The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Bust a cap in a web app with OWASP ZAP
Adrien de Beaupré
GSEC, GCIH, GPEN, GWAPT, GCIA, GXPN
ZAP Evangelist
Intru-Shun.ca Inc.
SANS Instructor, Penetration Tester, and Consultant
Adapted from slides written by Simon Bennetts (psiinon)
About me
• 32+, 22+, 14+ years
• Contributor to OSSTMM 3
• Contributor to Hacking Exposed, Linux 3rd Ed
• Contributor to SANS Incident Handling Guide
• Certified SANS Instructor; 503, 504, 542, 560
• ZAP, Nikto, Watcher, OSSAMS and other FOSS projects
• Black belt in Gōjū-ryū Okinawan karate
• The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
• It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
Statistics
• V 2.3.1 released in May 2014
• V 2.2.2 released in Sept 2013
• V 2.1.0 downloaded > 25K times
• Released September 2010, fork of Paros
• Translated into 20+ languages
• Over 50 translators
Ohloh Statistics
• Very High Activity
• The most active OWASP Project
• 29 active contributors
• 279 years of effort
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and Ajax Spiders
• WebSockets support
• Forced Browsing (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
Some Additional Features
• Auto tagging
• Port scanner
• Script Console
• Report generation
• Smart card support
• Contexts and scope
• Session management
• Invoke external apps
More new stuff
• New add-ons:
– Technology detection using Wappalyzer
– HTTPS Info
• New / updated Scan rules:
– Command injection
– Code injection
– Xpath injection
Even more new stuff
• New active scan targets and formats
– HTTP headers + Cookies
– Multipart Forms
– XML
– JSON
– Google Web Toolkit
– OData
• New features and improvements:
– OWTF - Zest support and ZAP integration
– Advanced access control testing and user access comparison
– Advanced Fuzzing
• OWTF - Zest support and ZAP integration
This project will improve integration between OWTF and external tools such as ZAP. This will be accomplished by adding features such as sending HTTP requests/Zest scripts from OWTF to third-party tools. Zest scripts will provide an automated mechanism to replicate exploitation of security vulnerabilities in a format that facilitates information exchange between external tools, which can then reproduce the same vulnerabilities in their own environment.
• Advanced access control testing and user access comparison
OWASP ZAP already has the capability to allow users to configure authentication methods, session management methods and Users for a web application in order to automate the authentication/re-authentication process during scans. This project aims to enhance ZAP’s capabilities by adding a set of access control testing features and tools.
• Advanced Fuzzing
Throughout this project the fuzzing tool of the OWASP ZAP Attack Proxy is going to be reworked to implement several features that have been requested by users. This involves the completion and clean up of the existing packages as well as the implementation of several new ones on top of that.
• SOAP web service scanning
The purpose of this project is to implement vulnerability scanning functionality for SOAP Web Services into the OWASP ZAP tool, since its current capabilities are very limited for these tasks.
Alberto
Scripting
• Previously just supported 'run now' scripts
• Scripting is now embedded into ZAP
• Different types of scripts
– Stand alone: as now
– Targeted: specify URLs to run against
– Active: run in Active scanner
– Passive: run in Passive scanner
– Proxy: run 'inline'
Zest - Overview
• An experimental scripting language
• Developed by Mozilla Security Team
• Free and open source (of course)
• Format: JSON – designed to be represented visually in security tools
• Tool independent – can be used in open and closed, free or commercial software
• Is included by default in ZAP from 2.2.0
• Will replace filters – Alessandro's project
Zest – Use cases
• Reporting vulnerabilities to companies
• Reporting vulnerabilities to developers
• Defining tool independent active and passive scan rules
How can you use ZAP?
• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests (headless)
• As a debugger
Methodology
Logistics and Planning
Open Source Information Gathering
Reconnaissance
Identification / Enumeration / Mapping
Research
Vulnerability Identification / Discovery
Validation / Exploitation
Reporting
Penetration Testing
Requires methodology AND creativity.
Requires performing a vulnerability assessment correctly first.
Finding alternate means to access functionality or data.
Finding alternate functionality.
Should be goal oriented.
There is no such thing as cheating in a pentest.
Identification / Enumeration / Mapping
Purpose: Gaining an understanding of the application and its underlying components / infrastructure / technologies.
Inputs: systems and applications known to be live/available.
Outputs: Application map, technology fingerprints.
Tools: Nmap, Nessus, ZAP, Burp, diagramming tool...
Vulnerability Identification / Discovery
Purpose: identify known or previously unknown vulnerabilities in the identified technologies / application.
Inputs: IP addresses, ports, services, applications.
Outputs: listing of potential vulnerabilities.
Tools: interception proxy and scanners such as Skipfish, Burp, W3AF, ZAP…
Validation / Exploitation
Purpose: assign a confidence value and validate potential vulnerabilities. Have FUN!!
Inputs: listing of all potential vulnerabilities.
Outputs: listing of validated vulnerabilities and confidence rating values.
Tools: penetration testing (Metasploit, Core Impact, Canvas…), manual validation, ZAP, Burp...
Exploitation!
Pillaging.
Identification of previously unknown vulnerabilities through fuzzing.
Post exploitation and pivoting.
Iterative process, returning to mapping, discovery, exploitation...
The best hack is just logging in...
Tools: brain power
Why Automate?
Laziness ☺.
Consistent results over time.
Allows for scheduling and trending.
Embed into the dev/build process.
Streamlined and more efficient.
Engineering a process that can be run and maintained by an operational group.
Allows the test team to concentrate on the areas that are not automated.
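The headless "automated security regression test" use case from the How-can-you-use-ZAP slide, embedded in a build as the Why Automate slide suggests. This is an added example, not code from the slides or the ZAP project; it assumes a ZAP daemon listening at ZAP_PROXY with the API key ZAP_API_KEY, the python-owasp-zap-v2.4 client (`zapv2`) installed, and a hypothetical application under test at TARGET. The build gate (`evaluate_alerts`) is separated from the ZAP-driving code so it can be unit tested on constructed alert data.

```python
"""Headless ZAP regression check: spider, active scan, then gate the build
on alert risk. Added example (not ZAP project code); assumes a running ZAP
daemon and ``pip install python-owasp-zap-v2.4``.
"""
import sys
import time
from collections import Counter

# Constructed settings for illustration; adjust to the environment under test.
ZAP_PROXY = "http://127.0.0.1:8080"   # ZAP daemon, e.g. started with -daemon
ZAP_API_KEY = "change-me"             # placeholder API key
TARGET = "http://localhost:3000"      # hypothetical application under test
FAIL_ON = ("High", "Medium")          # risk levels that fail the build


def evaluate_alerts(alerts, fail_on=FAIL_ON):
    """Summarise alerts by risk and decide whether the build passes.

    ``alerts`` is the list of dicts returned by ``zap.core.alerts()``; each has
    at least 'risk' (Informational/Low/Medium/High) and 'alert' (rule name).
    Returns (passed, counts_by_risk, sorted names of failing alerts).
    """
    counts = Counter(a.get("risk", "Informational") for a in alerts)
    failing = sorted({a["alert"] for a in alerts if a.get("risk") in fail_on})
    return (len(failing) == 0, dict(counts), failing)


def wait_for(status_fn, scan_id, poll=2):
    """Block until a ZAP spider/active scan reports 100 percent complete."""
    while int(status_fn(scan_id)) < 100:
        time.sleep(poll)


def run_regression(target=TARGET):
    """Drive ZAP headlessly through its REST API and return the alert list."""
    from zapv2 import ZAPv2  # imported here so the module loads without ZAP
    zap = ZAPv2(apikey=ZAP_API_KEY,
                proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    zap.urlopen(target)                                   # seed the site tree
    wait_for(zap.spider.status, zap.spider.scan(target))  # crawl
    wait_for(zap.ascan.status, zap.ascan.scan(target))    # active scan
    return zap.core.alerts(baseurl=target)


if __name__ == "__main__":
    passed, counts, failing = evaluate_alerts(run_regression())
    print("alerts by risk:", counts)
    for name in failing:
        print("FAIL:", name)
    sys.exit(0 if passed else 1)   # non-zero exit fails the build step
```

The same alert list can be fed to `zap.core.htmlreport()` for the Report generation feature listed earlier, so the gate and the human-readable report come from one scan.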
Workflow
Methodology is broken down into modules.
Output from one is the input to the next.
Unfortunately most tools do not follow the methodology flow precisely, or may not allow for data extraction / sharing / integration between modules.
Which means that either we must run each tool multiple times with different configurations, or different tools for each module.