Solved

OWASP ZAP get started

Posted on 2016-09-24
3
73 Views
Last Modified: 2016-09-25
Dear Experts.

I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.

Getting started with ZAP seems very obscure.

1.
What is the difference between extensitons and plugins?

2.
How can I see what has been sent and responded if alert indicates a vulnerability in Alerts?

    For example, after running ZAP on specific URL, there are:
        Alerts
            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...
    This short log makes no sense: what was a scenario of the attack?
    What was a full request and full response?

3.
Where one can see what happened behind specific alert, history records? Which sort of atacks were conducted, which plugins were used.

4.
What is a content of plugin and their scenario?

5.
Zest script are included when to click add-on menu. But were are they? How to see a specific one? How to edit it?


6.
What is "Fuzz Locations tab"? Where is it? Very obscure.
This term is found in Help/Fuzzer/Dialog

7. I am nearly sure that the site under my test has certain Ruby bufferoverflow vulnerability, but how can I prove it by including
the vulnerability code into ZAP plugins ( or find this plugin in OWASP forum ) and run the test?

Thank you.
0
Comment
Question by:Bitlab
  • 2
3 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 41814455
Will be good that you check out the ZAP wiki. I included some in my inputs below.
https://github.com/zaproxy/zap-core-help/wiki/HelpIntro


1. Extension is no longer available and replaced with adds on. They are actually Java packages that extend the existing functionality within OWASP ZAP (via "File / Load Add-on file..." menu option). https://github.com/zaproxy/zap-extensions/wiki/V1Extensions
The Plugins are typically referring to the capability coverage in each of the adds on. For example, taking this structure example, you can define first the adds on introduced (like a scan engine) and its plugins coming with it (like active / passive scan rules & type enabled etc)  https://github.com/zaproxy/zap-extensions/wiki/AddOnStructure
However, these term may be used quite loosely and interchangeably.


2/3/4.  The reporting should have some info (reports-->"Generate Alerts Report") and need to have manual exporting of the traffic exchanges (reports-->"Export Responses to Files") hence not that straightforward. https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport

Ideally, the single report should include each alerts details and request/response for better appreciation. You may want to check out BIRT report template
https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT#Extending_OWASP_ZAP_with_new_reporting_module


5. From ZAP info, it stated Zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the Mozilla security team and is intended to be used in web oriented security tools. It is included by default with ZAP.
New Script Button
• Navigate to the Scripts tree tab
• Press the 'New Script...' button
• Type in a suitable name for your script in the 'New Script' dialog
• Select the script type (see the Scripts add-on help page for more details)
• Select the Zest script engine
• Select one of the templates (if relevant)
• Press the 'Save' button

Any type of Zest script can be created this way.
In short, it is kind of scripting means to automate certain action - and form a macro actions analogous to iMacro extension to web browser recording user surfing interactive and replay it ..


6. Fuzz location is where it allows you to select the payload processors to use with all payload generators. In short, it just means to say this is where you can select or change the payload processors to use with specific payload generators - e.g. via location processor (select/change) -> payload processor (select/change) -> payload generator (raw traffic)
Built in payload processors include:
• Base64 Decode
• Base64 Encode
• Expand (to a minimum specified length)
• JavaScript Escape
• JavaScript Unescape
• MD5 Hash
• Postfix String
• Prefix String
• SHA-1 Hash
• SHA-256 Hash
• SHA-512 Hash
• Trim
• URL Decode
• URL Encode
7. ZAP has active scan to surface buffer overflow though not specific to Ruby. See the Active Scan extension - see the list of its coverage
https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/ascanrules

Since ruby has that known vulnerability, maybe there may be some specific inputs that can trigger it and the fuzzer in ZAP for you to configure the specific payload can be useful via the
Payload generators generate the raw attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:
• File - select any local file for one off attacks
• File Fuzzers - select any combination of the fuzzing files registered with ZAP, eg via add-ons like fuzzdb
• Regex - generate attacks based on regex patterns
• Strings - raw strings, which can be entered manually ir pasted in
• Script - custom scripts that can generate any payloads required

You can write custom payload generator scripts - these can supply any payloads that you need.
0
 
LVL 2

Author Comment

by:Bitlab
ID: 41815140
Btan, thank you for your work.

I have to rate it well, but because I feel I am rather at the beginning of the question, than to the end of an answer, I will repost my follow up in the step-2 question:

OWASP ZAP get started. Step 2.
0
 
LVL 2

Author Closing Comment

by:Bitlab
ID: 41815153
Thank you.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now