Bust a cap in a web app with ZAP (from Simon)

Post on 26-Mar-2020

Transcript of the slide deck:

The OWASP Foundation

http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Bust a cap in a web app with OWASP ZAP

Adrien de Beaupré

GSEC, GCIH, GPEN, GWAPT, GCIA, GXPN

ZAP Evangelist

Intru-Shun.ca Inc.

SANS Instructor, Penetration Tester, and Consultant

Adapted from slides written by Simon Bennetts (psiinon)


About me

32+, 22+, 14+ years

Contributor to OSSTMM 3

Contributor to Hacking Exposed, Linux 3rd Ed

Contributor to SANS Incident Handling Guide

Certified SANS Instructor; 503, 504, 542, 560

ZAP, Nikto, Watcher, OSSAMS and other FOSS projects

Black belt in Gōjū-ryū Okinawan karate

©2013 Intru-Shun.ca Inc.

What is ZAP?

• The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

• It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Why use ZAP?

•An easy to use webapp pentest tool

•Completely free and open source

•An OWASP flagship project

•Ideal for beginners

•But also used by professionals

•Ideal for devs, esp. for automated security tests

•Becoming a framework for advanced testing

•Included in all major security distributions

•Not a silver bullet!

ZAP Principles

•Free, open source

•Involvement actively encouraged

•Cross platform

•Easy to use

•Easy to install

•Internationalized

•Fully documented

•Work well with other tools

•Reuse well regarded components

Statistics

•V 2.3.1 released in May 2014

•V 2.2.2 released in Sept 2013

•V 2.1.0 downloaded > 25K times

•Released September 2010, fork of Paros

•Translated into 20+ languages

•Over 50 translators

•Paros code: ~20%, ZAP code: ~80%

Ohloh Statistics

•Very high activity

•The most active OWASP Project

•29 active contributors

•An estimated 279 person-years of effort

•Source: http://www.ohloh.net/p/zaproxy

The Main Features

All the essentials for web application testing:

•Intercepting Proxy

•Active and Passive Scanners

•Traditional and Ajax Spiders

•WebSockets support

•Forced Browsing (using OWASP DirBuster code)

•Fuzzing (using fuzzdb & OWASP JBroFuzz)

•Online Add-ons Marketplace

Some Additional Features

•Auto tagging

•Port scanner

•Script Console

•Report generation

•Smart card support

•Contexts and scope

•Session management

•Invoke external apps

•Dynamic SSL Certificates

More new stuff

•New add-ons:

– Technology detection using Wappalyzer

– HTTPS Info

•New / updated Scan rules:

– Command injection

– Code injection

– Xpath injection

– SQL injection (inc a port of SQLMap core)

Even more new stuff

•New active scan targets and formats

– HTTP headers + Cookies

– Multipart Forms

– XML

– JSON

– Google Web Toolkit

– OData

•New features and improvements:

– OWTF - Zest support and ZAP integration

– Advanced access control testing and user access comparison

– Advanced Fuzzing

– SOAP web service scanning

•OWTF - Zest support and ZAP integration

This project will improve integration between the OWTF and external tools such as ZAP. This will be accomplished by adding features such as sending HTTP requests and Zest scripts from OWTF to third-party tools. Zest scripts will provide an automated mechanism to replicate exploitation of security vulnerabilities in a format that facilitates information exchange between external tools, which can then reproduce the same vulnerabilities in their own environment.

Deep Shah

•Advanced access control testing and user access comparison

OWASP ZAP already has the capability to allow users to configure authentication methods, session management methods and Users for a web-application in order to automate the authentication/re-authentication process during scans. This project aims to enhance ZAP’s capabilities by adding a set of access control testing features and tools.

Cosmin Stefan

•Advanced Fuzzing

Throughout this project the fuzzing tool of the OWASP ZAP Attack Proxy is going to be reworked to implement several features that have been requested by users. This involves the completion and clean up of the existing packages as well as the implementation of several new ones on top of that.

Sebastian Schulze

•SOAP web service scanning

The purpose of this project is to implement vulnerability scanning functionality for SOAP web services in the OWASP ZAP tool, since its current capabilities are very limited for these tasks.

Alberto


Scripting

•Previously just supported 'run now' scripts

•Scripting is now embedded into ZAP

•Different types of scripts

– Stand alone: as now

– Targeted: specify URLs to run against

– Active: run in the active scanner

– Passive: run in the passive scanner

– Proxy: run 'inline'
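As an added example of the "Passive" script type above (written for this page, not a script that ships with ZAP): a passive scan script that flags database error messages leaking into responses. ZAP invokes `scan(ps, msg, src)` once per message it has already seen, so nothing is sent to the target. The `HttpMessage` accessors used (`getRequestHeader().getURI()`, `getResponseHeader().getHeader()`, `getResponseBody()`) are ZAP's own; the 13-argument `ps.raiseAlert(...)` signature is the one from the classic passive script template and is assumed here, so check the template that your ZAP version generates (newer releases also offer `ps.newAlert()`). The error signatures and the sample response are constructed.

```javascript
// Passive scan script for ZAP's JavaScript script engine: raise an alert when
// a response body contains a database error string. Added example, not ZAP code.

// Constructed signature list; extend it for the stacks you test against.
var DB_ERROR_PATTERNS = [
  { db: 'MySQL',      re: /You have an error in your SQL syntax/i },
  { db: 'PostgreSQL', re: /ERROR:\s+syntax error at or near/i },
  { db: 'SQLite',     re: /SQLITE_ERROR|sqlite3\.OperationalError/i },
  { db: 'Oracle',     re: /ORA-\d{5}/ },
  { db: 'MSSQL',      re: /Unclosed quotation mark after the character string/i }
];

// Pure function so the detection logic can be unit-tested outside ZAP.
// Returns { db, evidence } for the first matching signature, else null.
function findDbError(body) {
  for (var i = 0; i < DB_ERROR_PATTERNS.length; i++) {
    var m = DB_ERROR_PATTERNS[i].re.exec(body);
    if (m) {
      return { db: DB_ERROR_PATTERNS[i].db, evidence: m[0] };
    }
  }
  return null;
}

// Entry point ZAP calls for every message the passive scanner sees.
function scan(ps, msg, src) {
  // Only textual responses can carry an error page; skip images, archives etc.
  var ctype = msg.getResponseHeader().getHeader('Content-Type') || '';
  if (!/^(text\/|application\/(json|xml|javascript))/i.test(ctype)) {
    return;
  }
  var hit = findDbError(msg.getResponseBody().toString());
  if (hit === null) {
    return;
  }
  // Assumed signature (classic template):
  // raiseAlert(risk, confidence, name, description, uri, param, attack,
  //            otherInfo, solution, evidence, cweId, wascId, msg)
  // risk: 0 info, 1 low, 2 medium, 3 high
  // confidence: 0 false positive, 1 low, 2 medium, 3 high, 4 confirmed
  ps.raiseAlert(2, 3,
    'Database error message in response (' + hit.db + ')',
    'The response contains a ' + hit.db + ' error string. Error detail reaching ' +
      'the client aids SQL injection and discloses the back-end technology.',
    msg.getRequestHeader().getURI().toString(),
    '', '', '',
    'Return a generic error page and log the detail server-side only.',
    hit.evidence,
    209,   // CWE-209: error message containing sensitive information
    13,    // WASC-13: information leakage
    msg);
}

// Passive scripts may restrict which history types they inspect; take all.
function appliesToHistoryType(historyType) {
  return true;
}

// Local smoke test; skipped when ZAP loads the script (no CommonJS there).
if (typeof module !== 'undefined' && require.main === module) {
  var sample = "Warning: mysql_query(): You have an error in your SQL syntax near '1'";  // constructed
  console.log(findDbError(sample));
}
```

Load it in ZAP via the Scripts tab as a passive script and enable it; the alert then appears alongside the built-in passive rules as traffic flows through the proxy.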

Zest - Overview

•An experimental scripting language

•Developed by Mozilla Security Team

•Free and open source (of course)

•Format: JSON – designed to be represented visually in security tools

•Tool independent – can be used in open and closed, free or commercial software

•Is included by default in ZAP from 2.2.0

•Will replace filters – Alessandro's project

Zest – Use cases

•Reporting vulnerabilities to companies

•Reporting vulnerabilities to developers

•Defining tool independent active and passive scan rules

•Deep integration with security tools
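An added example, not from the talk or from the Zest project, of what the "reporting vulnerabilities to developers" and "tool independent" points look like in practice: a Zest script (JSON) that reproduces a reflected XSS finding, plus a minimal runner that evaluates its assertions. This is not Zest's reference implementation (that is Mozilla's zest library and ZAP's Zest add-on); the field names follow the JSON that ZAP exports as best I recall them and should be treated as assumptions, so diff them against a script exported from your own ZAP. The target URL and the recorded response body are constructed.

```javascript
// A Zest script for one reflected-XSS finding and a tiny runner for it.
// Added example; field names are assumed from ZAP's Zest export format.

var TARGET = 'http://target.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E'; // constructed

var zestScript = {
  about: 'This is a Zest script. For more details about Zest visit https://developer.mozilla.org/en-US/docs/Zest',
  zestVersion: '0.3',
  title: 'Reflected XSS in search q parameter',
  description: 'Sends the probe and asserts it is echoed back unencoded.',
  prefix: 'http://target.example',
  type: 'StandAlone',
  statements: [
    {
      elementType: 'ZestRequest',
      index: 1,
      enabled: true,
      method: 'GET',
      url: TARGET,
      headers: '',
      data: '',
      followRedirects: true,
      // Response recorded when the script was exported; the runner replays it
      // by default so this example works offline.
      response: {
        elementType: 'ZestResponse',
        url: TARGET,
        statusCode: 200,
        headers: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n',
        body: '<p>Results for <script>alert(1)</script></p>',   // constructed
        responseTimeInMs: 12
      },
      assertions: [
        { elementType: 'ZestAssertion',
          rootExpression: { elementType: 'ZestExpressionStatusCode', code: 200, not: false } },
        { elementType: 'ZestAssertion',
          rootExpression: { elementType: 'ZestExpressionRegex', variableName: 'response.body',
                            regex: '<script>alert\\(1\\)</script>', caseExact: true, not: false } }
      ]
    }
  ],
  index: 0,
  enabled: true,
  elementType: 'ZestScript'
};

// Evaluate one Zest expression against a response. Only the two expression
// types used above are implemented; anything else is rejected loudly.
function evalExpression(expr, response) {
  var result;
  switch (expr.elementType) {
    case 'ZestExpressionStatusCode':
      result = response.statusCode === expr.code;
      break;
    case 'ZestExpressionRegex': {
      var subject = expr.variableName === 'response.header' ? response.headers : response.body;
      result = new RegExp(expr.regex, expr.caseExact ? '' : 'i').test(subject);
      break;
    }
    default:
      throw new Error('unsupported expression type: ' + expr.elementType);
  }
  return expr.not ? !result : result;
}

// Run every enabled ZestRequest. send(stmt) must return a ZestResponse-shaped
// object; the default replays the recorded response (no network). Plug in a
// real HTTP client to re-test the application after a fix.
function runZest(script, send) {
  send = send || function (stmt) { return stmt.response; };
  var results = [];
  script.statements.forEach(function (stmt) {
    if (stmt.elementType !== 'ZestRequest' || !stmt.enabled) { return; }
    var resp = send(stmt);
    var failed = stmt.assertions
      .filter(function (a) { return !evalExpression(a.rootExpression, resp); })
      .map(function (a) { return a.rootExpression.elementType; });
    results.push({ index: stmt.index, url: stmt.url, passed: failed.length === 0, failed: failed });
  });
  return results;
}

// The finding is still present while every assertion holds; once the app
// encodes or rejects the probe, the regex assertion fails and this is false.
function stillVulnerable(script, send) {
  return runZest(script, send).every(function (r) { return r.passed; });
}
```

Because the script carries the exact request, the expected status and the regex that proves reflection, a developer can replay it with ZAP (or with a runner like the one above) without needing the tester's notes, and the same file doubles as a regression check once the fix lands.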

How can you use ZAP?

•Point and shoot – the Quick Start tab

•Proxying via ZAP, and then scanning

•Manual pentesting

•Automated security regression tests (headless)

•As a debugger

•As part of a larger security program

Methodology

Logistics and Planning

Open Source Information Gathering

Reconnaissance

Identification / Enumeration / Mapping

Research

Vulnerability Identification / Discovery

Validation / Exploitation

Reporting


Penetration Testing

Requires methodology AND creativity.

Requires performing a vulnerability assessment correctly first.

Finding alternate means to access functionality or data.

Finding alternate functionality.

Should be goal oriented.

There is no such thing as cheating in a pentest.


Identification / Enumeration / Mapping

Purpose: Gaining an understanding of the application and its underlying components / infrastructure / technologies.

Inputs: systems and applications known to be live/available.

Outputs: Application map, technology fingerprints.

Tools: Nmap, Nessus, ZAP, Burp, diagramming tool...


Vulnerability Identification / Discovery

Purpose: identify known or previously unknown vulnerabilities in the identified technologies / application.

Inputs: IP addresses, ports, services, applications.

Outputs: listing of potential vulnerabilities.

Tools: interception proxy and scanners such as Skipfish, Burp, W3AF, ZAP…


Validation / Exploitation

Purpose: assign a confidence value and validate potential vulnerabilities. Have FUN!!

Inputs: listing of all potential vulnerabilities.

Outputs: listing of validated vulnerabilities and confidence rating values.

Tools: penetration testing (Metasploit, Core Impact, Canvas…), manual validation, ZAP, Burp...


Exploitation!

Pillaging.

Identification of previously unknown vulnerabilities through fuzzing.

Post exploitation and pivoting.

Iterative process, returning to mapping, discovery, exploitation...

The best hack is just logging in...

Tools: brain power


Why Automate?

Laziness ☺.

Consistent results over time.

Allows for scheduling and trending.

Embed into the dev/build process

Streamlined and more efficient.

Engineering a process that can be run and maintained by an operational group.

Allows the test team to concentrate on the areas that are not automated.
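An added example, not part of ZAP or of the talk, of the "automated security regression tests (headless)" use and the "embed into the dev/build process" point above: a build gate over the alerts a headless ZAP run produces. The input shape follows ZAP's API alert objects (for instance `GET /JSON/core/view/alerts/` returns `{"alerts": [...]}`) with the fields `risk`, `confidence`, `alert`, `url`, `param`, `pluginId` and `cweid`; the alerts below are constructed and the plugin IDs and URLs are illustrative. The gate deduplicates repeated findings, ignores low-confidence noise if asked to, and honours a baseline of findings already accepted, which is what keeps a scheduled scan from failing the build on the same known issue every night.

```javascript
// Build gate over ZAP alert output. Added example; not ZAP code.

var RISK_ORDER = { Informational: 0, Low: 1, Medium: 2, High: 3 };
var CONF_ORDER = { 'False Positive': 0, Low: 1, Medium: 2, High: 3, Confirmed: 4 };

// Constructed sample shaped like ZAP's API alert objects.
var sampleAlerts = [
  { pluginId: '40012', alert: 'Cross Site Scripting (Reflected)', risk: 'High', confidence: 'Medium',
    url: 'http://target.example/search', param: 'q', cweid: '79' },
  { pluginId: '10021', alert: 'X-Content-Type-Options Header Missing', risk: 'Low', confidence: 'Medium',
    url: 'http://target.example/', param: 'X-Content-Type-Options', cweid: '16' },
  { pluginId: '10021', alert: 'X-Content-Type-Options Header Missing', risk: 'Low', confidence: 'Medium',
    url: 'http://target.example/', param: 'X-Content-Type-Options', cweid: '16' },   // same finding, seen twice
  { pluginId: '10202', alert: 'Absence of Anti-CSRF Tokens', risk: 'Medium', confidence: 'Low',
    url: 'http://target.example/login', param: '', cweid: '352' }
];

// What counts as "the same finding" across runs: rule + URL + parameter.
function alertKey(a) {
  return a.pluginId + '|' + a.url + '|' + (a.param || '');
}

// opts.failOn: lowest risk that fails the build (default 'High').
// opts.minConfidence: alerts below this confidence are counted but never fail
//   the build (default 'Low', i.e. only ZAP's 'False Positive' is ignored).
// opts.baseline: alertKey() values of findings already accepted/tracked.
function gate(alerts, opts) {
  opts = opts || {};
  var failOn = RISK_ORDER[opts.failOn || 'High'];
  var minConfidence = CONF_ORDER[opts.minConfidence || 'Low'];
  if (failOn === undefined || minConfidence === undefined) {
    throw new Error('unknown failOn/minConfidence value');
  }
  var baseline = new Set(opts.baseline || []);
  var seen = new Set();
  var counts = { High: 0, Medium: 0, Low: 0, Informational: 0 };
  var failing = [];
  var suppressed = [];
  alerts.forEach(function (a) {
    if (!(a.risk in RISK_ORDER) || !(a.confidence in CONF_ORDER)) {
      throw new Error('unexpected risk/confidence on alert ' + a.pluginId);
    }
    var key = alertKey(a);
    if (seen.has(key)) { return; }               // duplicate of an earlier alert
    seen.add(key);
    counts[a.risk] += 1;
    if (RISK_ORDER[a.risk] < failOn || CONF_ORDER[a.confidence] < minConfidence) { return; }
    if (baseline.has(key)) { suppressed.push(key); return; }
    failing.push({ key: key, alert: a.alert, risk: a.risk, confidence: a.confidence, cweid: a.cweid });
  });
  return { passed: failing.length === 0, counts: counts, failing: failing, suppressed: suppressed };
}

// Local run: print the verdict. A CI wrapper would exit non-zero when
// verdict.passed is false so the pipeline stage fails.
if (typeof module !== 'undefined' && require.main === module) {
  var verdict = gate(sampleAlerts, { failOn: 'Medium', minConfidence: 'Medium' });
  console.log(JSON.stringify(verdict, null, 2));
}
```

Feed it the alert list from the API after the spider and active scan have finished, keep the baseline file under version control next to the application, and the gate becomes the trending input the slide mentions: the counts go to a dashboard, the failing list goes to the build log.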


Workflow

Methodology is broken down into modules.

Output from one is the input to the next.

Unfortunately most tools do not follow the methodology flow precisely, or may not allow for data extraction / sharing / integration between modules.

This means we must either run each tool multiple times with different configurations, or use a different tool for each module.


Demo Time

Conclusion

•ZAP is changing rapidly

•New features are being introduced which exceed the capabilities of other tools

•We're implementing functionality so that it can be reused in other tools

•It’s a community based tool – get involved!

•We want feedback - fill in the questionnaire! (linked off the ZAP homepage)

•Use ZAP to bust a cap in your web apps!

Questions?

https://www.owasp.org/index.php/ZAP

THANK YOU!

ADRIEN@INTRU-SHUN.CA

TWITTER @ADRIENDB

613 797-3912