Practice identifying security vulnerabilities in sample app
Among the web app penetration testing tools listed here, the Zed Attack Proxy (ZAP) described here provides automated scanners to find vulnerabilities of the kinds catalogued by the non-profit OWASP (Open Web Application Security Project).
The Zed Attack Proxy (ZAP) is offered free, and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications.
It is a tool that experienced pen-testers use for manual security testing, yet it is designed to be easy to use by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing. The OWASP tools include not just code, but also cheatsheets, documents, and research.
Get sample broken app
PROTIP: If you run ZAP against a server you don’t control, you are hacking that site.
Stand up an instance of the BWA (Broken Web Application), a collection of intentionally vulnerable web applications distributed by OWASP as a Virtual Machine (VM) file used by VirtualBox, Hyper-V, VMware Workstation on Windows, or VMware Fusion on Mac:
Instantiate a server. In Sep 2017 nested VT-x is supported on GCE, according to Paul R. Nash, Group Product Manager, Google Compute Engine.
Within the server, download:
curl -L -o OWASP_Broken_Web_Apps_VM_1.2.7z https://sourceforge.net/projects/owaspbwa/files/latest/download
(-L is needed because SourceForge answers with a redirect to a mirror; -o names the file, since -O would otherwise save it as "download".)
The OWASP_Broken_Web_Apps_VM_1.2.7z file downloaded is 1.7 GB (big!) because it contains various apps in Ruby, PHP, WordPress, etc.
It’s briefly described at https://owaspbwa.org, which resolves to https://code.google.com/archive/p/owaspbwa/
- Unpack the 7z file. Navigate into the folder.
Double-click on file OWASP Broken Web Apps.vmx to open the image in VirtualBox or VMware Workstation:
See Install video (music only, no dialog) [5:49]
Video showing version 1.1.1 [21:53] by Chuck Willis shows how to use BWA to demonstrate occurrences of the “Top 10” vulnerabilities described by OWASP. Mutillidae:
https://www.youtube.com/watch?v=0dxzGK1ZPxA Beyond 1.0 from 2013 Chuck Willis (@chuckatsf) describes BWA origins
Install proxy server
There are several ways to obtain and instantiate a proxy server.
QUESTION: Who are SaaS vendors operating on public cloud?
From Docker Hub
For those working on public clouds:
- Bring up Docker
- In a Terminal,
Use the Docker image provided by the OWASP organization at https://hub.docker.com/r/owasp/zap2docker-stable/
docker pull owasp/zap2docker-stable
docker images reports it as 1.33 GB.
Alternately, for use in CI environments:
docker pull owasp/zap2docker-bare
docker images reports it as 525 MB, about a third of the stable edition.
The images above were created based on code at: https://github.com/zaproxy/zaproxy/tree/develop/build/docker
ZAP’s project leader is Simon Bennetts (@psiinon). His lecture on 2 Jun 2015 [59:59]: https://www.youtube.com/watch?v=_MmDWenz-6U
Start ZAP with xvfb (X virtual frame buffer), which allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment. Firefox is also installed, so it can be used with these add-ons.
Alternately, start ZAP in headless (daemon) mode with the following command:
docker run -u zap -p 127.0.0.1:8080:8080 -i owasp/zap2docker-bare zap.sh -daemon -host 0.0.0.0 -port 8080
Inside the container ZAP must listen on 0.0.0.0 (not 127.0.0.1), otherwise the published port cannot reach it; binding the host side to 127.0.0.1 keeps the proxy off the network.
Blogs about this:
On private servers
CAUTION: Enterprise security should review this.
wget -q -O - https://github.com/zaproxy/zaproxy/releases/download/2.4.3/ZAP_2.4.3_Linux.tar.gz | tar zxf - -C /opt
ln -s /opt/ZAP_2.4.3 /opt/zap
Since ZAP does not come with an init script, use this one for Debian:
wget -q -O /etc/init.d/zap https://raw.githubusercontent.com/stelligent/zap/master/packer/roles/zap/files/zap-init.sh
chmod 755 /etc/init.d/zap
Instantiate within Google Cloud
Browser Proxy Setup
- Menu > settings
- Menu > Options
- Network tab
- Connections > Settings
- Clear “No Proxy for:” box
In Internet Explorer:
- Internet options
- Connections tab
- LAN settings
Check proxy settings
Use http://localhost:8080 or http://127.0.0.1:8080 to reach the proxy.
- Automate settings:
- Menu > Add-ons (shift+command+A)
- Click “See more add-ons”.
- In the “Search for add-ons” box, type “FoxyProxy”.
- Select “FoxyProxy Standard”.
- Click “+ Add to Firefox”.
- Click “Add” in the pop-up.
- Restart now.
Install Jenkins plugin
The plug-in is at:
ZAP is written in Java, so a Java SDK is needed to run it.
ZAP UI
The drop-down at the upper-left corner of the ZAP UI provides for 4 modes:
- Safe mode
- Standard mode
- Protected mode
- Attack mode, for sites you have permission to penetrate.
Click Quick Start, then in the Information window input the URL to scan, starting with
The left pane Tree window provides the context history of URLs visited.
Run ZAP using the ‘standard’ zap.sh script.
There is also a zap-x.sh script which first starts xvfb (X virtual frame buffer) - this allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment.
- Manage Sessions (Load or Persist)
- Define Context (Name, Include URLs and Exclude URLs)
- Attack Contexts (Spider Scan, AJAX Spider, Active Scan)
You can also:
- Setup Authentication (Form Based or Script Based)
- Run as Pre-Build as part of a Selenium Build
- Generate Reports (.xhtml, .xml, .json)
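The daemon-mode container started above and the Spider Scan, Active Scan and alert listing just described can be driven without the UI over ZAP’s JSON API. The script below is an added example (not the page’s or the ZAP project’s own code); it assumes ZAP is reachable on the host at 127.0.0.1:8080, that the BWA VM address is the placeholder shown, and that the API key is empty unless the daemon was started with one.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumptions (not from the page): ZAP daemon on the host at 127.0.0.1:8080, API key empty.
ZAP = "http://127.0.0.1:8080"
TARGET = "http://BWA-VM-ADDRESS/"   # placeholder: the OWASP BWA VM you stood up (see PROTIP above)
API_KEY = ""


def api_url(component, kind, name, base=ZAP, apikey=API_KEY, **params):
    """Build a ZAP JSON API URL, e.g. .../JSON/spider/action/scan/?url=..."""
    if apikey:
        params["apikey"] = apikey
    query = urllib.parse.urlencode(params)
    return f"{base}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")

def call(component, kind, name, **params):
    """GET an API endpoint and decode its JSON body."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as r:
        return json.load(r)

def percent_done(status_json):
    """spider/ascan 'status' views return {"status": "<percent>"} with the number as a string."""
    return int(status_json["status"])

def wait_until_done(component, scan_id, poll_seconds=2):
    """Poll spider/view/status or ascan/view/status until the scan reports 100."""
    while percent_done(call(component, "view", "status", scanId=scan_id)) < 100:
        time.sleep(poll_seconds)

def tally_by_risk(alerts):
    """Count core/view/alerts entries by their 'risk' (High, Medium, Low, Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts

def scan(target):
    """Spider, then actively scan, then summarise: the Attack Contexts sequence from the UI."""
    wait_until_done("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_until_done("ascan", call("ascan", "action", "scan", url=target)["scan"])
    return tally_by_risk(call("core", "view", "alerts", baseurl=target)["alerts"])

if __name__ == "__main__":
    print("ZAP", call("core", "view", "version")["version"], "alerts by risk:", scan(TARGET))
```

The risk tally is what a CI gate would compare against a threshold; the full HTML report is still available from the daemon at /OTHER/core/other/htmlreport/.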
https://app.pluralsight.com/library/courses/owasp-zap-web-app-pentesting-getting-started/table-of-contents Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing, 1h 40m video course, 16 Feb 2017, by Mike Woolard