Solved

OWASP ZAP get started. Step 2.

Posted on 2016-09-25
Last Modified: 2016-10-01
This is a follow-up question after viewing OWASP ZAP get started.

Dear Experts.

1.a
[attached image: extensions-exists-in-ver-2.5--how-to-export-them-to-recent-version.png]
If I downloaded an outdated version of ZAP (~/Downloads/ZAP/ZAP_2.5.0$ ./zap.sh), why does their web site offer 2.5 instead of the recent and stable one?
I only see 2.5: https://github.com/zaproxy/zaproxy/wiki/Downloads
Is there a newer one?
If this is the newest, why does it keep "outdated" extensions?


1.b
Whether they are plugins or extensions, there seems to be no way to understand what they are doing and what their attack scenario is:

For example, this folder
/home/stan/Downloads/ZAP/ZAP_2.5.0/plugin

contains just binary code. How, from binary code, can one know which vulnerability has been targeted, which "international database index" this
vulnerability has, or simply what the vulnerability reproduction scenario is?


2/3/4
One of your links leads to:
https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT#Extending_OWASP_ZAP_with_new_reporting_module

and it gives the impression that there exists some sort of Java library of attack scenarios. Where is this library? How do I find out which library
program the message in the Alert or History tab refers to? In my example of

            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...

where is this library program/scenario source code?


5. In my question 5 I am asking how to find a script. You provide an answer to the question "How to create a script",
aka: "New Script Button • Navigate to the Scripts tree tab".

Is it still possible to find the scripts/scenarios which are used to understand what attacks are going on in the out-of-the-box ZAP?


2/3/4 a.

"reports --> Export Responses to Files"
When I export an Alert/Message to a file, it does not export the log of the conversation between server and browser,
but instead it just exports the response of the server. So, it shows neither Attack information nor Evidence information.
This export seems very useless.

7.

"...You can write custom payload generator scripts - these can supply any payloads that you need"
Before reinventing the wheel, it seems more practical for a net-admin to use already existing source code.
Does it really mean that every security company has to have programmers writing the code for the same vulnerability again and again?

It seems some of the scripts are from https://www.ida.org/


*
Here is my example:
    [attached image: no-info-to-understand-what-is-scenario-and-request-response-of-scenario.png]

Thank you.

Question by: Bitlab
Accepted Solution

by: btan
ID: 41816294
1a.
Latest version is 2.5 @ https://github.com/zaproxy/zap-core-help/wiki/HelpReleasesReleases
This is an open contribution from the community, pls do not be too "perfectionist" on the release packaging. In practice, the released ZAP will never keep up with the latest add-on version since add-ons can be separately downloaded and updated. So do exercise due care to always get the latest version of the add-ons, e.g.:
If you are using the latest version of ZAP then you can browse and download addons from within ZAP by clicking on this button in the toolbar:....You can also import add-ons you have downloaded manually via the "File / Load Add-on file..." menu option...
https://github.com/zaproxy/zap-extensions


1b.
For add-ons, you can find a more descriptive summary of the main coverage scanners used below. The plugins are under the Active and Passive scan rules:

- Active scanner rules @ https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules
- Passive scanner rules @ https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules
- fuzzDB @ https://github.com/fuzzdb-project/fuzzdb/blob/master/README.md

Specifically on "plugin", to delve into its nuts and bolts, you can go to the source:
- Active @ https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/ascanrules
- Passive @ https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/pscanrules

I do not see documentation that combines the depth of description so far, to my best knowledge; we stick with what is already made available.


2/3/4
For the attack scenario, see the 1b summary for the active and passive scan rule.

Taking the XSS example, it is under Active scan with the summary as below:
Cross Site Scripting (reflected)

This rule starts by submitting a 'safe' value and analyzing all of the locations in which this value occurs in the response (if any). It then performs a series of attacks specifically targeted at the location in which each of the instances occurs, including tag attributes, URL attributes, attributes in tags which support src attributes, html comments etc.

Cross Site Scripting (persistent)

This rule starts by submitting a unique 'safe' value and then spiders the whole application to find all of the locations in which the value occurs. It then performs a series of attacks in the same way that the 'reflected' version does but in this case checks all of the target locations in other pages.
On the actual test executed, you are probably looking at the reflected attack test in the code below, and it refers to WASC #8 (Vulnerabilities.getVulnerability("wasc_8");) - this actually has XSS info @ http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting

All the threat attacks are referenced to The Web Application Security Consortium (WASC) Threat Classification.

The script is better illustrated in the code of the XSS reflected test (not easily readable, but I see it will be in the help in the tool; I did not delve into that) - https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/TestCrossSiteScriptV2.java


2/3/4 a.
Most go for the alert report instead, i.e. reports --> generate alert report.
Actually I cannot comment on how good it is since it is added there to help as much as possible but is not perfect.
You can actually grab all of the alerts via the ZAP API in JSON and XML format.  If you enable the API (via the options) you can then access a URL like below to get all of the alerts reported on "www.example.com" - "zap" is the hostname of your ZAP system:

http://zap/JSON/core/view/alerts/?baseurl=http%3A%2F%2Fwww.example.com%2F&start=&count=

But it seems that there is a new add-on stated:
The plugin can generate a report via the command line currently but not from the api, however i will be adding that support soon. I have been running tests and the minimum supported version is ZAP 2.5.0, however due to some bugs which got fixed in later weekly releases, i would recommend using weekly release 8-30-2016 or later.

The plugin can be found under marketplace titled as 'Export Report'. It is meant to act as a replacement, at least for me instead of the default xml and html reports since it allows for various fields such as who generated the report, the date and allows you to customize which alerts or details you deem important enough to generate.
https://groups.google.com/forum/#!topic/zaproxy-users/VTDkreb3wUY


5.
I am thinking of searching through the community scripts to have those automated attack scenarios contributed and run them, where you can see more details in the source code.
The easiest way to use this repo in ZAP is to install the 'Community Scripts' add-on from the ZAP Marketplace.
https://github.com/zaproxy/community-scripts

But the original one from FuzzDB has docs in its GitHub that cover Attack Patterns, Response Analysis, and contributed cheatsheets and Documentation:
https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/fuzzdb/files/fuzzers/fuzzdb


7.
Not necessarily; the exchange and planting of exploits is the same, though the payload may differ depending on the nature of the vulnerable application or target. Metasploit has been a useful tool for exploitation testing. FuzzDB did share and reuse payloads too, like in this XSS instance:
test.xxe - requested by some payloads from fuzzdb github repo raw filepath
xss-rsnake.fuzz.txt - rsnake's classic fuzzfile, modified to load http://xss.rocks test files
xss-other.fuzz.txt - newer payloads from various sources: my own testing, interesting filter bypassed found in the wild, etc.
xss-uri.fuzz.txt - URI abuse test cases
XSSPolyglot.fuzz.txt - from https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot - check the page for filter evasions and other interesting stuff
https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/fuzzdb/files/fuzzers/fuzzdb/attack/xss
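The asker's point in 2/3/4 a. was that the file export drops the Attack and Evidence fields; the core/view/alerts API view btan links to does return them per alert. The script below is an added example, not code from this thread or from the ZAP project: it parses a constructed sample of that JSON reply (the field names follow ZAP's alert JSON; the alert values, plugin ids, and the host "zap" on port 8080 are assumptions) and prints attack, evidence and the WASC/CWE ids per alert. fetch_alerts() shows the equivalent live call against a running instance, with the API key passed as the apikey query parameter (an assumption about how your ZAP is configured).

```python
"""Added example (not from the original thread or the ZAP project): read the
JSON returned by ZAP's core/view/alerts API view and summarise it, so the
Attack and Evidence fields missing from the file export are visible.

Assumptions, labelled: ZAP listens on http://zap:8080 (hostname taken from
the answer, port assumed), the API key goes in the 'apikey' query parameter,
and SAMPLE_RESPONSE is a constructed stand-in for a real API reply.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

# Constructed sample of an alerts reply. Field names follow ZAP's alert JSON
# (alert, risk, confidence, url, param, attack, evidence, wascid, cweid);
# the values and plugin ids are sample data, not a real scan result.
SAMPLE_RESPONSE = json.dumps({
    "alerts": [
        {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
         "risk": "High", "confidence": "Medium",
         "url": "http://www.example.com/search", "param": "q",
         "attack": "<script>alert(1);</script>",
         "evidence": "<script>alert(1);</script>",
         "wascid": "8", "cweid": "79"},
        {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
         "risk": "Low", "confidence": "Medium",
         "url": "http://www.example.com/", "param": "X-Content-Type-Options",
         "attack": "", "evidence": "", "wascid": "15", "cweid": "16"},
    ]
})

RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Fields worth keeping for triage; everything else in the reply is dropped.
KEEP = ("pluginId", "alert", "risk", "confidence", "url", "param",
        "attack", "evidence", "wascid", "cweid")


def fetch_alerts(baseurl, zap_host="zap", zap_port=8080, apikey=None):
    """Live call against a running ZAP (hypothetical host/port/apikey setup).

    Mirrors the URL quoted in the answer: /JSON/core/view/alerts/?baseurl=...
    """
    params = {"baseurl": baseurl, "start": "", "count": ""}
    if apikey:
        params["apikey"] = apikey  # assumption: API key is required/enabled
    url = (f"http://{zap_host}:{zap_port}/JSON/core/view/alerts/?"
           + urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_alerts(resp.read().decode("utf-8"))


def parse_alerts(raw_json):
    """Reduce the API reply to the triage fields, highest risk first."""
    alerts = json.loads(raw_json).get("alerts", [])
    parsed = [{k: a.get(k, "") for k in KEEP} for a in alerts]
    return sorted(parsed, key=lambda a: RISK_ORDER.get(a["risk"], -1),
                  reverse=True)


def summarise(alerts):
    """Count alerts per risk level and list which scan rules (pluginId) fired."""
    return {"by_risk": dict(Counter(a["risk"] for a in alerts)),
            "plugins": sorted({a["pluginId"] for a in alerts})}


def format_alert(a):
    """One-line view with attack and evidence next to the WASC/CWE ids, which
    is what the 'Export Responses to Files' output lacks."""
    return (f"[{a['risk']}] {a['alert']} at {a['url']} param={a['param']!r} "
            f"WASC-{a['wascid']} CWE-{a['cweid']} "
            f"attack={a['attack']!r} evidence={a['evidence']!r}")


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_alerts(...) for
    # a real instance.
    parsed = parse_alerts(SAMPLE_RESPONSE)
    for alert in parsed:
        print(format_alert(alert))
    print(summarise(parsed))
```

The WASC id in each alert is the same reference the answer points at for the XSS rule (WASC #8), so the JSON reply, unlike the file export, lets you go from an alert straight to the threat-classification entry and the scan rule (pluginId) that raised it.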

Author Closing Comment

by: Bitlab
ID: 41825041
Thank you. My project is postponed due to unrelated circumstances. Will return if the need arises again.