Partner for the cloud era: pnop Inc.

Azure Marketplace "Web Application Vulnerability Scanner" Users manual


Introduction

This is a simplified user manual for "Web Application Vulnerability Scanner" from Azure Marketplace.

What's "Web Application Vulnerability Scanner"

"Web Application Vulnerability Scanner" is a vulnerability scanner for web-based applications, built on OWASP™ Zed Attack Proxy (ZAP).

This tool is provided as an Azure Virtual Machine.

Main features of Web Application Vulnerability Scanner

  • OWASP™ ZAP 2.10.0
  • Can be used from the Microsoft Remote Desktop client (xrdp is installed).
  • Japanese, Korean and Chinese fonts are installed.
  • Ubuntu 20.04 LTS
  • Provided as Azure virtual machine image.

System requirements

  • The virtual machine must be reachable on TCP/3389 (if you want to operate the GUI with Windows Remote Desktop).
  • The virtual machine must be reachable on TCP/22 (if you want to operate the CLI over SSH).

How to build

Open "Web Application Vulnerability Scanner" in Azure Marketplace and select [Create].

A Network Security Group (NSG) is applied to the NIC of the Azure virtual machine.

The following inbound security rules are added to the NSG:

  • Allow RDP(TCP/3389) from any connection source
  • Allow SSH(TCP/22) from any connection source

You should change these NSG settings so that connections are allowed only from the sources that actually need them.

If you created a Public IP address, these connections are permitted from the entire Internet by default.
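The following script is an added example, not part of the pnop manual: it narrows the two inbound rules described above to a single administrator address using the Azure CLI (`az network nsg rule update`), and refuses any source prefix that would still mean "the whole Internet". The resource group, NSG name and rule names (RDP, SSH) are assumptions; replace them with the values shown in your own deployment. The `az` CLI must already be logged in to the subscription that holds the NSG.

```shell
#!/bin/sh
# Added example (not part of the pnop manual): restrict the Marketplace image's
# NSG inbound rules (RDP TCP/3389 and SSH TCP/22, open to any source) to one
# administrator address. Names below are assumptions; adjust to your deployment.

RESOURCE_GROUP="${RESOURCE_GROUP:-my-resource-group}"   # assumed resource group
NSG_NAME="${NSG_NAME:-wavs-nsg}"                         # assumed NSG name
RDP_RULE="${RDP_RULE:-RDP}"                              # assumed inbound rule name
SSH_RULE="${SSH_RULE:-SSH}"                              # assumed inbound rule name

# Accept only a concrete IPv4 address or CIDR block as the allowed source.
# Returns 0 when the prefix is acceptable, 1 when it still means "anyone".
is_restricted_source() {
    case "$1" in
        ''|'*'|Internet|0.0.0.0/0|0.0.0.0|::/0|*/0) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Build the Azure CLI command that narrows one rule to the given source prefix.
build_nsg_rule_update() {
    rule="$1"; src="$2"
    printf 'az network nsg rule update --resource-group %s --nsg-name %s --name %s --source-address-prefixes %s --access Allow\n' \
        "$RESOURCE_GROUP" "$NSG_NAME" "$rule" "$src"
}

# Narrow both rules to one source. With DRY_RUN=1 the commands are printed
# instead of executed, so the change can be reviewed first.
restrict_nsg() {
    src="$1"
    if ! is_restricted_source "$src"; then
        echo "refusing source '$src': give your own public address, e.g. 203.0.113.10/32" >&2
        return 1
    fi
    for rule in "$RDP_RULE" "$SSH_RULE"; do
        cmd=$(build_nsg_rule_update "$rule" "$src")
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Usage: DRY_RUN=1 sh restrict_nsg.sh 203.0.113.10/32   (then run without DRY_RUN)
if [ -n "${1:-}" ]; then
    restrict_nsg "$1"
fi
```

Run it first with DRY_RUN=1 to see the two `az` commands, then without it to apply them. The address 203.0.113.10/32 used above is a documentation example address; use the public address your administrators connect from.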

How to use

Select your preferred type of operation: GUI with Remote Desktop, or CLI with SSH.

* "How to use OWASP™ ZAP" is not covered in this document. See this document.

Use for GUI

  1. Remote Desktop Connection

    1. Connect with Remote Desktop (RDP) from the client PC.

      • Computer field : Enter the Public IP Address found in the previous 'How to use' section. It can also be found on the Summary blade.
    2. The Remote Desktop screen appears and a "Login to (virtual machine name)" dialog box is displayed. Enter the following information and click [OK]:

      • Session : Xorg
      • username : The user name you specified when you deployed from Marketplace
      • password : The password you specified when you deployed from Marketplace
  2. Start OWASP™ ZAP application

    1. Double-click [OWASP ZAP] on the remote desktop screen.

    2. In the ZAP Session confirmation dialog, select one of the options and click [Start] to open the initial screen.

    3. At first startup an add-ons update confirmation dialog may appear; update the add-ons if necessary.

    4. Select [Options...] in the [Tools] menu. You can change the language from [Language] in the Options list (a restart of OWASP™ ZAP is required).

If you specified "SSH Shared key" as the Authentication type at deployment, you must first log in to the virtual machine with SSH and set a password before logging in with the GUI.

(login from ssh)
$ sudo passwd $USER
New password: <<enter password>>
Retype new password: <<re-enter password>>
passwd: password updated successfully

Use for CLI

Connect with SSH and operate from the command line.
For command-line usage, see this document.

OWASP™ ZAP Path: /usr/local/bin/zap.sh

Other

Software updates

Ubuntu and OWASP™ ZAP were at the latest versions available at the time the image was registered in Marketplace.

Update Ubuntu and the installed software as necessary.

FAQ

  • Can't connect to virtual machine with Remote Desktop

    • The virtual machine must be reachable on TCP/3389.
      Please check the following:
      • Does the Azure NSG assigned to the subnet or NIC have an inbound rule allowing TCP/3389?
      • If you connect through an Azure Load Balancer, is the load balancer forwarding to TCP/3389 on the virtual machine?
  • OS does not start normally / Can't log in with Remote Desktop

    • 2 GB or more of memory is required for the virtual machine to operate normally.

      Change the Azure virtual machine to an appropriate size.

Support

Support is available for a fee.

  • Examples of supported inquiries
    • The target solution cannot be deployed.
    • The virtual machine does not work properly after deployment.
  • The following are not supported

If you require support services, please contact us below.

The OWASP™ Word Mark and OWASP & Design™ Logo are registered or unregistered service marks of OWASP Foundation, Inc. in the United States and other countries. All rights reserved. Unauthorized use strictly prohibited.