OWASP ZAP - Access Site tree
I'm using OWASP ZAP API for spidering. I couldn't find the way to get site tree structure via ZAP API. I would like to know if there is anyway I can get Site tree of the URL (with its nodes) via ZAP API?
See also questions close to this topic
-
IdentityServer4 and OWASP
We use IdentityServer4 and have recently had a vulnerability test performed. There were three findings, all related to ID4 and how it works. Our implementation is fairly standard. They found that we have the following vulnerabilities:
- CWE-200: Information Exposure
- CWE-384: Session Fixation
- WE-598: Information Exposure Through Query Strings in GET Request
I don't believe they are actually vulnerabilities. The OWASP scanner looks for things that appear to be session identifiers. In this case, they hit on the nonce quite a few times. However, they also hit on the endSessionId that lives in the src attribute of the iframe that is injected when logging out. They also hit on the id_token_hint value that is passed in the url when calling endsession.
Has anyone responded to similar PEN Test issues with ID4?
-
SQL Injection Attack : Explanation as to where an attack vector has been placed in this following snippet.
<?php include_once "lib/db.php"; include "lib/sql_form.php"; if(!$_GET['id']) $_GET['id'] = str_replace("/", "", $_SERVER['PATH_INFO']); $query = "SELECT * FROM listings WHERE id = ".$_GET['id']; $result = mysql_query($query); $line = mysql_fetch_array($result, MYSQL_ASSOC); if($line['status'] == "DELETED"){ print("This file is deleted."); exit;} $_POST['form_id'] = $line['form_id']; $_POST['fields'] = split(",", $line['fields']); excel_report_results(); ?>I need to understand where the attack vector has been placed and also what the query translates to once it is performed and how is it an attack?
-
sonar-scanner setup for separate dependency-check-report for multi modules project
I've multi module project setup. Since no Jenkins/Maven setup for my project I use CLI to get the dependency report for each module separately and copied them to root project folder named as per the their module
For exampple :
D: MyProject --module1 --src --module2 --src --dependency-check-module1-report --dependency-check-report (XML) --dependency-check-report (HTML) --dependency-check-module1-report --dependency-check-report (XML) --dependency-check-report (HTML)I've explicitly mentioned the module wise report path in sonar-project.properties file
#----- Default SonarQube server sonar.host.url=http://localhost:9000 # Root project information sonar.projectKey=MyProject sonar.projectName=MyProject sonar.projectVersion=1.0 # Some properties that will be inherited by the modules sonar.sources=src sonar.language=java sonar.java.binaries=src sonar.java.libraries=src # List of the module identifiers sonar.modules=module1,module2 # Properties can obviously be overriden for each module - just prefix them with the module ID #module1.sonar.projectName=MyProject-module1 #module2.sonar.projectName=MyProject-module2 # Encoding of the source files sonar.sourceEncoding=UTF-8 module1.sonar.dependencyCheck.reportPath=D:/MyProject/dependency-check-module1-report/dependency-check-report.xml module1.sonar.dependencyCheck.htmlReportPath=D:/MyProject/dependency-check-module1-report/dependency-check-report.html module2.dependencyCheck.reportPath=D:/MyProject/dependency-check-module2-report/dependency-check-report.xml module2.dependencyCheck.htmlReportPath=D:/MyProject/dependency-check-module2-report/dependency-check-report.htmlsonar-scanner run fine but skip to pick up the dependency check as It always check ${WORKSPACE}/dependency-check-report.html which is defined in sonarQube dashboard->Configuraiton->Dependency-Check
In Dashboard I can mentioned report file for only one of the module but I need both module reports to be integrated in SonarQube scan result.
