toolsmith: OWASP ZAP - Zed Attack Proxy
Prerequisites: Java Runtime Environment. ZAP runs on Linux, Mac OS X, and Windows.

Happy Thanksgiving: "As we express our gratitude, we must never forget that the highest appreciation is not to utter words, but to live by them." - JFK

Introduction

November 2011's toolsmith is the 61st in the series for the ISSA Journal, thus marking five years of extensive tools analysis for information security practitioners. Thank you for coming along for the ride.

Fresh on the heels of a successful presentation on OWASP Top 10 Tools and Tactics at an even more successful ISSA International in Baltimore, I was motivated to give full coverage this month to the OWASP Zed Attack Proxy, better known as ZAP. I had presented ZAP as a tool of choice when assessing OWASP Top Ten A1 (Injection) but, like so many of the tools discussed, ZAP delivers plenty of additional functionality worthy of in-depth discussion.

OWASP ZAP is a fork of the once favored Paros Proxy, which has not been updated since August 2006. As such, it should be noted with no small irony that we covered Paros in December 2006; this is an excellent opportunity to show you how far ZAP has come from the original project.

ZAP is the result of Simon Bennetts' (Psiinon) hard work, though he's got help from co-lead Axel Neumann (a_c_neumann) and many contributors. As an official OWASP project, ZAP enjoys extensive use and development support as an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

Simon offered a veritable plethora of feedback for this article, as provided throughout the rest of the introduction. He indicated that he originally released ZAP specifically for developers and functional testers, a group which he believes is poorly represented in the security tools market. Ease of use was a prime concern, as was documentation, and to his surprise it turned out that it was the security folk who took up ZAP the quickest, providing great feedback, reporting issues and asking for lots of enhancements.
Simon still wants ZAP to be ideal for people new to web application security, but it's also going to be enhanced with more and more advanced features aimed at professional penetration testers.

Simon also wanted ZAP to be a community project; there are many open source security tools that are tightly controlled by one individual or company. While he doesn't have a problem with that, he does believe that the real strength of open source comes when anyone can contribute to a project and take it in directions its initial developers never envisaged. Anyone and everyone is welcome to contribute to ZAP, and not necessarily coding only: they welcome help with testing, documentation, localization, issue identification and enhancement requests. Help spread the word as well via articles, reviews, videos, blogs, Twitter, etc.

ZAP is also one of the few open source security tools to be fully internationalized. It has been translated into 10 languages, and download statistics indicate that approximately half of the ZAP users worldwide are likely to be non-native English speakers.

ZAP is intended to provide everything that you need to perform a penetration test on a web application. If you are new to web application security then it might be the only security tool you need. However, if you're an experienced penetration tester, be sure to include it as one of the many tools in your toolbox.

As a result, the development team is trying to make it as easy as possible to integrate ZAP with other tools. They provide a way to invoke other applications from within ZAP, passing across the current context. In version 1.3 they introduced an API which allows the core ZAP functionality to be invoked via REST, and it will be extended to cover even more of ZAP's features in future releases. This is an ideal way for other applications to directly drive ZAP, and can be used when ZAP is running in 'headless' mode, i.e. without the UI. They've also put together a POC showing how ZAP can be used by developers to include basic security tests in their continuous integration framework and be alerted to potential security vulnerabilities within hours of checking in code.

Simon and team don't believe in reinventing the wheel, which is why they always seek high quality open source components to reuse before implementing a new feature from scratch. As such, the brute force (forced browsing) support is provided via DirBuster and fuzzing makes use of the JBroFuzz libraries (both OWASP projects).

Amongst the more advanced features that users might not be aware of is that ZAP keeps track of all of the anti-CSRF tokens it finds. If fuzzing a form with an anti-CSRF token in it, ZAP can regenerate the token for each of the payloads you fuzz with. There's also an experimental option that allows this to be turned on when using the active scanner as well. I can say that quality CSRF testing is not commonplace among ZAP's web application testing contemporaries.

For ZAP version 1.4 the development team has decided to focus on:
- Improving the active and passive scanners
- Improving stability, especially for large sites
- Session token analysis

In July 2011 ZAP was evaluated and designated as a 'stable' OWASP project, the highest level currently available. Further, OWASP projects are now being restructured, and ZAP has been designated as one of the small number of 'flagship' projects. Rightfully so; thank you Simon.

Let's run ZAP through its paces.

ZAP Installation and Configuration

ZAP installation is very simple. Once unpacked on your preferred platform, invoke ZAP from the application icon or at the command prompt via the appropriate executable. A current Java Runtime Environment is a requirement, as all the executables (EXE, BAT, SH) invoke java -jar zap.jar org.zaproxy.zap.ZAP. Most importantly, ZAP runs as a proxy. Configure your preferred browser to proxy via localhost and the default port of 8080.
I change the port to 8088 to avoid conflict with other proxies and services. You can change the port under Tools → Options → Local proxy if you run multiple proxies that you bounce between during assessments. I do, and as such I use the Firefox add-on FoxyProxy to quickly dial in my proxy of choice. You must also generate an SSL certificate in order to use and test SSL-enabled sites. You will be prompted to do so when running ZAP for the first time. ZAP uses this root certificate to re-sign the certificates of the HTTPS sites it intercepts, so import it into your browser's trust store or every SSL site you proxy will raise certificate warnings.

ZAP Use

In addition to the aforementioned security regression tests for developers, the OWASP ZAP project offers ZAP Web Application Vulnerability Examples, or ZAP WAVE. Download it and drop zap-wave.war in the webapps directory of your favorite servlet engine. On Debian/Ubuntu systems, sudo apt-get install tomcat6 will get you in business with said servlet engine quickly. In addition to a LAMP stack on an Ubuntu 11.10 VM, I run Tomcat for just such occasions. OWASP WebGoat also runs as a standalone test bed or via a servlet engine.

Enable ZAP, with your browser configured to proxy through it, then navigate to the system (VM or real steel) hosting ZAP WAVE, usually on port 8080. As an example: http://192.168.140.137:8080/zapwave/

ZAP WAVE includes active vulnerabilities such as cross-site scripting and SQL injection, as well as passive vulnerabilities including three types of information leakage and two session vulnerabilities. There are also pending false positives that are not yet ready for primetime.

The developers recommend that you explore the target app with ZAP enabled as a proxy, and touch as much of it as possible before spidering. Doing so helps ZAP find more vulns, as you may cross paths with error messages, etc.

I typically visit the root of the application hierarchy for a web application I wish to assess, right-click on it, select Attack, then Spider site. This crawls the entire site hierarchy and populates the tree view under the Sites tab in ZAP's left pane, as seen in Figure 1.
Figure 1: ZAP spidering

Crawling (spidering) can have unintended side-effects on an application, even adding or deleting records in a database, so be advised.

A good crawl ensures a better active scan, but before beginning a scan, set your Scan Policy via Analyze → Scan Policy, as seen in Figure 2. You may wish to more narrowly scope your scan activity to just the likes of information gathering or SQL injection, as seen in Figure 2.

Figure 2: ZAP scan policy

Spidering and scan policy configuration complete, right-click the root, or a specific node you wish to assess, as you can choose Attack → Active scan site or Attack → Active scan node. You can also exclude a site from the scope in a similar fashion. A full scan of the ZAP WAVE instance completed in very short order; results were immediate, as seen in Figure 3.

Figure 3: ZAP scan results

ZAP includes the expected Encode/Decode/Hash functionality via Edit → Encode/Decode/Hash or Tools → Encode/Decode/Hash, along with a manual editor for generating manual requests. I'll often run ZAP for nothing more than encoding, decoding, and hashing; it's a great utility.

The Port Scan feature is also useful. It will select the in-scope host by default; just click the Port Scan tab, then the start button.

The Brute Force tab is a function of the above-mentioned DirBuster component and includes seven dictionary lists to choose from. I ran this against my full host VM rather than just the servlet element and included the dictionary-list-1.0 dictionary for a simple, quick test.

Figure 4: ZAP DirBuster at work

One of my favorite ZAP features (there are many) is the Fuzzer. Per the Fuzzer component guidance:
- Select a request in the Sites or History tab
- Highlight the string you wish to fuzz in the Request tab
- Right-click in the Request tab and select 'Fuzz...'
- Select the Fuzz Category and one or more Fuzzers
- Press the Fuzz button
- The results are listed in the Fuzzer tab; select them to see the full requests and responses.

The fuzzer, like the scanner, includes functionality which causes ZAP to automatically regenerate the tokens when required. I ran the Fuzzer against http://192.168.140.137:8080/zapwave/active/xss/xss-form-anti-csrf.jsp and fuzzed the anticsrf and name variables, as it is a recent addition per the ZAP WAVE download site. As seen in Figure 5, the fuzzer offers a wide array of fuzzers within a given category.

Figure 5: ZAP fuzzer config

In the understanding that fuzzing is the art of submitting a great deal of invalid or unexpected data to a target, you can look for variations in results such as response code (200 OK) and response times. Where normal response times per request average between 2ms and 4ms for ZAP WAVE hosted on a local VM, one request in particular stood out at a 402ms response time. I checked for the string passed and cracked up:

%3CIMG SRC%3D%60javascript%3Aalert%28%22RSnake says%23%23%23 %27XSS%27%22%29%60%3E

Or, courtesy of the handy ZAP decoder:

<IMG SRC=`javascript:alert("RSnake says### 'XSS'")`>

Mr. Slowloris (HTTP DoS) himself causing grind even here.

In Conclusion

ZAP deserves its status as an OWASP flagship project. Whether you're a seasoned veteran or new to the web application security game, make the Zed Attack Proxy part of your arsenal. I'd go so far as to say, as 2011 is winding down, that ZAP feels like a likely front runner for 2011 Toolsmith Tool of the Year. But that is for you to decide, dear reader. Let me know if you agree. Ping me via email if you have questions (russ at holisticinfosec dot org). Cheers until next month.

Acknowledgements

Simon Bennetts (Psiinon) for project feedback and details
Axel Neumann (a_c_neumann) for draft review
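Two of the points above, ZAP regenerating the anti-CSRF token before each fuzz payload and the post-fuzz triage of watching for status and response-time variations and then decoding the payload that stood out, can be reproduced in a few dozen lines. The following Python script is an added example, not code from this article or from the ZAP project: it fetches the form and reads a fresh anticsrf token before every POST, the way ZAP's fuzzer does, then flags responses that deviate in status or latency and shows the payload decoded. The target is an in-memory stand-in for ZAP WAVE's xss-form-anti-csrf.jsp constructed for this example (single-use token, synthetic response times, with the 402 ms case hard-coded to mirror the outlier in the text), so nothing here talks to a real server; the payload list is likewise constructed, with the RSnake string from the article included verbatim.

```python
import re
import secrets
import statistics
from urllib.parse import unquote


class AntiCsrfForm:
    """Constructed stand-in for ZAP WAVE's xss-form-anti-csrf.jsp (not the real
    page): GET hands out a fresh single-use anticsrf token in the form; POST is
    rejected with 403 unless it carries the token from the most recent GET."""

    def __init__(self):
        self._current = None

    def get(self):
        self._current = secrets.token_hex(8)
        html = ('<form method="POST" action="xss-form-anti-csrf.jsp">'
                f'<input type="hidden" name="anticsrf" value="{self._current}">'
                '<input type="text" name="name"></form>')
        return 200, html, 3  # (status, body, response time in ms)

    def post(self, fields):
        if self._current is None or fields.get("anticsrf") != self._current:
            return 403, "Invalid anti-CSRF token", 2
        self._current = None  # token is single-use; a reused one is refused
        name = fields.get("name", "")
        # Synthetic latency: payloads carrying a javascript: URI take 402 ms,
        # mirroring the outlier in the text; everything else answers in 3 ms.
        elapsed_ms = 402 if "javascript:" in name.lower() else 3
        return 200, f"Hello {name}", elapsed_ms


TOKEN_RE = re.compile(r'name="anticsrf"\s+value="([0-9a-f]+)"')


def extract_token(html):
    """Pull the anticsrf value out of the form; ZAP does the equivalent for
    every anti-CSRF token it has learned to recognise."""
    match = TOKEN_RE.search(html)
    if match is None:
        raise ValueError("anti-CSRF token not found in form")
    return match.group(1)


def fuzz(target, payloads, regenerate_token=True):
    """Submit each URL-encoded payload in the 'name' field.

    With regenerate_token=True the form is re-fetched and its token re-read
    before every POST (what ZAP's fuzzer does). With False the token from the
    first fetch is reused, so a single-use token rejects every request after
    the first and the run ends up measuring the CSRF guard, not the field."""
    results = []
    token = None
    for payload in payloads:
        if regenerate_token or token is None:
            _, html, _ = target.get()
            token = extract_token(html)
        decoded = unquote(payload)
        status, _, elapsed_ms = target.post({"anticsrf": token, "name": decoded})
        results.append({"payload": payload, "decoded": decoded,
                        "status": status, "ms": elapsed_ms})
    return results


def flag_anomalies(results, ms_factor=5.0):
    """Return the results worth a second look: any non-200 status, or a
    response time more than ms_factor times the median of the run."""
    median_ms = statistics.median(r["ms"] for r in results)
    return [r for r in results
            if r["status"] != 200 or r["ms"] > ms_factor * median_ms]


# Constructed payloads (URL-encoded, as ZAP lists them); the last one is the
# RSnake string from the article, decoded here by urllib rather than ZAP.
PAYLOADS = [
    "alice",
    "%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "%27%20OR%20%271%27%3D%271",
    "%3CIMG SRC%3D%60javascript%3Aalert%28%22RSnake says%23%23%23 %27XSS%27%22%29%60%3E",
]


if __name__ == "__main__":
    for hit in flag_anomalies(fuzz(AntiCsrfForm(), PAYLOADS)):
        print(f'{hit["status"]} {hit["ms"]:>4} ms  {hit["decoded"]}')
```

Run it as-is and only the RSnake payload is reported, at 402 ms with a 200 status; run fuzz() with regenerate_token=False against a fresh AntiCsrfForm and every request after the first comes back 403, which is exactly the wall a fuzzer without token regeneration hits on a page like this.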