Skip to content

feat(lab5): ZAP baseline + auth + Semgrep + correlationgit#6

Open
StefFashka wants to merge 1 commit into
mainfrom
feature/lab5
Open

feat(lab5): ZAP baseline + auth + Semgrep + correlationgit#6
StefFashka wants to merge 1 commit into
mainfrom
feature/lab5

Conversation

@StefFashka

Copy link
Copy Markdown
Owner

Goal

Complete Lab 5 by performing static (SAST) and dynamic (DAST) security analysis of OWASP Juice Shop, comparing the results, and documenting the findings.

Changes

  • submissions/lab5.md β€” added the Lab 5 report with OWASP ZAP and Semgrep analysis, severity breakdowns, comparison, and SAST/DAST correlation.

Testing

OWASP ZAP (Baseline)

docker compose -f labs/lab5/docker-compose.yml up -d

# Run baseline scan
docker run --rm `
  -v "${PWD}/labs/lab5/results:/zap/wrk" `
  ghcr.io/zaproxy/zaproxy:stable `
  zap-baseline.py `
  -t http://host.docker.internal:3000 `
  -J baseline-report.json

Expected: baseline report generated with approximately 10 alerts.

OWASP ZAP (Authenticated)

docker run --rm `
  -v "${PWD}/labs/lab5:/zap/wrk" `
  ghcr.io/zaproxy/zaproxy:stable `
  zap.sh -cmd -autorun /zap/wrk/zap-auth.yaml

Expected: authenticated report generated with additional findings, including SQL Injection.

Semgrep

docker run --rm `
  -v "${PWD}:/src" `
  semgrep/semgrep `
  semgrep scan `
  --config=p/owasp-top-ten `
  --json `
  --output=/src/labs/lab5/results/semgrep.json `
  /src/labs/lab5/semgrep/juice-shop

Expected: 22 findings (12 ERROR, 10 WARNING).

Artifacts & Screenshots

  • Submission report: submissions/lab5.md

Required checklist

  • Task 1 β€” ZAP baseline + auth + 10-20Γ— ratio analysis
  • Task 2 β€” Semgrep top-10 + triage shortcut
  • Bonus β€” Correlation table with 1+ confirmed cross-tool finding

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant