devseccon london 2017: zap scripting workshop by simon bennetts

Join the conversation #DevSecCon By Simon Bennetts Scripting OWASP ZAP

Upload: devseccon-limited

Post on 21-Jan-2018


TRANSCRIPT

Page 1: DevSecCon London 2017: zap scripting workshop by Simon Bennetts

Join the conversation #DevSecCon

By Simon Bennetts

Scripting OWASP ZAP

Page 2: The Plan

● Session 1 : 2pm
  – Introduction
  – Standard Scripts (JavaScript, Python, Ruby)
  – Proxy and Http Sender Scripts
  – Passive and Active Scan rule Scripts

● Session 2 : 3pm
  – Zest Scripts
  – Standalone and Targeted Scripts

Page 3: The Plan

● Session 3 : 4pm
  – How to use scripts in automation
  – How to add scripting support in add-ons (overview)
  – Authentication Scripts
  – More chance to write any or all of the above types

● Session 4 : 5pm
  – Optional – keep writing scripts, ask more questions...

Page 4: Competition Time!

● We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
● Can be anything useful – eg copies of existing scripts in different languages :)
● Anything useful will earn a ZAP Contributor sticker (max one per person)
● Lots of useful scripts will earn a ZAP T-shirt!
● Only valid for this workshop

Page 5: Introduction – why do we need scripts?

● Advantages:
  – Quick to write and test
  – Full access to ZAP classes and data structures
  – No need for separate development environment

● Disadvantages:
  – Documentation could be (much) better
  – No auto complete
  – No sandbox – only run scripts you trust!

Page 6: Introduction – What languages are supported?

● JavaScript – built in
● Python – optional add-on
● Ruby – optional add-on
● Zest – built in, macro language on steroids
● JSR 223 languages relatively easy to add
● Beanshell – optional, no longer really maintained

Page 7: Script types (built in)

● Stand Alone
  – Run manually

● Targeted
  – Run manually against a specified request

● Proxy
  – Change proxied browser requests on the fly

● HTTP Sender
  – Change any request on the fly (proxy, spider, active scanner ...)

Page 8: Script types (built in)

● Passive Scan Rule
  – Detect potential issues just by looking

● Active Scan Rule
  – Detect potential issues by attacking

● Authentication
  – Automatically login to sites

● Script Input Vector
  – Define exactly what ZAP will attack

Page 9: Script types (add-ons)

● Fuzzer HTTP Processor
  – Called before and after HTTP messages are fuzzed

● Fuzzer Websocket Processor
  – Called before and after Websocket messages are fuzzed

● Payload Generator
  – Generate attacks to be used in the fuzzer

● Payload Processor
  – Change fuzzer payloads before they are used

● Sequence
  – Define sequences of requests to be attacked (alpha)

Page 10: ‘Standard’ Script languages

● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
  – Java 7 – Rhino
  – Java 8 – Nashorn
  – Can write to local filestore via Java classes
  – Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn

● JavaScript Nashorn – supports loading scripts from files
  – https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions

● Python – supports modules path

Page 11: Useful links

● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0

Page 12: Getting started

● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: “Hello world”

Page 13: The tabs

● Scripts tab
  – Shows all of the scripts and templates
  – Allows you to select, add, remove, duplicate, enable, disable and save scripts
  – Icons show state – enabled / disabled, error and not saved

● Script Console tab
  – Top pane – edit scripts
  – Bottom pane – output and error messages
  – Run and Stop buttons – enabled when appropriate
  – Output pane buttons – control that pane
  – Right click for lots more options!

Page 14: Proxy and HTTP Sender scripts

● Proxy Scripts
  – Only affect requests and responses proxied via a browser

● HTTP Sender Scripts
  – Affect all requests and responses (proxy, active scan, spider …)
  – Initiator param gives the component that initiated the request
  – Provides helper to make new requests

● Both
  – Must enable scripts before they will take effect
  – Will be disabled on error

Page 15: Script parameter: HttpMessage - msg

● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
● Provides methods like
  – getRequestBody()
  – getRequestHeader()
  – getResponseBody()
  – getResponseHeader()

● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy

Page 16: Proxy and HTTP Sender scripts - examples

● Proxy Scripts
  – Replace in request or response body.js
  – Drop requests not in scope.js
  – Return fake response.js

● HTTP Sender Scripts
  – Alert in HTTP Response Code Errors.js
  – Alert on Unexpected Content Types.js
  – Capture and Replace Anti CSRF Token.js

Page 17: Exercise – write Proxy &/ HTTP Sender scripts

Suggestions:

● Replace headers
● Auto redirect from one page to another
● Do different things based on content, eg:
  – Replace different content
  – Redirect to different pages

Page 18: Passive and Active Rule scripts

● Passive Rule Scripts
  – Can only view requests and responses (should not change anything)

● Active Rule Scripts
  – Attack nodes or specific parameters
  – Can do pretty much anything you like :)
  – Must Enable Script Input Vectors

● Both
  – Can raise alerts
  – Must enable scripts before they will take effect
  – Will be disabled on error

Page 19: Passive and Active Rule scripts - examples

● Passive Rule Scripts
  – Server Header Disclosure.js
  – Find emails.js

● Active Rule Scripts
  – User defined attacks.js
  – gof_lite.js

● Demo: testing passive and active rule scripts
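As an added example (not one of the deck's or community-scripts' files), here is a passive scan rule script in the spirit of "Server Header Disclosure.js": it raises a Low-risk alert when the Server header carries a product version. The `alertsFor` harness and its stand-ins for ZAP's passive script helper and HttpMessage are assumptions so the rule can be run outside ZAP; inside ZAP only `scan()` is needed.

```javascript
// Added example: passive scan rule script that flags a Server header
// revealing a product version (the "Server Header Disclosure" idea above).
// ZAP calls scan() once per message; a passive rule only looks, never edits.
var VERSIONED_SERVER = /^([A-Za-z][A-Za-z0-9_-]*)\/(\d+(?:\.\d+)*)/;

function scan(ps, msg, src) {
  var server = msg.getResponseHeader().getHeader("Server");
  if (server === null) {
    return;
  }
  var m = VERSIONED_SERVER.exec(server);
  if (m === null) {
    return;   // product name only (e.g. "nginx"): nothing to report
  }
  // Arguments: risk 1 = Low, confidence 2 = Medium (ZAP scale 0-3), then
  // name, description, uri, param, attack, otherInfo, solution, evidence,
  // CWE 200 (information exposure), WASC 13 (information leakage), msg.
  ps.raiseAlert(1, 2, "Server header version disclosure",
    "The Server header reveals " + m[1] + " version " + m[2] + ".",
    msg.getRequestHeader().getURI().toString(), "", "", "",
    "Configure the server to omit the version from the Server header.",
    server, 200, 13, msg);
}

// --- offline harness (constructed; not part of the ZAP API) -------------
// Runs scan() on a response with the given headers and returns the alerts
// that a stand-in for ZAP's passive script helper collected.
function alertsFor(url, respHeaders) {
  var alerts = [];
  var ps = { raiseAlert: function (risk, conf, name, desc, uri, param, attack,
                                   other, solution, evidence, cwe, wasc, msg) {
    alerts.push({ name: name, uri: uri, evidence: evidence, risk: risk });
  } };
  var msg = {
    getRequestHeader: function () {
      return { getURI: function () { return url; } };
    },
    getResponseHeader: function () {
      return { getHeader: function (n) { return n in respHeaders ? respHeaders[n] : null; } };
    }
  };
  scan(ps, msg, null);
  return alerts;
}
```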

Page 20: Passive and Active Rule links

● Hacking ZAP Blog posts
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html

● Java code
  – https://github.com/zaproxy/zap-extensions
  – master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
  – beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
  – alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha

Page 21: Variables (all script types)

● Global Variables
  – Variables can be shared between all scripts

    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")

● Script Variables
  – Variables can be shared between separate invocations of the same script

    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")
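To show the HTTP Sender entry points from slide 14 together with the global variables above, here is an added example that is not one of the deck's or community-scripts' scripts: an HTTP Sender script that captures a session header the server issues and replays it on every later request, whichever component initiated it. The header name, the ScriptVars key, the fakeMessage/demoTokenReplay harness and the Node stand-ins for HttpMessage and ScriptVars are assumptions; inside ZAP the real classes are used.

```javascript
// Added example: HTTP Sender script that remembers a header value across
// requests through ScriptVars global variables (visible to all scripts).
var ScriptVars = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")   // inside ZAP
  : (function () {                     // constructed stand-in for Node
      var store = {};
      return { setGlobalVar: function (k, v) { store[k] = v; },
               getGlobalVar: function (k) { return k in store ? store[k] : null; } };
    })();
var TOKEN_HEADER = "X-Session-Token";   // assumed header name
var VAR_NAME = "sender.session.token";  // assumed ScriptVars key

// Called for every request ZAP sends, whichever component (proxy, spider,
// active scanner ...) initiated it; `initiator` identifies that component.
function sendingRequest(msg, initiator, helper) {
  var token = ScriptVars.getGlobalVar(VAR_NAME);
  if (token !== null) {
    msg.getRequestHeader().setHeader(TOKEN_HEADER, token);
  }
}

// Called for every response; remember a freshly issued token.
function responseReceived(msg, initiator, helper) {
  var issued = msg.getResponseHeader().getHeader(TOKEN_HEADER);
  if (issued !== null) {
    ScriptVars.setGlobalVar(VAR_NAME, issued);
  }
}

// --- offline harness (constructed; not part of the ZAP API) --------------
// Stand-in for HttpMessage exposing only the header methods used above.
function fakeMessage(reqHeaders, respHeaders) {
  function view(h) {
    return { getHeader: function (n) { return n in h ? h[n] : null; },
             setHeader: function (n, v) { h[n] = v; } };
  }
  return { getRequestHeader: function () { return view(reqHeaders); },
           getResponseHeader: function () { return view(respHeaders); } };
}
// First exchange issues a token; a second request from another initiator
// must carry it. Returns the header value that second request was sent with.
function demoTokenReplay() {
  var first = fakeMessage({}, { "X-Session-Token": "tok-42" });
  sendingRequest(first, 1, null);
  responseReceived(first, 1, null);
  var second = fakeMessage({}, {});
  sendingRequest(second, 2, null);
  return second.getRequestHeader().getHeader(TOKEN_HEADER);
}
```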

Page 22: Exercise – write Passive &/ Active Rule scripts

Suggestions:

● Rewrite existing java rules (see previous links)
● Alert on anything that ZAP doesn’t currently find :)

Page 23: Zest Scripts

● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format – JSON :O
● Intended to be ‘written’ graphically
● It’s tool independent (no access to ZAP internals)
● Demo: “Hello world”

Page 24: Zest Scripts - creating

● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt

Page 25: Zest Scripts - editing

● Double click to edit nodes
● Right click:
  – Add and delete nodes
  – Delete nodes
  – Surround with loops, conditionals
  – Cut, copy and paste
  – Comment
  – Move up / down

● Drag and drop
● Selecting and adding requests

Page 26: Zest Scripts – statement types

● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next

Page 27: Zest Scripts – hidden extras

● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert

Page 28: Zest Scripts – client side

● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video …

Page 29: (no text extracted for this slide)

Page 30: Exercise – write Zest scripts

Suggestions:

● Passive script – alert on the presence of 2 strings
● Rewrite a script you’ve just written in another language
● Rewrite one of the existing a/pscan rules
● Record a script and start changing it

Page 31: Standalone and Targeted scripts

● Both run ‘on-demand’ only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, eg:
  – Sites tree
  – History
  – Other extensions

Page 32: Standalone and Targeted scripts - examples

● Standalone Scripts
  – loop through history table.js
  – traverse sites tree.js
  – domainFinder.js
  – window_creation_template.js

● Targeted Scripts
  – Resend as a GET request.zst
  – Find HTML comments.js

Page 33: Exercise – Standalone and Targeted scripts

Suggestions:

● Count number of static vs dynamic pages
● Detect authentication, registration and password changing? (1, 2 and 3 password fields)
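One way to tackle the second suggestion, as an added example rather than a workshop solution: a targeted script that counts password inputs in the selected response and guesses what the page is for. The classify/classifySamples functions, the constructed sample pages and the 1/2/3 mapping are assumptions of this example; inside ZAP only `invokeWith(msg)` is called.

```javascript
// Added example: targeted script (right-click a request, "Invoke with
// script") for the exercise above. It counts password inputs in the
// response and guesses the page's purpose; ZAP calls invokeWith(msg).
var PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password["']?[^>]*>/gi;

// Mapping follows the exercise hint and is this example's assumption:
// 1 field = login, 2 = registration (password + confirm), 3 = change.
function classify(html) {
  var count = (html.match(PASSWORD_INPUT) || []).length;
  var kinds = { 0: "no password form", 1: "authentication",
                2: "registration", 3: "password change" };
  return { passwordFields: count,
           kind: count in kinds ? kinds[count] : "unknown (" + count + ")" };
}

// Entry point ZAP calls with the selected HttpMessage.
function invokeWith(msg) {
  var result = classify(msg.getResponseBody().toString());
  var line = msg.getRequestHeader().getURI().toString() + ": " +
             result.passwordFields + " password field(s), " + result.kind;
  // print() exists in ZAP's script console; fall back to console.log in Node
  if (typeof print === "function") { print(line); } else { console.log(line); }
  return result;
}

// --- constructed sample pages for running offline ------------------------
var SAMPLE_PAGES = {
  login: '<form><input name="user"><input type="password" name="pw"></form>',
  signup: '<form><input name="email">' +
          '<input type=password name="pw"><input type=\'password\' name="pw2"></form>',
  changePw: '<form><input type="password" name="old">' +
            '<input type="password" name="new"><input type="password" name="new2">',
  about: '<p>No forms here, only <input type="text" name="q"></p>'
};

// Classifies each sample and returns { name: kind } for inspection.
function classifySamples() {
  var out = {};
  for (var name in SAMPLE_PAGES) {
    out[name] = classify(SAMPLE_PAGES[name]).kind;
  }
  return out;
}
```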

Page 34: Scripts in Automation – set via cmd line

    -config script.scripts\(0\).name="Remove STS"
    -config script.scripts\(0\).engine="Mozilla Zest"
    -config script.scripts\(0\).type=proxy
    -config script.scripts\(0\).enabled=true
    -config script.scripts\(0\).file="/scripts/Remove STS.zst"
    -config script.scripts\(1\).name="Another one..."

Page 35: Scripts in Automation – set via API

    zap.script.load("Remove STS", "proxy", "Mozilla Zest", "/scripts/Remove STS.zst")
    zap.script.enable("Remove STS")

● Pro Tip: Configure in the UI, look at what’s set in config.xml ;)

Page 36: Adding script support in add-ons

● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:

    ExtensionScript extensionScript = Control.getSingleton()
        .getExtensionLoader().getExtension(ExtensionScript.class);
    extensionScript.registerScriptType(new ScriptType(
        "newname", "i18nKey", icon, true, true));

Page 37: Adding script support in add-ons

● Use the enabled scripts:

    ExtensionScript extensionScript = Control.getSingleton()
        .getExtensionLoader().getExtension(ExtensionScript.class);
    List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
    for (ScriptWrapper script : scripts) {
        try {
            if (script.isEnabled()) {
                MyScript s = extensionScript.getInterface(script, MyScript.class);
                // Do something with it...
            }
        } catch (Exception e) {
            // Report the error against the script: it is disabled and the
            // message shows up in the Scripts tab, as with built-in types
            extensionScript.handleScriptException(script, e);
        }
    }

Page 38: Authentication Scripts

● For when simple form based auth isn’t enough
● Need to configure context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ

Page 39: Exercise – Authentication scripts

Suggestions:

● Authenticate against any vulnerable app you have installed

Page 40: Many thanks

Join the conversation #DevSecCon

Many thanks
PRs always appreciated ;)