Monday, 4 January 2016

ZAP Newsletter: 2016 January

Introduction

Happy New Year!
For the first newsletter of 2016 we have a special feature on a new vulnerability “XCOLD Information Leak” that caught the eye of one of our key contributors, how he found it and how you can use a new ZAP rule to detect it.

News

Steve Springett (@stevespringett) has implemented a ZAP Sonar plugin which integrates ZAP into SonarQube v5.1 or higher. He’s also looking for anyone interested in maintaining this going forwards, so please have a play with it and get in touch with Steve and/or myself if you might be interested in keeping it going. Don't worry if you don't know much about the ZAP side of things, we can help with that!

A new release of the ZAP Jenkins plugin is now available. You can download it here: https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin.
This release implements the form based authentication method and fixes some issues.

Do you want to know things like:
  • How many downloads ZAP gets?
  • What are the most popular ZAP add-ons?
  • How ZAP performs against wavsep and wivet?
You can find all of that out via:
http://zapbot.github.io/zap-mgmt-scripts/index.html
These stats are maintained by zapbot, which now even has its own icon :)

New / Improved Add-ons

This section details add-ons that have been added or significantly updated since the last newsletter.
Add-ons are available to download and install within ZAP.
Just click on the ‘Manage Add-ons’ toolbar button and select the Marketplace tab:

Note that all add-ons on the Marketplace are completely free and open source and anyone can publish add-ons to it - see the zap-extensions wiki for details.

The Selenium add-on has been updated to include the latest version of the selenium jar - this fixes problems with the latest version of Firefox so update asap.

The ‘Passive scan rules - alpha’ add-on has been updated to include a new scanner that identifies information leaks via the X-ChromeLogger-Data or X-ChromePhp-Data response headers. See the special feature below.

Special Feature: XCOLD Information Leak

This special feature from Kingthorin (kingthorin) explains how functionality aimed at assisting developers caught the eye of an IT Security Professional:

Ottawa ended up with an uncharacteristically green Christmas this year, but finally got snow as I’m drafting this (Dec 29th), so I'm going to dub this the XCOLD Info Leak (X-ChrOmeLogger-Data).

It all started rather innocently when an item in the Firefox 43 release notes caught my eye:

With my penetration tester hat on all I could think was: “Huh? What? I can get server logs in a client? Sweet, I can think of all sorts of Low to Pwned scenarios … Yay!”

Off I went to read further:
Basically it boils down as follows:
  • Decide you want server side messages available to clients.
  • Stick some code into your web app.
    • Support seems to be quite extensive: Python, PHP, Ruby, Node.js, .NET, ColdFusion, Go, Java, and Perl. Though the majority of the existing install/usage seems to be PHP.
  • Boom get messages in the browser (Chrome requires an extension, while Firefox now has native support).
Curious to see if this was already in Production use I headed over to Shodan, to see what there was to see. The following images are courtesy of Shodan, via www.shodan.io.

Ok so X-ChromeLogger-Data is in use. Not extensively, but the numbers are increasing. The image here is from 2015-12-29; I had previously poked around on this topic around the 18th. Though I don’t remember the specific number I’d previously queried, there seems to have been an increase in a short period and over the holidays.

It also seems that X-ChromePhp-Data is in use to a much lesser extent. So off I go to see what kind of data people might be exposing.

Keep in mind the following findings are based on public data, I’m not revealing anything here that the site(s) haven’t already revealed to the world.

Below I’ve just copied the Base64 encoded header values from the Shodan results and run them through the handy online decoder at https://www.base64decode.org/.

Alternative 1: Proxy your Shodan result browsing through ZAP, select the base64 string and use the “Encode/Decode/Hash” context menu:

Alternative 2: You could also pop the dev tools console (F12), do an atob(""); and hit enter. For example atob("ZW5jb2RlIHRoaXM="); returns encode this. I used the online service below since the dev tools console doesn’t line wrap :(

Picking the first X-ChromePhp-Data Shodan result I got the following:

Ok not terribly revealing, however it does give the entire disk location of AppController.php. Might be able to leverage that in other attacks or use the knowledge to social engineer something.

Here’s another example that’s really verbose, note Undefined index: admin references:

Here’s another, note the failures in processing various tokens, PREBODY, and HTTP_USER_AGENT. Those details might lead a pentester to another useful finding such as UA specific response or UA injection of some sort.
Here’s one that appears to be a WordPress plugin:
Here’s what seems to be a windows host running some WordPress gallery:
To top it off, here’s an example leaking raw SQL details:
I guess that’s enough examples. As you can see a ton of information is and can be leaked via this functionality.

While the benefits to a developer are obvious I would suggest that the following considerations or implementation choices be made if using the functionality:

  1. Do you want this turned on for Production use?
  2. If you do want it on for Production use can you ensure that you don’t leak information that might be leveraged by an attacker or malicious individual?
  3. Can you tie it to your authorization framework so that the information (header + content) is returned only to admins and support personnel not “all” users?
Curious if your app or site is exposing anything similar to the examples above? Do you have the XCOLD Info Leak? Check out the new ZAP passive plugin that looks for and identifies information leaks via X-ChromeLogger-Data and X-ChromePhp-Data. This is included in the latest Passive scan rules - alpha available from the ZAP Marketplace.

Update: Here's a slide deck from a presentation kingthorin recently did on XCOLD with OWASP-Ottawa: http://files.meetup.com/12990252/XCOLD-OWASP-Ottawa-20160125.pdf
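As an added example (my own code for this page, not the ZAP passive scan rule and not anything Kingthorin published), the following Node.js script does the two things the feature describes: the Base64 decoding step from the alternatives above (the same operation as atob() in the dev tools console) and a passive check that flags a response carrying X-ChromeLogger-Data or X-ChromePhp-Data, attaching the decoded log rows as evidence. It assumes the header value is Base64-encoded JSON in the ChromeLogger layout (version, columns, rows, each row being [log values, backtrace, type]); the sample response is constructed here, not taken from Shodan.

```javascript
// Added example (not code from the newsletter, from Kingthorin, or from the ZAP
// passive scan rule): a stand-alone Node.js checker for the XCOLD headers.
// Assumption: the header value is Base64-encoded JSON in the ChromeLogger
// layout {version, columns, rows}, each row being [log values, backtrace, type].

const XCOLD_HEADERS = ['x-chromelogger-data', 'x-chromephp-data'];

// Base64 -> UTF-8 text, the same step as atob() in the browser console.
function decodeBase64(value) {
  return Buffer.from(value, 'base64').toString('utf8');
}

// Split a raw HTTP response head into a map of lower-cased header name ->
// list of values (a header may legitimately repeat).
function parseResponseHead(rawHead) {
  const headers = {};
  for (const line of rawHead.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Decode one header value to a ChromeLogger object, or null if it is not
// valid Base64 JSON with a rows array, so a malformed header never throws.
function decodeChromeLoggerValue(value) {
  try {
    const obj = JSON.parse(decodeBase64(value));
    return obj && Array.isArray(obj.rows) ? obj : null;
  } catch (e) {
    return null;
  }
}

// Passive check over one response head. Returns an alert with the decoded
// log rows as evidence when either header is present, otherwise null.
function checkXcold(rawResponseHead) {
  const headers = parseResponseHead(rawResponseHead);
  for (const name of XCOLD_HEADERS) {
    if (!headers[name]) continue;
    const rows = headers[name]
      .map(decodeChromeLoggerValue)
      .flatMap(d => (d ? d.rows : []));
    return {
      alert: 'Information leak via ' + name + ' header',
      header: name,
      rowCount: rows.length,
      evidence: rows.map(r => ({
        message: Array.isArray(r[0]) ? r[0].join(' ') : String(r[0]),
        backtrace: r[1] === undefined ? null : r[1],
        type: r[2] || 'log',
      })),
      // warnings and errors (undefined index, failed queries...) are the rows
      // most likely to carry paths, parameter names or SQL, so triage them first
      hasWarningsOrErrors: rows.some(r => r[2] === 'warn' || r[2] === 'error'),
    };
  }
  return null;
}

// Constructed sample response for this example (not real Shodan data).
const samplePayload = {
  version: '4.1.0',
  columns: ['log', 'backtrace', 'type'],
  rows: [
    [['Undefined index: admin'], '/var/www/app/Controller/AppController.php : 42', 'warn'],
    [['request handled'], null, ''],
  ],
};
const SAMPLE_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html\r\n' +
  'X-ChromeLogger-Data: ' +
  Buffer.from(JSON.stringify(samplePayload)).toString('base64') + '\r\n\r\n';
const CLEAN_RESPONSE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n';

console.log(JSON.stringify(checkXcold(SAMPLE_RESPONSE), null, 2));
```

Run it with node; the rows tagged warn or error are the ones that most often carry file paths, parameter names and SQL, which is the triage order to use before working through the three considerations listed above.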

Upcoming Talks and Training

Akash Mahajan (@makash, the founder of The App Sec Lab) will be running a hands on workshop: "Application #SecurityTesting with OWASP ZAP" at the Open Source Summit on February 6th in Bangalore: https://www.facebook.com/joinunicom/photos/a.10151206545805033.498192.288931845032/10153652426465033/?type=1&theater

Featured Contributor: Paulo Brito

Each month we introduce you to one of the many ZAP contributors.

Q: Who are you?
A:
Paulo Brito (aka PB, @pbrito1), computer security enthusiast, computer science student.

Q: Where are you based?
A:
Campinas, Brazil

Q: What do you do in your day job?
A:
I am a journalist. I work as a freelancer, writing mainly IT and business stories for a couple of Brazilian newspapers and magazines. I also publish a blog on computer security at www.cibersecurity.com.br.

Q: Why do you contribute to ZAP?
A:
ZAP is a fantastic security tool. As I localize it for PT BR I help to make ZAP resources available for all Portuguese-speaking students and information security professionals. I'd love to also contribute by writing code but I'm still learning, so the best way I could contribute to the ZAP community was localizing the framework.

Q: How do you contribute to ZAP?
A:
I am currently translating the help files and the user interface. At this moment roughly 70% of the work is done. It's a lot of text, so it's also taking a lot of time. Sometimes I have to step back and retranslate when an improvement is deployed, and this will happen forever, because ZAP will always be improved.

Q: What would you like to contribute in the future?
A:
I will certainly be available to keep the localization updated.

Q: What do you like about the ZAP community?
A:
I like the fact that ZAP is a community with an important goal, developing an extremely important tool for web/computer security pros, and that really cares about its members, maintaining them always informed on what's going on.

Q: What do you get out of contributing?
A:
I get the pleasure of contributing to building a superb computer security framework, besides learning how to use ZAP and understanding how each feature is designed to check a security flaw. I also get a better understanding of how these flaws need to be fixed.

Q: Do you have any advice for people who would like to contribute to ZAP?
A:
I would say that this is a project that's worth contributing to. The project has a clear objective and its development is of great value to the community of information security professionals. Its members are talented people, dedicated to a good cause, and deserve all the help we can give, contributing to strengthening the ZAP project.

Q: Do you contribute to any other open source projects?
A:
No. ZAP is the only project I am currently contributing to.

Q: What do you do outside of work?
A:
Outside of my work I like to listen to classical music – I am a fan of Mozart and Bach – watch aviation documentaries and travel when possible.

Q: What do you [most] dislike about the ZAP development?
A:
I don't see any point I could dislike regarding the development. To the contrary, what I see is all the coders/testers working all the time to improve the framework.

Q: What do you think could be done [a lot] better?
A:
I don't know exactly how, but maybe OWASP could start (if it hasn't yet) evangelizing ZAP to university faculty and students, besides doing some PR (public relations) to enlarge the user base and the volunteer community as well.

Feedback

Please fill in this quick Feedback Form so that we can make sure this newsletter is as useful to you as possible.

Coming next month…

That depends on you!
Let us know what you would like to see using the above feedback form.
If you would like to write content for the newsletter then please get in touch - anything ZAP related, such as talks / training you are giving, a 3rd party tool you develop or maybe an add-on you’d like to explain in more detail.
And we’re also looking for one or more editors for the ZAP newsletter - you don't need any detailed ZAP knowledge, just a bit of time each month you can dedicate to chasing up people for content and bashing it into something that reads better than this one :P Think that's you? Get in touch!

Simon Bennetts (ZAP Project Lead)

Tuesday, 15 December 2015

ZAP Newsletter: 2015 December

Introduction

Welcome to the second ZAP Newsletter.
And apologies for the delay - 2.4.3 took longer than expected, and last week I was away at a Mozilla work week.

News

The big news is that ZAP 2.4.3 is now available to download.
This is a development and bugfix release, for more details of all of the changes see the release notes.

In other news, you can now buy ZAP stickers on StickerMule.
We don't make any money from these stickers - they are just for promoting ZAP :)
If you’re a ZAP contributor then you can get one for free (just ping me first) and if you’re getting a load for a ZAP talk or training session then get in touch as well - we’ll do our best to help cover the costs.

And please vote for ZAP in the Toolswatch Top Security Tools of 2015!

New / Improved Add-ons

This section details add-ons that have been added or significantly updated since the last newsletter.
Add-ons are available to download and install within ZAP.
Just click on the ‘Manage Add-ons’ toolbar button and select the Marketplace tab:

Note that all add-ons on the Marketplace are completely free and open source and anyone can publish add-ons to it - see the zap-extensions wiki for details.

Many add-ons have been updated in ZAP 2.4.3, but in most cases these have been for relatively minor enhancements and bug fixes.
The add-ons that have had significant changes include:

Fuzzer

This includes lots of changes, including:
  • Add an HTTP processor for tagging fuzz results.
  • Show the number of payloads from the script in the Fuzzer dialogue (1887).
  • Improve memory usage (2051).
  • Allow previewing of payloads, whether generated or from external sources (1896).
  • Allow modifying the selected Payload Processor script.
  • Show current payloads when adding/modifying processors (1898).
  • Allow previewing the processing of payloads (1931).
  • Allow saving (to file) String, Regex, File and Script payloads (1932).
  • Add support for regex repetitions (1885).
  • Allow modifying the payloads of File and File Fuzzers (1897).

Active scan rules - release

  • Promoted Format String to release

Active scan rules - beta

  • Demoted LDAP rule to alpha due to performance issues

Active scan rules - alpha

  • Added Integer Overflow scanner
  • Added User Agent Fuzzer

Passive scanner rules - alpha

  • Image Location Scanner detects more GPS tag varieties, scans png & tiff files, adds i18n.

New Features

The Docker weekly and stable containers now support virtual displays.
The zap.sh script works as before, but a new zap-x.sh script has been added which starts xvfb (X virtual framebuffer) in the background and means that you can use Selenium based add-ons like the Ajax Spider and DOM XSS scanner with ZAP in daemon mode.

Tutorial: Break Points

This section will teach you more about a different ZAP feature every month; this month we cover break points.
ZAP is an intercepting proxy, which means that you can intercept and change anything that is proxied through ZAP.
In order to tell ZAP that you want to intercept requests or responses you need to use break points.
Break points are controlled using the following buttons on the main toolbar:
  • Break on all requests and responses - the icon turns red when active
  • Submit and step to the next request or response
  • Submit and continue to the next break point
  • Bin the request or response
  • Add a custom HTTP break point

The easiest option is the ‘global’ break point which you can set using the ‘break’ button (the green ball). Initially it will be green - pressing it will change the colour to red and means that all requests and responses will now be intercepted. You can change the toolbar to show 2 break buttons - one for requests and one for responses - this was the only option in older versions of ZAP:
  • Break on all requests - the icon turns red when active
  • Break on all responses - the icon turns red when active
All break point options are configured via the Options/Breakpoints screen.

Once a break point is hit the request or response that was intercepted is displayed in the ‘Break’ tab:

You can change anything you like in the Break tab, you can even change binary data using the Hex views.
The intercepted message will stay in the Break tab until you press either the ‘Submit and step’ button (which will submit the message and intercept the next request or response), the ‘Submit and continue’ button (which will submit the message and unset the global break point) or the ‘Bin’ button which will drop the message.

By default the global break point affects all messages - you can change it to just apply to messages that are in scope via the options.

You may find that some applications continually make requests, making it difficult to find and intercept the one you are interested in.
If you encounter this situation then you can use custom break points.
There is a button on the main toolbar for custom HTTP break points, this launches the custom HTTP break point dialog:

This dialog allows you to create a custom HTTP break point that will only be hit when specific conditions are met. You can perform exact or regex matches against the URL, request header, request body, response header or response body.
You can have as many custom break points as you need - they are listed in the ‘Break Points’ tab from where they can be enabled, disabled, edited or deleted.

Break points are not restricted to HTTP(S) traffic - they are also supported for websockets and client side messages. Both of these also support custom break points via buttons on the tool bars for the respective tabs.

If custom break points still don’t provide you with enough flexibility then you can trigger break points from within proxy scripts.
Calling msg.setForceIntercept(true) in either of the proxyRequest(msg) or proxyResponse(msg) functions will trigger the break point, and this will work in any text based scripting language. Zest (which is graphically based) also includes a ‘break’ action statement that has the same effect.
Being able to trigger break points via scripts means that you can trigger them for exactly the conditions you are interested in, however complex they might be.
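As an added example (not code from the newsletter or the ZAP project), here is what such a proxy script can look like in JavaScript. proxyRequest, proxyResponse and msg.setForceIntercept(true) are as named above; the msg.getRequestHeader().toString() and msg.getRequestBody().toString() calls that read the message are this example's assumption about the HttpMessage API. The matching logic is kept in a pure function, with constructed sample requests, so it runs under Node.js outside ZAP.

```javascript
// Added example (not the newsletter's or the ZAP project's code): a ZAP proxy
// script in JavaScript. proxyRequest/proxyResponse and msg.setForceIntercept(true)
// are the entry points the tutorial names; getRequestHeader().toString() and
// getRequestBody().toString() are this example's assumptions about HttpMessage.

// Minimal request parser: method, path (without query), lower-cased headers, body.
function parseRequest(raw) {
  const sep = raw.search(/\r?\n\r?\n/);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep).replace(/^\r?\n\r?\n/, '');
  const lines = head.split(/\r?\n/);
  const [method = '', target = ''] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path: target.split('?')[0], headers, body };
}

// Break only on the traffic we care about: a state-changing request to the
// API, sent with a session cookie, whose JSON body touches the "role" field.
// A custom HTTP break point matches one field at a time; a condition that
// spans method, URL, header and body is where a script earns its keep.
function shouldIntercept(req) {
  const stateChanging = ['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method);
  if (!stateChanging || !req.path.startsWith('/api/')) return false;
  const hasSession = /(^|;\s*)session=/.test(req.headers['cookie'] || '');
  if (!hasSession) return false;
  let json;
  try {
    json = JSON.parse(req.body);
  } catch (e) {
    return false; // not JSON: forward without breaking
  }
  return json !== null && typeof json === 'object' &&
    Object.prototype.hasOwnProperty.call(json, 'role');
}

// ZAP proxy script entry points. Returning true forwards the message.
function proxyRequest(msg) {
  const raw = msg.getRequestHeader().toString() + msg.getRequestBody().toString();
  if (shouldIntercept(parseRequest(raw))) {
    msg.setForceIntercept(true); // pops the message into the Break tab
  }
  return true;
}

function proxyResponse(msg) {
  return true; // responses are not inspected in this example
}

// Constructed sample requests for this example.
const SAMPLE_REQUESTS = {
  roleChange:
    'POST /api/users/7 HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc123\r\n' +
    'Content-Type: application/json\r\n\r\n{"role":"admin"}',
  harmlessUpdate:
    'POST /api/users/7 HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc123\r\n' +
    'Content-Type: application/json\r\n\r\n{"displayName":"PB"}',
  noSession:
    'POST /api/users/7 HTTP/1.1\r\nHost: app.example\r\n' +
    'Content-Type: application/json\r\n\r\n{"role":"admin"}',
  readOnly:
    'GET /api/users/7?fields=role HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc123\r\n\r\n',
};

// Evaluate every sample; returns a name -> boolean map.
function evaluateSamples() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = shouldIntercept(parseRequest(raw));
  }
  return out;
}
```

Loaded into ZAP as a proxy script, only the first sample would land in the Break tab; the other three are forwarded untouched, which is the point of scripting the condition rather than breaking on every request to /api/.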

3rd Party Tool: ThreadFix

Each month we plan to cover a 3rd party tool that is related to ZAP in some way. These tools can be open source, closed source, free or commercial.
This month we’re covering ThreadFix, c/o Dan Cornell (@danielcornell)
ThreadFix
ThreadFix is an application vulnerability management platform that allows organizations to create a consolidated view of their applications and vulnerabilities, prioritize application risk decisions based on data, and then translate vulnerabilities to developers in the tools they’re already using.

With ThreadFix and OWASP ZAP, a security analyst can keep track of their application portfolio – laying out the various teams developing software and the applications each team is developing. Then, for each application, results from application scanning with ZAP can be uploaded and tracked over time. These results can be de-duplicated and correlated with other static and dynamic scanners, providing a comprehensive view of the results of security testing. In addition, ThreadFix can bundle vulnerabilities together and create bugs and software change requests in defect trackers such as JIRA and Bugzilla.

ThreadFix also provides a plugin for ZAP allowing security analysts to:
  • Directly export ZAP scan results into ThreadFix, saving time.
  • Pre-seed ZAP scans with application attack surface information when given access to application source code. This allows application testers to increase the coverage of scans by identifying “hidden” landing pages and input parameters that might not be found by a standard application spider/crawl.
In addition to the capabilities of the open source ThreadFix Community edition described above, ThreadFix Enterprise provides security teams the ability to schedule and execute scans with headless ZAP clients and have those results fed directly to the ThreadFix server. This allows security analysts to set a baseline level of scheduled scans and allows development teams to self-serve ZAP scans via the ThreadFix API.

More information can be found at:

Upcoming Talks and Training

Aaron Guzman will be running a training session titled "Web Pentesting Using OWASP Tools" (which will, of course, include ZAP) at AppSec California in Santa Monica on January 25 9:00am-5:00pm: http://sched.co/4Ouf

Featured Contributor: Yuho Kameda

And each month we plan to introduce you to one of the many ZAP contributors.
My profile
Yuho Kameda
About my activities (job)
I am a security engineer in Japan.

My work is as follows.
  • Vulnerability assessment
  • Incident response
  • Various analyses
I was a web application developer. I make use of my past experience to spread ZAP in Japan.

About my activities (private)
Capture the Flag:
  • I am participating in the security competition called Capture the Flag (CTF) as part of a Japanese team. I have participated in domestic and foreign competitions (such as DEFCON).
Participating in various working groups:
  • Mainly in Japan, I participate in various working groups in the OWASP Japan Local Chapter.
  • For example, I made a skill mapping of vulnerability assessment, and a requirements definition document for web applications or systems.


About activity of ZAP
Mainly, my ZAP activity is about the following three points.
  • How to use ZAP and find vulnerabilities in web applications.
  • Good publicity for ZAP.
  • Presentations and hands-on sessions on ZAP in Japan.
Yuho Kameda demonstrating ZAP

My contributions to ZAP (until now)
My activity mainly spreads ZAP knowledge in Japan. There is an OWASP Japan Local Chapter in Japan.
Mainly, I introduce ZAP in OWASP Japan. In addition, I made a Japanese ZAP manual. OWASP Japan released this manual on its web site.
I recognize that ZAP is used by many users in Japan. I am so happy to be able to contribute.
OWASP ZAP Hands-On

My contributions to ZAP (from now on)
I will continue my outreach activity. And then, I will go ahead with translating ZAP. I want everybody to know that ZAP is easy to use. I'd like to contribute to the ZAP project.

Finally
I like the ZAP project. I'd like to contribute together with other contributors in the ZAP project.
And then, I hope that many users will use ZAP.
Thank you for your time reading this.

Finally
I am Yuho Kameda, active as a ZAP Evangelist.
Thank you for reading through this English article.

So that you can build secure web applications/systems,
I will continue to deliver all kinds of information about ZAP in Japan.
I look forward to everyone's participation in the ZAP community.

Feedback

So … did you find that useful?
Please fill in this quick Feedback Form so that we can make sure this newsletter is as useful to you as possible.

Coming next month…

That depends on you!
Let us know what you would like to see using the above feedback form.
If you would like to write content for the newsletter then please get in touch - anything ZAP related, such as talks / training you are giving, a 3rd party tool you develop or maybe an add-on you’d like to explain in more detail.
And we’re also looking for one or more editors for the ZAP newsletter - you don't need any detailed ZAP knowledge, just a bit of time each month you can dedicate to chasing up people for content and bashing it into something that reads better than this one :P Think that's you? Get in touch!

Simon Bennetts (ZAP Project Lead)

Monday, 2 November 2015

ZAP Newsletter: 2015 November

Introduction

Welcome to the first monthly ZAP newsletter.
We plan to cover pretty much anything ZAP related in these newsletters, including newly created or updated add-ons, new features just implemented and 3rd party tools.
We also encourage contributions from people like yourself - see the last section for details.
Oh, and please let us know what you think of this newsletter via the Feedback Form!

News

The big news this month is that we will be releasing ZAP 2.4.3 very soon, ie hopefully in the first week of November. This will be an enhancement and bug fix release, and as always we recommend you update asap.

In other news, I ran the first online ZAP Q&A session last month. You can listen to a recording of it here: http://zaproxy.blogspot.com/2015/10/zap-q-session-tuesday-13th-octobr-2015.html
If you do listen to it then please fill out the feedback form linked off that page.

New / Improved Add-ons

This section details add-ons that have been added or significantly updated since the last newsletter (or in the last couple of months in this case;)
Add-ons are available to download and install within ZAP.
Just click on the ‘Manage Add-ons’ toolbar button and select the Marketplace tab:

Note that all add-ons on the Marketplace are completely free and open source and anyone can publish add-ons to it - see the zap-extensions wiki for details.

The following new add-ons have been recently released:

DOM XSS - Alpha

An Active Scan rule for detecting DOM XSS vulnerabilities.
It launches browser windows and sends attack payloads to all of the relevant DOM elements.
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsDomxssDomxss

Context Alert Filters - Alpha

Context Alert Filters allow you to automatically override the risk levels of any alerts raised by the active and passive scan rules within a context.
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAlertFiltersAlertFilter

Revisit - Alpha

Have you ever wanted to be able to browse an application you tested with ZAP at a specific time, perhaps when you don't have access to it, or after it's been changed in some way? If so then this add-on is for you!
The add-on allows you to instruct ZAP to return content from the ZAP history between specified dates rather than forwarding the requests to the site. This allows you to apparently browse and use a website that you no longer have access to. It also allows you to see what it looked like between specific times, which is useful if the application has since changed.
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsRevisitRevisit

New Features

The following new features have been implemented and are available in the weekly releases: https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Updating Add-ons from the Command Line

The ZAP command line has been enhanced to support updating add-ons.
There are 2 new options:
  • -addoninstall <addon> Install the specified add-on from the ZAP Marketplace
  • -addonupdate Update all changed add-ons from the ZAP Marketplace
These options take effect before other command line options such as ‘-quickurl’ so that add-ons will be installed and updated before attacking a target application.

Data Driven Content

ZAP has been enhanced to add the concept of ‘data driven content’ - path elements that represent data rather than the structure of an application.
For example, these 3 URLs represent the same page but with different data:
  • https://www.example.com/app/company1/p1?ddd=eee
  • https://www.example.com/app/company2/p1?ddd=fff
  • https://www.example.com/app/company3/p1?ddd=ggg
By default ZAP will represent them as three separate leaf nodes:
  • https://www.example.com
    • app
      • company1
        • GET:p1(ddd)
      • company2
        • GET:p1(ddd)
      • company3
        • GET:p1(ddd)
This is a problem because ZAP will now attack all 3 pages when it only needs to attack one of them.
In this case attacking the same page 3 times is not a big problem, but if you have hundreds or thousands of pages like this then the default behaviour will significantly increase the time it takes to scan the application.

The 'company' nodes are 'data driven content' - path elements that contain data instead of representing part of the application structure.
You can now define data driven content by adding the application to a Context and then configuring them via the Context Structure page.
Once you have done this the pages will be correctly represented as 1 leaf node:
  • https://www.example.com
    • app
      • «company»
        • GET:p1(ddd)
The characters « and » are used to indicate that this is a 'special' node and the node name (in this case 'company') can be set by you to indicate what that node represents.
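To show the effect in code, the following is an added example (not the ZAP project's implementation) that models a data driven content rule as a name plus a three-group regular expression, (prefix)(data)(suffix), applied to the URL without its query string, and builds the simplified tree above from the three example URLs. The regex form and the GET:p1(ddd) node naming are assumptions of this example; in ZAP itself the rule is configured on the Context Structure page.

```javascript
// Added example (not the newsletter's or the ZAP project's code): a small model
// of how a data driven content rule collapses sibling nodes in the Sites tree.
// Assumption: a rule is {name, regex} where regex has exactly three capture
// groups (prefix)(data)(suffix); the data group is replaced by «name».

function nodeKey(url, ddcRules) {
  const u = new URL(url);
  let full = u.origin + u.pathname;
  // Replace each data-driven segment with its «name» marker
  for (const rule of ddcRules) {
    const m = rule.regex.exec(full);
    if (m) full = m[1] + '\u00ab' + rule.name + '\u00bb' + m[3];
  }
  // Leaf nodes are keyed by method, last path segment and parameter names
  const params = [...u.searchParams.keys()].sort().join(',');
  const segments = full.slice(u.origin.length).split('/').filter(Boolean);
  const leaf = segments.pop() || '';
  return [u.origin, ...segments, 'GET:' + leaf + '(' + params + ')'];
}

// Insert every URL's key path into a nested object (the simplified tree).
function buildTree(urls, ddcRules) {
  const root = {};
  for (const url of urls) {
    let node = root;
    for (const part of nodeKey(url, ddcRules)) {
      if (!node[part]) node[part] = {};
      node = node[part];
    }
  }
  return root;
}

// Number of leaf nodes, i.e. pages the scanner would attack separately.
function countLeaves(tree) {
  const kids = Object.keys(tree);
  if (kids.length === 0) return 1;
  return kids.reduce((n, k) => n + countLeaves(tree[k]), 0);
}

// Render the tree as the indented listing used in the newsletter.
function renderTree(tree, depth = 0) {
  return Object.keys(tree)
    .map(k => '  '.repeat(depth) + '• ' + k + '\n' + renderTree(tree[k], depth + 1))
    .join('');
}

// The three URLs from the newsletter's own example.
const URLS = [
  'https://www.example.com/app/company1/p1?ddd=eee',
  'https://www.example.com/app/company2/p1?ddd=fff',
  'https://www.example.com/app/company3/p1?ddd=ggg',
];
const COMPANY_RULE = {
  name: 'company',
  regex: /^(https:\/\/www\.example\.com\/app\/)([^/]+)(\/.*)$/,
};

console.log(renderTree(buildTree(URLS, [])));             // three leaves
console.log(renderTree(buildTree(URLS, [COMPANY_RULE])));  // one leaf
```

Without the rule the tree has three GET:p1(ddd) leaves; with it there is one under «company», which is exactly the reduction in scan work the text describes.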

Tutorial: Check for Updates

This section will teach you more about a different ZAP feature every month, starting with the Check for Updates functionality.
ZAP is currently the most actively developed open source web application security tool, and we are continually adding new features and fixing bugs.
ZAP is made up of the ‘core’ and an ever growing number of add-ons. Anyone can develop ZAP add-ons, not just the ZAP 'core team'.
In order to update the core we have to release a new version of ZAP, but add-ons can be updated at any time.
For this reason we are trying to move as much functionality into add-ons as possible, even features that you might think of as being essential to ZAP, like the scanner rules.

Add-ons have an associated ‘quality’:
  • Release : which can be expected to be of high quality and fit for purpose
  • Beta : which are of reasonable quality and mostly fit for purpose
  • Alpha : which are typically at an early stage of development - they may be incomplete, contain significant issues or cause stability problems
All new add-ons start off as alpha and only progress to beta and release after suitable reviews.

The Check for Updates component is the way you can keep your copy of ZAP up to date.
You can configure it via the “Check for Updates” Options screen:

The following options are available:

Check for Updates on start up
You must select this option in order for the Check for Updates functionality to work. This is very strongly recommended - see below for the details of what will happen if you select this option.

Automatically download new ZAP releases
If selected then new versions of ZAP will be downloaded when available. You will be prompted to install them when you restart ZAP, but you can choose not to.

Check for updates to the add-ons you have installed
If selected then you will be notified when you run the ZAP UI whenever there are newer versions of any of the add-ons you have installed. This is strongly recommended.

Automatically install updates to the add-ons you have installed
If selected then ZAP will automatically download and install updates to the add-ons you have installed. This is recommended, but we understand that not everyone will want to do this.

Automatically install updates to the scanner rules you have installed
If selected then ZAP will automatically download and install updates to only the scanner rules you have installed. This is very useful when using ZAP in a Continuous Integration environment.

Report new release/beta/alpha quality add-ons
If selected then you will be notified whenever new or updated add-ons of the relevant quality are available, even if you don’t have them installed. This is an easy way for you to learn about new functionality as soon as it becomes available.

If you do choose to “Check for Updates on startup” then ZAP will make one request to a ‘Bitly’ URL. The only information about you that is included in this request is the version of ZAP you are running - we need this to be able to determine which add-ons and associated versions are suitable for you.
The Bitly URL resolves to an XML file on GitHub which gives full details of the latest ZAP release and the add-ons available for the release you are using.
The current file is: https://github.com/zaproxy/zap-admin/blob/master/ZapVersions-2.4.xml
All downloads are served over HTTPS and are checked against the hash included in the XML file.

ZAP will not install any add-ons downloaded over HTTP or which do not match the specified hash.

The Check for Updates code is in the zaproxy org.zaproxy.zap.extension.autoupdate package - if you have any questions on how it works then just ask on the ZAP Developers Group.

3rd Party Tool: BDD-Security

Each month we plan to cover a 3rd party tool that is related to ZAP in some way. These tools can be open source, closed source, free or commercial.
This month we’re covering BDD-Security, c/o Stephen de Vries (@stephendv)

BDD-Security is a security testing framework that takes the principles of Behaviour Driven Development (BDD) and applies them to security testing. It aims to solve two key problems:
  • How to automatically perform automated security testing of a web application and have those tests run as part of a continuous integration/deployment pipeline?
  • How to define the security requirements of a web application so that they are visible and useful to developers and don't become out of date as the application grows?

By using a BDD framework like JBehave (www.jbehave.org), we can write automated acceptance tests for security in a natural language syntax that is understood by all members of a technical team: developers, operations, security, QA and business analysts. At the same time these tests can be run as if they were normal JUnit tests and included in a build pipeline, allowing the test owners to decide on the passing and failing criteria for each test. The framework includes a default “baseline” set of tests which are broadly applicable to a range of web applications and includes tests against the SSL configuration, HTTP server headers, Authentication, Session Management as well as automated vulnerability scanning using ZAP and Nessus.

BDD-Security uses OWASP ZAP as a key component in performing the non-functional security tests aimed at the web tier, and uses ZAP's extensive API to perform spidering, scanning and re-sending of captured requests. The other key component is WebDriver (Selenium), which allows the tests to navigate the application and submit forms. Combining these two components means that it's possible to mimic the behaviour of a security analyst: any test case that they could perform manually can now be recorded using JBehave + WebDriver + ZAP.



More information including a getting started guide can be found at: http://www.continuumsecurity.net/bdd-intro.html

Upcoming Talks and Training

Bill Matthews will be giving a hands on ZAP session titled “OWASP ZAP: From zero to hero” at the EUROstar Software Testing Conference in Maastricht on November 5th 10:45-11:30:
http://conference.eurostarsoftwaretesting.com/conference/social/test-lab/

Aaron Guzman will be running a training session titled "Web Pentesting Using OWASP Tools" (which will, of course, include ZAP) at AppSec California in Santa Monica on January 25 9:00am-5:00pm: http://sched.co/4Ouf

Featured Contributor: Kingthorin

And each month we plan to introduce you to one of the many ZAP contributors.
Q: Who are you?
A:
Rick (aka Kingthorin). AppSec guy, breaker of things.

Q: Where are you based?
A:
Canada!

Q: What do you do in your day job?
A:
In my day job I break stuff: I do Vulnerability Assessment and Penetration Testing. Developers or SysAdmins having a bad day is generally a good day for me.

Q: Why do you contribute to ZAP?
A:
It's different from my day job. I spend all day figuring out how other people's systems and apps are or can be broken. Contributing to ZAP gives me a chance to build something. The contrast is nice to have, plus it forces me to grow in different ways and see technology from a different angle.

Q: How do you contribute to ZAP?
A:
I do some development work, take part in the user and dev forums. Ask lots of questions, rock the boat (a little ;).

Q: What would you like to contribute in the future?
A:
Hmmmm that's an interesting question. I have ideas for a few different extensions that I haven't had time to tackle yet. Hopefully in late 2015 or sometime in 2016 I'll talk myself into tackling those.

Q: What do you like about the ZAP community?
A:
Everyone is supportive and encouraging!

Q: What do you get out of contributing?
A:
I get to make a great Open Source tool do things I can use in my day job, and help others to do things they need in their jobs. It also forces me to learn about things like Git/Github, and simple web development tasks in generating content for ZAP PoC testing, etc. Of course it helps me learn about Java and software development itself.

Q: Do you have any advice for people who would like to contribute to ZAP?
A:
Just do it! Jump in with both feet, deep end of the pool. There's no time like the present. People here will help you, support you, encourage you, and in a good way (a great way) challenge you. There are so many ways you can contribute - Community Scripts, fixing or enhancing code based on issue tracker on Github (or your own ideas), developing your own extensions, writing tutorials, making training videos, etc.

Q: Do you contribute to any other open source projects?
A:
I've also contributed to the OWASP Testing Guide and OSSTMM in the past. As for other Open Source software projects, not yet, though because of ZAP I have plans and a few ideas floating around the back of my head.

Q: What do you do outside of work?
A:
Outside of work I like camping, gaming (I started playing WoW on day one of release and still play), geocaching, and cooking.

Q: What do you [most] dislike about the ZAP development?
A:
There really isn't much I dislike about it. Most of the things I dislike are on my side of the equation: not having enough time and not actually being a Java dev.

Q: What do you think could be done [a lot] better?
A:
From my point of view: The one thing I think we need to get better at is promoting scanners Alpha > Beta > Release.

Sadly I don't have any ideas for solutions, but it would be really nice if we could somehow gather stats or get users to provide feedback on usage, false positives, etc. I often wonder if we have 100s or 1000s of users, how often they use ZAP (everyday, every project, every assessment.....), what functionality they use (mostly proxy, mostly point and shoot, totally active with user auth setup, etc.), only release rules or all 3 qualities. I know we've done surveys/questionnaires in the past, what kind of response rate have we had?

Feedback

So … did you find that useful?
Please fill in this quick Feedback Form so that we can make sure this newsletter is as useful to you as possible.

Coming next month…

That depends on you!
Let us know what you would like to see using the above feedback form.
If you would like to write content for the newsletter then please get in touch - anything ZAP related, such as talks / training you are giving, a 3rd party tool you develop or maybe an add-on you’d like to explain in more detail.
And we’re also looking for one or more editors for the ZAP newsletter - you don't need any detailed ZAP knowledge, just a bit of time each month you can dedicate to chasing up people for content and bashing it into something that reads better than this one :P Think that's you? Get in touch!

Simon Bennetts (ZAP Project Lead)

Tuesday, 6 October 2015

ZAP Q&A Session - Tuesday 13th October 2015

The first online ZAP Q&A Session was held on Tuesday 13th October.

You can listen to a recording of the session here.

Please leave feedback via this Google Form.

Some links to resources mentioned in the session or related to the questions:
* Note that you can download add-ons from within ZAP via the Marketplace.


The original announcement is below for reference:

Do you have questions you would like answered about OWASP ZAP?

If so then you'll want to attend the ZAP Q&A Session with Simon Bennetts, the ZAP project lead, on Tuesday 13th October, 16:00 - 17:00 BST (see in your timezone)

https://global.gotomeeting.com/join/531638173 - toll-free numbers given below.

You can either ask questions during the session or submit them in advance via twitter to @psiinon

The meeting will be recorded for those who cannot attend.

This is the first time we'll have tried such a session, but if it proves useful then we may make this a regular event.

Please note that this session is probably not the best forum for detailed support questions.
For those please use the ZAP User Group.

Simon Bennetts

Full session details:

OWASP ZAP Q&A
Tue, Oct 13, 2015 4:00 PM - 5:00 PM BST

    Please join my meeting from your computer, tablet or smartphone.
    https://global.gotomeeting.com/join/531638173

    You can also dial in using your phone.
    United States (Toll-free): 1 877 309 2070
    United States +1 (312) 757-3119

    Access Code: 531-638-173


Wednesday, 27 May 2015

ZAP as a Service (ZaaS)

At OWASP AppSec EU in Amsterdam this year I announced ZAP as a Service (ZaaS).
The slides are here and the video will hopefully be available soon.

The idea behind this development is to enhance ZAP so that it can be run in a ‘server’ mode.
This is different to the current ‘daemon’ mode in that it will be designed to be a long running, highly scalable, distributed service accessed by multiple users with different roles.

ZaaS is definitely not ready for release yet - there will be loads of changes required to make this a reality, although some changes required for ZaaS have already been made.
However I decided to announce this as a future direction in order to stimulate discussions and hopefully encourage people to get involved.

And I want to stress that it is not a replacement for ‘desktop’ ZAP (as I’ve started calling it).
Desktop ZAP is an important focus for us, and it is the way we expect most people to use ZAP for the foreseeable future.
Instead it's just a different way of running ZAP - there's going to be a lot of common code between desktop ZAP and ZaaS.

So how will ZaaS differ from desktop ZAP?

Database

The current HSQLDB is good for a desktop application as it requires no installation, but it's not suitable for ZaaS.
In 2.4.0 we introduced a database independence layer so that alternative implementations can be supported, although the only implementation was the current hard coded HSQLDB option.
In the trunk there's now a generic SQL implementation, in which all of the SQL statements have been extracted into property files.
In theory any SQL db should be supportable, and working implementations of both HSQLDB and MySQL are provided.
Although MySQL is intended for daemon or ZaaS modes there's no reason why it can't also be used for the desktop, and in fact that's one of the options that's been tested.
Details of how to configure ZAP to use MySQL will be posted on the ZAP Developer Group soon.
One important aspect that has not been implemented yet is the ability to support multiple database instances in order to better segregate data.

Data Structures

While desktop ZAP uses the database very heavily, it still builds up some big data structures in memory. This is so that the Swing UI can react quickly to user events, such as scrolling through a long list.
Structures like the Sites tree and History table are held in memory and will constantly grow.
This is no good for a long running service, which is why we have introduced a ‘low memory’ option. When this option is used, ZAP components that support it will not build up any significant data structures in memory, and those that don't support it will not be enabled.
This has been implemented for most of the core, but some of the add-ons (including some key active scan rules) still need to be changed.
Again, details of how to configure ZAP to use the low memory option will be posted on the ZAP Developer Group soon.

Processes and deployment

We will be restructuring the code so that it will be possible to run multiple ZAP processes across multiple machines.
Desktop ZAP will still be just one process, but we will add the option to run ZAP as multiple distributed processes which are likely to provide specific functionality.
For example we may well have ZAP ‘worker’ processes for long running tasks such as the spider and active scanner.
This work has not been started.

Users and roles

ZaaS will need to support multiple users with different roles. We want to be able to support a hierarchy of users, teams and companies all with access to their own data.
This work has not been started.

Access

In addition to the API we will need to implement a modern HTML5 interface for ZAP.
This is a very big task, and so we’ll need to initially target it at some very specific use cases before gradually expanding it to handle all of the ZAP functionality.
This work has not been started.

Application Lifetime

The target is for ZaaS to be capable of running in a five nines environment.
Achieving that level of uptime is not just a software problem, but even so ensuring that ZaaS can operate at that level is a huge challenge, especially for a product that at the moment typically only runs for a matter of hours.
The MySQL support, distributed architecture and low memory options are key here, but there are many other considerations such as ensuring there are no single points of failure and supporting rolling upgrades.
This is probably going to be the most challenging aspect of ZaaS, and one that several people have questioned.
However designing, implementing and in some cases even running highly available services is exactly what I was doing before I started working on ZAP. I actually started ZAP as a way to learn how to make the services I was working on as secure as possible!

Security

We take the security of Desktop ZAP very seriously, but the security of ZaaS will be even more critical.
Desktop ZAP is typically run on a single machine and only accessible from that machine.
ZaaS will have a remotely accessible HTML5 interface, and this significantly increases the attack surface.
As it will also contain details of the vulnerabilities of other services, it will be a very tempting target for attackers even if it is restricted to a company's internal network.
We will be considering security at all stages of ZaaS development and will ensure that it is thoroughly pentested by experienced security professionals not directly connected with the project.

License

One key thing that will not change between Desktop ZAP and ZaaS is the license.
ZaaS will be released under Apache V2, which means that anyone can use it for anything they like.
You will be able to set up a ZaaS instance for your company, and if you want to you could even set up ZaaS as an online service and charge money for it - that's completely permissible!

Development process

Although we have already implemented features required for ZaaS there is still much work to do.
As mentioned at the start of this post, this announcement is to stimulate discussions and hopefully encourage people to get involved.
We are not able to give any idea of a possible release date for ZaaS at this stage, however we will aim to implement features in a way that ensures they can be used even without the full ZaaS solution.

We will be using the ZAP Development group for all of the ZaaS related discussions - please join in!

Wednesday, 3 September 2014

Alberto's GSoC 2014 Project for ZAP: SOAP Scanner Add-On

Hello everybody, my name is Alberto Verza, a 23-year-old student from Spain, and this summer I have participated in Google Summer of Code 2014. My project was the SOAP Scanner Add-On for ZAP, which I worked on for the whole program. Let me explain the features it includes.

One of the interesting features this Add-On provides is WSDL file scanning. Until now, ZAP could find this kind of file and could even search for URLs inside it, but further requests to those URLs did not have the valid SOAP format specified by the WSDL file. With the SOAP Scanner Add-On, detected WSDL files are now read and SOAP requests follow the correct format. You can provide WSDL files in many ways: using the main window "quickscan" option, through proxy navigation, or even by importing single files through the Tools menu.

However, the SOAP Scanner Add-On's functionality doesn't end here. It couldn't be called a "scanner" if it wasn't capable of scanning for vulnerabilities, after all. That's why it has some SOAP-dedicated scanners, which simulate specific attack vectors for some known vulnerabilities like SOAP Action Spoofing or XML Injection, and raise alerts when something unusual appears in the server's response. Moreover, the Add-On not only works with the scanners made in this project, but is also compatible with previously developed ones like the SQL Injection Scanner or Cross-Site Scripting Scanner, among others.

The SOAP Scanner Add-On has passed the GSoC final evaluations in alpha state, so if you want to give it a try, you should take a look at the User Guide [1] first.

Finally, I want to stress that OWASP ZAP and the SOAP Scanner Add-On are Open Source Software under the Apache License 2.0, so contributions to the code are always welcome. If you have not worked on ZAP before, the ZAP Developers will be pleased to help anyone who wants to contribute through the Developers' Group [2], so don't hesitate to ask there.

I hope you find this useful :)

------------------------------------------------------------------------------------------------------------
[1] SOAP Scanner Add-On User Guide: https://docs.google.com/document/d/1yy7eZHP0mg46nHC7a2KaOfM08HNb84f5Kn5GF02-v9M/edit?usp=sharing

[2] ZAP Developers' group: https://groups.google.com/forum/#!forum/zaproxy-develop

Wednesday, 30 April 2014

Hacking ZAP #4 - Active scan rules

Welcome to a series of blog posts aimed at helping you “hack the ZAP source code”.
The previous post in this series is: Hacking ZAP #3 - Passive scan rules

Active scan rules are another relatively simple way to enhance ZAP.
Active scan rules attack the server, and therefore are only run when explicitly invoked by the user.
You should only use active scan rules against applications that you have permission to attack.

You can also write active scan rules dynamically using scripts, as we will see later in this series, but even then it's very useful to understand some of the concepts and the underlying classes available to you.

Where to start

As with passive rules, the easiest way to get started is to rip off an existing rule.
Active scan rules can be found in 3 locations in the zap-extensions project, depending on their status:
There are also some simple examples that we will examine in more detail.
These are all in the alpha branch.

The main classes

Unlike passive scan rules there are different classes that you should extend depending on the type of rule you want to implement.

AbstractPlugin - you typically will not extend this class directly, but it provides key methods that you will need to use and abstract methods that will need to be implemented.

AbstractHostPlugin - extend this class if you want your code to be run once against the top node that the user scans. This is ideal for scanning things that are not ‘page’ related, such as the SSL certificate.
The key method you’ll need to implement is the void scan() method inherited from AbstractPlugin - this is where you perform your attacks.

AbstractAppPlugin - extend this class if you want your code to be run against every node (or page) being scanned. This is ideal for scanning elements that are not related to existing parameters, such as trying new debug flags.
The key method you’ll need to implement is the void scan() method inherited from AbstractPlugin - this is where you perform your attacks.

AbstractAppParamPlugin - extend this class if you want your code to run against every parameter in every node being scanned. This is ideal for scanning existing parameters.
The key method you’ll need to implement is void scan(HttpMessage msg, String param, String value) - this is where you attack the specified parameter.

Performing attacks


Unlike passive scan rules, active scan rules are expected to make requests to the server.

You should use the AbstractPlugin.getNewMsg() method to get hold of a new HttpMessage that you can use for your attack. If you make multiple requests then call getNewMsg() for each request. The message will be a copy of the original request but with an empty response. You can access the original request and response via getBaseMsg(), but you should not modify it.
You should use one of the AbstractPlugin.sendAndReceive(HttpMessage msg, …) methods to actually make the request. The variants allow you to choose whether the underlying code should handle redirects and/or anti CSRF tokens.
The sendAndReceive methods also handle user controlled features like authenticating as a specified user.
When you find potential issues you can raise them via one of the AbstractPlugin.bingo(..) methods.

Like passive scan rules, active scan rules support AlertThresholds which allow the user to indicate how strictly you should check for vulnerabilities.

Simple example


The ExampleSimpleActiveScanner class implements a very simple active scan rule.
As you will see, it just raises an alert randomly, so it isn't of any practical use.
Like the simple example passive scanner introduced in the previous post it uses the Vulnerabilities class for the documentation associated with the vulnerability.
Most of the methods should be self explanatory, but there are 2 that are worth explaining.
The getCategory() method is used to group related rules in the UI.
And the getRisk() method affects the order the rules are run - the rules which report higher risks are run before those that report lower risks.

File based example

The ExampleFileActiveScanner class implements a slightly more complex active scan rule which is equivalent to the example file passive scan rule introduced in the previous post.
This class introduces another feature, the attack strength, which allows the user to adjust the number of attacks each rule performs.
If you are implementing a rule just for your own use then you don't need to worry about this. However, if you plan to publish it for others to use then you should consider supporting it.

The getAttackStrength() method returns an AttackStrength value which can be one of:
  • LOW: Limit to around 6 requests per scan call
  • MEDIUM: Limit to around 12 requests
  • HIGH: Limit to around 24 requests
  • INSANE: No limit, although 1000s wouldn't be a good idea

You should periodically check to see if the AbstractPlugin.isStop() method returns true - this indicates that the user has stopped the scan so your code should immediately return. The infrastructure will check this before invoking your code to scan a new target (eg page or parameter).
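As an added example that is not from the zap-extensions project, here is a hypothetical AbstractAppParamPlugin rule tying the pieces above together: a fresh message from getNewMsg() for every request, sendAndReceive(), an isStop() check on each iteration, a request budget derived from getAttackStrength(), and a single bingo() once the result is known. It reports parameters whose value is echoed unencoded into the response body. The package name, the rule id, the Category.INFO_GATHER and Alert.WARNING constants and the seven-argument bingo() overload are assumptions based on the ZAP 2.x API of the time, and the probe strings are constructed.

```java
package org.zaproxy.zap.extension.ascanrulesAlpha; // assumed: package of the alpha rules

import java.io.IOException;

import org.apache.log4j.Logger;
import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.network.HttpMessage;

/**
 * Hypothetical rule (not part of zap-extensions): sends a distinctive marker in each
 * parameter and reports when the response body echoes it back unencoded. Later probes
 * add HTML-significant characters so the alert shows which of them survive unencoded.
 */
public class ExampleReflectionActiveScanner extends AbstractAppParamPlugin {

    private static final Logger LOG = Logger.getLogger(ExampleReflectionActiveScanner.class);

    // Constructed probe values, ordered from harmless to HTML-significant.
    private static final String[] PROBES = {
        "zapprobe7a50",      // plain token: is the value echoed at all?
        "zapprobe7a50'q",    // single quote
        "zapprobe7a50\"q",   // double quote
        "zapprobe7a50<q>",   // angle brackets
    };

    @Override public int getId() { return 60199; } // placeholder id, not a registered ZAP rule id
    @Override public String getName() { return "Example: parameter value reflected unencoded"; }
    @Override public String getDescription() {
        return "The value of a request parameter is written into the response body without encoding.";
    }
    @Override public int getCategory() { return Category.INFO_GATHER; } // grouping in the UI
    @Override public String getSolution() { return "Encode untrusted input before writing it into responses."; }
    @Override public String getReference() { return ""; }
    @Override public int getRisk() { return Alert.RISK_LOW; } // also decides the order rules run in
    @Override public int getCweId() { return 0; }
    @Override public int getWascId() { return 0; }
    @Override public String[] getDependency() { return null; } // no dependency on other rules
    @Override public void init() { }

    /** Requests allowed per scan() call, following the attack strength limits in the post. */
    int requestBudget() {
        switch (getAttackStrength()) {
            case LOW:    return 6;
            case MEDIUM: return 12;
            case HIGH:   return 24;
            default:     return Integer.MAX_VALUE; // INSANE: no limit
        }
    }

    @Override
    public void scan(HttpMessage msg, String param, String value) {
        // This rule has few probes, so the budget mostly matters for rules with long probe lists.
        int toSend = Math.min(requestBudget(), PROBES.length);
        String lastEchoed = null;
        for (int i = 0; i < toSend; i++) {
            if (isStop()) {
                return; // the user stopped the scan: return immediately
            }
            String probe = PROBES[i];
            HttpMessage attackMsg = getNewMsg(); // fresh copy per request; never modify the base message
            setParameter(attackMsg, param, probe);
            try {
                sendAndReceive(attackMsg); // default variant; others control redirect and anti-CSRF handling
            } catch (IOException e) {
                LOG.debug("Request failed for parameter " + param + ": " + e.getMessage());
                break;
            }
            if (!attackMsg.getResponseBody().toString().contains(probe)) {
                break; // not echoed (or echoed encoded): stop escalating
            }
            lastEchoed = probe;
        }
        if (lastEchoed != null) {
            // Seven-argument bingo overload: risk, confidence, uri, param, attack, otherInfo, message.
            bingo(getRisk(), Alert.WARNING, null, param, lastEchoed,
                    "Probe echoed verbatim in the response body", getNewMsg());
        }
    }
}
```

The alert is raised on a message object purely for illustration; in a real rule you would pass the last attackMsg that produced the echo so that the evidence is visible in the Alerts tab.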

Advanced features

If your rule depends on another rule having been run then you need to specify that via the getDependency() method.
The persistent XSS rules do this, e.g. in TestPersistentXSSSpider and TestPersistentXSSAttack.

If you need to know the exact type of parameter you are scanning, for example to ignore some types that are not relevant, then you can override the AbstractAppParamPlugin.scan(HttpMessage msg, NameValuePair originalParam) method and provide a null scan(HttpMessage msg, String param, String value) method. The NameValuePair class includes the parameter type.

Building and deploying

All ZAP add-ons are built using Apache Ant.
For the alpha active scan rules the build file is: branches/alpha/build/build.xml
All you need to do is run the deploy-ascanrulesAlpha target and the relevant add-on will be built and copied to the correct location, assuming you have a ZAP core project called ‘zaproxy’.
If you want to deploy to a different location then you can change it at the top of the file.
ZAP automatically extracts the files specified in the manifest into a directory underneath the ZAP user directory.
A knowledgeable user can manually edit these files and any changes will take effect when ZAP is restarted.

Updating the help and manifest

As with passive scan rules, it's good to add a short description of the rule to the help file, ascanalpha.html, and to include the new class along with any files it uses in the add-on manifest, ZapAddOn.xml.

The next post in this series will be: Hacking ZAP #5: Extensions