Wilson Mar bio photo

Wilson Mar

Hello. Hire me!

Email me Calendar Skype call 310 320-7878

LinkedIn Twitter Gitter Google+ Youtube

Github Stackoverflow Pinterest

Practice identifying security vulnerabilities in sample app

Background

Among web app penetration testing tools listed here, the Zed Attack Proxy (ZAP) described here provides automated scanners to find vulnerabilities described by the non-profit OWASP (Open Web Application Security Project).

The Zed Attack Proxy (ZAP) is offered free, and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications.

It’s a tool for experienced pen-testers to use for manual security testing. “Tools” is designed to be easy-to-use by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. The tools include not just code, but also cheatsheets, documents, research.

Test Scope

Get sample broken app

PROTIP: If you run ZAP against a server you don’t control, you are hacking that site.

Stand-up an instance of the BWA (Broken Web Application), a collection of intentionally vulnerable web applications distributed by OWASP in a Virtual Machine (VM) file used by Virtualbox, HyperV. VMware Workstation on Windows or VMware Fusion on Mac:

  1. Instantiate a server. In Sep 2017 nested VT-x is supported on GCE, according to Paul R. Nash, Group Product Manager, Google Compute Engine.

  2. Within the server, download:

    
    curl -O https://sourceforge.net/projects/owaspbwa/files/latest/download
    

    The OWASP_Broken_Web_Apps_VM_1.2.7z file downloaded is 1.7 GB (big!) because it contains various apps in Ruby, PHP, WordPress, etc.

    It’s briefly described at https://owaspbwa.org, which resolves to https://code.google.com/archive/p/owaspbwa/

  3. Unpack the 7z file. Navigate into the folder.
  4. Double-click on file OWASP Broken Web Apps.vmx to open image in Virtualbox or VMWare workstation:

    See Install video (music only, no dialog) [5:49]

  5. Use it.

    Video showing version 1.1.1 [21:53] by Chuck Willis shows how to use BWA to demonstrate occurance of “Top 10” vulnerabilities described by OWASP. Mutillidae:

    owaspbwa-top10-842x790-451990

    http://www.concise-courses.com/infosec/owasp-broken-web-applications/

    https://www.youtube.com/watch?v=FOEFL8bbbCU [7:05]

    https://www.youtube.com/watch?v=0dxzGK1ZPxA Beyond 1.0 from 2013 Chuck Willis (@chuckatsf) describes BWA origins

Install proxy server

There are several ways to obtain and instantiate a proxy server.

SaaS

QUESTION: Who are SaaS vendors operating on public cloud?

From Docker Hub

For those working on public clouds:

  1. Bring up Docker
  2. In a Terminal,
  3. Use the Docker image provided by the OWASP organization at https://hub.docker.com/r/owasp/zap2docker-stable/

    
    docker pull owasp/zap2docker-stable
    

    docker images say it’s 1.33GB.

    Alternately, for use in CI environments:

    
    docker pull owasp/zap2docker-bare
    

    docker images say it’s 525 MB, which is a third of the stable edition.

    The images above were created based on code at: https://github.com/zaproxy/zaproxy/tree/develop/build/docker

    ZAP’s project leader is Simon Bennetts (@psilnon). His lecture on 2 Jun 2015 [59:59]: https://www.youtube.com/watch?v=_MmDWenz-6U

  4. Start ZAP in with xvfb (X virtual frame buffer) which allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment. Firefox is also installed so can be used with these add-ons.

    Alternately: Start ZAP in headless mode with following command:

    
    docker run -u zap -p 8080:8080 -i owasp/zap2docker-bare zap.sh -daemon -host 127.0.0.1 -port 8080
    

Blogs about this:

  • https://github.com/zaproxy/zaproxy/wiki/Docker

On private servers

  1. Download

    wget -q -O - https://github.com/zaproxy/zaproxy/releases/download/2.4.3/ZAP_2.4.3_Linux.tar.gz

    CAUTION: Enterprise security should review this.

  2. Un-tar

    tar zxf - -C /opt ln -s /opt/ZAP_2.4.3 /opt/zap

  3. Since ZAP does not come with a script, this script for Debian:

    wget -q -O /etc/init.d/zap https://raw.githubusercontent.com/stelligent/zap/master/packer/roles/zap/files/zap-init.sh chmod 755 /etc/init.d/zap

Instantiate within Google Cloud

Browser Proxy Setup

In Chrome:

  1. Menu > settings
  2. Proxy

In Firefox:

  1. Manu > Options
  2. Advanced
  3. Network tab
  4. Connections > Settings
  5. Clear “No Proxy for:” box

In Internet Explorer:

  1. Tools
  2. Internet options
  3. Connections tab
  4. Lan settings
  5. Check proxy settings

  6. Use http://localhost or http://127.0.0.1:8080 to reach the Proxy.

  7. Automate settings:

In Firefox:

  1. Menu > Add-ons (shift+command+A)
  2. Click “See more Add-ins”
  3. In “Search for add-ons” search box, type “foxy boxy basix”.
  4. Select “FoxyProxy Standard”.
  5. Click “+ Add to Firefox”.
  6. Click “Add” in the pop-up.
  7. Restart now.

Install Jenkins plugin

Blogs:

  • https://stelligent.com/2016/04/28/automating-penetration-testing-in-a-cicd-pipeline/
  • https://stelligent.com/2016/05/11/automating-penetration-testing-in-a-cicd-pipeline-part-2/

The plug-in is at:

https://wiki.jenkins.io/display/JENKINS/zap+plugin

  1. ZAP is written in Java, so a Java SDK is needed to run it.

    https://github.com/zapproxy/zapproxy/wiki/

ZAP UI OWASP

The drop-down at the upper-left corner of the ZAP UI provides for 4 modes:

  1. Safe mode
  2. Standard mode
  3. Protected mode
  4. Attack mode for sites you have permission to penetrate.

  5. Click Quick Start to, on the Information window, input the URL to scan, starting with https.

    The left pane Tree window provides the context history of URLs visited.

  6. Run ZAP using the ‘standard’ zap.sh script.

    There is also a zap-x.sh script which first starts xvfb (X virtual frame buffer) - this allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment.

ZAP scripts

The plugin:

  1. Manage Sessions (Load or Persist)
  2. Define Context (Name, Include URLs and Exclude URLs)
  3. Attack Contexts (Spider Scan, AJAX Spider, Active Scan)

You can also:

  1. Setup Authentication (Form Based or Script Based)
  2. Run as Pre-Build as part of a Selenium Build
  3. Generate Reports (.xhtml, .xml, .json)

Resources

https://app.pluralsight.com/library/courses/owasp-zap-web-app-pentesting-getting-started/table-of-contents Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing</a> 1h 40m video course 16 Feb 2017 by Mike Woolard

More about API usage and management: