Tuesday, 28 September 2010

Exploring a web application with ZAP

This post explains how to explore the web application you are testing using the Zed Attack Proxy (ZAP).

Download and install ZAP

You will need to download ZAP from http://code.google.com/p/zaproxy/downloads/list.
There are downloads available for Windows, Mac OS and Unix / Linux like operating system.
You will need to have Java 1.6 or higher also installed.

Once you have downloaded and installed ZAP, start it up.
On Windows an icon will have been created on your desktop and an entry added to the start menu.
On other operating systems use the zap.sh command line script.

Change your browser to use ZAP as a proxy

Change your browser to use ZAP as a proxy, so that all of the requests and responses to and from your application go via ZAP.
See Configuring Proxies help page or your browser's documentation if you are unsure of how to do this.
By default ZAP will listen on http://localhost:8080.
If necessary this can be changed via the Options connection screen.

Now try to connect to your application using your browser.
If you can not connect to it then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings. Its also worth checking that the application that you are trying to test is running!

When you have successfully connected to your application you will see one or more lines in ZAP's Sites and History tabs.
Note that most of ZAP's tabs provide additional functionality that can be accessed via 'right click' menus.

Explore your application

Use your browser to explore all of the functionality provided by the application.
Follow all links, press all buttons and fill in and submit all forms.
Some automated security scanners just require you to login to your application and then explore it for you.
I do not recommend this approach.
It is much more effective to manually explore the application.
You are much more likely to submit valid data that will expose new functionality.
The automated scanner can supply the bad data in an attempt to compromise your application.

Save the ZAP session

Once you have manually explored the application it would be a good time to save the ZAP session so that you can look at it again.
If your application has multiple roles then you should explore it with each role and save the sessions in separate files.

What ZAP shows you

ZAP records all of the requests you make to the application and all of the responses you receive from it.
The Sites tab shows you a hierarchic representation of your requests, while the History tab shows them in the order you made them.
The History tab also shows you the HTTP response code, the time the request took and any Tags or Notes.
Tags are added automatically for pages that contain things like forms, hidden fields and scripts via the Passive Scanner.
These rules can be changed via the Options Passive Scan screen.
You can also tag requests manually.
Notes can contain much more information - they are for extra information that you want to record and are not generated automatically.
Clicking on an entry in either tab will show the details on the Request and Response tabs.
The History tab provides a filter dialog which allows you to restrict the requests listed to just the ones you are currently interested in.
The Search tab allows you to search for regular expressions in all of the URLs, requests and responses.

ZAP shows you all of the requests and responses that are going on 'under the covers' of your application.
This may be particularly revealing if the application uses AJAX requests to get information in the background.

Next we shall look at the automated tools the ZAP provides...

Monday, 6 September 2010

Introducing the Zed Attack Proxy

You dont always need any specialist tools to pen test web applications, but they do help.

Unfortunately many pen test tools either cost money, are aimed at experts or are poorly documented.

If you are going to be a professional pen tester then you will be able to justify the expense of buying and/or taking the time required to learn how to use an 'experts tool' like the Burp Suite or Web Scarab.

As a web application developer who wants to learn about pen testing you need a free, easy to use and well documented tool.
Ideally it should also be open source, as no doubt some of you will want to see whats going on under the hood, and maybe even make your own enhancements.

There are few if any tools that currently fit this profile.

So I've released the Zed Attack Proxy (ZAP).
This is a fork of the well regarded Paros Proxy , which unfortunately has not been updated for a while.
The full set of changes are documented here but essentially they are mostly usability changes and the addition of help pages.

In this blog I'm going to explain different aspects of pen testing from a developers point of view using ZAP.

I'll also be further developing ZAP with new features .
And if you want to get involved with the development of ZAP then you will be more than welcome.

Psiinon

Saturday, 4 September 2010

Welcome to my Penetration Testing for Developers blog

This blog is about penetration testing. 
But instead of being aimed at security professionals it is aimed at web application developers and functional testers.

Why do developers need to know about penetration testing?
Some web developers are very security aware. This blog is not really for them :)

However in my experience many developers (and from here on in read 'developers' to include functional testers) do not know enough about web application security.

And I don't think that its possible to build a secure web application without knowing how the bad guys will try to compromise it!

There are many ways to learn how to build secure web applications, but I think that a basic understanding of pen testing can really bring home to developers how easy it can be to compromise their applications.
This is not to say that other training and tools such as static source code analysis should not be used.
Defense in depth should be applied to the development process as well as the applications being developed. 

Shouldn't pen testing be left to the professionals?
A basic understanding of pen testing techniques is no substitute for having a security expert pen test your app.

However by learning about pen testing you will become more security aware and hopefully will avoid including some of the basic vulnerabilities in your apps. 
Which means the professional pen testers can concentrate on the more obscure (and interesting) vulnerabilities.