
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 192

OWASP ZAP get started. Step 2.

This is a follow up to question after viewing OWASP ZAP get started.

Dear Experts.

If I downloaded an outdated version of ZAP (~/Downloads/ZAP/ZAP_2.5.0$ ./zap.sh), why does their web site offer 2.5 instead of the recent, stable one?
I only see 2.5: https://github.com/zaproxy/zaproxy/wiki/Downloads
Is there a newer one?
If this is the newest, why does it keep "outdated" extensions?

Whichever they are, plugins or extensions, there seems to be no way to understand what they are doing and what their attack scenario is:

For example, this folder

contains just binary code; how can one know from binary code which vulnerability has been targeted, what the "international database index" of
this vulnerability is, or simply what the vulnerability reproduction scenario is?

One of your links leads to:

and it gives the impression that there exists some sort of Java library of attack scenarios. Where is this library? How does one find out which library
program the message in the Alert or History tab refers to? In my example of

            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...

where is this library program/scenario source code?

5. In my question 5 I am asking how to find a script. You provided an answer to the question "How to create a script",
aka: "New Script Button • Navigate to the Scripts tree tab".

Is it still possible to find the scripts/scenarios which are used, to understand what attacks are going on in the out-of-the-box ZAP?

2/3/4 a.

reports --> "Export Responses to Files"
When I export an Alert/Message to a file, it does not export the log of the conversation between server and browser,
but instead it just exports the response of the server. So it shows neither Attack information nor Evidence information.
This export seems very useless.


"...You can write custom payload generator scripts - these can supply any payloads that you need"
Before reinventing the wheel, it seems more practical for a net-admin to use already existing source code.
Does it really mean that every security company has to have programmers writing the code for the same vulnerability again and again?

It seems some of the scripts are from https://www.ida.org/

here is my example:

Thank you.
1 Solution
btan (Exec Consultant) commented:
Latest version is 2.5 @ https://github.com/zaproxy/zap-core-help/wiki/HelpReleasesReleases
This is an open contribution from the community, pls do not be too "perfectionist" on the release packaging. In practice, the release ZAP will never keep to the latest add-on version since it can be separately downloaded and updated. So do exercise due care to always get the latest version of the add-ons, e.g.
If you are using the latest version of ZAP then you can browse and download addons from within ZAP by clicking on this button in the toolbar:....You can also import add-ons you have downloaded manually via the "File / Load Add-on file..." menu option...

For add-ons, you can find a more descriptive summary of the main coverage scanners used below. The plugins are under the Active and Passive scan rules

- Active scanner rules @ https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules
- Passive scanner rules @ https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules
- fuzzDB @ https://github.com/fuzzdb-project/fuzzdb/blob/master/README.md

Specifically on "plugin", to delve into its nuts and bolts, you can go to the source
- Active @ https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/ascanrules
- Passive @ https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/pscanrules

I do not see documentation that combines the depth of description so far, to my best knowledge; we stick with what is already made available

For the attack scenario, see the 1b summary for the active and passive scan rule.

Taking the XSS example, it is under Active scan with summary as below
Cross Site Scripting (reflected)

This rule starts by submitting a 'safe' value and analyzing all of the locations in which this value occurs in the response (if any). It then performs a series of attacks specifically targeted at the location in which each of the instances occurs, including tag attributes, URL attributes, attributes in tags which support src attributes, html comments etc.

Cross Site Scripting (persistent)

This rule starts by submitting a unique 'safe' value and then spiders the whole application to find all of the locations in which the value occurs. It then performs a series of attacks in the same way that the 'reflected' version does but in this case checks all of the target locations in other pages.
On the actual test executed, you are probably looking at the reflected attack test in the code below, and it is referring to WASC #8 (Vulnerabilities.getVulnerability("wasc_8");) - this actually has XSS info @ http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting

All the threat attacks are referenced to the Web Application Security Consortium (WASC) Threat Classification.

The script is better illustrated in the code of XSS reflective testing (not easily readable, but I see it will be in the help in the tool; I did not delve into that) - https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/TestCrossSiteScriptV2.java

2/3/4 a.
Most go for the alert report instead, i.e. reports-->generate alert report.
Actually I cannot comment on how good it is, since it is added there to help as much as possible but is not perfect.
You can actually grab all of the alerts via the ZAP API in JSON and XML format.  If you enable the API (via the options) you can then access a URL like below to get all of the alerts reported on "www.example.com" - "zap" is the hostname of your ZAP system:


But it seems that there is a new add-on stated:
The plugin can generate a report via the command line currently but not from the api, however i will be adding that support soon. I have been running tests and the minimum supported version is ZAP 2.5.0, however due to some bugs which got fixed in later weekly releases, i would recommend using weekly release 8-30-2016 or later.

The plugin can be found under marketplace titled as 'Export Report'. It is meant to act as a replacement, at least for me instead of the default xml and html reports since it allows for various fields such as who generated the report, the date and allows you to customize which alerts or details you deem important enough to generate.

I am thinking of searching through the community scripts to have that automated attack scenario contributed and run, for which you can see more details in the source code
The easiest way to use this repo in ZAP is to install the 'Community Scripts' add-on from the ZAP Marketplace.

But the original one from FuzzDB has docs in its github that cover Attack Patterns, Response Analysis, and contributed cheatsheets and Documentation

Not necessarily; the exchange and planting of an exploit is the same, though the payload may differ depending on the nature of the vulnerable app or target. Metasploit has been a useful tool for exploitation testing. For FuzzDB, it did share and reuse payloads too, like this XSS instance
test.xxe - requested by some payloads from fuzzdb github repo raw filepath
xss-rsnake.fuzz.txt - rsnake's classic fuzzfile, modified to load http://xss.rocks test files
xss-other.fuzz.txt - newer payloads from various sources: my own testing, interesting filter bypassed found in the wild, etc.
xss-uri.fuzz.txt - URI abuse test cases
XSSPolyglot.fuzz.txt - from https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot - check the page for filter evasions and other interesting stuff
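Two things in the answer above lend themselves to a worked example: the "safe value first, then look at where it is reflected" approach described for the reflected XSS rule, and the suggestion to pull alerts (with their Attack and Evidence fields, which the asker found missing from the response export) out of ZAP's JSON API. The script below is an added example, not ZAP's code and not from the answer; it assumes the shape of ZAP's core/view/alerts JSON view (field names alert, risk, method, url, param, attack, evidence, wascid, cweid), uses constructed sample alerts and a constructed response body, and its reflection-context classifier is a simplified illustration of the rule's first step, not the logic in TestCrossSiteScriptV2.java.

```python
"""Offline triage of ZAP alert JSON: pull Attack/Evidence out of each alert,
tally by risk, emit a CSV, and classify where a reflected safe value lands
in a saved response body.  Example code, not ZAP's own."""
import csv
import io
import json
import re
from collections import Counter

# Constructed sample in the (assumed) shape of ZAP's core/view/alerts JSON
# view; values are made up and target.example is a placeholder host.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium", "method": "POST",
     "url": "http://target.example/search", "param": "q",
     "attack": "<script>alert(1);</script>",
     "evidence": "<script>alert(1);</script>", "wascid": "8", "cweid": "79"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "method": "GET",
     "url": "http://target.example/", "param": "X-Content-Type-Options",
     "attack": "", "evidence": "", "wascid": "15", "cweid": "16"},
]})

# Constructed response body in which a harmless probe value was reflected
# four times, once in each context the rule description mentions.
SAFE_VALUE = "zapsafe7f3a"
SAMPLE_RESPONSE = (
    '<html><body><p>Results for: zapsafe7f3a</p>'
    '<!-- debug: zapsafe7f3a -->'
    '<input name="q" value="zapsafe7f3a">'
    '<script>var q = "zapsafe7f3a";</script></body></html>'
)


def parse_alerts(raw_json):
    """Flatten ZAP alert records into rows that keep Attack and Evidence."""
    rows = []
    for a in json.loads(raw_json).get("alerts", []):
        rows.append({
            "name": a.get("alert", ""), "risk": a.get("risk", ""),
            "method": a.get("method", ""), "url": a.get("url", ""),
            "param": a.get("param", ""), "attack": a.get("attack", ""),
            "evidence": a.get("evidence", ""),
            "wasc": f"WASC-{a['wascid']}" if a.get("wascid") else "",
            "cwe": f"CWE-{a['cweid']}" if a.get("cweid") else "",
        })
    return rows


def summarize_by_risk(rows):
    """Count alerts per risk level, e.g. {'High': 1, 'Low': 1}."""
    return dict(Counter(r["risk"] for r in rows))


def to_csv(rows):
    """CSV export that, unlike 'Export Responses to Files', keeps attack and evidence."""
    fields = ["risk", "name", "method", "url", "param", "attack", "evidence", "wasc", "cwe"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _still_open(lower_body, idx, opener, closer):
    """True if the most recent `opener` before idx has no `closer` after it."""
    o = lower_body.rfind(opener, 0, idx)
    return o != -1 and lower_body.rfind(closer, 0, idx) < o


def reflection_contexts(body, value):
    """Classify each reflection of `value` as html_comment, script_block,
    attribute_value or text, judged from the markup that precedes it."""
    lower = body.lower()
    contexts = []
    for m in re.finditer(re.escape(value), body):
        i = m.start()
        if _still_open(lower, i, "<!--", "-->"):
            contexts.append("html_comment")
        elif _still_open(lower, i, "<script", "</script>"):
            contexts.append("script_block")
        elif _still_open(lower, i, "<", ">"):
            contexts.append("attribute_value")
        else:
            contexts.append("text")
    return contexts


if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_ALERTS_JSON)
    print(summarize_by_risk(rows))
    print(to_csv(rows))
    print(reflection_contexts(SAMPLE_RESPONSE, SAFE_VALUE))
```

Against a live ZAP instance, `SAMPLE_ALERTS_JSON` would be replaced by the body fetched from the alerts API view mentioned above (with the API key the Options dialog shows); the rest of the triage is unchanged. The context list explains why the rule needs a different follow-up payload per location: a value landing inside an HTML comment, a script block, or an attribute value is escaped differently by the application than one landing in text.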
Bitlab (Author) commented:
Thank you. My project is postponed due to unrelated circumstances. Will return if the need arises again.
