Using OWASP DeepViolet within OWASP ZAP

OWASP DeepViolet has been included and available in OWASP ZAP for a while now as an additional add-on component.  Briefly, the background is that DeepViolet is a TLS/SSL scanning API and set of tools.  OWASP ZAP is a Flagship application security scanner and includes some DeepViolet features for its TLS/SSL scanning.  I decided to post this blog update since it was not clear to me how to use this scanning with ZAP.  The following is a short post about how to install and use HttpsInfo (a.k.a. DeepViolet) within your ZAP scanning projects.

I mentioned that the DeepViolet TLS/SSL scanning capability has been included within the ZAP HttpsInfo add-on.  This add-on code is maintained by the OWASP project.  To include HttpsInfo and TLS/SSL scanning in your ZAP project, click on the toolbar icon circled in blue in the preceding screenshot.  Next, click on the Marketplace tab.  Scroll down to the HttpsInfo line, select it, and click Update to install the add-on into ZAP.  This adds HttpsInfo to ZAP, as shown in the following screenshot.

To use the add-on, right-click the server with the flag.  On the popup menu, run the add-on, circled in blue.

The previous screenshot shows an example of the scan output when HttpsInfo runs.  Keep in mind that the output displayed by HttpsInfo is a subset of the available TLS scan metadata.  More information is available, such as the current web server certificate metadata, metadata for all intermediate certificates chaining back to the root, revocation status, expiration status, and more.  You can get this additional information by running the standalone UI or command-line version of the tool.

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/
