DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Download as ODP, PDF0 likes987 views
The document outlines an agenda for a workshop on scripting the OWASP Zed Attack Proxy (ZAP). The workshop includes sessions on standard, proxy, and rule scripts using languages like JavaScript, Python, and Ruby. It also covers Zest scripts, variables, automation, and challenges participants to submit new scripts. The goal is to provide examples to help developers write useful scripts that improve ZAP's capabilities.
DevSecCon London 2017: zap scripting workshop by Simon Bennetts
- 1. Join the conversation #DevSecCon By Simon Bennetts Scripting OWASP ZAP
- 2. ● Session 1 : 2pm – Introduction – Standard Scripts (JavaScript, Python, Ruby) – Proxy and Http Sender Scripts – Passive and Active Scan rule Scripts ● Session 2 : 3pm – Zest Scripts – Standalone and Targeted Scripts The Plan
- 3. ● Session 3 : 4pm – How to use scripts in automation – How to add scripting support in add-ons (overview) – Authentication Scripts – More chance to write any or all of the above types ● Session 4 : 5pm – Optional – keep writing scripts, ask more questions... The Plan
- 4. ● We want more script examples ● Submit PRs to https://github.com/zaproxy/community-scripts ● Can be anything useful – eg copies of existing scripts in different languages :) ● Anything useful will earn a ZAP Contributor sticker (max one per person) ● Lots of useful scripts will earn a ZAP T-shirt! ● Only valid for this workshop Competition Time!
- 5. ● Advantages: – Quick to write and test – Full access to ZAP classes and data structures – No need for separate development environment ● Disadvantages – Documentation could be (much) better – No auto complete – No sandbox – only run scripts you trust! Introduction – why do we need scripts?
- 6. ● JavaScript – built in ● Python – optional add-on ● Ruby – optional add-on ● Zest – built in, macro language on steroids ● JSR 223 languages relatively easy to add ● Beanshell – optional, no longer really maintained Introduction – What languages are supported?
- 7. ● Stand Alone – Run manually ● Targeted – Run manually against a specified requests ● Proxy – Change proxied browser requests on the fly ● HTTP Sender – Change any request on the fly (proxy, spider, active scanner ...) Script types (built in)
- 8. ● Passive Scan Rule – Detect potential issues just by looking ● Active Scan Rule – Detect potential issues by attacking ● Authentication – Automatically login to sites ● Script Input Vector – Define exactly what ZAP will attack Script types (built in)
- 9. ● Fuzzer HTTP Processor – Called before and after HTTP messages are fuzzed ● Fuzzer Websocket Processor – Called before and after Websocket messages are fuzzed ● Payload Generator – Generate attacks to be used in the fuzzer ● Payload Processor – Change fuzzer payloads before they are used ● Sequence – Define sequences of requests to be attacked (alpha) Script types (add-ons)
- 10. ● All roughly equivalent ● All have good Java integration ● JavaScript (ECMAScript) – Java 7 – Rhino – Java 8 – Nashhorn – Can write to local filestore via Java classes – Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn ● JavaScript Nashhorn – supports loading scripts from files – https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions ● Python – supports modules path ‘Standard’ Script languages
- 11. ● Scripts group: https://groups.google.com/group/zaproxy-scripts ● Dev group: https://groups.google.com/group/zaproxy-develop ● Community Scripts: https://github.com/zaproxy/community-scripts ● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0 Useful links
- 12. ● Fire up ZAP ● Check for Updates (Help / Check for Updates...) ● Update everything ● Install Community Scripts ● Optionally install Python / Ruby Scripting ● Demo: “Hello world” Getting started
- 13. ● Scripts tab – Shows all of the scripts an templates – Allows you to select, add, remove, duplicate, enable, disable and save scripts – Icons show state – enabled / disabled, error and not saved ● Script Console tab – Top pane – edit scripts – Bottom pane – output and error messages – Run and Stop buttons – enabled when appropriate – Output pane buttons – control that pane – Right click for lots more options! The tabs
- 14. ● Proxy Scripts – Only affect requests and responses proxied via a browser ● HTTP Sender Scripts – Affect all requests and responses (proxy active scan, spider …) – Initiator param gives the component that initiated the request – Provides helper to make new requests ● Both – Must enable scripts before they will take effect – Will be disabled on error Proxy and HTTP Sender scripts
- 15. ● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html ● Provides methods like – getRequestBody() – getRequestHeader() – getResponseBody() – getResponseHeader() ● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0 ● Or the code: https://github.com/zaproxy/zaproxy Script parameter: HttpMessage - msg
- 16. ● Proxy Scripts – Replace in request or response body.js – Drop requests not in scope.js – Return fake response.js ● HTTP Sender Scripts – Alert in HTTP Response Code Errors.js – Alert on Unexpected Content Types.js – Capture and Replace Anti CSRF Token.js Proxy and HTTP Sender scripts - examples
- 17. Suggestions: ● Replace headers ● Auto redirect from one page to another ● Do different things based on content, eg: – Replace different content – Redirect to different pages Exercise – write Proxy &/ HTTP Sender scripts
- 18. ● Passive Rule Scripts – Can only view requests and responses (should not change anything) ● Active Rule Scripts – Attack nodes or specific parameters – Can do pretty much anything you like :) – Must Enable Script Input Vectors ● Both – Can raise alerts – Must enable scripts before they will take effect – Will be disabled on error Passive and Active Rule scripts
