AgentSkillsCN

dast-scanning

利用OWASP ZAP、Burp Suite与Nikto进行动态应用安全测试,通过自动化与手动测试,检验运行中的应用是否存在安全漏洞。在测试Web应用、API接口,或开展渗透测试时加以运用。

SKILL.md
--- frontmatter
name: dast-scanning
description: Perform dynamic application security testing with OWASP ZAP, Burp Suite, and Nikto. Test running applications for security vulnerabilities through automated and manual testing. Use when testing web applications, APIs, or performing penetration testing.
license: MIT
metadata:
  author: devops-skills
  version: "1.0"

DAST Scanning

Test running applications for security vulnerabilities through dynamic analysis.

When to Use This Skill

Use this skill when:

  • Testing deployed applications
  • Performing automated security scans
  • Finding runtime vulnerabilities
  • Testing authentication flows
  • Validating API security

Prerequisites

  • Running application instance
  • Network access to target
  • Testing authorization
  • Understanding of web security

Tool Overview

ToolTypeBest For
OWASP ZAPOSSAutomated scanning, CI
Burp SuiteCommercialManual testing, advanced
NiktoOSSWeb server scanning
NucleiOSSTemplate-based scanning
ArachniOSSComprehensive scanning

OWASP ZAP

Docker Setup

bash
# Run ZAP in daemon mode
docker run -d --name zap \
  -p 8080:8080 \
  -v $(pwd)/reports:/zap/reports \
  ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -daemon -host 0.0.0.0 -port 8080 \
  -config api.addrs.addr.name=.* \
  -config api.addrs.addr.regex=true

Baseline Scan

bash
# Quick baseline scan
docker run --rm -v $(pwd):/zap/wrk \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://target.example.com \
  -r baseline-report.html

# With authentication
docker run --rm -v $(pwd):/zap/wrk \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://target.example.com \
  -r report.html \
  --auth-login-url https://target.example.com/login \
  --auth-username user \
  --auth-password pass

Full Scan

bash
# Comprehensive scan
docker run --rm -v $(pwd):/zap/wrk \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t https://target.example.com \
  -r full-report.html \
  -J full-report.json

API Scan

bash
# OpenAPI specification scan
docker run --rm -v $(pwd):/zap/wrk \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py -t https://target.example.com/openapi.json \
  -f openapi \
  -r api-report.html

ZAP Automation Framework

yaml
# zap-automation.yaml
env:
  contexts:
    - name: "Default Context"
      urls:
        - "https://target.example.com"
      includePaths:
        - "https://target.example.com/.*"
      excludePaths:
        - "https://target.example.com/logout.*"
      authentication:
        method: "form"
        parameters:
          loginUrl: "https://target.example.com/login"
          loginRequestData: "username={%username%}&password={%password%}"
        verification:
          method: "response"
          loggedInRegex: "\\QWelcome\\E"
      users:
        - name: "testuser"
          credentials:
            username: "test@example.com"
            password: "password123"

jobs:
  - type: spider
    parameters:
      context: "Default Context"
      user: "testuser"
      maxDuration: 10
      
  - type: spiderAjax
    parameters:
      context: "Default Context"
      user: "testuser"
      maxDuration: 10
      
  - type: passiveScan-wait
    parameters:
      maxDuration: 5
      
  - type: activeScan
    parameters:
      context: "Default Context"
      user: "testuser"
      policy: "Default Policy"
      
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/reports"
      reportFile: "zap-report"
bash
# Run automation
docker run --rm -v $(pwd):/zap/wrk \
  ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -cmd -autorun /zap/wrk/zap-automation.yaml

CI/CD Integration

GitHub Actions

yaml
name: DAST Scan

on:
  workflow_dispatch:
  schedule:
    - cron: '0 2 * * *'

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Start Application
        run: |
          docker-compose up -d
          sleep 30  # Wait for app to be ready

      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          target: 'http://localhost:8080'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

      - name: Upload Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: report_html.html

