API Security Weekly: Issue 172

This week, we have news of a vulnerability in Argo CD that allowed leaking application secrets, a survey of the state of API security across three regions, a quick read on how to use Postman and OWASP Zap for API security testing, and finally, views on how to distribute authorization services in a microservice architecture.

Vulnerability: Argo CD Path-Traversal Vulnerability Enables Leaking Data

This week’s major news has been the vulnerability discovered in Argo CD, a popular continuous delivery platform.

Automated Pen Testing With ZAP CLI

In the previous post, you learnt how to execute an automated penetration test by means of Zed Attack Proxy (ZAP). This time, you will learn how to execute the test via a Command Line Interface (CLI), which makes it possible to add the test to your CI/CD pipeline.

1. Introduction

In the previous post, the different steps for executing an automated penetration test were explained. The application under test was WebGoat, a deliberately vulnerable application developed by OWASP for learning about security vulnerabilities. This application will be used in this post as well. The steps to be executed for a penetration test with ZAP are:

Automate ZAP Security Tests With Selenium Webdriver

OWASP ZAP (Zed Attack Proxy) is an open-source and easy-to-use penetration testing tool for finding security vulnerabilities in web applications and APIs. As a cross-platform tool whose only prerequisite is a basic Java installation, it provides vulnerability scanning for beginners and penetration testing for professionals. It can be downloaded and installed as a standalone application or as a Docker image.

Additionally, the OWASP community has exposed ZAP APIs, which allow ZAP to integrate with other tools and frameworks.