http://zsec.zitec.ro/ http://zsec.zitec.ro/docs/#/

Inspiration

We were inspired by our love for automating things together with our passion and curiosity for security.

What it does

Our application provides a flow of actions that lets you take steps to #beSecure

You can:

  • scan your website;
  • set up periodic scans;
  • receive email notifications when it's done;
  • have issues written automatically in Redmine with your scan results;

How to test it

Test account: email zsec@zitec.com, password Admin2018!

  • Go to http://zsec.zitec.ro/
  • Click on Dashboard and log in with the test account above
  • Go to Profiles
  • Create a profile and make sure you set scan depth to 0 (important at this stage)
  • Insert your Redmine API key and project ID in order to link ZScan to Redmine - use ID 3 to add tickets to Test Project (make sure you have rights to see the project in Redmine)
  • The Profile will be created and you can now choose which scanner to use: currently only OWASP ZAP is fully functional, so click Create OWASP ZAP Scanner
  • In the following screen, click Create OWASP ZAP Scanner again
  • The scanning process will be added to the queue and begin shortly
  • Back in the Profile screen you will see your newly added profile - click on the view icon to see details about its progress/results
  • If the scan has been processed, you will both receive the report by email and be able to view it in Redmine (if you linked Redmine via the API key)
  • In the sidebar, you can also click on Documentation to view the project documentation, current functionalities and roadmap (you can also jump straight into the documentation by clicking here: http://zsec.zitec.ro/docs/#/ )

How we built it

  • we've installed Kali Linux in a Docker container;
  • we've set up OWASP ZAP in this configuration;
  • we've built a dashboard with Laravel Nova;
  • we've created a flow that consumes the ZAP API inside Docker.

Challenges we ran into

  • formatting scan alert description in Redmine
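As an added example (not code from ZSEC, ZAP or Redmine) of the flow described under "How we built it" and of the alert-formatting challenge above: it takes ZAP alerts in the shape returned by ZAP's /JSON/core/view/alerts/ API, normalises their line endings, groups them by alert name and risk, and builds one Textile-formatted Redmine /issues.json payload per group. The sample alerts are constructed; project id 3 is the page's Test Project.

```php
<?php
// Added example, not ZSEC's own code: map ZAP alerts to Redmine issue payloads.
// Field names (alert, risk, url, param, description, solution) follow ZAP's
// /JSON/core/view/alerts/ response; the sample data at the bottom is constructed.
declare(strict_types=1);

// ZAP text mixes "\r\n" and "\n", and PHP_EOL depends on the OS: force "\n"
// before building Textile, otherwise Redmine renders stray line breaks.
function normaliseText(string $s): string {
    return trim((string) preg_replace("/\r\n?|\n/", "\n", $s));
}

// Group alerts by (name, risk) and build one Textile-formatted issue per group,
// listing every affected URL instead of opening one ticket per finding.
function buildRedmineIssues(array $alerts, int $projectId): array {
    $groups = [];
    foreach ($alerts as $a) {
        $groups[$a['alert'] . '|' . $a['risk']][] = $a;
    }
    $issues = [];
    foreach ($groups as $items) {
        $first = $items[0];
        $desc  = "h2. Description\n\n" . normaliseText($first['description'] ?? '') . "\n\n";
        $desc .= "h2. Affected URLs\n\n";
        foreach ($items as $it) {
            $param = ($it['param'] ?? '') === '' ? '' : " (param: {$it['param']})";
            $desc .= '* ' . $it['url'] . $param . "\n";
        }
        $desc .= "\nh2. Solution\n\n" . normaliseText($first['solution'] ?? '') . "\n";
        $issues[] = ['issue' => [
            'project_id'  => $projectId,
            'subject'     => sprintf('[ZAP][%s] %s', $first['risk'], $first['alert']),
            'description' => $desc,
        ]];
    }
    return $issues;
}

// Constructed sample: the same alert on two URLs, one with CRLF in its text.
$sample = [
    ['alert' => 'X-Frame-Options Header Not Set', 'risk' => 'Medium', 'param' => '',
     'url' => 'http://example.test/', 'description' => "Missing.\r\nClickjacking.", 'solution' => 'Set DENY.'],
    ['alert' => 'X-Frame-Options Header Not Set', 'risk' => 'Medium', 'param' => '',
     'url' => 'http://example.test/login', 'description' => "Missing.\nClickjacking.", 'solution' => 'Set DENY.'],
];
$issues = buildRedmineIssues($sample, 3);   // one grouped issue with both URLs listed
echo $issues[0]['issue']['subject'], "\n", $issues[0]['issue']['description'];
```

Each payload is then sent as a JSON POST to Redmine's /issues.json with the profile's API key in the X-Redmine-API-Key header, which is the link the "Insert your Redmine API key" step sets up.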

Accomplishments that we're proud of

  • we can make a full vulnerability scan with ZAP using our application;
  • we can create Redmine issues for your project when the scan is complete;
  • we've styled the Laravel Nova dashboard to be really really cool ;)

What we learned

  • PHP_EOL ruins strings and your life
  • Laravel Nova is quite awesome
  • tinkering with SQLMap, Arachni and ZAP is not just fun and games
  • thou shalt not scan websites without their consent #metoo
  • how to tame Docker and ride it like a pony

What's next for ZSEC

  • viewing logs in realtime
  • integrating with Arachni and SQLMap
  • integrating with AD
  • integrating with Jenkins and adding the option to launch scheduled and/or recurrent scans
