OWASP Zed Attack Proxy FADI ABDULWAHAB FABDULWAHAB.COM

Page 1: OWASP Zed Attack Proxy

OWASP Zed Attack Proxy FADI ABDULWAHAB FABDULWAHAB.COM

Page 2: OWASP Zed Attack Proxy

Overview

- https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Pen testing tool for web applications
- Easy to install (requires Java as a prerequisite)
- Free and open source (worldwide contributions)
- Ideal for beginners and professionals
- Supports automation
- Cross platform (Windows, Linux and Mac)
- Fully documented and integrated with other tools

Page 3: OWASP Zed Attack Proxy

Overview

- Intercepting tool
- Active/passive scanning
- Spider to crawl the site (also supports an Ajax spider for JavaScript-heavy applications)
- Report generation with useful information and recommendations
- Brute force (based on the OWASP DirBuster tool) https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
  - Now included in the ZAP Marketplace as a ZAP add-on rather than as a stand-alone tool, for brute forcing directory and file names on web/application servers
- Fuzzing (using fuzzdb and OWASP JBroFuzz) https://github.com/fuzzdb-project/fuzzdb https://www.owasp.org/index.php/JBroFuzz

Page 4: OWASP Zed Attack Proxy

Overview

- Auto tagging (hidden fields, cookies, ...)
- Port scanning
- Parameter analysis
- WebSocket support (e.g. http://browserquest.mozilla.org/)
- HTTP session support
- REST API (Tools >> Browse API)
- Dynamic SSL certificates: generates a root certificate to import into browsers
- Anti-CSRF token support
- Framework for other tools

Page 5: OWASP Zed Attack Proxy

Overview

- Quick Test: no authentication; the spider does not cover everything
- Add extensions/updates via the Marketplace (add-ons)
- Debug and breakpoints
- Supports Contexts (scopes): exclude/include URLs, authentication
- Modes: Safe (passive), Protected (within scope) and Standard
- You can scan a subtree only

Page 6: OWASP Zed Attack Proxy

Overview

- You can write Java or Python code
- ZAP is embedded into ThreadFix (Denim Group) and Minion (Mozilla)
- Integrated with Firefox via Plug-n-Hack
- Intercepts client-side GET/POST requests
- Uses less memory and has minimal false-positive risk

Page 7: OWASP Zed Attack Proxy

Installation and Configuration

1. Download it
2. Install it
3. Configure the browser proxy (local proxy)
4. Run ZAP
5. Browse your application manually (no one knows the application's functionality like you do)
6. Use the spider to find more hidden content (besides manual browsing, also look for logic tests)
7. Run attacks to find vulnerabilities

Page 8: OWASP Zed Attack Proxy

Initial Setup

- Configure the proxy (Options >> Local Proxy...)
- Import the SSL certificate (.cer) into your browser's certificate manager if you need to intercept SSL websites (Options >> Dynamic SSL...); in Chrome: chrome://settings/search#ssl
- Open the Sites tab to view resources that have been visited
- Check Request/Response
- Vulnerable site for practice: https://github.com/psiinon/bodgeit

Page 9: OWASP Zed Attack Proxy

Security Testing in Dev and QA

- Consider security in all phases of the project
- It is a risk to postpone this testing to the end of the project lifecycle
- The most important phases are Dev and QA
- Besides functional testing, also bring ZAP in for security testing
- Security regression tests: https://github.com/zaproxy/zaproxy/wiki/SecRegTests
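As an added example (not from the presentation or the ZAP project), the Dev/QA regression run described above scripted in Python against ZAP's REST API (Tools >> Browse API): spider the target, active scan it, then fail the build if any alert reaches the chosen risk level. The ZAP address, the API key value, the target URL and the sample alerts are assumptions; the endpoint names are ZAP's own.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"             # assumption: ZAP local proxy/API address
API_KEY = "REPLACE_WITH_ZAP_API_KEY"      # placeholder: set under Options >> API in ZAP
TARGET = "http://localhost:8081/bodgeit/"  # assumption: a local BodgeIt instance
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed sample of what core/view/alerts returns, so the gate can be tried offline.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": TARGET + "search.jsp"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": TARGET},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": TARGET + "login.jsp"},
]

def zap_get(component, kind, name, params, opener=urllib.request.urlopen):
    """Call one ZAP JSON API endpoint, e.g. /JSON/spider/action/scan/, and decode the body."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    with opener(f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}") as resp:
        return json.load(resp)

def wait_for(component, scan_id, poll_seconds=2):
    """Block until the spider or active scan (ascan) reports 100% progress."""
    while int(zap_get(component, "view", "status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll_seconds)

def failing_alerts(alerts, min_risk="High"):
    """Alerts at or above min_risk; these are the ones that fail the regression run."""
    floor = RISK_ORDER.index(min_risk)
    return [a for a in alerts if RISK_ORDER.index(a["risk"]) >= floor]

def run_regression(target=TARGET, min_risk="High"):
    """Spider, active scan, then gate on the alerts: the Dev/QA security regression run."""
    spider_id = zap_get("spider", "action", "scan", {"url": target})["scan"]
    wait_for("spider", spider_id)
    ascan_id = zap_get("ascan", "action", "scan", {"url": target})["scan"]
    wait_for("ascan", ascan_id)
    alerts = zap_get("core", "view", "alerts", {"baseurl": target})["alerts"]
    return failing_alerts(alerts, min_risk)

if __name__ == "__main__":
    found = run_regression()
    for a in found:
        print(a["risk"], a["alert"], a["url"])
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI job
```

Run it with ZAP started and the target deployed; lowering `min_risk` to "Medium" makes the gate stricter as the application matures.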

Page 10: OWASP Zed Attack Proxy

Security Testing in Dev and QA

Page 11: OWASP Zed Attack Proxy

Authentication

- Context: a set of URLs grouped together; good for categorising your web applications
- Session management: cookie based or HTTP header based
- Authentication methods: form, HTTP header or OAuth authentication
- User management: define users and map them to HTTP sessions

Page 12: OWASP Zed Attack Proxy

HTTP Sessions

- Browse your site with different accounts
- All sessions are recorded in the HTTP Sessions tab
- You can switch between them using "Set as active"
- Refresh the page after switching the session
- Flag the login page (username, password, and indicators for login and logout)
- Then click resend

Page 13: OWASP Zed Attack Proxy

HTTP Sessions

Demo:
1. Browse the site anonymously
2. Log in from the browser
3. Go to the login page and flag it as Context
4. Define username and password
5. Create users
6. Spider the site as the user

Page 14: OWASP Zed Attack Proxy

HTTP Sessions

- This forces ZAP to log in again
- Try to resend a page after removing the session cookie from the header
- You can add a session manually

Page 15: OWASP Zed Attack Proxy

HTTP Sessions

- With an Ajax site, the session may not be recorded; you can identify it manually
- Right click and Flag as Session Token
- Right click and make it active
- Then log out from the site and log in again
- Sometimes you need to exclude the logout page to avoid session termination

Page 16: OWASP Zed Attack Proxy

Attacks and Attacks Strength

You can control the attacks and the attack strength.

Page 17: OWASP Zed Attack Proxy

Statistics – ZAP Innovations

- Released September 2010
- ZAP 2.4.3 (current version)
- v2.1 downloaded more than 25k times
- Translated into 20+ languages
- Most active OWASP project
- 28 active contributors

Page 18: OWASP Zed Attack Proxy

Zest

- Scripting language developed by the Mozilla team
- Free and open source
- Represented as JSON
- Included with ZAP from 2.0

Page 19: OWASP Zed Attack Proxy

Fuzzing

- Highlight the text (user input/parameters)
- Select a Fuzz category
- Run it and view the result in the browser
- You can use multiple fuzz payloads

Page 20: OWASP Zed Attack Proxy

Injection

- Highlight the found text
- You can get information from failed requests
- Also use your own patterns

Page 21: OWASP Zed Attack Proxy

Hashing and New UI

- Hashing: included with ZAP
- New UI: hide or show all tabs (also advanced options)
- You can add notes and use filters in the History tab
- Persistent session to resume your work
- Define a scan policy to control the attacks

Don't stick with one tool; use more, because each one has its advantages.