DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Transcript of DevSecCon London 2017: zap scripting workshop by Simon Bennetts
Slide 1: Scripting OWASP ZAP
By Simon Bennetts
Join the conversation #DevSecCon
Slide 2: The Plan
● Session 1: 2pm
  – Introduction
  – Standard Scripts (JavaScript, Python, Ruby)
  – Proxy and HTTP Sender Scripts
  – Passive and Active Scan Rule Scripts
● Session 2: 3pm
  – Zest Scripts
  – Standalone and Targeted Scripts
Slide 3: The Plan
● Session 3: 4pm
  – How to use scripts in automation
  – How to add scripting support in add-ons (overview)
  – Authentication Scripts
  – More chance to write any or all of the above types
● Session 4: 5pm
  – Optional: keep writing scripts, ask more questions...
Slide 4: Competition Time!
● We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
● Can be anything useful, e.g. copies of existing scripts in different languages :)
● Anything useful will earn a ZAP Contributor sticker (max one per person)
● Lots of useful scripts will earn a ZAP T-shirt!
● Only valid for this workshop
Slide 5: Introduction – why do we need scripts?
● Advantages:
  – Quick to write and test
  – Full access to ZAP classes and data structures
  – No need for a separate development environment
● Disadvantages:
  – Documentation could be (much) better
  – No auto complete
  – No sandbox: a script runs with the full privileges of the ZAP process (file system, network, every ZAP class and the session data), so only run scripts you trust!
Slide 6: Introduction – What languages are supported?
● JavaScript – built in
● Python – optional add-on
● Ruby – optional add-on
● Zest – built in, macro language on steroids
● JSR 223 languages relatively easy to add
● Beanshell – optional, no longer really maintained
Slide 7: Script types (built in)
● Stand Alone
  – Run manually
● Targeted
  – Run manually against specified requests
● Proxy
  – Change proxied browser requests on the fly
● HTTP Sender
  – Change any request on the fly (proxy, spider, active scanner ...)
Slide 8: Script types (built in)
● Passive Scan Rule
  – Detect potential issues just by looking
● Active Scan Rule
  – Detect potential issues by attacking
● Authentication
  – Automatically login to sites
● Script Input Vector
  – Define exactly what ZAP will attack
Slide 9: Script types (add-ons)
● Fuzzer HTTP Processor
  – Called before and after HTTP messages are fuzzed
● Fuzzer Websocket Processor
  – Called before and after Websocket messages are fuzzed
● Payload Generator
  – Generate attacks to be used in the fuzzer
● Payload Processor
  – Change fuzzer payloads before they are used
● Sequence
  – Define sequences of requests to be attacked (alpha)
Slide 10: 'Standard' Script languages
● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
  – Java 7 – Rhino
  – Java 8 – Nashorn
  – Can write to local filestore via Java classes
  – Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
  – (Nashorn was deprecated in Java 11 and removed from the JDK in Java 15, so check which JavaScript engine your ZAP build ships before relying on Nashorn-only extensions)
● JavaScript Nashorn – supports loading scripts from files
  – https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
● Python – supports modules path
Slide 11: Useful links
● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Slide 12: Getting started
● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: "Hello world"
Slide 13: The tabs
● Scripts tab
  – Shows all of the scripts and templates
  – Allows you to select, add, remove, duplicate, enable, disable and save scripts
  – Icons show state: enabled / disabled, error and not saved
● Script Console tab
  – Top pane: edit scripts
  – Bottom pane: output and error messages
  – Run and Stop buttons: enabled when appropriate
  – Output pane buttons: control that pane
  – Right click for lots more options!
Slide 14: Proxy and HTTP Sender scripts
● Proxy Scripts
  – Only affect requests and responses proxied via a browser
● HTTP Sender Scripts
  – Affect all requests and responses (proxy, active scan, spider ...)
  – Initiator param gives the component that initiated the request
  – Provides a helper to make new requests
● Both
  – Must enable scripts before they will take effect
  – Will be disabled on error
Slide 15: Script parameter: HttpMessage - msg
● Key ZAP class: org.parosproxy.paros.network.HttpMessage
● Provides methods like
  – getRequestBody()
  – getRequestHeader()
  – getResponseBody()
  – getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy
Slide 16: Proxy and HTTP Sender scripts - examples
● Proxy Scripts
  – Replace in request or response body.js
  – Drop requests not in scope.js
  – Return fake response.js
● HTTP Sender Scripts
  – Alert in HTTP Response Code Errors.js
  – Alert on Unexpected Content Types.js
  – Capture and Replace Anti CSRF Token.js
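An HTTP Sender script in the style of the examples above, added here as an illustration; it is not taken from the workshop or from zaproxy/community-scripts. It uses the initiator parameter to tag only spider and active-scanner traffic with a marker header (proxied browser requests are left alone, so the target's logs can tell scanner noise from a tester's clicks), and writes a console message for responses with a 5xx status or a Content-Type outside an allow list. The header name X-Scanner-Run, the allow list and the values in the node-only self-check are assumptions; the initiator numbers are the constants of org.parosproxy.paros.network.HttpSender. Raising a real ZAP alert from an HTTP Sender script needs ExtensionAlert, as "Alert on Unexpected Content Types.js" does; this example only logs.

```javascript
// ZAP HTTP Sender script (JavaScript). Added example; not from the workshop
// or from zaproxy/community-scripts. sendingRequest() and responseReceived()
// are the entry points ZAP calls for every request it sends.

// Initiator ids: constants of org.parosproxy.paros.network.HttpSender.
var PROXY_INITIATOR = 1;
var ACTIVE_SCANNER_INITIATOR = 2;
var SPIDER_INITIATOR = 3;

// Marker added to automated requests (header name is an assumption).
var MARKER_HEADER = "X-Scanner-Run";
var MARKER_VALUE = "zap-devseccon-2017";

// Content types we expect from the target; anything else is worth a look.
var EXPECTED_TYPES = ["text/html", "application/json", "text/css",
                      "application/javascript", "text/javascript", "image/"];

// ZAP's script console provides print(); plain node does not.
var log = (typeof print === "function") ? print : console.log;

// Only automated components get the marker; never proxied browser traffic.
function shouldMark(initiator) {
  return initiator === ACTIVE_SCANNER_INITIATOR || initiator === SPIDER_INITIATOR;
}

// Normalise a Content-Type value ("text/html; charset=utf-8" -> "text/html")
// and test it against the allow list. A missing header counts as unexpected.
function isExpectedContentType(contentType) {
  if (contentType === null || contentType === undefined) {
    return false;
  }
  var mime = String(contentType).split(";")[0].trim().toLowerCase();
  for (var i = 0; i < EXPECTED_TYPES.length; i++) {
    if (mime.indexOf(EXPECTED_TYPES[i]) === 0) {
      return true;
    }
  }
  return false;
}

// A response deserves a console message on a server error or odd content type.
function isSuspicious(statusCode, contentType) {
  return statusCode >= 500 || !isExpectedContentType(contentType);
}

// Called by ZAP before the request goes out; msg is an
// org.parosproxy.paros.network.HttpMessage.
function sendingRequest(msg, initiator, helper) {
  if (shouldMark(initiator)) {
    msg.getRequestHeader().setHeader(MARKER_HEADER, MARKER_VALUE);
  }
}

// Called by ZAP once the response has arrived.
function responseReceived(msg, initiator, helper) {
  var resp = msg.getResponseHeader();
  var contentType = resp.getHeader("Content-Type");
  if (isSuspicious(resp.getStatusCode(), contentType)) {
    log("Unexpected response from " + msg.getRequestHeader().getURI() +
        " (initiator " + initiator + "): status " + resp.getStatusCode() +
        ", Content-Type " + contentType);
  }
}

// Outside ZAP (plain `node`) the engine's Java object is absent: exercise the
// pure helpers on constructed values so the logic can be checked offline.
if (typeof Java === "undefined") {
  log(isExpectedContentType("text/html; charset=utf-8"));   // true
  log(isSuspicious(200, "application/octet-stream"));       // true
  log(shouldMark(PROXY_INITIATOR));                          // false
}
```

Load it in the Scripts tab as type "HTTP Sender", enable it, and remember the slide's warning: any uncaught exception disables the script, so keep the callbacks defensive.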
Slide 17: Exercise – write Proxy and/or HTTP Sender scripts
Suggestions:
● Replace headers
● Auto redirect from one page to another
● Do different things based on content, e.g.:
  – Replace different content
  – Redirect to different pages
Slide 18: Passive and Active Rule scripts
● Passive Rule Scripts
  – Can only view requests and responses (should not change anything)
● Active Rule Scripts
  – Attack nodes or specific parameters
  – Can do pretty much anything you like :)
  – Must enable Script Input Vectors
● Both
  – Can raise alerts
  – Must enable scripts before they will take effect
  – Will be disabled on error
Slide 19: Passive and Active Rule scripts - examples
● Passive Rule Scripts
  – Server Header Disclosure.js
  – Find emails.js
● Active Rule Scripts
  – User defined attacks.js
  – gof_lite.js
● Demo: testing passive and active rule scripts
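A passive scan rule script along the lines of "Server Header Disclosure.js", added here as an example and not copied from the workshop or the community-scripts repository. It only reads the response, as a passive rule must, and raises an alert when the Server or X-Powered-By header carries a product version. The regular expression, the alert wording and the remediation hints are this example's own; the raiseAlert argument order is the one the ZAP passive-rule template documents.

```javascript
// ZAP passive scan rule script (JavaScript). Added example, not the
// workshop's "Server Header Disclosure.js". Flags Server and X-Powered-By
// headers that leak a product version, e.g. "Apache/2.4.29 (Ubuntu)".

var HEADERS = ["Server", "X-Powered-By"];
// A product token followed by a dotted version number: "nginx/1.14.0",
// "PHP/7.2.3". Tokens without a version ("cloudflare") are not reported.
var VERSION_RE = /([A-Za-z][A-Za-z0-9_.-]*)\/(\d+(?:\.\d+)+)/;

var log = (typeof print === "function") ? print : console.log;

// Return {product, version, evidence} for a header value that discloses a
// version, or null when it does not.
function versionDisclosure(headerValue) {
  if (headerValue === null || headerValue === undefined) {
    return null;
  }
  var m = VERSION_RE.exec(String(headerValue));
  if (!m) {
    return null;
  }
  return { product: m[1], version: m[2], evidence: m[0] };
}

// Collect disclosures through a header-lookup function so the logic can be
// tested without an HttpMessage. getHeader(name) returns the value or null.
function findDisclosures(getHeader) {
  var found = [];
  for (var i = 0; i < HEADERS.length; i++) {
    var d = versionDisclosure(getHeader(HEADERS[i]));
    if (d) {
      d.header = HEADERS[i];
      found.push(d);
    }
  }
  return found;
}

// Entry point ZAP calls for every message it passively scans. ps is the
// PassiveScript helper, msg the HttpMessage, src the parsed response
// (net.htmlparser.jericho.Source); src is not needed here.
function scan(ps, msg, src) {
  var responseHeader = msg.getResponseHeader();
  var disclosures = findDisclosures(function (name) {
    return responseHeader.getHeader(name);
  });
  for (var i = 0; i < disclosures.length; i++) {
    var d = disclosures[i];
    // raiseAlert(risk, confidence, name, description, uri, param, attack,
    //            otherInfo, solution, evidence, cweId, wascId, msg)
    // risk: 0 info, 1 low, 2 medium, 3 high
    // confidence: 0 false positive, 1 low, 2 medium, 3 high, 4 user confirmed
    ps.raiseAlert(1, 2,
      "Version disclosure in " + d.header + " header",
      "The " + d.header + " response header reveals " + d.product +
        " version " + d.version + ", which lets an attacker look up known " +
        "vulnerabilities for that exact release.",
      msg.getRequestHeader().getURI().toString(),
      d.header, "", "",
      "Configure the server to omit the version (e.g. ServerTokens Prod " +
        "for Apache, server_tokens off for nginx, expose_php = Off for PHP).",
      d.evidence,
      200,   // CWE-200: Exposure of Sensitive Information
      13,    // WASC-13: Information Leakage
      msg);
  }
}

// Offline self-check when run with node (no ZAP, no Java object).
if (typeof Java === "undefined") {
  log(JSON.stringify(findDisclosures(function (name) {
    return name === "Server" ? "Apache/2.4.29 (Ubuntu)" : "PHP/7.2.3";
  })));
}
```

Because passive rules run on everything that goes through ZAP, keep the per-message work cheap: one regular expression over two headers, no body parsing, no network calls.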
Slide 20: Passive and Active Rule links
● Hacking ZAP Blog posts
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
● Java code
  – https://github.com/zaproxy/zap-extensions
  – master branch: org/zaproxy/zap/extension/ascanrules and pscanrules
  – beta branch: org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
  – alpha branch: org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha
Slide 21: Variables (all script types)
● Global Variables
  – Variables can be shared between all scripts (so every loaded script can read them; don't park secrets there unless you trust all of them)
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
● Script Variables
  – Variables can be shared between separate invocations of the same script (this.context is the script's ScriptContext in the JavaScript engines)
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")
Slide 22: Exercise – write Passive and/or Active Rule scripts
Suggestions:
● Rewrite existing Java rules (see previous links)
● Alert on anything that ZAP doesn't currently find :)
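An active scan rule script of the "User defined attacks" kind, added here as an example and not taken from the workshop or community-scripts. ZAP calls scan(as, msg, param, value) once per parameter of each node; the script clones the request, replaces the parameter with a random canary wrapped in characters that a safe application must encode, sends it through the ActiveScript helper and reports whether the payload came back raw or encoded. The payload shape, canary format and alert texts are this example's own choices; the helper calls (cloneRequest, setParam, sendAndReceive, isStop, raiseAlert) are the ones the ZAP active-rule template uses.

```javascript
// ZAP active scan rule script (JavaScript). Added example, not from the
// workshop. For every parameter ZAP hands it, injects a random canary wrapped
// in characters that matter to HTML and reports where the canary comes back
// unencoded: a cheap reflection probe that feeds manual XSS testing.

var log = (typeof print === "function") ? print : console.log;

// Random canary; "zap" + 8 hex digits is unlikely to occur by accident.
function makeCanary() {
  var s = "zap";
  for (var i = 0; i < 8; i++) {
    s += "0123456789abcdef".charAt(Math.floor(Math.random() * 16));
  }
  return s;
}

// Payload: canary bracketed by characters a safe application must encode.
// If the whole thing comes back verbatim, output encoding is missing.
function makePayload(canary) {
  return "<\"'" + canary + "'\">";
}

// Inspect a response body. "raw" when the full payload is reflected
// unencoded, "encoded" when only the canary survives (markup was escaped),
// "none" when the canary is absent.
function classifyReflection(body, canary, payload) {
  var text = String(body);
  if (text.indexOf(payload) !== -1) {
    return "raw";
  }
  if (text.indexOf(canary) !== -1) {
    return "encoded";
  }
  return "none";
}

// Called once per node (URL); this rule only works on parameters.
function scanNode(as, msg) {
}

// Called once per parameter. as is the ActiveScript helper, msg the original
// HttpMessage, param/value the parameter name and its current value.
function scan(as, msg, param, value) {
  if (as.isStop()) {
    return;
  }
  var canary = makeCanary();
  var payload = makePayload(canary);

  // Work on a copy so the message in the history is left untouched.
  var attack = msg.cloneRequest();
  as.setParam(attack, param, payload);
  // sendAndReceive(msg, followRedirects, handleAntiCsrfTokens)
  as.sendAndReceive(attack, false, false);

  var verdict = classifyReflection(attack.getResponseBody().toString(), canary, payload);
  if (verdict === "none") {
    return;
  }
  var raw = verdict === "raw";
  // raiseAlert(risk, confidence, name, description, uri, param, attack,
  //            otherInfo, solution, evidence, cweId, wascId, msg)
  as.raiseAlert(raw ? 2 : 0, raw ? 3 : 2,
    raw ? "Unencoded parameter reflection" : "Parameter reflected (encoded)",
    raw ? "The value of parameter " + param + " is written into the response " +
          "without HTML encoding; follow up with a real XSS payload."
        : "The value of parameter " + param + " is reflected, but the markup " +
          "characters were encoded.",
    attack.getRequestHeader().getURI().toString(),
    param, payload, "",
    "Contextually output-encode all user-controlled data.",
    raw ? payload : canary,
    raw ? 79 : 0,   // CWE-79 only for the unencoded case
    raw ? 8 : 0,    // WASC-8 Cross Site Scripting
    attack);
}

// Offline self-check under node on constructed response bodies.
if (typeof Java === "undefined") {
  var c = makeCanary(), p = makePayload(c);
  log(classifyReflection("<p>Hello " + p + "</p>", c, p));                              // raw
  log(classifyReflection("<p>Hello &lt;&quot;&#39;" + c + "&#39;&quot;&gt;</p>", c, p)); // encoded
}
```

Checking as.isStop() before sending keeps the rule responsive to the Stop button; a rule that ignores it is the usual reason a scan "hangs" after being cancelled.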
Slide 23: Zest Scripts
● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format: JSON :O
● Intended to be 'written' graphically
● It's tool independent (no access to ZAP internals)
● Demo: "Hello world"
Slide 24: Zest Scripts - creating
● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt
Slide 25: Zest Scripts - editing
● Double click to edit nodes
● Right click:
  – Add nodes
  – Delete nodes
  – Surround with loops, conditionals
  – Cut, copy and paste
  – Comment
  – Move up / down
● Drag and drop
● Selecting and adding requests
Slide 26: Zest Scripts – statement types
● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next
Slide 27: Zest Scripts – hidden extras
● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert
Slide 28: Zest Scripts – client side
● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video ...
Slide 30: Exercise – write Zest scripts
Suggestions:
● Passive script – alert on the presence of 2 strings
● Rewrite a script you've just written in another language
● Rewrite one of the existing a/pscan rules
● Record a script and start changing it
Slide 31: Standalone and Targeted scripts
● Both run 'on-demand' only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, e.g.:
  – Sites tree
  – History
  – Other extensions
Slide 32: Standalone and Targeted scripts - examples
● Standalone Scripts
  – loop through history table.js
  – traverse sites tree.js
  – domainFinder.js
  – window_creation_template.js
● Targeted Scripts
  – Resend as a GET request.zst
  – Find HTML comments.js
Slide 33: Exercise – Standalone and Targeted scripts
Suggestions:
● Count number of static vs dynamic pages
● Detect authentication, registration and password-changing pages (1, 2 and 3 password fields respectively)
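A targeted script for the second suggestion, added here as an example and not part of the workshop material. Right-click a request in ZAP, choose Invoke With Script and pick it; ZAP calls invokeWith(msg) with that message. It classifies every form in the response by its number of password fields using the slide's heuristic (1 = login, 2 = registration, 3 = password change). The regular expressions and the constructed HTML in the node-only self-check are this example's own.

```javascript
// ZAP targeted script (JavaScript). Added example, not from the workshop.
// invokeWith() receives the HttpMessage the user right-clicked. Forms are
// classified by password-field count: 1 login, 2 registration (password +
// confirm), 3 password change (current + new + confirm).

var log = (typeof print === "function") ? print : console.log;

var FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
var PASSWORD_FIELD_RE = /<input\b[^>]*\btype\s*=\s*["']?password["']?[^>]*>/gi;
var ACTION_RE = /\baction\s*=\s*["']([^"']*)["']/i;

// Count <input type="password"> elements in a fragment of HTML.
function countPasswordFields(html) {
  var m = String(html).match(PASSWORD_FIELD_RE);
  return m ? m.length : 0;
}

// Map the count to the kind of form it most likely is.
function classifyForm(passwordFields) {
  switch (passwordFields) {
    case 0: return "no-password";
    case 1: return "login";
    case 2: return "registration";
    case 3: return "password-change";
    default: return "unknown";
  }
}

// One entry per form: action attribute ("" when absent), password-field
// count and classification.
function classifyForms(html) {
  var results = [];
  var text = String(html);
  var match;
  FORM_RE.lastIndex = 0;
  while ((match = FORM_RE.exec(text)) !== null) {
    var actionMatch = ACTION_RE.exec(match[1]);
    var n = countPasswordFields(match[2]);
    results.push({
      action: actionMatch ? actionMatch[1] : "",
      passwordFields: n,
      kind: classifyForm(n)
    });
  }
  return results;
}

// Entry point ZAP calls with the selected message.
function invokeWith(msg) {
  var uri = msg.getRequestHeader().getURI().toString();
  var forms = classifyForms(msg.getResponseBody().toString());
  if (forms.length === 0) {
    log(uri + ": no forms");
    return forms;
  }
  for (var i = 0; i < forms.length; i++) {
    var f = forms[i];
    log(uri + ": form action='" + f.action + "' password fields=" +
        f.passwordFields + " => " + f.kind);
  }
  return forms;
}

// Offline self-check under node on constructed HTML.
if (typeof Java === "undefined") {
  var sample =
    '<form action="/login"><input name="u"><input type="password" name="p"></form>' +
    '<form action="/register"><input name="e"><input type=password name="p1">' +
    '<input type="password" name="p2"></form>' +
    '<form action="/search"><input name="q"></form>';
  log(JSON.stringify(classifyForms(sample)));
}
```

The same classifier turns into a standalone script by looping over the history table (see "loop through history table.js") and calling classifyForms on each stored response instead of the single selected one.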
Slide 34: Scripts in Automation – set via cmd line
Pass -config options on the ZAP command line; script.scripts(N) defines one script per index and the parentheses are escaped for the shell:
-config script.scripts\(0\).name="Remove STS"
-config script.scripts\(0\).engine="Mozilla Zest"
-config script.scripts\(0\).type=proxy
-config script.scripts\(0\).enabled=true
-config script.scripts\(0\).file="/scripts/Remove STS.zst"
-config script.scripts\(1\).name="Another one..."
Slide 35: Scripts in Automation – set via API
Using an API client (the Python client is shown; arguments are name, type, engine, file):
zap.script.load("Remove STS", "proxy", "Mozilla Zest", "/scripts/Remove STS.zst")
zap.script.enable("Remove STS")
● Pro Tip: Configure in the UI, then look at what's set in config.xml ;)
Slide 36: Adding script support in add-ons
● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:
ExtensionScript extensionScript = Control.getSingleton()
        .getExtensionLoader().getExtension(ExtensionScript.class);
extensionScript.registerScriptType(new ScriptType(
        "newname", "i18nKey", icon, true, true));
Slide 37: Adding script support in add-ons
● Use the enabled scripts (the slide's fragment is completed here: the variable is extensionScript throughout, and the try block needs a catch, since getInterface can throw; handleScriptException disables the script and shows the error, which is the behaviour the earlier slides describe):
ExtensionScript extensionScript = Control.getSingleton()
        .getExtensionLoader().getExtension(ExtensionScript.class);
List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
for (ScriptWrapper script : scripts) {
    try {
        if (script.isEnabled()) {
            MyScript s = extensionScript.getInterface(script, MyScript.class);
            // Do something with it...
        }
    } catch (Exception e) {
        extensionScript.handleScriptException(script, e);
    }
}
Slide 38: Authentication Scripts
● For when simple form-based auth isn't enough
● Need to configure a context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ
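An authentication script for one of the cases where plain form-based authentication is not enough: the login form carries a per-request anti-CSRF token that has to be fetched before the credentials can be posted. This is an added example, not the BodgeIt demo from the workshop. The three entry points (authenticate, getRequiredParamsNames, getOptionalParamsNames, getCredentialsParamsNames) and the helper calls (prepareMessage, sendAndReceive) follow the ZAP authentication script template; the parameter names "Target URL", "Username field", "Password field" and "Token field", the default token name csrf_token and the constructed login page in the self-check are this example's own assumptions.

```javascript
// ZAP authentication script (JavaScript). Added example, not the workshop's
// BodgeIt demo. Fetches the login page for a fresh anti-CSRF token, then
// posts username, password and token. ZAP calls authenticate() whenever a
// context user needs (re)authenticating.

var log = (typeof print === "function") ? print : console.log;

// Value of the <input name="fieldName" value="..."> on the login page, or
// null when the field is absent. Either attribute order is accepted.
function extractToken(html, fieldName) {
  var name = String(fieldName).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  var text = String(html);
  var nameFirst = new RegExp(
    '<input\\b[^>]*\\bname\\s*=\\s*["\']' + name +
    '["\'][^>]*\\bvalue\\s*=\\s*["\']([^"\']*)["\']', "i");
  var valueFirst = new RegExp(
    '<input\\b[^>]*\\bvalue\\s*=\\s*["\']([^"\']*)["\'][^>]*\\bname\\s*=\\s*["\']' +
    name + '["\']', "i");
  var m = nameFirst.exec(text) || valueFirst.exec(text);
  return m ? m[1] : null;
}

// application/x-www-form-urlencoded body from [name, value] pairs.
function formBody(pairs) {
  var parts = [];
  for (var i = 0; i < pairs.length; i++) {
    parts.push(encodeURIComponent(pairs[i][0]) + "=" + encodeURIComponent(pairs[i][1]));
  }
  return parts.join("&");
}

// helper: org.zaproxy.zap.authentication.AuthenticationHelper
// paramsValues: java.util.Map with the parameters named below
// credentials: the user's GenericAuthenticationCredentials
function authenticate(helper, paramsValues, credentials) {
  var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
  var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
  var URI = Java.type("org.apache.commons.httpclient.URI");

  var loginUrl = paramsValues.get("Target URL");
  var tokenField = paramsValues.get("Token field") || "csrf_token";

  // Step 1: GET the login page to obtain a token bound to this session.
  var page = helper.prepareMessage();
  page.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET,
      new URI(loginUrl, false), HttpHeader.HTTP11));
  helper.sendAndReceive(page);
  var token = extractToken(page.getResponseBody().toString(), tokenField);
  if (token === null) {
    log("Login page " + loginUrl + " has no field named " + tokenField);
  }

  // Step 2: POST credentials plus token with the same session cookies.
  var body = formBody([
    [paramsValues.get("Username field"), credentials.getParam("Username")],
    [paramsValues.get("Password field"), credentials.getParam("Password")],
    [tokenField, token === null ? "" : token]
  ]);
  var login = helper.prepareMessage();
  login.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST,
      new URI(loginUrl, false), HttpHeader.HTTP11));
  login.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE,
      "application/x-www-form-urlencoded");
  login.setRequestBody(body);
  login.getRequestHeader().setContentLength(login.getRequestBody().length());
  helper.sendAndReceive(login);

  // ZAP checks the context's logged-in / logged-out indicators against
  // the returned message.
  return login;
}

// Parameters ZAP asks for in the context's Authentication panel.
function getRequiredParamsNames() {
  return ["Target URL", "Username field", "Password field"];
}
function getOptionalParamsNames() {
  return ["Token field"];
}
function getCredentialsParamsNames() {
  return ["Username", "Password"];
}

// Offline self-check under node on a constructed login page.
if (typeof Java === "undefined") {
  var samplePage = '<form method="post" action="/login">' +
      '<input type="hidden" name="csrf_token" value="a1b2c3">' +
      '<input name="username"><input type="password" name="password"></form>';
  log(extractToken(samplePage, "csrf_token"));
  log(formBody([["username", "alice"], ["password", "p&ss w"], ["csrf_token", "a1b2c3"]]));
}
```

Set the script as the context's authentication method, add a user with the credentials, and configure a logged-in indicator regex; without the indicator ZAP cannot tell that the returned message means success, and the script is only as good as that check.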
Slide 39: Exercise – Authentication scripts
Suggestions:
● Authenticate against any vulnerable app you have installed
Slide 40
Join the conversation #DevSecCon
Many thanks
PRs always appreciated ;)