DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Transcript of DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Join the conversation #DevSecCon
By Simon Bennetts
Scripting OWASP ZAP
The Plan
● Session 1: 2pm
  – Introduction
  – Standard Scripts (JavaScript, Python, Ruby)
  – Proxy and HTTP Sender Scripts
  – Passive and Active Scan rule Scripts
● Session 2: 3pm
  – Zest Scripts
  – Standalone and Targeted Scripts
The Plan
● Session 3: 4pm
  – How to use scripts in automation
  – How to add scripting support in add-ons (overview)
  – Authentication Scripts
  – More chance to write any or all of the above types
● Session 4: 5pm
  – Optional – keep writing scripts, ask more questions...
Competition Time!
● We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
● Can be anything useful – eg copies of existing scripts in different languages :)
● Anything useful will earn a ZAP Contributor sticker (max one per person)
● Lots of useful scripts will earn a ZAP T-shirt!
● Only valid for this workshop
Introduction – why do we need scripts?
● Advantages:
  – Quick to write and test
  – Full access to ZAP classes and data structures
  – No need for separate development environment
● Disadvantages:
  – Documentation could be (much) better
  – No auto complete
  – No sandbox – only run scripts you trust!
Introduction – What languages are supported?
● JavaScript – built in
● Python – optional add-on
● Ruby – optional add-on
● Zest – built in, macro language on steroids
● JSR 223 languages relatively easy to add
● Beanshell – optional, no longer really maintained
Script types (built in)
● Stand Alone
  – Run manually
● Targeted
  – Run manually against specified requests
● Proxy
  – Change proxied browser requests on the fly
● HTTP Sender
  – Change any request on the fly (proxy, spider, active scanner ...)
Script types (built in)
● Passive Scan Rule
  – Detect potential issues just by looking
● Active Scan Rule
  – Detect potential issues by attacking
● Authentication
  – Automatically login to sites
● Script Input Vector
  – Define exactly what ZAP will attack
Script types (add-ons)
● Fuzzer HTTP Processor
  – Called before and after HTTP messages are fuzzed
● Fuzzer Websocket Processor
  – Called before and after Websocket messages are fuzzed
● Payload Generator
  – Generate attacks to be used in the fuzzer
● Payload Processor
  – Change fuzzer payloads before they are used
● Sequence
  – Define sequences of requests to be attacked (alpha)
‘Standard’ Script languages
● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
  – Java 7 – Rhino
  – Java 8 – Nashorn
  – Can write to local filestore via Java classes
  – Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
● JavaScript Nashorn – supports loading scripts from files
  – https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
● Python – supports modules path
Useful links
● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Getting started
● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: “Hello world”
The tabs
● Scripts tab
  – Shows all of the scripts and templates
  – Allows you to select, add, remove, duplicate, enable, disable and save scripts
  – Icons show state – enabled / disabled, error and not saved
● Script Console tab
  – Top pane – edit scripts
  – Bottom pane – output and error messages
  – Run and Stop buttons – enabled when appropriate
  – Output pane buttons – control that pane
  – Right click for lots more options!
Proxy and HTTP Sender scripts
● Proxy Scripts
  – Only affect requests and responses proxied via a browser
● HTTP Sender Scripts
  – Affect all requests and responses (proxy, active scan, spider …)
  – Initiator param gives the component that initiated the request
  – Provides helper to make new requests
● Both
  – Must enable scripts before they will take effect
  – Will be disabled on error
Script parameter: HttpMessage - msg
● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
● Provides methods like
  – getRequestBody()
  – getRequestHeader()
  – getResponseBody()
  – getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy
Proxy and HTTP Sender scripts - examples
● Proxy Scripts
  – Replace in request or response body.js
  – Drop requests not in scope.js
  – Return fake response.js
● HTTP Sender Scripts
  – Alert in HTTP Response Code Errors.js
  – Alert on Unexpected Content Types.js
  – Capture and Replace Anti CSRF Token.js
Exercise – write Proxy &/ HTTP Sender scripts
Suggestions:
● Replace headers
● Auto redirect from one page to another
● Do different things based on content, eg:
  – Replace different content
  – Redirect to different pages
Passive and Active Rule scripts
● Passive Rule Scripts
  – Can only view requests and responses (should not change anything)
● Active Rule Scripts
  – Attack nodes or specific parameters
  – Can do pretty much anything you like :)
  – Must Enable Script Input Vectors
● Both
  – Can raise alerts
  – Must enable scripts before they will take effect
  – Will be disabled on error
Passive and Active Rule scripts - examples
● Passive Rule Scripts
  – Server Header Disclosure.js
  – Find emails.js
● Active Rule Scripts
  – User defined attacks.js
  – gof_lite.js
● Demo: testing passive and active rule scripts
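Added example (not one of the community scripts listed above): a passive rule script in the form ZAP's JavaScript engine expects, flagging a Server header that carries a product version via the scan(ps, msg, src) entry point and ps.raiseAlert(). The scanWithFakes helper and the fake HttpMessage/helper objects inside it are constructed stand-ins so the rule's logic can be exercised outside ZAP.

```javascript
// Passive scan rule script in the form ZAP's JavaScript (Nashorn) engine expects.
// It raises a Low-risk alert when the Server header reveals a product version.
// Added example; the fake objects below are constructed stand-ins, not ZAP classes.
var VERSION_RE = /^([A-Za-z][\w.-]*)\/(\d+(?:\.\d+)+)/;

// Returns {product, version} for headers such as "Apache/2.4.29 (Ubuntu)", else null.
function findVersionDisclosure(serverHeader) {
  if (!serverHeader) return null;
  var m = VERSION_RE.exec(String(serverHeader).trim());
  return m ? { product: m[1], version: m[2] } : null;
}

// ZAP entry point: ps is the passive script helper, msg the HttpMessage, src the parsed HTML.
function scan(ps, msg, src) {
  var server = msg.getResponseHeader().getHeader("Server");
  var found = findVersionDisclosure(server);
  if (!found) return;
  ps.raiseAlert(
    1,  // risk: Low
    2,  // confidence: Medium
    "Server header version disclosure (script)",
    "The Server header reveals " + found.product + " version " + found.version + ".",
    msg.getRequestHeader().getURI().toString(),
    "", // param
    "", // attack
    "", // other info
    "Configure the web server to omit the version from the Server header.",
    server, // evidence
    200, // CWE-200: Information Exposure
    13,  // WASC-13: Information Leakage
    msg);
}

// Runs scan() against a constructed HttpMessage/helper pair so the rule can be
// exercised outside ZAP; returns the argument lists passed to raiseAlert().
function scanWithFakes(uri, serverHeader) {
  var alerts = [];
  var msg = {
    getResponseHeader: function () {
      return { getHeader: function (n) { return n === "Server" ? serverHeader : null; } };
    },
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return uri; } }; } };
    }
  };
  var ps = { raiseAlert: function () { alerts.push(Array.prototype.slice.call(arguments)); } };
  scan(ps, msg, null);
  return alerts;
}
```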
Passive and Active Rule links
● Hacking ZAP Blog posts
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
● Java code
  – https://github.com/zaproxy/zap-extensions
  – master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
  – beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
  – alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha
Variables (all script types)
● Global Variables
  – Variables can be shared between all scripts
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
● Script Variables
  – Variables can be shared between separate invocations of the same script
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(
        this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(
        this.context, "var.name")
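Added example, not from the page or the community-scripts repo, that ties the HTTP Sender slide (its "Capture and Replace Anti CSRF Token" entry) to the variables slide: an HTTP Sender script that captures an anti-CSRF token from responses into a ScriptVars global and rewrites it into later request bodies. The field name csrftoken, the HTML it parses and the bodies it rewrites are constructed assumptions; the plain-object fallback for ScriptVars exists only so the script also runs outside ZAP.

```javascript
// HTTP Sender script in the form ZAP's JavaScript engine expects: every request ZAP
// sends (proxy, spider, scanner ...) passes through sendingRequest/responseReceived.
// Added example; the field name "csrftoken" and the HTML/bodies are constructed.
var TOKEN_NAME = "csrftoken";   // assumed name of the anti-CSRF form field
var VAR_KEY = "csrf.token";     // ScriptVars key, visible to every other script too
var TOKEN_RE = new RegExp('name="' + TOKEN_NAME + '"\\s+value="([^"]+)"');

// ScriptVars as ZAP exposes it to scripts; a plain-object fallback stands in when
// the "org" Java package root is absent (i.e. when run outside ZAP, e.g. under Node).
var vars = (typeof org !== "undefined")
  ? org.zaproxy.zap.extension.script.ScriptVars
  : (function () {
      var store = {};
      return {
        setGlobalVar: function (k, v) { store[k] = v; },
        getGlobalVar: function (k) { return store[k] === undefined ? null : store[k]; }
      };
    })();

// Pull the token value out of an HTML form; null when the field is not present.
function extractToken(html) {
  var m = TOKEN_RE.exec(html);
  return m ? m[1] : null;
}

// Swap the token value in a urlencoded body; the body is returned unchanged if absent.
function replaceToken(body, token) {
  var re = new RegExp("(^|&)" + TOKEN_NAME + "=[^&]*");
  return body.replace(re, "$1" + TOKEN_NAME + "=" + encodeURIComponent(token));
}

// ZAP calls this for every response; keep the freshest token in a global variable.
function responseReceived(msg, initiator, helper) {
  var token = extractToken(msg.getResponseBody().toString());
  if (token) vars.setGlobalVar(VAR_KEY, token);
}

// ZAP calls this before every request; replace a stale token and fix Content-Length.
function sendingRequest(msg, initiator, helper) {
  var token = vars.getGlobalVar(VAR_KEY);
  if (!token) return;
  var body = msg.getRequestBody().toString();
  var updated = replaceToken(body, token);
  if (updated !== body) {
    msg.getRequestBody().setBody(updated);
    msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  }
}
```

Under the proxy and spider the request body is the one the browser or crawler built, so this only helps when a captured token is newer than the one already in the request; ZAP's built-in anti-CSRF handling covers the common case without a script.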
Exercise – write Passive &/ Active Rule scripts
Suggestions:
● Rewrite existing java rules (see previous links)
● Alert on anything that ZAP doesn’t currently find :)
Zest Scripts
● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format – JSON :O
● Intended to be ‘written’ graphically
● It’s tool independent (no access to ZAP internals)
● Demo: “Hello world”
Zest Scripts - creating
● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt
Zest Scripts - editing
● Double click to edit nodes
● Right click:
  – Add and delete nodes
  – Delete nodes
  – Surround with loops, conditionals
  – Cut, copy and paste
  – Comment
  – Move up / down
● Drag and drop
● Selecting and adding requests
Zest Scripts – statement types
● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next
Zest Scripts – hidden extras
● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert
Zest Scripts – client side
● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video …
Exercise – write Zest scripts
Suggestions:
● Passive script – alert on the presence of 2 strings
● Rewrite a script you’ve just written in another language
● Rewrite one of the existing a/pscan rules
● Record a script and start changing it
Standalone and Targeted scripts
● Both run ‘on-demand’ only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, eg:
  – Sites tree
  – History
  – Other extensions
Standalone and Targeted scripts - examples
● Standalone Scripts
  – loop through history table.js
  – traverse sites tree.js
  – domainFinder.js
  – window_creation_template.js
● Targeted Scripts
  – Resend as a GET request.zst
  – Find HTML comments.js
Exercise – Standalone and Targeted scripts
Suggestions:
● Count number of static vs dynamic pages
● Detect authentication, registration and password changing? (1, 2 and 3 password fields)
Scripts in Automation – set via cmd line
-config script.scripts\(0\).name="Remove STS"
-config script.scripts\(0\).engine="Mozilla Zest"
-config script.scripts\(0\).type=proxy
-config script.scripts\(0\).enabled=true
-config script.scripts\(0\).file="/scripts/Remove STS.zst"
-config script.scripts\(1\).name="Another one..."
Scripts in Automation – set via API
zap.script.load("Remove STS", "proxy", "Mozilla Zest",
    "/scripts/Remove STS.zst")
zap.script.enable("Remove STS")
● Pro Tip: Configure in the UI, look at what’s set in config.xml ;)
Adding script support in add-ons
● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:
    // Look up the core scripting extension, then register the new type under
    // its own name (shown in the Scripts tree with the given i18n label and icon)
    ExtensionScript extensionScript = Control.getSingleton()
            .getExtensionLoader().getExtension(ExtensionScript.class);
    extensionScript.registerScriptType(new ScriptType(
            "newname", "i18nKey", icon, true, true));
Adding script support in add-ons
● Use the enabled scripts:
    ExtensionScript extensionScript = Control.getSingleton()
            .getExtensionLoader().getExtension(ExtensionScript.class);
    // All scripts registered under the type name used above, enabled or not
    List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
    for (ScriptWrapper script : scripts) {
        try {
            if (script.isEnabled()) {
                // Compiles the script and returns null if it does not implement MyScript
                MyScript s = extensionScript.getInterface(script, MyScript.class);
                if (s != null) {
                    // Do something with it...
                }
            }
        } catch (Exception e) {
            // Reports the error in the Script Console and disables the script,
            // as the built-in script types do
            extensionScript.handleScriptException(script, e);
        }
    }
Authentication Scripts
● For when simple form based auth isn’t enough
● Need to configure context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ
Exercise – Authentication scripts
Suggestions:
● Authenticate against any vulnerable app you have installed
Many thanks
PRs always appreciated ;)