DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Slide 1
Scripting OWASP ZAP
By Simon Bennetts
Join the conversation #DevSecCon

Slide 2: The Plan
● Session 1 : 2pm
– Introduction
– Standard Scripts (JavaScript, Python, Ruby)
– Proxy and Http Sender Scripts
– Passive and Active Scan rule Scripts
● Session 2 : 3pm
– Zest Scripts
– Standalone and Targeted Scripts

Slide 3: The Plan
● Session 3 : 4pm
– How to use scripts in automation
– How to add scripting support in add-ons (overview)
– Authentication Scripts
– More chance to write any or all of the above types
● Session 4 : 5pm
– Optional – keep writing scripts, ask more questions...

Slide 4: Competition Time!
● We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
● Can be anything useful – eg copies of existing scripts in different languages :)
● Anything useful will earn a ZAP Contributor sticker (max one per person)
● Lots of useful scripts will earn a ZAP T-shirt!
● Only valid for this workshop

Slide 5: Introduction – why do we need scripts?
● Advantages:
– Quick to write and test
– Full access to ZAP classes and data structures
– No need for separate development environment
● Disadvantages:
– Documentation could be (much) better
– No auto complete
– No sandbox – only run scripts you trust!

Slide 6: Introduction – What languages are supported?
● JavaScript – built in
● Python – optional add-on
● Ruby – optional add-on
● Zest – built in, macro language on steroids
● JSR 223 languages relatively easy to add
● Beanshell – optional, no longer really maintained
Slide 7: Script types (built in)
● Stand Alone – Run manually
● Targeted – Run manually against specified requests
● Proxy – Change proxied browser requests on the fly
● HTTP Sender – Change any request on the fly (proxy, spider, active scanner ...)

Slide 8: Script types (built in)
● Passive Scan Rule – Detect potential issues just by looking
● Active Scan Rule – Detect potential issues by attacking
● Authentication – Automatically login to sites
● Script Input Vector – Define exactly what ZAP will attack

Slide 9: Script types (add-ons)
● Fuzzer HTTP Processor – Called before and after HTTP messages are fuzzed
● Fuzzer Websocket Processor – Called before and after Websocket messages are fuzzed
● Payload Generator – Generate attacks to be used in the fuzzer
● Payload Processor – Change fuzzer payloads before they are used
● Sequence – Define sequences of requests to be attacked (alpha)

Slide 10: ‘Standard’ Script languages
● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
– Java 7 – Rhino
– Java 8 – Nashorn
– Can write to local filestore via Java classes
– Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
● JavaScript Nashorn – supports loading scripts from files
– https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
● Python – supports modules path

Slide 11: Useful links
● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Slide 12: Getting started
● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: “Hello world”

Slide 13: The tabs
● Scripts tab
– Shows all of the scripts and templates
– Allows you to select, add, remove, duplicate, enable, disable and save scripts
– Icons show state – enabled / disabled, error and not saved
● Script Console tab
– Top pane – edit scripts
– Bottom pane – output and error messages
– Run and Stop buttons – enabled when appropriate
– Output pane buttons – control that pane
– Right click for lots more options!

Slide 14: Proxy and HTTP Sender scripts
● Proxy Scripts
– Only affect requests and responses proxied via a browser
● HTTP Sender Scripts
– Affect all requests and responses (proxy, active scan, spider ...)
– Initiator param gives the component that initiated the request
– Provides helper to make new requests
● Both
– Must enable scripts before they will take effect
– Will be disabled on error

Slide 15: Script parameter: HttpMessage - msg
● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
● Provides methods like
– getRequestBody()
– getRequestHeader()
– getResponseBody()
– getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy

Slide 16: Proxy and HTTP Sender scripts - examples
● Proxy Scripts
– Replace in request or response body.js
– Drop requests not in scope.js
– Return fake response.js
● HTTP Sender Scripts
– Alert in HTTP Response Code Errors.js
– Alert on Unexpected Content Types.js
– Capture and Replace Anti CSRF Token.js
Slide 17: Exercise – write Proxy and/or HTTP Sender scripts
Suggestions:
● Replace headers
● Auto redirect from one page to another
● Do different things based on content, eg:
– Replace different content
– Redirect to different pages

Slide 18: Passive and Active Rule scripts
● Passive Rule Scripts
– Can only view requests and responses (should not change anything)
● Active Rule Scripts
– Attack nodes or specific parameters
– Can do pretty much anything you like :)
– Must Enable Script Input Vectors
● Both
– Can raise alerts
– Must enable scripts before they will take effect
– Will be disabled on error

Slide 19: Passive and Active Rule scripts - examples
● Passive Rule Scripts
– Server Header Disclosure.js
– Find emails.js
● Active Rule Scripts
– User defined attacks.js
– gof_lite.js
● Demo: testing passive and active rule scripts
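An added passive scan rule script, written for this page and not one of the community scripts, that generalises the "alert on the presence of 2 strings" exercise to any list of required strings. It assumes the ZAP passive-rule hook scan(ps, msg, src), the 13-argument ps.raiseAlert(...) order given in the comments, and the optional appliesToHistoryType hook (added in later ZAP releases; older versions ignore it); the stand-ins at the bottom are constructed so the rule can be run outside ZAP.

```javascript
// Added example for this workshop page (not a community-scripts file): a passive scan rule
// script in Nashorn JavaScript that generalises the "alert on the presence of 2 strings"
// exercise to any number of required strings. Assumed ZAP API: hook scan(ps, msg, src);
// ps.raiseAlert(risk, confidence, name, description, uri, param, attack, otherInfo, solution,
// evidence, cweId, wascId, msg); msg.getResponseBody().toString(); the optional
// appliesToHistoryType hook (later ZAP releases). The marker strings are a constructed choice.
var REQUIRED_STRINGS = ["Exception", "\tat "];   // both present => a Java stack trace was returned
var EVIDENCE_LEN = 40;

function findAll(body, needles) {
  // Returns a trimmed snippet per needle when every needle occurs in body, otherwise null.
  var found = [];
  for (var i = 0; i < needles.length; i++) {
    var idx = body.indexOf(needles[i]);
    if (idx < 0) { return null; }
    found.push(body.substring(idx, Math.min(body.length, idx + EVIDENCE_LEN)));
  }
  return found;
}

function scan(ps, msg, src) {
  var hits = findAll(String(msg.getResponseBody().toString()), REQUIRED_STRINGS);
  if (hits === null) { return; }
  ps.raiseAlert(1, 2,                              // risk Low, confidence Medium
    "Stack trace in response (script rule)",
    "The response body contains all of: " + REQUIRED_STRINGS.join(", "),
    msg.getRequestHeader().getURI().toString(),
    "", "",                                        // param and attack: none for a passive rule
    "Matched: " + hits.join(" | "),
    "Return a generic error page and keep stack traces in server-side logs only.",
    hits[0],                                       // evidence highlighted in the alert
    209, 13,                                       // CWE-209 / WASC-13 information leakage
    msg);
}

function appliesToHistoryType(historyType) {
  return true;   // scan every history type ZAP records (older ZAP versions ignore this hook)
}

// Constructed stand-ins for the ZAP objects so the rule can be exercised outside ZAP.
function fakeMsg(uri, body) {
  return { getRequestHeader: function () { return { getURI: function () { return uri; } }; },
           getResponseBody: function () { return { toString: function () { return body; } }; } };
}
function fakePs() {
  var alerts = [];
  return { alerts: alerts, raiseAlert: function () { alerts.push(Array.prototype.slice.call(arguments)); } };
}
```

Paste the top part into a new "Passive Rules" script in the Scripts tab, enable it, and the alert appears in the Alerts tab as soon as a response with both markers passes through ZAP.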
Slide 20: Passive and Active Rule links
● Hacking ZAP Blog posts
– https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
– https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
● Java code – https://github.com/zaproxy/zap-extensions
– master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
– beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
– alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha

Slide 21: Variables (all script types)
● Global Variables
– Variables can be shared between all scripts
  org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
  org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
● Script Variables
– Variables can be shared between separate invocations of the same script
  org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
  org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")
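An added HTTP Sender script, written for this page rather than taken from the community-scripts repository, that combines the header rewriting suggested on the Proxy/HTTP Sender exercise slide with the script variables from the Variables slide above. It assumes the ZAP hook names sendingRequest/responseReceived(msg, initiator, helper), HttpHeader.getHeader/setHeader (a null value removes the header), ScriptVars as shown on the slide, and that HttpSender.PROXY_INITIATOR is 1; the HttpMessage stand-in at the bottom is constructed so the hooks can be exercised outside ZAP.

```javascript
// Added example for this workshop page (not a community-scripts file): an HTTP Sender script
// in Nashorn JavaScript. Assumed ZAP API: hooks sendingRequest/responseReceived(msg, initiator,
// helper), HttpHeader getHeader/setHeader (null value removes the header), ScriptVars as on
// the Variables slide, and HttpSender.PROXY_INITIATOR == 1 in ZAP 2.x.
var PROXY_INITIATOR = 1;
// Nashorn exposes the script's ScriptContext as the global `context` (the slide's this.context);
// outside ZAP (e.g. under Node) it is undefined and a constructed stand-in for ScriptVars is used.
var ctx = (typeof context !== "undefined") ? context : null;
var ScriptVars = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")
  : { store: {},
      setScriptVar: function (c, k, v) { this.store[k] = v; },
      getScriptVar: function (c, k) { return this.store.hasOwnProperty(k) ? this.store[k] : null; } };

function sendingRequest(msg, initiator, helper) {
  var hdr = msg.getRequestHeader();
  // Count requests per initiator across invocations; script var values are strings and are
  // visible to this script only (global vars would be shared with every script).
  var key = "count." + initiator;
  var n = parseInt(ScriptVars.getScriptVar(ctx, key) || "0", 10) + 1;
  ScriptVars.setScriptVar(ctx, key, String(n));
  if (initiator == PROXY_INITIATOR) {
    // Browser traffic only: the spider and active scanner keep their own User-Agent.
    hdr.setHeader("User-Agent", "ZAP-workshop/1.0");
  }
  // Never let a lab-only debug header (constructed name) leave the machine.
  hdr.setHeader("X-Internal-Debug", null);
}

function responseReceived(msg, initiator, helper) {
  // Exercise "do different things based on content": tag HTML responses for later review.
  var ct = msg.getResponseHeader().getHeader("Content-Type");
  if (ct !== null && String(ct).toLowerCase().indexOf("text/html") === 0) {
    msg.getResponseHeader().setHeader("X-ZAP-Workshop", "html");
  }
}

// Constructed stand-in for org.parosproxy.paros.network.HttpMessage, just enough to run the
// two hooks outside ZAP; header names are case-insensitive as in ZAP's HttpHeader.
function fakeMessage(reqHeaders, respHeaders) {
  function header(init) {
    var h = {};
    for (var k in init) { h[k.toLowerCase()] = init[k]; }
    return { getHeader: function (n) { return h.hasOwnProperty(n.toLowerCase()) ? h[n.toLowerCase()] : null; },
             setHeader: function (n, v) { if (v === null) { delete h[n.toLowerCase()]; } else { h[n.toLowerCase()] = v; } } };
  }
  var req = header(reqHeaders), resp = header(respHeaders);
  return { getRequestHeader: function () { return req; }, getResponseHeader: function () { return resp; } };
}
```

Inside ZAP the per-initiator counters can be read back from the Script Console with ScriptVars.getScriptVar(this.context, "count.1") after a few proxied requests.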
Slide 22: Exercise – write Passive and/or Active Rule scripts
Suggestions:
● Rewrite existing java rules (see previous links)
● Alert on anything that ZAP doesn’t currently find :)

Slide 23: Zest Scripts
● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format – JSON :O
● Intended to be ‘written’ graphically
● It's tool independent (no access to ZAP internals)
● Demo: “Hello world”

Slide 24: Zest Scripts - creating
● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt

Slide 25: Zest Scripts - editing
● Double click to edit nodes
● Right click:
– Add and delete nodes
– Delete nodes
– Surround with loops, conditionals
– Cut, copy and paste
– Comment
– Move up / down
● Drag and drop
● Selecting and adding requests

Slide 26: Zest Scripts – statement types
● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next
Slide 27: Zest Scripts – hidden extras
● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert

Slide 28: Zest Scripts – client side
● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video …

Slide 29: Exercise – write Zest scripts
Suggestions:
● Passive script – alert on the presence of 2 strings
● Rewrite a script you’ve just written in another language
● Rewrite one of the existing a/pscan rules
● Record a script and start changing it

Slide 30: Standalone and Targeted scripts
● Both run ‘on-demand’ only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, eg:
– Sites tree
– History
– Other extensions

Slide 31: Standalone and Targeted scripts - examples
● Standalone Scripts
– loop through history table.js
– traverse sites tree.js
– domainFinder.js
– window_creation_template.js
● Targeted Scripts
– Resend as a GET request.zst
– Find HTML comments.js

Slide 32: Exercise – Standalone and Targeted scripts
Suggestions:
● Count number of static vs dynamic pages
● Detect authentication, registration and password changing? (1, 2 and 3 password fields)
Slide 33: Scripts in Automation – set via cmd line
  -config script.scripts(0).name="Remove STS"
  -config script.scripts(0).engine="Mozilla Zest"
  -config script.scripts(0).type=proxy
  -config script.scripts(0).enabled=true
  -config script.scripts(0).file="/scripts/Remove STS.zst"
  -config script.scripts(1).name="Another one..."

Slide 34: Scripts in Automation – set via API
  zap.script.load("Remove STS", "proxy", "Mozilla Zest", "/scripts/Remove STS.zst")
  zap.script.enable("Remove STS")
● Pro Tip: Configure in the UI, look at what's set in config.xml ;)
Slide 35: Adding script support in add-ons
● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:
  ExtensionScript extensionScript = Control.getSingleton()
          .getExtensionLoader().getExtension(ExtensionScript.class);
  extensionScript.registerScriptType(new ScriptType(
          "newname", "i18nKey", icon, true, true));

Slide 36: Adding script support in add-ons
● Use the enabled scripts:
  ExtensionScript extensionScript = Control.getSingleton()
          .getExtensionLoader().getExtension(ExtensionScript.class);
  List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
  for (ScriptWrapper script : scripts) {
      try {
          if (script.isEnabled()) {
              // null if the script does not implement MyScript
              MyScript s = extensionScript.getInterface(script, MyScript.class);
              if (s != null) {
                  // Do something with it...
              }
          }
      } catch (Exception e) {
          // Records the error against the script in the Scripts tab and disables it
          extensionScript.handleScriptException(script, e);
      }
  }
Slide 37: Authentication Scripts
● For when simple form based auth isn't enough
● Need to configure context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ

Slide 38: Exercise – Authentication scripts
Suggestions:
● Authenticate against any vulnerable app you have installed

Slide 39
Join the conversation #DevSecCon
Many thanks
PRs always appreciated ;)