GitLab CI

yaml
dast:
  stage: security
  image: ghcr.io/zaproxy/zaproxy:stable
  variables:
    TARGET_URL: $DAST_TARGET_URL
  script:
    - mkdir -p /zap/wrk/reports
    - zap-baseline.py -t $TARGET_URL -r /zap/wrk/reports/zap-report.html -I
  artifacts:
    paths:
      - reports/
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

Burp Suite Automation

REST API Usage

python
import requests

class BurpScanner:
    def __init__(self, api_url, api_key):
        self.api_url = api_url
        self.headers = {'Authorization': api_key}
    
    def create_scan(self, target_url):
        """Create and start a new scan."""
        payload = {
            'scan_configurations': [
                {'name': 'Crawl and Audit - Balanced'}
            ],
            'scope': {
                'include': [{'rule': target_url}]
            },
            'urls': [target_url]
        }
        response = requests.post(
            f'{self.api_url}/v0.1/scan',
            json=payload,
            headers=self.headers
        )
        return response.headers.get('Location')
    
    def get_scan_status(self, scan_id):
        """Get scan status."""
        response = requests.get(
            f'{self.api_url}/v0.1/scan/{scan_id}',
            headers=self.headers
        )
        return response.json()
    
    def get_issues(self, scan_id):
        """Get scan issues."""
        response = requests.get(
            f'{self.api_url}/v0.1/scan/{scan_id}/issues',
            headers=self.headers
        )
        return response.json()

# Usage
scanner = BurpScanner('http://burp:1337', 'api-key')
scan_id = scanner.create_scan('https://target.example.com')

while True:
    status = scanner.get_scan_status(scan_id)
    if status['scan_status'] == 'succeeded':
        break
    time.sleep(30)

issues = scanner.get_issues(scan_id)

Nikto

Basic Scanning

bash
# Install
apt-get install nikto

# Basic scan
nikto -h https://target.example.com

# With specific options
nikto -h https://target.example.com \
  -ssl \
  -Tuning 123bde \
  -output nikto-report.html \
  -Format html

# Scan specific ports
nikto -h target.example.com -p 80,443,8080

Common DAST Findings

OWASP Top 10

yaml
owasp_findings:
  A01_Broken_Access_Control:
    - IDOR vulnerabilities
    - Missing function-level access control
    - Privilege escalation
    
  A02_Cryptographic_Failures:
    - Sensitive data in URLs
    - Missing HTTPS
    - Weak ciphers
    
  A03_Injection:
    - SQL injection
    - Command injection
    - XSS
    
  A05_Security_Misconfiguration:
    - Default credentials
    - Verbose error messages
    - Missing security headers
    
  A07_Auth_Failures:
    - Weak passwords accepted
    - Session fixation
    - Missing MFA

Security Headers Check

bash
# Check security headers
curl -I https://target.example.com | grep -i "x-\|content-security\|strict"

# Expected headers:
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY
# X-XSS-Protection: 1; mode=block
# Content-Security-Policy: default-src 'self'
# Strict-Transport-Security: max-age=31536000

Custom Test Cases

yaml
# Test authentication
tests:
  - name: "Authentication Bypass"
    steps:
      - Access protected resource without auth
      - Verify 401/403 response
      - Access with valid auth
      - Verify 200 response
    
  - name: "Session Management"
    steps:
      - Login and capture session token
      - Logout
      - Attempt to use old session
      - Verify session invalidated
    
  - name: "Input Validation"
    steps:
      - Submit XSS payload in all inputs
      - Submit SQL injection in all inputs
      - Verify proper sanitization

Common Issues

Issue: False Positives

Problem: Scanner reports non-vulnerabilities Solution: Configure scan policy, review findings manually

Issue: Missing Authentication

Problem: Cannot scan authenticated areas Solution: Configure authentication context, use session tokens

Issue: Incomplete Coverage

Problem: Scanner misses endpoints Solution: Import API specs, improve spidering, use authenticated scanning

Best Practices

  • Test in staging environment first
  • Configure proper authentication
  • Import API specifications for complete coverage
  • Review findings before reporting
  • Combine with manual testing
  • Run regular scans (weekly minimum)
  • Track findings over time
  • Coordinate with development team

Related Skills