Bust a cap in a web app with ZAP - from Simon
The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Bust a cap in a web app with OWASP ZAP
Adrien de Beaupré
GSEC, GCIH, GPEN, GWAPT, GCIA, GXPN
ZAP Evangelist
Intru-Shun.ca Inc.
SANS Instructor, Penetration Tester, and Consultant
Adapted from slides written by Simon Bennetts (psiinon)
About me
32+, 22+, 14+ years
Contributor to OSSTMM 3
Contributor to Hacking Exposed, Linux 3rd Ed
Contributor to SANS Incident Handling Guide
Certified SANS Instructor; 503, 504, 542, 560
ZAP, Nikto, Watcher, OSSAMS and other FOSS projects
Black belt in Gōjū-ryū Okinawan karate
©2013 Intru-Shun.ca Inc.
• The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
• It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Why use ZAP?
What is ZAP?
•An easy to use webapp pentest tool
•Completely free and open source
•An OWASP flagship project
•Ideal for beginners
•But also used by professionals
•Ideal for devs, esp. for automated security tests
•Becoming a framework for advanced testing
•Included in all major security distributions
•Not a silver bullet!
ZAP Principles
•Free, Open source
•Involvement actively encouraged
•Cross platform
•Easy to use
•Easy to install
•Internationalized
•Fully documented
•Work well with other tools
•Reuse well regarded components
Statistics
•V 2.3.1 released in May 2014
•V 2.2.2 released in Sept 2013
•V 2.1.0 downloaded > 25K times
•Released September 2010, fork of Paros
•Translated into 20+ languages
•Over 50 translators
•Paros code: ~20% ZAP Code: ~80%
Ohloh Statistics
•Very High Activity
•The most active OWASP Project
•29 active contributors
•279 years of effort
•Source: http://www.ohloh.net/p/zaproxy
The Main Features
All the essentials for web application testing
•Intercepting Proxy
•Active and Passive Scanners
•Traditional and Ajax Spiders
•WebSockets support
•Forced Browsing (using OWASP DirBuster code)
•Fuzzing (using fuzzdb & OWASP JBroFuzz)
•Online Add-ons Marketplace
Some Additional Features
•Auto tagging
•Port scanner
•Script Console
•Report generation
•Smart card support
•Contexts and scope
•Session management
•Invoke external apps
•Dynamic SSL Certificates
More new stuff
•New add-ons:
– Technology detection using Wappalyzer
– HTTPS Info
•New / updated Scan rules:
– Command injection
– Code injection
– Xpath injection
– SQL injection (inc a port of SQLMap core)
Even more new stuff
•New active scan targets and formats
– HTTP headers + Cookies
– Multipart Forms
– XML
– JSON
– Google Web Toolkit
– OData
•New features and improvements:
– OWTF - Zest support and ZAP integration
– Advanced access control testing and user access comparison
– Advanced Fuzzing
– SOAP web service scanning
•OWTF - Zest support and ZAP integration
This project will improve integration between OWTF and external tools such as ZAP. This will be accomplished by adding features such as sending HTTP requests and Zest scripts from OWTF to third-party tools. Zest scripts will provide an automated mechanism to replicate exploitation of security vulnerabilities in a format that facilitates information exchange between external tools, which can then reproduce the same vulnerabilities in their own environment.
Deep Shah
•Advanced access control testing and user access comparison
OWASP ZAP already has the capability to allow users to configure authentication methods, session management methods and Users for a web-application in order to automate the authentication/re-authentication process during scans. This project aims to enhance ZAP’s capabilities by adding a set of access control testing features and tools.
Cosmin Stefan
•Advanced Fuzzing
Throughout this project the fuzzing tool of the OWASP ZAP Attack Proxy is going to be reworked to implement several features that have been requested by users. This involves the completion and clean-up of the existing packages as well as the implementation of several new ones on top of that.
Sebastian Schulze
•SOAP web service scanning
The purpose of this project is to implement vulnerability scanning functionality for SOAP Web Services in the OWASP ZAP tool, since its current capabilities for this task are very limited.
Alberto
Scripting
•Previously just supported 'run now' scripts
•Scripting is now embedded into ZAP
•Different types of scripts
– Stand alone: as now
– Targeted: specify URLs to run against
– Active: run in the Active scanner
– Passive: run in the Passive scanner
– Proxy: run 'inline'
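To make the script types concrete, here is an added example (not from the slides or the ZAP project) of a Passive-type script: it runs once per proxied response and raises an alert when an HTML response lacks defensive headers. ZAP scripts can be written in JavaScript or, via the Jython add-on, in Python; the `scan(ps, msg, src)` entry point, `ps.raiseAlert(...)` argument order and `msg.getResponseHeader().getHeader(...)` calls follow ZAP's passive-scan script template as I understand it and should be treated as assumptions. The fake message and recording scanner at the bottom are a constructed harness so the script can be exercised outside ZAP.

```python
# Passive scan script flagging HTML responses that lack defensive headers.
# API assumption: ZAP calls scan(ps, msg, src) for every response; ps.raiseAlert
# takes (risk, confidence, name, description, url, param, attack, otherInfo,
# solution, evidence, cweId, wascId, msg). Risk 1 = Low, confidence 2 = Medium.

REQUIRED_HEADERS = {
    "X-Frame-Options": "Clickjacking protection header missing",
    "Content-Security-Policy": "Content Security Policy header missing",
    "Strict-Transport-Security": "HSTS header missing on an HTTPS response",
}


def scan(ps, msg, src):
    """Entry point ZAP invokes for each response when the script is enabled as a passive rule."""
    header = msg.getResponseHeader()
    url = msg.getRequestHeader().getURI().toString()
    # Only HTML documents are expected to carry these headers; skip JSON, images, etc.
    content_type = header.getHeader("Content-Type") or ""
    if "text/html" not in content_type:
        return
    for name, description in REQUIRED_HEADERS.items():
        # HSTS is only meaningful on HTTPS responses.
        if name == "Strict-Transport-Security" and not url.startswith("https://"):
            continue
        if header.getHeader(name) is None:
            ps.raiseAlert(
                1, 2,
                "Missing " + name + " header",
                description,
                url,
                "",        # param
                "",        # attack
                "",        # otherInfo
                "Set the " + name + " response header.",
                "",        # evidence
                0, 0,      # cweId / wascId not set in this example
                msg,
            )


# ---- Constructed harness standing in for ZAP's Java objects (not part of ZAP) ----

class _Headers:
    def __init__(self, fields):
        self._fields = {k.lower(): v for k, v in fields.items()}

    def getHeader(self, name):
        return self._fields.get(name.lower())


class _URI:
    def __init__(self, url):
        self._url = url

    def toString(self):
        return self._url


class _RequestHeader:
    def __init__(self, url):
        self._uri = _URI(url)

    def getURI(self):
        return self._uri


class FakeMessage:
    """Minimal stand-in for ZAP's HttpMessage."""
    def __init__(self, url, response_headers):
        self._req = _RequestHeader(url)
        self._resp = _Headers(response_headers)

    def getRequestHeader(self):
        return self._req

    def getResponseHeader(self):
        return self._resp


class RecordingScanner:
    """Stand-in for the passive-scan helper; records alert names instead of raising them."""
    def __init__(self):
        self.alerts = []

    def raiseAlert(self, *args):
        self.alerts.append(args[2])


def run_sample():
    """Run the script over two constructed responses and return the alert names raised."""
    ps = RecordingScanner()
    scan(ps, FakeMessage("https://app.example/", {"Content-Type": "text/html", "X-Frame-Options": "DENY"}), None)
    scan(ps, FakeMessage("http://app.example/api", {"Content-Type": "application/json"}), None)
    return ps.alerts


if __name__ == "__main__":
    for name in run_sample():
        print(name)
```

Inside ZAP only `scan` matters; the harness classes exist so the rule's logic can be unit-tested before it is loaded into the proxy.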
Zest - Overview
•An experimental scripting language
•Developed by Mozilla Security Team
•Free and open source (of course)
•Format: JSON – designed to be represented visually in security tools
•Tool independent – can be used in open and closed, free or commercial software
•Is included by default in ZAP from 2.2.0
•Will replace filters – Alessandro's project
Zest – Use cases
•Reporting vulnerabilities to companies
•Reporting vulnerabilities to developers
•Defining tool independent active and passive scan rules
•Deep integration with security tools
How can you use ZAP?
•Point and shoot – the Quick Start tab
•Proxying via ZAP, and then scanning
•Manual pentesting
•Automated security regression tests (headless)
•As a debugger
•As part of a larger security program
Methodology
Logistics and Planning
Open Source Information Gathering
Reconnaissance
Identification / Enumeration / Mapping
Research
Vulnerability Identification / Discovery
Validation / Exploitation
Reporting
Penetration Testing
Requires methodology AND creativity.
Requires performing a vulnerability assessment correctly first.
Finding alternate means to access functionality or data.
Finding alternate functionality.
Should be goal oriented.
There is no such thing as cheating in a pentest.
Identification / Enumeration / Mapping
Purpose: Gaining an understanding of the application and its underlying components / infrastructure / technologies.
Inputs: systems and applications known to be live/available.
Outputs: Application map, technology fingerprints.
Tools: Nmap, Nessus, ZAP, Burp, diagramming tool...
Vulnerability Identification / Discovery
Purpose: identify known or previously unknown vulnerabilities in the identified technologies / application.
Inputs: IP addresses, ports, services, applications.
Outputs: listing of potential vulnerabilities.
Tools: interception proxy and scanners such as Skipfish, Burp, W3AF, ZAP…
Validation / Exploitation
Purpose: assign a confidence value and validate potential vulnerabilities. Have FUN!!
Inputs: listing of all potential vulnerabilities.
Outputs: listing of validated vulnerabilities and confidence rating values.
Tools: penetration testing (Metasploit, Core Impact, Canvas…), manual validation, ZAP, Burp...
Exploitation!
Pillaging.
Identification of previously unknown vulnerabilities through fuzzing.
Post exploitation and pivoting.
Iterative process, returning to mapping, discovery, exploitation...
The best hack is just logging in...
Tools: brain power
Why Automate?
Laziness ☺.
Consistent results over time.
Allows for scheduling and trending.
Embed into the dev/build process
Streamlined and more efficient.
Engineering a process that can be run and maintained by an operational group.
Allows the test team to concentrate on the areas that are not automated.
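The "Automated security regression tests (headless)" use and the "Why Automate?" slide both come down to one mechanism: a build step that takes the alerts a headless ZAP run produced, compares them with the previous run, and fails on new findings above a chosen risk level. The following is an added example in Python (not from the slides or the ZAP project) of that gate. The record shape (alert / risk / confidence / url / param) mirrors the fields I understand the ZAP API's core/view/alerts call to return; the key names are an assumption, the alert list and baseline are constructed, and retrieving the alerts from a running ZAP is not shown.

```python
"""Build gate over ZAP alert records: fail on new findings at or above a risk
level and report trends against a stored baseline."""
import json
from collections import Counter

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts; key names assumed to match ZAP's core/view/alerts output.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://app.example/", "param": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://app.example/login", "param": ""},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.example/search", "param": "q"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://app.example/login", "param": "JSESSIONID"},
]

# Constructed baseline from the previous run: the finding on / was already known and accepted.
SAMPLE_BASELINE = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://app.example/", "param": ""},
]


def alert_key(a):
    """Identity of a finding: same rule, same URL, same parameter."""
    return (a["alert"], a["url"], a.get("param", ""))


def summarize(alerts):
    """Count findings per risk level after de-duplicating by alert_key (for trending)."""
    unique = {alert_key(a): a for a in alerts}
    return Counter(a["risk"] for a in unique.values())


def new_findings(alerts, baseline):
    """Findings absent from the baseline, i.e. regressions since the last run."""
    known = {alert_key(b) for b in baseline}
    seen = set()
    out = []
    for a in alerts:
        k = alert_key(a)
        if k in known or k in seen:
            continue
        seen.add(k)
        out.append(a)
    return out


def gate(alerts, baseline, fail_at="High"):
    """Return (passed, regressions); passed is False if any regression is at or above fail_at."""
    regressions = new_findings(alerts, baseline)
    threshold = RISK_ORDER[fail_at]
    passed = all(RISK_ORDER[a["risk"]] < threshold for a in regressions)
    return passed, regressions


if __name__ == "__main__":
    ok, regs = gate(SAMPLE_ALERTS, SAMPLE_BASELINE)
    print(json.dumps(summarize(SAMPLE_ALERTS)))
    for a in regs:
        print("NEW %-6s %s at %s param=%r" % (a["risk"], a["alert"], a["url"], a["param"]))
    raise SystemExit(0 if ok else 1)
```

In a pipeline the baseline is the previous run's alert list checked into the repository or stored by the CI server; accepting a finding means adding it to the baseline, so the gate only ever complains about what changed, and the per-risk counts from `summarize` are what you plot for trending.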
Workflow
Methodology is broken down into modules.
Output from one is the input to the next.
Unfortunately most tools do not follow the methodology flow precisely, or may not allow for data extraction / sharing / integration between modules.
Which means that either we must run each tool multiple times with different configurations, or different tools for each module.
Demo Time
Conclusion
•ZAP is changing rapidly
•New features are being introduced which exceed the capabilities of other tools
•We're implementing functionality so that it can be reused in other tools
•It’s a community based tool – get involved!
•We want feedback - fill in the Questionnaire! (linked off the ZAP homepage)
•Use ZAP to bust a cap in your web apps!
Questions?
https://www.owasp.org/index.php/ZAP