Solved

OWASP ZAP get started

Posted on 2016-09-24
Last Modified: 2016-09-25
Dear Experts,

I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.

Getting started with ZAP seems very obscure.

1.
What is the difference between extensions and plugins?

2.
How can I see what has been sent and responded if alert indicates a vulnerability in Alerts?

    For example, after running ZAP on specific URL, there are:
        Alerts
            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...
    This short log makes no sense: what was a scenario of the attack?
    What was a full request and full response?

3.
Where can one see what happened behind a specific alert, history records? Which sort of attacks were conducted, which plugins were used?

4.
What is a content of plugin and their scenario?

5.
Zest scripts are included when I click the add-on menu. But where are they? How to see a specific one? How to edit it?


6.
What is "Fuzz Locations tab"? Where is it? Very obscure.
This term is found in Help/Fuzzer/Dialog

7. I am nearly sure that the site under my test has a certain Ruby buffer overflow vulnerability, but how can I prove it by including the vulnerability code into ZAP plugins (or find this plugin in the OWASP forum) and run the test?

Thank you.
0
Comment
Question by:Bitlab
3 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 41814455
Will be good that you check out the ZAP wiki. I included some in my inputs below.
https://github.com/zaproxy/zap-core-help/wiki/HelpIntro


1. Extensions are no longer available and have been replaced with add-ons. They are actually Java packages that extend the existing functionality within OWASP ZAP (via the "File / Load Add-on file..." menu option). https://github.com/zaproxy/zap-extensions/wiki/V1Extensions
The plugins typically refer to the capability coverage in each of the add-ons. For example, taking this structure example, you can define first the add-on introduced (like a scan engine) and the plugins coming with it (like active / passive scan rules & type enabled etc.) https://github.com/zaproxy/zap-extensions/wiki/AddOnStructure
However, these terms may be used quite loosely and interchangeably.


2/3/4. The reporting should have some info (Reports --> "Generate Alerts Report") and needs manual exporting of the traffic exchanges (Reports --> "Export Responses to Files"), hence not that straightforward. https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport

Ideally, the single report should include each alert's details and request/response for better appreciation. You may want to check out the BIRT report template:
https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT#Extending_OWASP_ZAP_with_new_reporting_module


5. From the ZAP info, it states that Zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the Mozilla security team and is intended to be used in web-oriented security tools. It is included by default with ZAP.
New Script Button
• Navigate to the Scripts tree tab
• Press the 'New Script...' button
• Type in a suitable name for your script in the 'New Script' dialog
• Select the script type (see the Scripts add-on help page for more details)
• Select the Zest script engine
• Select one of the templates (if relevant)
• Press the 'Save' button

Any type of Zest script can be created this way.
In short, it is a kind of scripting means to automate certain actions and form macro actions, analogous to the iMacros browser extension recording a user's interactive surfing and replaying it.


6. The Fuzz Locations tab is where it allows you to select the payload processors to use with all payload generators. In short, it just means this is where you can select or change the payload processors to use with specific payload generators, e.g. via location processor (select/change) -> payload processor (select/change) -> payload generator (raw traffic).
Built in payload processors include:
• Base64 Decode
• Base64 Encode
• Expand (to a minimum specified length)
• JavaScript Escape
• JavaScript Unescape
• MD5 Hash
• Postfix String
• Prefix String
• SHA-1 Hash
• SHA-256 Hash
• SHA-512 Hash
• Trim
• URL Decode
• URL Encode

7. ZAP has an active scan to surface buffer overflow, though not specific to Ruby. See the Active Scan extension and the list of its coverage:
https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/ascanrules

Since Ruby has that known vulnerability, maybe there are some specific inputs that can trigger it, and the fuzzer in ZAP, which lets you configure the specific payload, can be useful via the payload generators.
Payload generators generate the raw attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:
• File - select any local file for one off attacks
• File Fuzzers - select any combination of the fuzzing files registered with ZAP, eg via add-ons like fuzzdb
• Regex - generate attacks based on regex patterns
• Strings - raw strings, which can be entered manually or pasted in
• Script - custom scripts that can generate any payloads required

You can write custom payload generator scripts - these can supply any payloads that you need.
0
 
LVL 2

Author Comment

by:Bitlab
ID: 41815140
Btan, thank you for your work.

I have to rate it well, but because I feel I am rather at the beginning of the question than at the end of an answer, I will repost my follow-up in the step-2 question:

OWASP ZAP get started. Step 2.
0
 
LVL 2

Author Closing Comment

by:Bitlab
ID: 41815153
Thank you.
0
