Overview
This lab walks you through using ZAP by OWASP. ZAP is a vulnerability analysis tool used to scan Web applications for possible software flaws. As an introduction to ZAP, you will scan and intercept the HTTP messages exchanged with the PHP code we developed in week 4. You will also run the attack scanner against the code you developed in week 4.
Important: Do not attempt to use these tools against any live Web site. It is illegal to do so. You can only scan sites you have written permission to scan. Run ZAP in the virtual machine only against applications you developed that are running on localhost, and disconnect from the Internet while ZAP is running.
Learning Outcomes:
At the completion of the lab you should be able to:
Launch ZAP and view Web sites history and input parameters
Use ZAP to intercept HTTP messages and change their content to identify possible vulnerabilities
Read and analyze reports produced from ZAP and prioritize and fix alerts associated with software issues
Lab Submission Requirements:
After completing this lab, you will submit a Word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, your associated files should be submitted. You can submit multiple files in a zip file.
Virtual Machine Account Information
Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are:
Username : umucsdev
Password: umuc$d8v
Part 1 – Launch ZAP and view Web sites history and input parameters
This exercise will walk you through launching ZAP and allow you to become comfortable with the ZAP GUI within your virtual machine. We will use ZAP to begin analyzing some of the PHP Web applications we created in week 4.
Important: Disconnect your machine from the Internet when using ZAP. This ensures you are only scanning applications on your localhost. You can do this by unplugging the network cable from your machine or, if you are on a wireless connection, by turning your Wi-Fi off.
Start your Virtual Machine as you normally would: open Oracle VM VirtualBox, start the SDEV32Bit image and then log into the machine.
Verify that your Firefox browser has the proxy properly configured. To do this, launch Firefox and go to the Options (Preferences) menu.
Click on the Advanced icon and select the Network tab.
Click the Settings button, then enter localhost as the HTTP Proxy with Port 8080. Also, be sure "Use this proxy server for all protocols" is selected and the "No proxy for:" text area is blank. Firefox normally lists localhost in that box, which would make it bypass the proxy for exactly the sites you want ZAP to see, so it must be cleared.
Click OK and your browser will send its HTTP messages through the preconfigured ZAP proxy. Note: you will need to change your browser settings back to "No proxy" once you are done, in order to browse normally to either localhost or the Internet.
To launch ZAP, open a shell prompt and change to the ZAP_2.3.1 folder.
Type the following command to start ZAP:
./zap.sh
The ./ prefix is important: it runs zap.sh from the current directory explicitly, instead of letting the shell search the directories in your PATH, which for security reasons normally does not include the current directory.
After launching, the ZAP GUI will appear.
The GUI will look very complicated at first because the tool offers a great deal of functionality. Over the next couple of weeks you will be exposed to most of the critical features.
To use the Sites and History tabs, you will need to launch your browser. Open your browser and load the DemoGetForm.html file from week 4. The URL should be: localhost/week4/DemoGetForm.html. If you look at the ZAP tool you will see that the Sites tab now lists GET:DemoGetForm.html. Also notice that the History tab has information related to this site.
If you click on the Request and Response tabs on the right side of the tool, you will see both the header and body of the DemoGetForm.html transaction.
You should carefully review the request and response details, noting how much information a single transaction reveals. The Web server and operating system are identified in the response headers, and all HTML source code and comments are delivered to the client.
Fill in and submit DemoGetForm.html, and notice that get_Submit.php(fname,lname,mypass) is added to the History and Sites tabs. Also review the Request and Response tabs, as well as the Params tab near the bottom.
You should experiment with using ZAP by running the other Web applications you created in week 4. As you run these applications, be sure to review the Sites, History, Request, Response and Params tabs.
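As an added example (not part of the lab or of the week 4 code), the following Python script automates the kind of review described above: it takes a raw HTTP response like the one shown in ZAP's Response tab and lists the headers that identify server software, the HTML comments delivered to the client, and the form input names that will become request parameters. The sample response is constructed for illustration; its header values are not captured from the virtual machine.

```python
import re

# Constructed sample of what the ZAP Response tab might show for DemoGetForm.html;
# the header values are illustrative, not captured from the virtual machine.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    "<!-- staging copy: debug mode is on -->\n"
    "<form action='get_Submit.php' method='GET'>\n"
    "<input name='fname'><input name='lname'><input name='mypass' type='password'>\n"
    "</form></body></html>\n"
)

# Response headers that commonly identify server software or platform versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

def parse_response(raw):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_disclosures(raw):
    """Return (kind, detail) findings a reviewer should note from one transaction."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:          # software/version fingerprints
        if name in headers:
            findings.append(("header", name + ": " + headers[name]))
    for comment in re.findall(r"<!--(.*?)-->", body, re.S):   # comments reach the client
        findings.append(("html-comment", comment.strip()))
    for field in re.findall(r"<input[^>]*name=['\"]([^'\"]+)", body):  # future params
        findings.append(("input-parameter", field))
    return findings
```

Each finding maps to something you can check in the Request, Response and Params tabs; the input parameters are the same ones you will manipulate in Part 2.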
Part 2 – Use ZAP to intercept HTTP messages and change their content to identify possible vulnerabilities
One of the strongest features of ZAP is the ability to intercept HTTP messages and change their values in an attempt to find software flaws. In this exercise, we will use the week4 PHP Web applications and demonstrate how the input parameters sent from the form can easily be changed and sent on to the application with the new values.
To intercept an HTTP transmission, you use the Break Points functionality within ZAP.
As before, be certain you have disconnected your machine from the Internet, launch your virtual machine and then start ZAP.
To set a break point, right-click the specific site you want to break on. For example, to put a break point on the get_Submit.php file, right-click that site, select Break and then select Save.
Once the break point is set, it will be displayed in the Break Points tab.
To test the break point, launch the DemoGetForm.html application, complete the form and then press Submit. You will notice the browser seems to hang, because the HTTP request has been intercepted by the proxy and is awaiting action in ZAP.
You can now modify the original data by right-clicking in the Break tab and selecting Resend. When the Resend window appears, modify the GET string as appropriate and click the Send button.
You will then be able to see the new response in the window.
To release the break point, click the arrows at the top of the tool, which let you submit the message and step to the next break. Once you click those arrows, the data is submitted and the browser shows the results. Note that you can also modify the text in the Break tab itself and then click the submit arrows to show the results in your browser.
This is where the person-in-the-loop analysis and discovery takes place. Manipulating the data sent into the application provides insight into its vulnerabilities. For example, you may discover that sending in a null password allows access to the system. You may also discover that providing an admin username together with a brute-force password guess grants additional system privileges.
You should experiment with all of the week4 PHP applications to see how parameters and information can be changed and the resulting impact on the application.
Part 3 – Read and analyze reports produced from ZAP
In this part, we will run the automatic scanning feature of ZAP, generate HTML alert reports for DemoGetForm.html and DemoPostForm.html, and discuss approaches to prioritizing and mitigating the issues found in each Web application.
As before, be certain you have disconnected your machine from the Internet, launch your virtual machine and then start ZAP.
Under the Quick Start tab of ZAP, enter the URL localhost/week4/DemoGetForm.html and click Attack.
As the scan runs, you will see hundreds of requests logged in the Active Scan tab. You will also see several alerts. Each alert is a possible vulnerability; the color of its flag indicates the risk level of the issue found.
To generate a report from the scan in HTML format, open the Report menu on the menu bar at the top of the tool and select Generate HTML Report.
Save the report to a folder and filename of your choice. For this example, a ScanResults folder was created and the HTML report was saved to the DemoGetFormReport file. Click Save to continue.
The HTML report should automatically open in your Browser. If not, use the file manager to open the report.
You should review the report carefully, comparing the risk levels, descriptions, URL, Parameter, Attack, Solution, Reference, CWE ID and WASC ID. When you prepare your lab for this week, you will use each of these fields to describe your findings as well as to formulate your solutions. The suggested solutions may be enough, but you may need to dig deeper into the references to mitigate an issue.
Typically, you should work to mitigate the higher risk issues first.
After you have resolved the issues, you can rescan the application and see if any Alerts remain. You will find some of the warnings are easy to fix. Some are more challenging – particularly the Cross-Site Scripting issues.
You can use the File - New Session option to clear the current session.
Next, run a similar scan and analysis of the week4/DemoPostForm.html application. Save the results to a file named DemoPostSubmitReport.
You will find a similar number and similar types of alerts for this Web application:
Work through the report to analyze the results and remove alerts where possible.
The analysis and mitigation of issues is a repetitive process that should be done often during development and after each release, to make sure issues are not introduced during updates. ZAP is just one tool for use in this process. Be aware that ZAP is not the only approach for finding software vulnerabilities, nor will it eliminate or find all of the issues. Other scanners and techniques should be used to help secure your Web application.
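ZAP's Report menu can also export the same alerts as XML (Generate XML Report), which is easier to process than the HTML report when you want to prioritize. The script below is an added example, not part of the lab: it reads such a report, orders the alerts highest risk first and groups them by CWE so that one fix can clear several alerts, and counts what remains per risk level, which is the check to run after you rescan. The embedded report is a constructed sample modelled on the alertitem layout of ZAP's XML report; the element names are assumed from that layout and the alert values are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the alertitem layout of ZAP's XML report;
# the alert values are illustrative, not the output of a real scan.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.3.1" generated="constructed sample">
<site name="http://localhost" host="localhost" port="80" ssl="false"><alerts>
<alertitem><alert>Cross Site Scripting (Reflected)</alert><riskcode>3</riskcode>
<riskdesc>High (Medium)</riskdesc><uri>http://localhost/week4/get_Submit.php</uri>
<param>fname</param><attack>(probe omitted)</attack>
<solution>Validate input and HTML-encode output.</solution>
<cweid>79</cweid><wascid>8</wascid></alertitem>
<alertitem><alert>X-Frame-Options Header Not Set</alert><riskcode>1</riskcode>
<riskdesc>Low (Medium)</riskdesc><uri>http://localhost/week4/DemoGetForm.html</uri>
<param></param><attack></attack><solution>Send an X-Frame-Options header.</solution>
<cweid>16</cweid><wascid>15</wascid></alertitem>
<alertitem><alert>X-Content-Type-Options Header Missing</alert><riskcode>1</riskcode>
<riskdesc>Low (Medium)</riskdesc><uri>http://localhost/week4/get_Submit.php</uri>
<param></param><attack></attack><solution>Send X-Content-Type-Options: nosniff.</solution>
<cweid>16</cweid><wascid>15</wascid></alertitem>
</alerts></site></OWASPZAPReport>"""

RISK_NAMES = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

def parse_alerts(xml_text):
    """Return one dict per alertitem holding the fields the lab asks you to compare."""
    alerts = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        def text(tag):
            return (item.findtext(tag) or "").strip()
        alerts.append({
            "name": text("alert"), "risk": int(text("riskcode") or 0),
            "uri": text("uri"), "param": text("param"), "attack": text("attack"),
            "solution": text("solution"), "cwe": text("cweid"), "wasc": text("wascid"),
        })
    return alerts

def prioritize(alerts):
    """Highest risk first; within a level, group by CWE so one fix clears many alerts."""
    return sorted(alerts, key=lambda a: (-a["risk"], a["cwe"], a["uri"]))

def summarize(alerts):
    """Count alerts per risk level: the 'what is left' check after a rescan."""
    counts = defaultdict(int)
    for a in alerts:
        counts[RISK_NAMES.get(a["risk"], "Unknown")] += 1
    return dict(counts)
```

Running summarize on the report from the first scan and again on the report from the rescan gives you the before-and-after numbers your write-up needs.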
Lab submission details:
For this lab, you will provide a detailed analysis using both manual interception techniques and automatic scanner attacks against http://localhost/week4/loginAuth.html. You should run the manual interception techniques first, and describe in detail the information revealed to you during your analysis. Be sure to provide screen captures of you running the tool, and analyze all files used by the application (loginAuth.html, authcheck.php and logout.php). Try to modify the HTTP messages and look for possible vulnerabilities. This is the important discovery portion of your analysis.
When you run the automatic scan, be sure to generate an HTML report showing all alerts. Also, describe the active scan activity. For each alert, discuss all of the output and try possible solutions. Be sure to describe how you prioritized the alert messages. Try to resolve all alerts and document specifically your process for resolving them. Looking up these errors and how to resolve them is part of the exercise and is a good representation of how this is accomplished in the real world. Rerun the scanner after you have fixed as many issues as you can, to demonstrate your success.
For your deliverables, you should submit a zip file containing your Word document (or PDF file) with screen shots of your scans. Be sure to include the descriptions and analysis of your results, and your prioritization and approach to mitigating the issues. Also include the reports from your scans. Your report should be well-organized and clearly written. This report is aimed at your Chief Security Officer, who pays your salary. He is a technical geek and wants details, clarity and something he can pass on to others to make sure you have job security for years to come.
Have fun with this!
Include your full name, class number and section and date in the document.
Grading Rubric:

Attribute: ZAP analysis (Meets: 6 points; Does not meet: 0 points)
Meets:
- Runs the manual interception techniques, and describes in detail the information revealed to you during your analysis. (1 point)
- Analyzes all files used for the application (loginAuth.html, authcheck.php and logout.php). (1 point)
- Modifies the HTTP messages and looks for possible vulnerabilities. (1 point)
- Runs the automatic scan, and generates an HTML report showing all alerts. (1 point)
- Discusses all of the output and tries possible solutions for all alerts. (1 point)
- Reruns the scanner after you have fixed as many issues as you can to demonstrate your success. (1 point)
Does not meet:
- Does not run the manual interception techniques, or does not describe in detail the information revealed during the analysis.
- Does not analyze all files used for the application (loginAuth.html, authcheck.php and logout.php).
- Does not modify the HTTP messages or look for possible vulnerabilities.
- Does not run the automatic scan, or does not generate an HTML report showing all alerts.
- Does not discuss all of the output or try possible solutions for all alerts.
- Does not rerun the scanner after fixing as many issues as you can to demonstrate your success.

Attribute: Documentation and submission (Meets: 4 points; Does not meet: 0 points)
Meets:
- Submits a zip file containing your Word document (or PDF file) with screen shots of your scans. (1 point)
- Includes the descriptions and analysis of your results, your prioritization and approach to mitigating the issues. (2 points)
- Includes the reports from your scan. (0.5 points)
- Your report is well-organized and clearly written. (0.5 points)
Does not meet:
- Does not submit a zip file containing your Word document (or PDF file) with screen shots of your scans.
- Does not include the descriptions or analysis of your results, or the prioritization and approach to mitigating the issues.
- Does not include the reports from your scan.
- Your report is not well-organized or clearly written.