Log:
12:45:46.752 DEBUG: Sensors : Dependency-Check -> SonarJavaXmlFileSensor -> Analyzer for "php.ini" files -> Zero Coverage Sensor -> CPD Block Indexer 12:45:46.752 INFO: Sensor Dependency-Check [dependencycheck] 12:45:46.752 INFO: Process Dependency-Check report 12:45:46.752 WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.xml 12:45:46.752 DEBUG: Analysis aborted due to missing report file java.io.FileNotFoundException: Dependency-Check report does not exist. at org.sonar.dependencycheck.parser.XmlReportFile.getInputStream(XmlReportFile.java:82) at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:173) at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:227) at org.sonar.scanner.sensor.SensorWrapper.analyse(SensorWrapper.java:53) at org.sonar.scanner.phases.SensorsExecutor.executeSensor(SensorsExecutor.java:88) at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:82) at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:68) at org.sonar.scanner.phases.AbstractPhaseExecutor.execute(AbstractPhaseExecutor.java:88) at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:177) at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135) at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121) at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:291) at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:286) at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:264) at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135) at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121) at org.sonar.scanner.task.ScanTask.execute(ScanTask.java:48) at org.sonar.scanner.task.TaskContainer.doAfterStart(TaskContainer.java:84) at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135) at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121) at org.sonar.scanner.bootstrap.GlobalContainer.executeTask(GlobalContainer.java:121) at org.sonar.batch.bootstrapper.Batch.doExecuteTask(Batch.java:116) at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:71) at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60) at com.sun.proxy.$Proxy0.execute(Unknown Source) at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:171) at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:128) at org.sonarsource.scanner.cli.Main.execute(Main.java:111) at org.sonarsource.scanner.cli.Main.execute(Main.java:75) at org.sonarsource.scanner.cli.Main.main(Main.java:61) 12:45:46.784 INFO: Process Dependency-Check report (done) | time=32ms 12:45:46.784 WARN: Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath: ${WORKSPACE}/dependency-check-report.html 12:45:46.784 INFO: Sensor Dependency-Check [dependencycheck] (done) | time=32ms 12:45:46.784 INFO: Sensor SonarJavaXmlFileSensor [java] 12:45:46.784 INFO: Sensor SonarJavaXmlFileSensor [java] (done) | time=0msIs there any way to tell sonar-scanner not to check the dependency report path mentioned in sonarQube-Dashboard but check the sonar-project.properties
Also, If at all it's possible, where can I see owasp-dependency report in dashboard ? ( Is this MyProject --> Measures -->OWASP-Dependency-Check ?)
Right now in Dashboard I only see 'MyProject' and it's adding the no. of vulnerabilities,code-smells etc for both module together. I thought I would see module wise scan result separately.
fyi, I an using sonarqube-6.7.5 sonar-dependency-check-plugin-1.1.1 sonar-java-plugin-5.7.0.15470 sonar-scanner-3.2.0.1227
Thanks in advance for clue.
-
How to configure active scan input vectors in ZAP?
I want to develop an application using the ZAP API for Java that performs an active scan over a site. I have the following code:
private static final String ZAP_ADDRESS = "localhost"; private static final int ZAP_PORT = 8090; private static final String ZAP_API_KEY = null; // Change this if you have set the apikey in ZAP via Options / API private static final String TARGET = "http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp"; public static void main(String[] args) { ClientApi api = new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY); try { //*********** SPIDER ******************* System.out.println("Spider : " + TARGET); //Probamos OPCIONES del spider String maxChildren="0";//Limite de hijos a explorar por nodo (0 es sin limite) String recurse="true";//Recursividad (boolean) String contextName=null;//nombre del contexto String subtreeOnly="false";//Para restringir el escaneo al subarbol de la url especificada (boolean) api.spider.setOptionMaxDepth(5);//Profundidad máxima para realizar el rastreo api.spider.setOptionMaxDuration(0);//Tiempo maximo del escaneo, 0 es hasta que explore todo api.spider.setOptionMaxParseSizeBytes(2621440); // Tamaño maximo en bytes de las respuestas a analizar api.spider.setOptionSendRefererHeader(true);//si las consultas del spider han de incluir el ‘Referer’ header. api.spider.setOptionAcceptCookies(true);//Si aceptamos o no cookies durante el spider api.spider.setOptionProcessForm(true);//Si se deben procesar los forms encontrados api.spider.setOptionPostForm(true);//Si los form que usen POST se procesan api.spider.setOptionParseComments(true);//Si se procesaran los comentarios html buscando enlaces a recursos api.spider.setOptionParseRobotsTxt(true);//Si se procesan los archivos robots.txt que se encuentren buscando enlaces a recursos api.spider.setOptionParseSitemapXml(true);//Si se procesa el siteMap.xml api.spider.setOptionParseSVNEntries(false);//Si se procesa metadata de SVN api.spider.setOptionParseGit(false);//Si se procesa metadata de Git api.spider.setOptionHandleODataParametersVisited(false);//Indica si se deben detectar parametros de OData ApiResponse resp = api.spider.scan(TARGET, maxChildren, recurse, contextName, subtreeOnly); // The scan now returns a scan id to support concurrent scanning String scanid = ((ApiResponseElement) resp).getValue(); // Poll the status until it completes int progress; while (true) { progress = Integer.parseInt( ((ApiResponseElement) api.spider.status(scanid)).getValue()); System.out.println("Spider progress : " + progress + "%"); if (progress >= 100) { break; } Thread.sleep(1000); } System.out.println("Analisis Spider completo"); //*********** ASCAN ******************* System.out.println("Active scan : " + TARGET); //Probamos OPCIONES del Active Scan recurse="true";//Recursividad (boolean) String inScopeOnly="false";//se puede usar para restringir el escaneo a las URL que están en el alcance String scanPolicyName=null;//permite especificar la política de exploración (si no se proporciona ninguna, usa la política de exploración predeterminada) String method=null;// String postData="true";//Si usa datos POST api.ascan.setOptionScanHeadersAllRequests(false);//Si se activa escanea las cabeceras de todas las peticiones, no solo las que envían parámetros. api. api.ascan.excludeFromScan("1234abc");//Expresion regular que indica los que se va ignorar en el escaneo resp = api.ascan.scan(TARGET, recurse, inScopeOnly, scanPolicyName, method, postData); // The scan now returns a scan id to support concurrent scanning scanid = ((ApiResponseElement) resp).getValue(); // Poll the status until it completes while (true) { progress = Integer.parseInt( ((ApiResponseElement) api.ascan.status(scanid)).getValue()); System.out.println("Active Scan progress : " + progress + "%"); if (progress >= 100) { break; } Thread.sleep(1000); } System.out.println("Active Scan complete"); //GUARDO EL RESULTADO Conjunto //HTML System.out.println("Creando REPORT..."); File archivo = new File("./REPORT.html"); BufferedWriter bw = new BufferedWriter(new FileWriter(archivo)); bw.write(new String(api.core.htmlreport())); bw.close(); System.out.println("Resultado del SPIDER Y ASCAN guardado en REPORT.html"); //JSON archivo = new File("./REPORT.json"); bw = new BufferedWriter(new FileWriter(archivo)); bw.write(new String(api.core.jsonreport())); bw.close(); System.out.println("Resultado del SPIDER Y ASCAN guardado en REPORT.json"); } catch (Exception e) { System.out.println("Exception : " + e.getMessage()); e.printStackTrace(); } }This code performs an active scan over a site with custom configuration. I have set several configurations for the Spider scan, but I could not the Active Input Vector Options for the active scan. How could I do that?
-
Configuring OWASP Zap Spider to output the "chain of URLs" for each request
I am new to vulnerability testing at my new job at an EC site development (we also get them up and continue to run them on AWS EC2).
I am wondering if there is a way to configure Spider so that I can get ouput of the the "URL chain" to serve all the requests that are listed when I runphp artisan route:listCurrently, my colleague who joined the company a few months before me is manually inputting this info into a spreadsheet. Ex. "Home->Register user info->Confirm registered user info->main shopping page->item category page->item description page->confirm adding product to cart page->etc." I find this to be extremely tedious, he does as well, and because he only speaks Japanese, I don't think he is able to post questions here.
I have started looking through the Zap documentation but have not seen anything relevant yet. Any advice is appreciated. -
Laravel, What is wrong with using Owasp Zap spider to check all the routes from php artisan route:list?
I started working at an ecommerce site building and running company (Laravel, Ruby on Rails, Javascript and AWS for infrastructure) in Japan (I nor many of my colleagues seem to have comp sci degrees but the pay is very low).
Anyways, my job is to pen test and load test the sites the dev team makes. My coworker who started a few months before me says that rather than use Owasp Zap Spider capabilities, he lists all the GET, POST, and whatever other route requests he finds usingphp artisan route:listin an Excel spreadsheet and then MANUALLY tries to access each one, documenting the exact order of URLs that he links through to get there. This seems really tedious and we have a language barrier so I don't understand why we can't just use the Owasp Zap Spider function and retrieve all the URLs that are in the website checking to make sure that every request is completed200 OKor otherwise.
Is anyone familiar enough with Owasp Zap and the Spider function to explain why he's doing it manually? I am new to Owasp, pen testing, etc having just started last week. I apologize for the wall of words.