with the reported Port information for the Scanner ID |
| is_open=true? | Vulnerability Status | Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Cisco Vulnerability Management will auto-close the vulnerability. |
| Vulnerability Name | Mapped from plugin_ids | |
| scanner_score | Not pulled in. Cisco Vulnerability Management maps scores from our Scoring Database | |
| cwe_id | CWE | |
| wasc_id | WASC ID | |
|
current_element > “desc”text |
Description | |
| current_instance > “solution” text | Solution | |
| found_date | Found On | |
|
method + evidence |
Details | |
| Tags | These items are turned into Tags in Cisco Vulnerability Management. |
Items Cisco Vulnerability Management does not import:
-
Other Info node
-
Risk Code
-
Confidence Level
Optional Settings
The following settings can be enabled on the backend for ZAP Connectors. To have these settings enabled, or for more information, contact Cisco Support, or your Customer Success Engineer.
Exclude Informationals
When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.
Skip Tags
This setting enables you to not create any Tags in Cisco Vulnerability Management based on the scanner metadata.
Ignore Scanner Last Seen Time
Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
Custom Ordered Locators
Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.
Common Reasons for ZAP Connector Run Failures
Bad XML Formatting: This one is pretty self explanatory. If Cisco Vulnerability Management receives a bad XML input for the connector, it will not be able to properly parse, and then load, the data.
If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector Run
There may be several reasons for a failed connector run. First check the error code by clicking on the name of the connector from the Connectors page. This will open a window with a "Connector Status Message". Though this is a different connector, the format in the example is the same:
Additional Assistance
Contact Cisco Support if you require any additional assistance with the ZAP Connector(s).
Comments
Please sign in to leave a comment.