Wilson Mar

Practice penetration testing identifying security vulnerabilities in sample BWA app

Penetration (Pen) Testing Tools

Among web app penetration testing tools, the Zed Attack Proxy (ZAP) is offered free, and is actively maintained by hundreds of international volunteers. Use it to scan for security vulnerabilities in your web applications while you are developing and testing your applications.

ZAP is a tool for Dynamic App Security Testing (DAST) run while the app under test is running.

By contrast, SAST (Static Application Security Testing) tools scan application source code (or compiled binaries) for coding flaws without running the app. SAST vendors include Veracode, Perforce, CAST (http://www.castsoftware.com/) and Checkmarx. A third category, Interactive App Security Testing (IAST), instruments the running app with an agent that watches requests and the code paths they exercise from the inside and reports findings to a central server; Checkmarx is among the vendors offering it.

Security tests should also cover the efficacy of Runtime Application Self-Protection (RASP) built into the app itself, rather than relying completely on the infrastructure's Web Application Firewall (WAF).

OWASP Top 10

ZAP looks for vulnerabilities described by the non-profit OWASP (Open Web Application Security Project) in its Top 10 - 2017 PDF:

YouTube videos from F5 DevCentral 2017 by John Wagnon (and Description from OWASP):

  1. Injection Attacks (Description, blog article)

  2. Broken Authentication (Description)

  3. Sensitive Data Exposure (Description)

  4. XML External Entities (XXE) (Description)

  5. Broken Access Control (Description)

  6. Security Misconfiguration (Description)

  7. Cross-Site Scripting (XSS) (Description)

  8. Insecure Deserialization (Description)

  9. Using Components with Known Vulnerabilities (Description)

  10. Insufficient Logging and Monitoring (Description)

Cross-Site Request Forgery (CSRF), listed as A8 in the 2013 edition, was dropped from the 2017 list because most web frameworks now ship CSRF defenses by default; it still needs checking in hand-rolled forms.

There is also the CWE/SANS Top 25 Most Dangerous Software Errors, grouped into Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

Additionally, scans are often driven by compliance requirements such as:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Motor Industry Software Reliability Association (MISRA)

Test Scope

As a “black box” approach, DAST sees only what comes back over HTTP. It cannot identify vulnerabilities that give no feedback in the response to the request that triggered them: for example stored (non-reflected) Cross-Site Scripting whose payload only surfaces on a page the scanner never revisits, or blind injection that changes nothing the scanner can observe. Finding those requires the scanner to crawl and re-check other pages, or a SAST/IAST view of the code.
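To make that limitation concrete, here is an added Python example (not from this page or the ZAP project): a constructed two-sink app with one reflected and one stored XSS hole, and two scanner strategies. A response-only check, which is all a black-box scanner can do with a single request, finds the reflected sink but not the stored one; only re-fetching the page that renders the stored input surfaces it. The routes, parameter names and the marker payload are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs

# Marker an active scanner injects; a real scanner uses a unique random token so it
# cannot be confused with content that was already on the page.
PAYLOAD = "<script>alert(1)</script>"


class ToyApp:
    """Constructed two-sink app (not one of the BWA apps).

    /search    reflects the q parameter straight back      -> reflected XSS
    /comment   stores the text parameter and says thanks   -> stored XSS ...
    /guestbook renders every stored comment unescaped      -> ... that surfaces here
    /safe      escapes its output, so it is not vulnerable
    """

    def __init__(self):
        self.comments = []

    def handle(self, method, path, query=""):
        params = {k: v[0] for k, v in parse_qs(query).items()}
        if path == "/search":
            return f"<h1>Results for {params.get('q', '')}</h1>"
        if path == "/comment" and method == "POST":
            self.comments.append(params.get("text", ""))
            return "<p>Thanks, your comment was saved.</p>"  # payload absent from response
        if path == "/guestbook":
            items = "".join(f"<li>{c}</li>" for c in self.comments)
            return f"<ul>{items}</ul>"
        if path == "/safe":
            return f"<h1>Results for {html.escape(params.get('q', ''))}</h1>"
        return "404"


def scan_reflective(app, method, path, param):
    """Response-only check: inject, then look for the marker in the same response."""
    response = app.handle(method, path, f"{param}={PAYLOAD}")
    return PAYLOAD in response


def scan_with_revisit(app, method, path, param, known_pages):
    """Inject, then re-fetch every page the spider already knows and look for the marker.

    Returns the pages on which the marker appears, attributing a stored sink to the
    page that renders it rather than the one that accepted it.
    """
    app.handle(method, path, f"{param}={PAYLOAD}")
    return [page for page in known_pages if PAYLOAD in app.handle("GET", page)]


if __name__ == "__main__":
    app = ToyApp()
    print("reflected /search found:", scan_reflective(app, "GET", "/search", "q"))
    print("stored /comment found by response check:",
          scan_reflective(app, "POST", "/comment", "text"))
    print("stored payload surfaces on:",
          scan_with_revisit(ToyApp(), "POST", "/comment", "text", ["/guestbook", "/safe"]))
```

The second strategy is why ZAP spiders first and scans afterwards: the spider builds the list of pages that the active scanner later re-checks for its markers.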

Get sample broken app

PROTIP: If you run ZAP against a server you don’t control, you are hacking that site.

Stand up an instance of the BWA (Broken Web Application), a collection of intentionally vulnerable web applications distributed by OWASP as a Virtual Machine (VM) image that runs under VirtualBox, Hyper-V, VMware Workstation on Windows or VMware Fusion on Mac:

  1. Instantiate a server (or use a laptop with enough RAM and disk). Since Sep 2017 nested virtualization (VT-x inside a VM) is supported on GCE, according to Paul R. Nash, Group Product Manager, Google Compute Engine, so the BWA VM can also be run on a cloud instance.

  2. Within a console on the server, download:

    
    curl -L -o OWASP_Broken_Web_Apps_VM_1.2.7z https://sourceforge.net/projects/owaspbwa/files/latest/download
    

    -L is needed because SourceForge answers with a redirect to a mirror, and -o names the file, since -O would save it under the name "download". The OWASP_Broken_Web_Apps_VM_1.2.7z file downloaded is 1.7 GB (big!) because it contains various apps in Ruby, PHP, WordPress, etc.

    It’s briefly described at https://owaspbwa.org, which resolves to https://code.google.com/archive/p/owaspbwa/

    Note that the last release (1.2) is from 2015: the bundled apps are deliberately full of old, long-patched bugs, so keep the VM on a host-only or otherwise isolated network and never expose it to the internet.

  3. Unpack the 7z file (with 7-Zip or p7zip). Navigate into the folder.
  4. Double-click on file OWASP Broken Web Apps.vmx to open the image in VMware Workstation or Fusion. VirtualBox does not read .vmx files: create a new Linux VM there and attach the .vmdk disk from the folder as its existing hard disk. In either case, put the VM's network adapter on host-only (or NAT) networking, not bridged, so the vulnerable apps are reachable only from your machine:

    See Install video (music only, no dialog) [5:49]

  5. Use it.

    The video showing version 1.1.1 [21:53] by Chuck Willis shows how to use BWA to demonstrate the occurrence of “Top 10” vulnerabilities described by OWASP, using the bundled Mutillidae app.

    http://www.concise-courses.com/infosec/owasp-broken-web-applications/

    https://www.youtube.com/watch?v=FOEFL8bbbCU [7:05]

    In “Beyond 1.0” (2013), Chuck Willis (@chuckatsf) describes the origins of BWA.

Install proxy server

There are several ways to obtain and instantiate a proxy server.

SaaS

QUESTION: Who are SaaS vendors operating on public cloud?

From Docker Hub

For those working on public clouds:

  1. Bring up Docker
  2. In a Terminal,
  3. Use the Docker image provided by the OWASP organization at https://hub.docker.com/r/owasp/zap2docker-stable/

    
    docker pull owasp/zap2docker-stable
    

    The docker images command reports it as 1.33 GB.

    Alternately, for use in CI environments:

    
    docker pull owasp/zap2docker-bare
    

    The docker images command reports it as 525 MB, about a third of the stable edition, because the bare image leaves out the browser and the other extras the stable image carries.

    The images above were created based on code at: https://github.com/zaproxy/zaproxy/tree/develop/build/docker

    ZAP’s project leader is Simon Bennetts (@psiinon). His lecture on 2 Jun 2015 [59:59]: https://www.youtube.com/watch?v=_MmDWenz-6U

  4. Start ZAP with the zap-x.sh script, which first starts xvfb (X virtual frame buffer) so that add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) can run in a headless environment. Firefox is also installed in the image for use with these add-ons.

    Alternately, start ZAP as a headless daemon (API only, no X at all):

    
    docker run -u zap -p 8080:8080 -i owasp/zap2docker-bare zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=change-me
    

    The daemon must bind 0.0.0.0, not 127.0.0.1: inside the container 127.0.0.1 is the container's own loopback, so the port published with -p 8080:8080 would refuse every connection from the host. The two api.addrs settings let the API accept calls from addresses other than the container's own (narrow .* to your CI runner's address where you can), and api.key sets the key every API action must carry; prefer that to switching the key off with api.disablekey=true, which is only acceptable on a throw-away network.
    

Blogs about this:

  • https://github.com/zaproxy/zaproxy/wiki/Docker
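Once the daemon is listening, a CI job can drive it through ZAP's JSON API (spider, active scan, read alerts) instead of the GUI. The Python below is an added example rather than ZAP's own client library: the /JSON/<component>/<action|view>/<name>/ endpoint paths, the scanId/status polling and the apikey parameter are ZAP's, while the target URL, the API key and the FakeZap stub (which answers the same calls offline so the flow can be exercised without a daemon) are constructed for this example.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

# ZAP alert risk levels, lowest to highest.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ZapClient:
    """Minimal client for the ZAP JSON API (not the zapv2 library).

    fetch(url) must return the decoded JSON body. The default uses urllib against a
    real daemon; tests inject the FakeZap stub defined below instead.
    """

    def __init__(self, base="http://127.0.0.1:8080", apikey="change-me", fetch=None, poll=2.0):
        self.base, self.apikey, self.poll = base, apikey, poll
        self.fetch = fetch or (lambda url: json.load(urlopen(url, timeout=60)))

    def call(self, component, kind, name, **params):
        # kind is "action" or "view"; every action must carry the apikey when one is set
        params["apikey"] = self.apikey
        return self.fetch(f"{self.base}/JSON/{component}/{kind}/{name}/?{urlencode(params)}")

    def _wait(self, component, scan_id):
        # status is a percentage string; spider and ascan both expose it this way
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(self.poll)

    def spider(self, target):
        self._wait("spider", self.call("spider", "action", "scan", url=target)["scan"])

    def active_scan(self, target):
        self._wait("ascan", self.call("ascan", "action", "scan", url=target)["scan"])

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def gate(alerts, fail_at="High"):
    """Count alerts per risk level and fail when any alert is at or above fail_at."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] += 1
    threshold = RISK_ORDER[fail_at]
    passed = all(counts[r] == 0 for r, level in RISK_ORDER.items() if level >= threshold)
    return passed, counts


def run_pipeline(target, fetch=None, fail_at="High", poll=2.0):
    zap = ZapClient(fetch=fetch, poll=poll)
    zap.spider(target)        # discover URLs first ...
    zap.active_scan(target)   # ... then attack what was found
    return gate(zap.alerts(target), fail_at)


class FakeZap:
    """Constructed stand-in for a daemon: each scan reports 100% on its second poll."""

    def __init__(self, alerts):
        self.alerts, self.polls = alerts, {}

    def __call__(self, url):
        path = url.partition("?")[0]
        component = path.split("/JSON/")[1].split("/")[0]
        if path.endswith("/action/scan/"):
            return {"scan": "0"}
        if path.endswith("/view/status/"):
            self.polls[component] = self.polls.get(component, 0) + 1
            return {"status": "100" if self.polls[component] >= 2 else "50"}
        if path.endswith("/core/view/alerts/"):
            return {"alerts": self.alerts}
        raise ValueError(f"unexpected call: {url}")


if __name__ == "__main__":
    import sys
    # Against a live daemon: exit non-zero (failing the build) on any High alert.
    ok, summary = run_pipeline("http://bwa.local/")  # hypothetical BWA address
    print(summary)
    sys.exit(0 if ok else 1)
```

Keep the API key out of the script (read it from the environment or the CI secret store) and run the job in Protected or ATTACK mode against a context, so that only the target you own is scanned.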

On private servers

  1. Download and un-tar in one step (the release is a tar.gz; -O - streams it into tar), then create a version-independent symlink:

    wget -q -O - https://github.com/zaproxy/zaproxy/releases/download/2.4.3/ZAP_2.4.3_Linux.tar.gz | tar zxf - -C /opt
    ln -s /opt/ZAP_2.4.3 /opt/zap

    CAUTION: Enterprise security should review this. Piping a download straight into tar skips all verification; at minimum, save the archive first, compare its checksum with the one published for the release, and pin an explicit version (2.4.3 here is old; substitute a current release number from the zaproxy releases page).

  2. Since the tarball does not come with an init script, install this one for Debian (read it before running it):

    wget -q -O /etc/init.d/zap https://raw.githubusercontent.com/stelligent/zap/master/packer/roles/zap/files/zap-init.sh
    chmod 755 /etc/init.d/zap

Instantiate within Google Cloud

Browser Proxy Setup

ZAP listens on localhost (127.0.0.1) port 8080 by default, so the browser must be told to send both HTTP and HTTPS traffic to 127.0.0.1:8080. For HTTPS sites the browser will also reject ZAP's interception certificates until you export ZAP's root CA (Tools > Options > Dynamic SSL Certificates > Save) and import it into the browser's certificate store.

In Chrome:

  1. Menu > Settings > Advanced > System > Open proxy settings
  2. Chrome uses the operating system's proxy configuration, so enter 127.0.0.1 port 8080 there for HTTP and HTTPS.

In Firefox:

  1. Menu > Options
  2. Advanced
  3. Network tab
  4. Connection > Settings
  5. Select “Manual proxy configuration”, enter 127.0.0.1 port 8080 for HTTP and tick “Use this proxy server for all protocols”.
  6. Clear the “No Proxy for:” box. It lists addresses that bypass the proxy (localhost and 127.0.0.1 by default), so if the app under test runs locally, leaving it filled means ZAP never sees that traffic. Recent Firefox versions bypass the proxy for localhost regardless of this box; either set network.proxy.allow_hijacking_localhost to true in about:config, or reach the BWA VM by its own IP address.

In Internet Explorer:

  1. Tools
  2. Internet options
  3. Connections tab
  4. LAN settings
  5. Tick “Use a proxy server for your LAN” and enter 127.0.0.1 port 8080.

Switching the proxy on and off by hand soon gets tedious, so in Firefox install FoxyProxy to toggle it:

  1. Menu > Add-ons (shift+command+A)
  2. Click “See more Add-ons”
  3. In the “Search for add-ons” box, type “FoxyProxy”.
  4. Select “FoxyProxy Standard”.
  5. Click “+ Add to Firefox”.
  6. Click “Add” in the pop-up.
  7. Restart Firefox, then define a proxy entry pointing at 127.0.0.1:8080.

Install Jenkins plugin

Blogs:

  • https://stelligent.com/2016/04/28/automating-penetration-testing-in-a-cicd-pipeline/
  • https://stelligent.com/2016/05/11/automating-penetration-testing-in-a-cicd-pipeline-part-2/

The plug-in is at:

https://wiki.jenkins.io/display/JENKINS/zap+plugin

  1. ZAP is written in Java, so a Java runtime (a JRE is enough; current releases need Java 8 or later) must be present on the Jenkins node that runs it.

    https://github.com/zaproxy/zaproxy/wiki/

ZAP UI

The drop-down at the upper-left corner of the ZAP UI provides 4 modes, from least to most intrusive:

  1. Safe mode: no potentially dangerous operations (no spidering, no active scanning) against any site.
  2. Protected mode: potentially dangerous operations are allowed only against URLs inside a defined Context (the scope).
  3. Standard mode: no restrictions; the default.
  4. ATTACK mode: every new node discovered inside scope is actively scanned as soon as it is found. Use it only on sites you have written permission to penetrate.

  5. Click Quick Start and, in the Information window, input the full URL to scan, including the scheme (http:// or https://).

    The left pane Sites tree provides the history of URLs seen through the proxy.

  6. From a shell, run ZAP using the ‘standard’ zap.sh script.

    There is also a zap-x.sh script which first starts xvfb (X virtual frame buffer) - this allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment.

Jenkins plugin features

The plugin can:

  1. Manage Sessions (Load or Persist)
  2. Define a Context (Name, Include URLs and Exclude URLs, given as regular expressions)
  3. Attack Contexts (Spider Scan, AJAX Spider, Active Scan)

You can also:

  1. Set up Authentication (Form Based or Script Based), so that the scan reaches pages behind the login
  2. Run it as a Pre-Build step as part of a Selenium build, so the functional tests' traffic is proxied through ZAP and populates the Sites tree
  3. Generate Reports (.xhtml, .xml, .json)
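The Context's include and exclude regexes decide what the spider and active scanner are allowed to touch, and a common mistake is an include pattern that matches only one exact URL. The Python below is an added example, not ZAP code: it mirrors ZAP's rule that a context regex must match the whole URL and that an exclude match wins, and applies it to a constructed list of BWA-style URLs (assumed host bwa.local, not real scan output) to decide which get attacked and which are skipped.

```python
import re

# Constructed BWA-style URLs as a spider might discover them (not real scan output).
CRAWLED = [
    "http://bwa.local/mutillidae/",
    "http://bwa.local/mutillidae/index.php?page=login.php",
    "http://bwa.local/mutillidae/index.php?page=user-info.php",
    "http://bwa.local/mutillidae/index.php?page=logout.php",
    "http://bwa.local/dvwa/login.php",
    "http://bwa.local/phpmyadmin/",
]


def in_scope(url, include, exclude=()):
    """Mimic ZAP's context test: a regex must match the WHOLE URL, and exclude wins."""
    if any(re.fullmatch(p, url) for p in exclude):
        return False
    return any(re.fullmatch(p, url) for p in include)


def partition(urls, include, exclude=()):
    """Split crawled URLs into (attack, skip) lists before starting an active scan."""
    attack = [u for u in urls if in_scope(u, include, exclude)]
    skip = [u for u in urls if u not in attack]
    return attack, skip


def include_pattern_for(base_url):
    """Build an include regex by escaping the literal prefix and appending .*,
    so every URL beneath the prefix matches (ZAP's generated patterns also end in .*)."""
    return re.escape(base_url) + ".*"


def lint_include(pattern):
    """Flag the classic mistake: a bare prefix that only matches one exact URL."""
    if not pattern.endswith(".*"):
        return f"'{pattern}' matches only that exact URL; append .* to cover the site"
    return None


if __name__ == "__main__":
    include = [include_pattern_for("http://bwa.local/mutillidae/")]
    exclude = [r".*logout.*"]  # never let the spider log the authenticated session out
    attack, skip = partition(CRAWLED, include, exclude)
    print("attack:", *attack, sep="\n  ")
    print("skip:", *skip, sep="\n  ")
```

Excluding the logout URL matters whenever form-based authentication is configured: otherwise the spider follows the logout link, the session ends, and the rest of the scan runs unauthenticated without any error to tell you so.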

Other SAST/DAST vendors

https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

  1. Veracode (https://en.wikipedia.org/wiki/Veracode) at https://www.veracode.com/security/vulnerability-scanning-tools was acquired on Nov 5 2018 from Broadcom by private equity firm Thoma Bravo, which has also funded Compuware, Dynatrace, SolarWinds and McAfee: https://thomabravo.com/2018/11/05/thoma-bravo-to-acquire-veracode-software-from-broadcom-inc-nasdaqavgo/

  2. Micro Focus (formerly HP): Fortify (https://en.wikipedia.org/wiki/Fortify_Software) for SAST and WebInspect for DAST

  3. Checkmarx, based in Israel, also offers Codebashing, a developer education platform for secure coding training.

  4. Synopsys acquired Black Duck (software composition analysis), Coverity (static analysis) and Cigital (https://en.wikipedia.org/wiki/Cigital), whose SecureAssist is a lightweight IDE plugin that points out common security vulnerabilities in real time.

  5. IBM AppScan

  6. Parasoft (https://en.wikipedia.org/wiki/Parasoft)

  7. Tenable.io (which includes a web application scanner) and Nessus (network vulnerability scanning rather than application DAST)

Resources

Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing 1h 40m video course 16 Feb 2017 by Mike Woolard
