OWASP ZAP : Workaround – Html Report from APIs daemon mode

Ok, maybe the title is a bit misleading. This post shows you a few workarounds you can use to generate (or mimic) an html report when running OWASP ZAP automated in headless mode.

Zed Attack Proxy (ZAP), as of the 2.3.1 stable release, provides options to generate an Xml report and an html report for the alerts found. Both reports are available from the UI via the Report menu.

Use case:

One of the unique features of ZAP is the REST API that aids in automating scans. When running ZAP in daemon mode and driving it through the REST APIs, there are a number of ways to harvest the alerts identified by ZAP.

Here’s a couple of them:

  1. alerts based on id (http://localhost:7070/UI/core/view/alert/)
  2. alerts for the baseurl (http://localhost:7070/UI/core/view/alerts/)
  3. xmlreport (http://localhost:7070/UI/core/other/xmlreport/) [Same as clicking Report –> Generate Xml Report…]

Using the API and your favorite programming language, you can easily gather the alerts and decide what you want to do with them.

Problem:

One convenience would be simply pulling an html report out of the scan and mailing it to the application owners (or ourselves) so the findings can be fixed. There is an enhancement request open on the project’s issue page – https://code.google.com/p/zaproxy/issues/detail?id=1355

Until the feature is available in the next stable release, I decided to live with a couple of workarounds: one in python, and one in exe format (written in C#). They are not perfect in terms of formatting, but they are close enough to the original html report generated through the ZAP UI.

Workarounds:

Download from here – https://github.com/gmaran23/HtmlReportThroughZapAPIs

Workaround #1:

A python script that injects an xslt stylesheet reference into the xml report file generated through the API. Use the sample function to insert the sample stylesheet (ZapReport.xslt) into the generated xml file. Needless to say, ZapReport.xslt and the xml report file should be in the same location.

If you need to email the xml report, zip it together with the xslt file, so that once unzipped the xslt file sits in the same location as the xml file.

When the xml file is opened in Firefox or IE –> see the formatting in action! (Does not work in Chrome though.)

import io

def InsertXSLTSheetIntoXmlReport(xmlreportfile, xsltfile, xmlreportfileout):
    # The ZAP xml report starts with this exact declaration; the xml-stylesheet
    # processing instruction is appended directly after it.
    texttofind = '<?xml version="1.0" encoding="UTF-8"?>'
    texttoreplace = '<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="{0}" ?>'.format(xsltfile)
    # Read the report produced by core/other/xmlreport/ ...
    with io.open(xmlreportfile, 'r', encoding="utf8") as f:
        xmlreport = f.read()
    # ... splice in the stylesheet reference and write the modified copy.
    xmlreportstyleinserted = xmlreport.replace(texttofind, texttoreplace)
    with io.open(xmlreportfileout, 'w', encoding="utf8") as f:
        f.write(xmlreportstyleinserted)


InsertXSLTSheetIntoXmlReport('SampleOWASPZAPReport.xml', 'ZapReport.xslt', 'SampleOWASPZAPReport-Mod.xml')

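A more defensive variant of the same idea, added here as an example and not part of the original script: the plain str.replace above silently leaves the report unstyled if the declaration is written with single quotes, a different encoding spelling, or is missing, so this version locates the declaration with a pattern, refuses an href that would break out of the processing instruction, and bundles report and stylesheet into one zip for mailing as described above. File names and the zip layout are assumptions.

```python
import re
import zipfile
from pathlib import Path

# Matches an XML declaration at the very start of the document, whatever the
# quoting style, so the stylesheet PI always lands right behind it.
XML_DECL_RE = re.compile(r'\A\s*<\?xml\s[^?]*\?>')


def insert_stylesheet_pi(xml_text, xslt_href):
    """Return xml_text with an xml-stylesheet PI pointing at xslt_href.

    Works when the declaration uses single quotes, another encoding spelling,
    or is absent, and is a no-op if a stylesheet PI is already present.
    """
    # Quotes or '?>' in the href would terminate the PI early; refuse them.
    if any(bad in xslt_href for bad in ('"', "'", '?>')):
        raise ValueError("xslt href contains characters illegal in a PI")
    if '<?xml-stylesheet' in xml_text:
        return xml_text
    pi = '<?xml-stylesheet type="text/xsl" href="%s"?>' % xslt_href
    m = XML_DECL_RE.match(xml_text)
    if m:
        return xml_text[:m.end()] + pi + xml_text[m.end():]
    return pi + xml_text


def bundle_report(xml_path, xslt_path, zip_path):
    """Write the styled report and the stylesheet into one zip so the xslt
    sits beside the xml once the recipient unzips it. Returns member names."""
    xml_path, xslt_path = Path(xml_path), Path(xslt_path)
    styled = insert_stylesheet_pi(xml_path.read_text(encoding='utf-8'),
                                  xslt_path.name)
    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(xml_path.name, styled)
        zf.write(str(xslt_path), xslt_path.name)
        return zf.namelist()


if __name__ == '__main__':
    # Constructed minimal report, not real ZAP output.
    sample = "<?xml version='1.0'?><OWASPZAPReport/>"
    print(insert_stylesheet_pi(sample, 'ZapReport.xslt'))
```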
There is also another xslt template available from https://code.google.com/p/zaproxy/source/browse/trunk/src/xml/report.html.xsl

Workaround #2:

Use the command line program XmlToHtmlWithXSLT.exe (requires .Net 4.0) as below to obtain an html report as output.

XmlToHtmlWithXSLT.exe SampleOWASPZAPReport.xml ZapReport.xslt converted.html

If you don’t have .Net 4.0, use the source below to recompile it for any .Net version.

using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

namespace XmlToHtmlWithXSLT
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length != 3)
            {
                Console.WriteLine("Usage: XmlToHtmlWithXSLT.exe <report.xml> <stylesheet.xslt> <output.html>");
                return;
            }

            string inputXmlFileName = args[0];
            string xsltfile = args[1];
            string outputHtmlFileName = args[2];

            XslCompiledTransform transform = LoadXsltTransform(xsltfile);

            StringWriter transformedToHtml = ApplyXsltTransform(inputXmlFileName, transform);

            WriteHtmlToFile(outputHtmlFileName, transformedToHtml);

            PrintStatus(outputHtmlFileName);
        }


        private static XslCompiledTransform LoadXsltTransform(string xsltfile)
        {
            XslCompiledTransform transform = new XslCompiledTransform();
            // DtdProcessing.Ignore: any DOCTYPE in the stylesheet is skipped, so no
            // external entities are resolved while loading it. Load(XmlReader) uses
            // XsltSettings.Default, which keeps document() and script blocks disabled.
            using (XmlReader reader = XmlReader.Create(xsltfile, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore }))
            {
                transform.Load(reader);
            }
            return transform;
        }

        private static StringWriter ApplyXsltTransform(string inputXmlFileName, XslCompiledTransform transform)
        {
            StringWriter transformedToHtml = new StringWriter();
            // The report is read with DTDs ignored as well, so a report carrying a
            // DOCTYPE cannot pull in external entities during the transform.
            using (XmlReader reader = XmlReader.Create(inputXmlFileName, new XmlReaderSettings() { DtdProcessing = DtdProcessing.Ignore }))
            {
                transform.Transform(reader, null, transformedToHtml);
            }
            return transformedToHtml;
        }

        private static void WriteHtmlToFile(string outputHtmlFileName, StringWriter transformedToHtml)
        {
            using (StreamWriter outputFileStream = new StreamWriter(new FileStream(outputHtmlFileName, FileMode.Create)))
            {
                outputFileStream.Write(transformedToHtml.ToString());
            }
        }

        private static void PrintStatus(string outputHtmlFileName)
        {
            Console.WriteLine("Output Written to {0}", outputHtmlFileName);
        }
    }
}

Until the enhancement request (https://code.google.com/p/zaproxy/issues/detail?id=1355) is completed, these are some workarounds that I personally could live with; maybe you can too, for your automation needs.

Worth looking at – https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT

Written by gmaran23

January 13, 2015 at 9:52 pm

Devouring Security: XML – Attack surface and Defenses

Agenda:

· XML today
· XML/XPath injection – Demo
· Compiled XPath queries
· DTD use and abuse
      document validations
      entity expansions
      denial of service – Demo
      arbitrary uri access (egress)
      parameters
      file enumeration and theft – Demo
      CSRF on internal systems – Demo?
· Framework defaults limits/restrictions
· Mitigations
· Lessons learned
· Verifying your XML systems for potential threats

Note:

1. All topics include sample code for exploits and prevention; language (C#, Java, PHP) and platform (Windows/Linux) agnostic wherever possible.

2. It is imperative at this juncture that you are aware of most attack scenarios against XML, because the framework defaults may not protect you; you may be vulnerable and simply not have found it yet.

3. The session is somewhat biased towards DTD abuse in XML systems, as the injection concepts and their remediation in XML are largely the same as for Sql injection.