- 19. ● Passive Rule Scripts – Server Header Disclosure.js – Find emails.js ● Active Rule Scripts – User defined attacks.js – gof_lite.js ● Demo: testing passive and active rule scripts Passive and Active Rule scripts - examples
- 20. ● Hacking ZAP Blog posts – https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html – https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html ● Java code – https://github.com/zaproxy/zap-extensions – master branch – org/zaproxy/zap/extension/ascanrules and pscanrules – beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta – alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha Passive and Active Rule links
- 21. ● Global Variables – Variables can be shared between all scripts org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name","value") org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name") ● Script Variables – Variables can be shared between separate invocations of the same script org.zaproxy.zap.extension.script.ScriptVars.setScriptVar( this.context, "var.name","value") org.zaproxy.zap.extension.script.ScriptVars.getScriptVar( this.context, "var.name") Variables (all script types)
- 22. Suggestions: ● Rewrite existing java rules (see previous links) ● Alert on anything that ZAP doesn’t currently find :) Exercise – write Passive &/ Active Rule scripts
- 23. ● Domain Specific Language (DSL) ● Its domain is security and automation ● Closer to a macro language .. on steroids :) ● Format – JSON :O ● Intended to be ‘written’ graphically ● Its tool independent (no access to ZAP internals) ● Demo: “Hello world” Zest Scripts
- 24. ● Creating from templates ● Duplicating existing script ● Recording ● Selecting and adding requests ● Manually ● Demo: playing with BodgeIt Zest Scripts - creating
- 25. ● Double click to edit nodes ● Right click: – Add and delete nodes – Delete nodes – Surround with loops, conditionals – Cut, copy and paste – Comment – Move up / down ● Drag and drop ● Selecting and adding requests Zest Scripts - editing
- 26. ● Request – make requests (and make assertions) ● Action – scan, script, print, fail, sleep ● Assignment – assign things to variables ● Client – launch and control browsers ● Conditions – and, or, equals, length, etc ... ● Loop – though strings, files, integers, regexes, client elements ● Comment – comment :) ● Controls – return, break, next Zest Scripts – statement types
- 27. ● Paste Zest variables (right click in Zest text boxes) ● Parameterize strings (right click in requests) ● Redact strings (right click in requests) ● Drag and drop ● Change prefix – applies to all requests ● Anti CSRF tokens – automatically handled ● Generate Zest script from alert Zest Scripts – hidden extras
- 28. ● You have to start by launching a browser in Zest ● No record option at the moment :( ● Browser - View source / Inspect is your friend ● Demo: Persona video … Zest Scripts – client side
- 30. Suggestions: ● Passive script – alert on the presence of 2 strings ● Rewrite a script you’ve just written in another language ● Rewrite one of the existing a/pscan rules ● Record a script and start changing it Exercise – write Zest scripts
- 31. ● Both run ‘on-demand’ only ● Standalone – run from the console ● Targeted – right click on requests ● Standard scripts (not Zest) – can access ZAP internals, eg: – Sites tree – History – Other extensions Standalone and Targeted scripts
- 32. ● Standalone Scripts – loop through history table.js – traverse sites tree.js – domainFinder.js – window_creation_template.js ● Targeted Scripts – Resend as a GET request.zst – Find HTML comments.js Standalone and Targeted scripts - examples
- 33. Suggestions: ● Count number of static vs dynamic pages ● Detect authentication, registration and password changing? (1 2 and 3 password fields) Exercise – Standalone and Targeted scripts
- 34. -config script.scripts(0).name="Remove STS" -config script.scripts(0).engine="Mozilla Zest" -config script.scripts(0).type=proxy -config script.scripts(0).enabled=true -config script.scripts(0).file="/scripts/Remove STS.zst" -config script.scripts(1).name="Another one..." Scripts in Automation – set via cmd line
- 35. zap.script.load("Remove STS", “proxy”, "Mozilla Zest", "/scripts/Remove STS.zst") zap.script.enable("Remove STS") ● Pro Tip: Configure in the UI, look at whats set in config.xml ;) Scripts in Automation – set via API
- 36. ● Implement a script interface ● Implement one or more templates / examples which implement the interface ● Register a new script type: ExtensionScript extensionScript = Control.getSingleton(). getExtensionLoader().getExtension(ExtensionScript.class); extensionScript.registerScriptType(new ScriptType( "newname", "i18nKey", icon, true, true)); Adding script support in add-ons
- 37. ● Use the enabled scripts: ExtensionScript extensionScript = Control.getSingleton(). getExtensionLoader().getExtension(ExtensionScript.class); List<ScriptWrapper> scripts = extension.getScripts("newname"); for (ScriptWrapper script : scripts) { try { if (script.isEnabled()) { MyScript s = extension.getInterface( script, MyScript.class); // Do something with it... } Adding script support in add-ons
- 38. ● For when simple form based auth isnt enough ● Need to configure context ● Demo: BodgeIt authentication ● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ Authentication Scripts
- 39. Suggestions: ● Authenticate against any vulnerable app you have installed Exercise – Authentication scripts
- 40. Join the conversation #DevSecCon Many thanks PRs always appreciated ;)
Editor's Notes
- #2: &lt;number&gt;