IntroductionWelcome to the March newsletter, read on for some really good news, details of the new site level stats ZAP now supports and an introduction to scripting.
Table of Contents:
- New / Improved Add-ons
- New Features
- Tutorial: Introduction to Scripting
- Upcoming Talks and Training
- Next Month...
This is the second time we've come top and is a great validation of what we are doing. Thank you to all of you who voted for us!
Other important news is that ZAP is taking part in the Google Summer of Code (GSoC) 2016. For those of you who don't know, GSoC pays students to work on open source projects over the summer, and we've had key ZAP features like WebSockets, the Ajax Spider and Access Control testing implement by GSoC students.
The deadline for submissions has just passed and we've had 9 ZAP proposals. We'll evaluate those asap, but we dont currently know how many slots OWASP (and ZAP) will actually get so fingers crossed!
And in other breaking news, CommonSense Media have just published a Information Security Primer for Evaluating Educational Software which makes heavy use of ZAP - you can read all about it here: https://www.graphite.org/privacy/blog/information-security-primer-initial-release
A new version of the Zest add-on has been published which included a significant number of bug fixes. There is also an update to the Selenium add-on which includes the latest Selenium release that ensures Firefox doesn't visit the 'first run' page every time it is started.
The Alert Filters add-on has also been updated with various bug fixes and has been promoted to beta status. This add-on allows you to configure rules which automatically change the level at which alerts are raised for specific contexts. For more details see the help pages This add-on is included with the weekly releases and may well be included by default in future full releases.
The traditional spider has been updated so that you can constrain it to a subtree when using it via the UI or API. For example this means that with this option if you start spidering from https://www.example.com/app1 you can be sure that it wont explore any other apps under https://www.example.com/ - without this option it will explore anything in that domain it finds links to.
ZAP now records a range of site based statistics, including:
- Response codes, eg
- Content types, eg
- Tags (some of which are built in but can also be user defined), eg
- Anticsrf tokens generated
- Response times (using a logarithmic scale) eg
- Authentication information, eg
There is an almost infinite range of web applications and so its not possible for any tool to build in support for all of the strange things you will encounter. As ZAP is an open source project you can change the source code to handle anything you like. However this isnt always practical - ZAP is a large and complex project and even if you understand the code base very well, firing up an IDE to rewrite ZAP every time you encounter something strange is definitely not ideal.
Fortunately ZAP has powerful scripting capabilities, and ZAP scripts can access all of the code and data structures.
There are so many aspect to ZAP scripting that one tutorial wont be enough, so we're going to start with an overview.
Scripting support is included in all ZAP releases, but if you want to use scripting in the 'core' version then you will really need to download the Script Console and Zest add-ons from the marketplace.
By default ZAP supports ECMAScript (JavaScipt) and Zest, a graphical security scripting language from the Mozilla Security team.
You can also download add-ons which extend support to Jython and JRuby. ZAP will be able to support any language that supports JSR 223 so if there's another scripting language you would like us to support then please raise an enhancement request issue.
To use ZAP scripts from the UI you need to use the Scripts and Script Console tabs, which are hidden by default and can be accessed via the relevant tabs with the green plus sign.
The Scripts tab shows all of the scripts available in a tree view.
There are 2 nodes under the top 'Scripting' node:
- Scripts: the scripts that you have available
- Templates: the templates from which you can create scripts
- Active Rules - these run as part of the Active Scanner and can be individually enabled.
- Authentication - scripts that are invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
- Fuzzer HTTP Processor - these can access and change the fuzzing HTTP requests and responses, control the fuzzing process and interact with the ZAP UI.
- Fuzzer WebSocket Processor - these can access and change the fuzzing WebSocket messages, control the fuzzing process and interact with the ZAP UI.
- Http Sender - these run 'inline' and are similar to Proxy scripts except that they also apply to all requests that originate from ZAP.
- Passive Rules - these run as part of the Passive Scanner and can be individually enabled
- Payload Generator - these generate the raw attacks that the fuzzer submits to the target application.
- Payload Processor - these can be used to change specific fuzzer payloads before they are submitted.
- Proxy - these run 'inline', can change every request and response proxied through ZAP and can be individually enabled. They can also trigger break points.
- Script Input Vectors - scripts for defining exactly what ZAP should attack
- Stand Alone - scripts that are self contained and are only run when your start them manually
- Targeted Rules - scripts that are invoked with a target URL and are only run when your start them manually
Script Console tab
When you select a script in the Scripts tree then it is displayed in the Script Console.
For most scripting languages this is where you will edit it, the only exception to this is Zest which is displayed graphically in the Scripts tab. At the top of this tab is a toolbar that allows you to Run the script displayed and Stop it if it is running. Note that not all scripts can be run in this way - some types can only be run via other ZAP components. For example Active Rules can typically only be run when you start an Active Scan. Underneath the panel displaying the script is another panel which shows the script output.
This panel has its own toolbar with buttons for:
- Clearing the script output panel
- A toggle for clearing the script output panel every time a script is run
- A toggle for locking the automatic scrolling of the output panel
- A toggle for switching between showing the output of all scripts and just showing the output of the selected script
Script OptionsThe Scripts Options panel allows you to add any number of directories that contain scripts. The scripts must be in subdirectories named after the relevant script type and must have an appropriate extension for the script language used.
Scripts that can be written to will be added to the Scripts tree and those that are read only will be added to the Templates. This means you can build up your own libraries of scripts and even manage them in a central place using a shared drive.
Community Scripts repoThe Community Scripts repo is a collection of ZAP scripts written by the community, ie people like you :)
It lives on github: https://github.com/zaproxy/community-scripts and, not surprisingly, is structured so that it can be added as a script directory via the Script Options. It is also available as an add-on on the ZAP Marketplace: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsCommunityScriptsCommunityScripts
Hopefully that gives you an overview of the scripting support in ZAP. Future tutorials will go into scripting in more detail. In the meantime if you have any questions about ZAP scripting then we have a dedicated group where you can ask them: https://groups.google.com/group/zaproxy-scripts https://docs.google.com/forms/d/1uIbCJ8kF5xMeIB-C9_jvwvfEdex_Vly8CRU87Bupsws/viewform?c=0&w=1
Adrian Winckles will be demoing ZAP at the SecureCambridge Cyber Security Technology Showcase on April 5th in Cambridge: http://isc2chapter-eastofengland.co.uk/
Azzedine RAMRAMI and Sebastien Gioria will be demoing ZAP in their 'Securing your application with OpenSource tools' at Devoxx France on April 22nd in Paris: http://cfp.devoxx.fr/2016/talk/HNE-6288/Securiser_son_developpement_avec_10_outils_open-source
Sumanth Damarla (@Sumanth_Damarla) will be giving a talk: "Securing Web @ZAP" at the I T.A.K.E Unconference on May 19th in Bucharest: http://itakeunconf.com/sessions/securing-web-zap/
Feedback Form so that we can make sure this newsletter is as useful to you as possible.
Let us know what you would like to see using the above feedback form.
If you would like to write content for the newsletter then please get in touch - anything ZAP related, such as talks / training you are giving, a 3rd party tool you develop or maybe an add-on you'd like to explain in more detail.
And we're also looking for one or more editors for the ZAP newsletter - you don't need any detailed ZAP knowledge, just a bit of time each month you can dedicate to chasing up people for content and bashing it into something that reads better than this one :P Think thats you? Get in touch!
Simon Bennetts (ZAP Project Lead)