React Native installation guide Informational, Commercial

The Zed Attack Proxy (ZAP) is an open source tool that helps developers and testers find vulnerabilities in web applications. It is maintained under the Open Web Application Security Project (OWASP). ZAP's features and capabilities support both manual and automated penetration testing. In this article I will give an overview and cover some of the features that make ZAP useful for any security tester.

1. Installation and configuration of ZAP

1.1 Setting up your ZAP Environment

  • Download Link: https://www.zaproxy.org/download/
  • ZAP is cross-platform: Windows, macOS and Linux.
  • https://github.com/zaproxy/zaproxy
  • You need Java installed and JAVA_HOME set up on your machine (Java version 8+).

1.2 Introduction to ZAP UI - Starting OWASP ZAP

  • You can start ZAP by clicking the OWASP ZAP icon on your Windows desktop, or by running "C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe".
  • ZAP can be run directly from the jar file or as an executable. When it starts, check “Yes, I want to persist this session with name based on the current timestamp”.

The ZAP Desktop UI is composed of the following elements:

  1. Menu Bar – Provides access to many of the automated and manual tools.
  2. Toolbar – Includes buttons which provide easy access to most commonly used features.
  3. Tree Window – Displays the Sites tree and the Scripts tree.
  4. Workspace Window – Displays requests, responses, and scripts and allows you to edit them.
  5. Information Window – Displays details of the automated and manual tools.
  6. Footer – Displays a summary of the alerts found and the status of the main automated tools.

1.3 Running an Automated Scan

The easiest way to start using ZAP is via the Quick Start tab. Quick Start is a ZAP add-on that is included automatically when you install ZAP.

To run a Quick Start Automated Scan:

  • Start ZAP and click the Quick Start tab of the Workspace Window.
  • In the URL to attack text box, enter the full URL of the web application you want to attack.
  • Click the Attack button.

Choose the automated scan from the Quick Start panel: Quick Start → Automated Scan.

Add the URL you want to test, for example https://tiki.vn/

Tick the “Use ajax spider” option if you want, then click the [Attack] button to start the scan.

1.4 Running a Manual Scan

Spiders are a great way to explore your basic site, but they should be combined with manual exploration to be more effective. Spiders, for example, will only enter basic default data into forms in your web application but a user can enter more relevant information which can, in turn, expose more of the web application to ZAP.

2. Adding a site to the testing scope

Configuring the proxy

- Close all active Firefox browser sessions.
- In ZAP: Tools menu -> Options -> Local Proxy -> set Address = 127.0.0.1 and Port = 8080.
- In Mozilla Firefox: Tools menu -> Options -> Advanced tab -> Network -> Settings -> select Manual proxy configuration and set HTTP Proxy = 127.0.0.1, Port = 8080.

3. Main Features

- Intercepting Proxy

- Active and Passive Scanners

- Spider

- Report Generation

- Brute Force (using OWASP DirBuster code)

- Fuzzing (using fuzzdb & OWASP JBroFuzz)

- Extensibility: code.google.com/p/zap-extensions/

Additional Features

- Auto tagging

- Port scanner

- Parameter analysis

- Smart card support

- Session comparison

- Invoke external apps

- API + headless mode

- Dynamic SSL Certificates

- Anti CSRF token handling.

4. ZAP add-ons

- There are many add-ons available in the marketplace.

- ZAP provides a lot of functionality for pen testing.

- From the tools panel → choose Manage add-ons.

5. Scanner

ZAP provides two spiders for crawling web applications. If the web application is not built on AJAX technology, the traditional spider will be faster. ZAP then uses the active scanner to attack all of the discovered pages, functionality and parameters.

How to know whether your website uses AJAX

  1. Open your website in Chrome and then open the Chrome developer tools.
  2. Choose the Network tab.
  3. Filter requests by “XHR”. If any requests are found, the site uses AJAX (Asynchronous JavaScript And XML).

6. Fuzzer

Fuzzing, or fuzz testing, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs.

Fuzzing is the art of automatic bug finding; its role is to find software implementation faults and identify them where possible.

Refer to zap-fuzzing document for more details.

How to use the Fuzzer in ZAP: right-click a request -> hover over Attack and click Fuzz.

We can choose among several payload types by right-clicking the frame and selecting “Syntax”, then choosing “Plain”.

Click the [Add] button to configure the payload data and observe how the server reacts to invalid data.

7. Alerts

An alert is a potential vulnerability and is associated with a specific request. Alerts are shown in the UI with a flag indicating the risk:

Refer to Alerts document for more details.

8. Result & Report

After scanning your website for vulnerabilities, the result below shows 4 alerts with colorized flags. If the scan shows no red flag, the website is lucky; otherwise, red flags should be fixed as soon as possible.

You can export reports as HTML, XML, JSON, etc. I generated an HTML report; you can see the final report below.

9. A simple Penetration Test

- Configure your browser to proxy via ZAP

- Explore the application manually

- Use the Spider to find 'hidden' content

- See what issues the Passive Scanner has found

- Use the Active Scanner to find vulnerabilities
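As an added example (not code from the article or from the ZAP project), the workflow above driven through ZAP's REST API in "API + headless mode" with only the Python standard library, with the resulting alerts summarised per risk flag as in the Result & Report section. It assumes ZAP running as a daemon on 127.0.0.1:8080 and a known API key; fake_fetch and SAMPLE_ALERTS are constructed stand-ins so the example runs without a ZAP instance.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"  # assumed: ZAP daemon on its default local proxy address
API_KEY = "CHANGE-ME"          # placeholder, not a real key: set it from ZAP's Options > API

def zap_url(component, kind, name, **params):
    """Build a ZAP API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)

def http_get_json(url):
    """Real transport: GET the API URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def wait_for_scan(component, scan_id, fetch=http_get_json, poll=2.0):
    """Poll the spider or ascan status view until ZAP reports 100 percent."""
    while int(fetch(zap_url(component, "view", "status", scanId=scan_id))["status"]) < 100:
        time.sleep(poll)

def run_scan(target, fetch=http_get_json):
    """The simple pen test in API form: spider, then active scan, then collect alerts."""
    sid = fetch(zap_url("spider", "action", "scan", url=target, recurse="true"))["scan"]
    wait_for_scan("spider", sid, fetch)
    aid = fetch(zap_url("ascan", "action", "scan", url=target, recurse="true"))["scan"]
    wait_for_scan("ascan", aid, fetch)
    return fetch(zap_url("core", "view", "alerts", baseurl=target))["alerts"]

def summarise(alerts):
    """Count alerts per risk flag, highest first, like the footer's alert summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts

SAMPLE_ALERTS = [  # constructed sample data (not from a real scan) so the example runs offline
    {"risk": "High", "name": "SQL Injection", "url": "https://example.test/search"},
    {"risk": "Medium", "name": "X-Frame-Options Header Not Set", "url": "https://example.test/"},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "https://example.test/login"},
]

def fake_fetch(url):
    """Stand-in for http_get_json that answers the way a ZAP daemon would."""
    path = urllib.parse.urlparse(url).path
    if path.endswith("/action/scan/"):
        return {"scan": "0"}
    return {"status": "100"} if path.endswith("/view/status/") else {"alerts": SAMPLE_ALERTS}
```

Against a real instance call `summarise(run_scan(target))`; against the constructed stand-in, `summarise(run_scan("https://example.test/", fetch=fake_fetch))` returns one High, one Medium and one Low alert.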

10. What Is the Difference Between Active & Passive Scan?

Active Scan

- Attacks the website using known techniques to find vulnerabilities.

- Can modify data and can insert malicious scripts into the website.

- Only run the active scan against sites you have permission to test!

Passive Scan

- Only examines responses and checks them for vulnerabilities.

- Can’t modify your website data.

- Be aware that it cannot detect even a SQL injection.
