DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Slide 1: Scripting OWASP ZAP
By Simon Bennetts
Join the conversation #DevSecCon
Slide 2: The Plan
● Session 1 : 2pm
– Introduction
– Standard Scripts (JavaScript, Python, Ruby)
– Proxy and Http Sender Scripts
– Passive and Active Scan rule Scripts
● Session 2 : 3pm
– Zest Scripts
– Standalone and Targeted Scripts
Slide 3: The Plan
● Session 3 : 4pm
– How to use scripts in automation
– How to add scripting support in add-ons (overview)
– Authentication Scripts
– More chance to write any or all of the above types
● Session 4 : 5pm
– Optional – keep writing scripts, ask more questions...
Slide 4: Competition Time!
● We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
● Can be anything useful – eg copies of existing scripts in different languages :)
● Anything useful will earn a ZAP Contributor sticker (max one per person)
● Lots of useful scripts will earn a ZAP T-shirt!
● Only valid for this workshop
Slide 5: Introduction – why do we need scripts?
● Advantages:
– Quick to write and test
– Full access to ZAP classes and data structures
– No need for separate development environment
● Disadvantages:
– Documentation could be (much) better
– No auto complete
– No sandbox – only run scripts you trust!
Slide 6: Introduction – What languages are supported?
● JavaScript – built in
● Python – optional add-on
● Ruby – optional add-on
● Zest – built in, macro language on steroids
● JSR 223 languages relatively easy to add
● Beanshell – optional, no longer really maintained
Slide 7: Script types (built in)
● Stand Alone – Run manually
● Targeted – Run manually against specified requests
● Proxy – Change proxied browser requests on the fly
● HTTP Sender – Change any request on the fly (proxy, spider, active scanner ...)
Slide 8: Script types (built in)
● Passive Scan Rule – Detect potential issues just by looking
● Active Scan Rule – Detect potential issues by attacking
● Authentication – Automatically login to sites
● Script Input Vector – Define exactly what ZAP will attack
Slide 9: Script types (add-ons)
● Fuzzer HTTP Processor – Called before and after HTTP messages are fuzzed
● Fuzzer Websocket Processor – Called before and after Websocket messages are fuzzed
● Payload Generator – Generate attacks to be used in the fuzzer
● Payload Processor – Change fuzzer payloads before they are used
● Sequence – Define sequences of requests to be attacked (alpha)
Slide 10: 'Standard' Script languages
● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
– Java 7 – Rhino
– Java 8 – Nashorn
– Can write to local filestore via Java classes
– Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
● JavaScript Nashorn – supports loading scripts from files
– https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
● Python – supports modules path
Slide 11: Useful links
● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Slide 12: Getting started
● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: "Hello world"
Slide 13: The tabs
● Scripts tab
– Shows all of the scripts and templates
– Allows you to select, add, remove, duplicate, enable, disable and save scripts
– Icons show state – enabled / disabled, error and not saved
● Script Console tab
– Top pane – edit scripts
– Bottom pane – output and error messages
– Run and Stop buttons – enabled when appropriate
– Output pane buttons – control that pane
– Right click for lots more options!
Slide 14: Proxy and HTTP Sender scripts
● Proxy Scripts
– Only affect requests and responses proxied via a browser
● HTTP Sender Scripts
– Affect all requests and responses (proxy, active scan, spider …)
– Initiator param gives the component that initiated the request
– Provides helper to make new requests
● Both
– Must enable scripts before they will take effect
– Will be disabled on error
Slide 15: Script parameter: HttpMessage - msg
● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
● Provides methods like
– getRequestBody()
– getRequestHeader()
– getResponseBody()
– getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy
Slide 16: Proxy and HTTP Sender scripts - examples
● Proxy Scripts
– Replace in request or response body.js
– Drop requests not in scope.js
– Return fake response.js
● HTTP Sender Scripts
– Alert in HTTP Response Code Errors.js
– Alert on Unexpected Content Types.js
– Capture and Replace Anti CSRF Token.js
Slide 17: Exercise – write Proxy &/ HTTP Sender scripts
Suggestions:
● Replace headers
● Auto redirect from one page to another
● Do different things based on content, eg:
– Replace different content
– Redirect to different pages
Slide 18: Passive and Active Rule scripts
● Passive Rule Scripts
– Can only view requests and responses (should not change anything)
● Active Rule Scripts
– Attack nodes or specific parameters
– Can do pretty much anything you like :)
– Must Enable Script Input Vectors
● Both
– Can raise alerts
– Must enable scripts before they will take effect
– Will be disabled on error
Slide 19: Passive and Active Rule scripts - examples
● Passive Rule Scripts
– Server Header Disclosure.js
– Find emails.js
● Active Rule Scripts
– User defined attacks.js
– gof_lite.js
● Demo: testing passive and active rule scripts
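As an added example of the passive rule script type described on slides 18 and 19 (not code from the deck or from the community-scripts repository), here is a Server header version disclosure rule written in Nashorn-compatible ES5. It assumes the ZAP 2.6-era template signatures scan(ps, msg, src) and ps.raiseAlert(risk, confidence, name, description, uri, param, attack, otherInfo, solution, evidence, cweId, wascId, msg); fakeMsg, fakePs and selfTest are constructed stand-ins used only to exercise the rule outside ZAP.

```javascript
// Passive scan rule script in Nashorn-compatible ES5 (ZAP 2.6-era template signatures).
// Raises an alert when the Server response header discloses a product version.
var VERSION_RE = /^([A-Za-z][\w.-]*)\/(\d+(?:\.\d+)*)/;

// Return "product/version" if the Server header value carries a version, else null.
function disclosedVersion(serverHeader) {
  if (!serverHeader) { return null; }
  var m = VERSION_RE.exec(String(serverHeader).trim());
  return m ? m[1] + "/" + m[2] : null;
}

// ZAP calls scan() for every message handed to the passive scanner.
// ps: the PassiveScan helper, msg: HttpMessage, src: parsed HTML source (unused here).
function scan(ps, msg, src) {
  var server = msg.getResponseHeader().getHeader("Server");
  var disclosed = disclosedVersion(server);
  if (disclosed === null) { return; }
  // risk 1 = Low, confidence 2 = Medium; CWE-200 / WASC-13 (information leakage)
  ps.raiseAlert(1, 2, "Server header version disclosure (script)",
    "The Server header reveals " + disclosed + ", which eases fingerprinting.",
    msg.getRequestHeader().getURI().toString(),
    "", "", "", "Configure the server to omit version details from the Server header.",
    server, 200, 13, msg);
}

// ZAP consults this to decide which history types are passed to scan(); scan all of them.
function appliesToHistoryType(historyType) {
  return true;
}

// --- Constructed stand-ins for ZAP's HttpMessage and PassiveScan, for offline self-test only ---
function fakeMsg(uri, serverHeader) {
  return {
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return uri; } }; } };
    },
    getResponseHeader: function () {
      return { getHeader: function (name) { return name === "Server" ? serverHeader : null; } };
    }
  };
}
function fakePs() {
  var alerts = [];
  return { alerts: alerts, raiseAlert: function () { alerts.push(Array.prototype.slice.call(arguments)); } };
}

// Run the rule over one constructed response and return how many alerts it raised.
function selfTest(serverHeader) {
  var ps = fakePs();
  scan(ps, fakeMsg("http://example.test/", serverHeader), null);
  return ps.alerts.length;
}
```

Loaded into ZAP as a Passive Rules script and enabled, only scan() and appliesToHistoryType() are called; the stand-ins are never invoked.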
Slide 20: Passive and Active Rule links
● Hacking ZAP Blog posts
– https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
– https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
● Java code – https://github.com/zaproxy/zap-extensions
– master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
– beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
– alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha
Slide 21: Variables (all script types)
● Global Variables
– Variables can be shared between all scripts
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
● Script Variables
– Variables can be shared between separate invocations of the same script
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")
Slide 22: Exercise – write Passive &/ Active Rule scripts
Suggestions:
● Rewrite existing java rules (see previous links)
● Alert on anything that ZAP doesn't currently find :)
Slide 23: Zest Scripts
● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format – JSON :O
● Intended to be 'written' graphically
● It's tool independent (no access to ZAP internals)
● Demo: "Hello world"
Slide 24: Zest Scripts - creating
● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt
Slide 25: Zest Scripts - editing
● Double click to edit nodes
● Right click:
– Add and delete nodes
– Delete nodes
– Surround with loops, conditionals
– Cut, copy and paste
– Comment
– Move up / down
● Drag and drop
● Selecting and adding requests
Slide 26: Zest Scripts – statement types
● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next
Slide 27: Zest Scripts – hidden extras
● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert
Slide 28: Zest Scripts – client side
● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video …
Slide 29: Exercise – write Zest scripts
Suggestions:
● Passive script – alert on the presence of 2 strings
● Rewrite a script you've just written in another language
● Rewrite one of the existing a/pscan rules
● Record a script and start changing it
Slide 30: Standalone and Targeted scripts
● Both run 'on-demand' only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, eg:
– Sites tree
– History
– Other extensions
Slide 31: Standalone and Targeted scripts - examples
● Standalone Scripts
– loop through history table.js
– traverse sites tree.js
– domainFinder.js
– window_creation_template.js
● Targeted Scripts
– Resend as a GET request.zst
– Find HTML comments.js
Slide 32: Exercise – Standalone and Targeted scripts
Suggestions:
● Count number of static vs dynamic pages
● Detect authentication, registration and password changing? (1, 2 and 3 password fields)
Slide 33: Scripts in Automation – set via cmd line
    -config script.scripts(0).name="Remove STS"
    -config script.scripts(0).engine="Mozilla Zest"
    -config script.scripts(0).type=proxy
    -config script.scripts(0).enabled=true
    -config script.scripts(0).file="/scripts/Remove STS.zst"
    -config script.scripts(1).name="Another one..."
Slide 34: Scripts in Automation – set via API
    zap.script.load("Remove STS", "proxy", "Mozilla Zest", "/scripts/Remove STS.zst")
    zap.script.enable("Remove STS")
● Pro Tip: Configure in the UI, look at what's set in config.xml ;)
Slide 35: Adding script support in add-ons
● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:
    ExtensionScript extensionScript = Control.getSingleton()
        .getExtensionLoader().getExtension(ExtensionScript.class);
    extensionScript.registerScriptType(
        new ScriptType("newname", "i18nKey", icon, true, true));
Slide 36: Adding script support in add-ons
● Use the enabled scripts:
    ExtensionScript extensionScript = Control.getSingleton()
        .getExtensionLoader().getExtension(ExtensionScript.class);
    List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
    for (ScriptWrapper script : scripts) {
        try {
            if (script.isEnabled()) {
                // getInterface returns null if the script does not implement MyScript
                MyScript s = extensionScript.getInterface(script, MyScript.class);
                if (s != null) {
                    // Do something with it...
                }
            }
        } catch (Exception e) {
            // Record the error against the script; ZAP disables it (slide 14: "Will be disabled on error")
            extensionScript.handleScriptException(script, e);
        }
    }
Slide 37: Authentication Scripts
● For when simple form based auth isn't enough
● Need to configure context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ
Slide 38: Exercise – Authentication scripts
Suggestions:
● Authenticate against any vulnerable app you have installed
Slide 39: Many thanks
Join the conversation #DevSecCon
PRs always appreciated ;)