Practice penetration testing identifying security vulnerabilities in sample BWA app
Penetration (Pen) Testing Tools
Among web app penetration testing tools, the Zed Attack Proxy (ZAP) is offered free, and is actively maintained by hundreds of international volunteers. Use it to scan for security vulnerabilities in your web applications while you are developing and testing your applications.
ZAP is a tool for Dynamic App Security Testing (DAST) run while the app under test is running.
By contrast, SAST (Static App Security Testing) tools scan application source code for coding vulnerabilities. SAST vendors include Veracode, Perforce, http://www.castsoftware.com/ and Checkmarx. Checkmarx also adds an agent that runs alongside the app and reports to a central Security Handler, an approach called Interactive App Security Testing (IAST).
Security tests should also cover the efficacy of Runtime Application Self-Protection (RASP) built within apps, rather than relying completely on the infrastructure Web Application Firewall (WAF).
OWASP Top 10
ZAP looks for vulnerabilities described in the non-profit OWASP (Open Web Application Security Project) Top 10 - 2017 PDF:
YouTube videos from F5 DevCentral 2017 by John Wagnon (and Description from OWASP):
Cross-Site Request Forgery (CSRF)
There is also the SANS Top 25 Software Errors list, which includes Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Motor Industry Software Reliability Association (MISRA)
As a “black box” approach, DAST cannot identify non-reflective vulnerabilities (e.g. Cross-Site Scripting) that don’t generate feedback when triggered.
Get sample broken app
PROTIP: If you run ZAP against a server you don’t control, you are hacking that site.
Stand up an instance of the BWA (Broken Web Application), a collection of intentionally vulnerable web applications distributed by OWASP as a Virtual Machine (VM) file usable with VirtualBox, Hyper-V, VMware Workstation on Windows or VMware Fusion on Mac:
Instantiate a server. In Sep 2017 nested VT-x is supported on GCE, according to Paul R. Nash, Group Product Manager, Google Compute Engine.
Within a console on the server, download:
```shell
# -L follows SourceForge's redirect; -o names the file (a bare -O would save it as "download")
curl -L -o OWASP_Broken_Web_Apps_VM_1.2.7z https://sourceforge.net/projects/owaspbwa/files/latest/download
```
The OWASP_Broken_Web_Apps_VM_1.2.7z file downloaded is 1.7 GB (big!) because it contains various apps in Ruby, PHP, WordPress, etc.
Note it’s from 2015.
- Unpack the 7z file. Navigate into the folder.
Double-click on the file OWASP Broken Web Apps.vmx to open the image in VirtualBox or VMware Workstation:
See Install video (music only, no dialog) [5:49]
The video showing version 1.1.1 [21:53] by Chuck Willis shows how to use BWA to demonstrate the occurrence of “Top 10” vulnerabilities described by OWASP. Mutillidae:
“Beyond 1.0” (2013) by Chuck Willis (@chuckatsf) describes the origins of BWA.
Install proxy server
There are several ways to obtain and instantiate a proxy server.
QUESTION: Who are SaaS vendors operating on public cloud?
From Docker Hub
For those working on public clouds:
- Bring up Docker.
- In a Terminal, pull the Docker image provided by the OWASP organization at https://hub.docker.com/r/owasp/zap2docker-stable/:
```shell
docker pull owasp/zap2docker-stable
```
The docker images command reports it as 1.33 GB.
Alternately, for use in CI environments:
```shell
docker pull owasp/zap2docker-bare
```
The docker images command reports it as 525 MB, about a third of the stable edition.
The images above were created based on code at: https://github.com/zaproxy/zaproxy/tree/develop/build/docker
ZAP’s project leader is Simon Bennetts (@psiinon). His lecture on 2 Jun 2015 [59:59]: https://www.youtube.com/watch?v=_MmDWenz-6U
Start ZAP with the zap-x.sh script to run it under xvfb (X virtual frame buffer), which allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment. Firefox is also installed in the image, so it can be used with these add-ons.
Alternately: Start ZAP in headless mode with following command:
```shell
# Inside a container, -host 127.0.0.1 binds the daemon to the container's own loopback,
# so the published port 8080 is unreachable from the host. Bind to 0.0.0.0 and allow
# API callers from any address (ZAP otherwise accepts API calls only from localhost).
# In daemon mode ZAP generates a random API key unless one is set with -config api.key=...
docker run -u zap -p 8080:8080 -i owasp/zap2docker-bare zap.sh -daemon \
  -host 0.0.0.0 -port 8080 \
  -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
```
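Once the daemon is up, the usual next step is to drive it through its JSON API rather than the GUI. The script below is an added example (not ZAP project code) that spiders a target, runs an active scan, polls both to completion and returns the alerts with the highest risk first. It assumes the daemon listens on 127.0.0.1:8080 as started above, that the API key is supplied in ZAP_API_KEY (or not enforced), and it uses a placeholder target URL; the `fetch` argument is an injection point so the flow can be exercised without a live daemon.

```python
"""Drive a headless ZAP daemon through its JSON API: spider, active scan, then fetch alerts.

Added example, not ZAP project code. Assumes the daemon started by the docker
command above is reachable at 127.0.0.1:8080 and that the API key (ZAP_API_KEY)
is either set or not enforced. The target URL is a placeholder.
"""
import json
import os
import time
import urllib.parse
import urllib.request


class ZapClient:
    """Minimal wrapper over ZAP's /JSON/<component>/<action|view>/<name>/ endpoints."""

    def __init__(self, base_url="http://127.0.0.1:8080", api_key="", fetch=None, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # fetch(url) -> response body as str. Injectable so the scan flow can be
        # exercised against a fake transport when no daemon is running.
        self.fetch = fetch or self._http_get
        self.sleep = sleep

    @staticmethod
    def _http_get(url):
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.read().decode("utf-8")

    def call(self, component, kind, name, **params):
        # Every ZAP API call is a GET with query parameters; the key travels as apikey=.
        if self.api_key:
            params["apikey"] = self.api_key
        url = f"{self.base_url}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
        return json.loads(self.fetch(url))

    def _wait(self, component, scan_id, poll_seconds=2.0):
        # The spider and ascan 'status' views report percent complete as a string.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            self.sleep(poll_seconds)

    def spider(self, target):
        scan_id = self.call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", scan_id)
        return scan_id

    def active_scan(self, target):
        scan_id = self.call("ascan", "action", "scan", url=target)["scan"]
        self._wait("ascan", scan_id)
        return scan_id

    def alerts(self, target):
        # core/view/alerts returns each alert with a textual 'risk' (High/Medium/Low/Informational)
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def scan_target(client, target):
    """Spider first so the active scanner has URLs to work on, then return the
    alerts sorted so the highest risk comes first."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
    client.spider(target)
    client.active_scan(target)
    return sorted(client.alerts(target), key=lambda a: order.get(a.get("risk"), 4))


if __name__ == "__main__":
    zap = ZapClient(api_key=os.environ.get("ZAP_API_KEY", ""))
    # Placeholder target: point this at your own BWA instance.
    for a in scan_target(zap, "http://TARGET-PLACEHOLDER/"):
        print(a.get("risk"), a.get("alert"), a.get("url"))
```

The active scan only attacks URLs already in ZAP's site tree, which is why the spider runs first; for single-page apps the Ajax Spider (zap-x.sh section above) fills the tree instead.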
Blogs about this:
On private servers
CAUTION: Enterprise security should review this.
```shell
# Download ZAP 2.4.3 and unpack it into /opt in one step (wget writes the archive to stdout),
# then create a version-independent symlink.
wget -q -O - https://github.com/zaproxy/zaproxy/releases/download/2.4.3/ZAP_2.4.3_Linux.tar.gz | tar zxf - -C /opt
ln -s /opt/ZAP_2.4.3 /opt/zap
```
Since ZAP does not ship with an init script, install this one for Debian from the Stelligent repository:
```shell
wget -q -O /etc/init.d/zap https://raw.githubusercontent.com/stelligent/zap/master/packer/roles/zap/files/zap-init.sh
chmod 755 /etc/init.d/zap
```
Instantiate within Google Cloud
Browser Proxy Setup
- Menu > settings
- Menu > Options
- Network tab
- Connections > Settings
- Clear “No Proxy for:” box
In Internet Explorer:
- Internet options
- Connections tab
- Lan settings
Check proxy settings
Use http://localhost or http://127.0.0.1:8080 to reach the proxy.
- Automate settings:
- Menu > Add-ons (shift+command+A)
- Click “See more Add-ins”
- In the “Search for add-ons” search box, type “foxyproxy”.
- Select “FoxyProxy Standard”.
- Click “+ Add to Firefox”.
- Click “Add” in the pop-up.
- Restart now.
Install Jenkins plugin
The plug-in is at:
ZAP is written in Java, so a Java SDK is needed to run it.
ZAP UI OWASP
The drop-down at the upper-left corner of the ZAP UI provides for 4 modes:
- Safe mode
- Standard mode
- Protected mode
- Attack mode (for sites you have permission to penetrate)
Click Quick Start and, in the Information window, input the URL to scan, starting with
The left pane Tree window provides the context history of URLs visited.
Run ZAP using the ‘standard’ zap.sh script.
There is also a zap-x.sh script which first starts xvfb (X virtual frame buffer) - this allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment.
- Manage Sessions (Load or Persist)
- Define Context (Name, Include URLs and Exclude URLs)
- Attack Contexts (Spider Scan, AJAX Spider, Active Scan)
You can also:
- Set up Authentication (Form Based or Script Based)
- Run as Pre-Build as part of a Selenium Build
- Generate Reports (.xhtml, .xml, .json)
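In a CI environment the JSON report is what the pipeline consumes. The script below is an added example (not ZAP project code) that flattens a ZAP JSON report into per-instance findings and fails the build when any alert reaches a chosen risk level, with a way to suppress a reviewed false positive by ZAP plugin id. The report layout it assumes (site[].alerts[] with string riskcode 0-3, riskdesc, count and instances[]) is the shape of ZAP's JSON report; the embedded sample report is constructed, not a real scan result.

```python
"""Gate a CI pipeline on a ZAP JSON report: fail when any alert meets a risk threshold.

Added example, not ZAP project code. The report layout assumed here
(site[].alerts[] with string riskcode 0-3, riskdesc, count, instances[]) is the
shape of the JSON report ZAP generates; SAMPLE_REPORT below is constructed.
"""
import json
import sys

RISK_LEVELS = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_CODE = {name: code for code, name in RISK_LEVELS.items()}

# Constructed sample in the shape of a ZAP JSON report (not a real scan result).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://bwa.local",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "riskdesc": "High (Medium)", "count": "1",
             "instances": [{"uri": "http://bwa.local/login.php", "method": "POST", "param": "username"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "riskdesc": "Low (Medium)", "count": "2",
             "instances": [{"uri": "http://bwa.local/", "method": "GET", "param": ""},
                           {"uri": "http://bwa.local/index.php", "method": "GET", "param": ""}]},
        ],
    }],
})


def iter_alerts(report):
    """Yield (site name, alert dict) for every alert in every scanned site."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def findings(report):
    """Flatten the report into (risk, name, uri, method, param) tuples, one per instance."""
    out = []
    for site_name, alert in iter_alerts(report):
        risk = RISK_LEVELS.get(str(alert.get("riskcode")), "Informational")
        for inst in alert.get("instances") or [{}]:
            out.append((risk, alert.get("alert", "?"), inst.get("uri", site_name),
                        inst.get("method", ""), inst.get("param", "")))
    return out


def gate(report, fail_on="Medium", ignore_pluginids=()):
    """Return (passed, blocking): blocking lists (risk, name, instance count) for alerts
    at or above fail_on. ignore_pluginids suppresses reviewed false positives by plugin id."""
    threshold = int(RISK_CODE[fail_on])
    blocking = []
    for _site_name, alert in iter_alerts(report):
        if alert.get("pluginid") in ignore_pluginids:
            continue
        code = str(alert.get("riskcode", "0"))
        if int(code) >= threshold:
            blocking.append((RISK_LEVELS[code], alert.get("alert", "?"), int(alert.get("count", "0"))))
    return (not blocking, blocking)


def main(argv):
    # With a path argument, read the report ZAP wrote; otherwise use the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = json.loads(SAMPLE_REPORT)
    passed, blocking = gate(report, fail_on="Medium")
    for risk, name, count in blocking:
        print(f"BLOCKING {risk}: {name} ({count} instance(s))")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Gating on risk alone treats a low-confidence High the same as a high-confidence one; the confidence field (and riskdesc, which combines both) is available if the pipeline should only block on confirmed findings.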
Other DAST vendors
Veracode (https://en.wikipedia.org/wiki/Veracode; https://www.veracode.com/security/vulnerability-scanning-tools) was acquired on Nov 5 2018 from Broadcom by private equity firm Thoma Bravo, which also funded Compuware, Dynatrace, SolarWinds and McAfee: https://thomabravo.com/2018/11/05/thoma-bravo-to-acquire-veracode-software-from-broadcom-inc-nasdaqavgo/ Only scans Java.
Micro Focus (formerly HP) WebInspect: https://en.wikipedia.org/wiki/Fortify_Software
Checkmarx based in Israel, offers Codebashing, a developer education platform for secure coding training.
Synopsys acquired Black Duck, Coverity, and Cigital (https://en.wikipedia.org/wiki/Cigital). Cigital SecureAssist is a lightweight IDE plugin that points out common security vulnerabilities in real time.
“Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing”, a 1h 40m video course (16 Feb 2017) by Mike Woolard.