Automatic Web App Security Testing with OWASP ZAP

OWASP Zed Attack Proxy (ZAP), or ZaProxy as it is also called, is an exceptional tool for both security testers and developers to test web application security. In this tutorial we will take a quick look at how to use a couple of common features in the latest version of ZAP, including the quick attack and the Man-in-the-Middle proxy scan and fuzzing features.

For this article, I used Mutillidae as a test target and ran ZAP from a Kali Linux system. As always, never use tools like this against systems that you do not have permission to test.

Quick Scan & Attack

To start the quick scan, simply enter the address of your target (a Mutillidae system here) in the “URL to attack” input box and click the “Attack” button.

ZaProxy Quick Scan

This will spider the entire target website and then active scan it for vulnerabilities. The scan progress and pages found will be displayed in the bottom window. When it is finished, press “Alerts” to see any security issues with the website:

ZaProxy Quick Scan 1

And as you can see, ZAP found multiple issues with the website! Each folder contains different types of security issues, color coded for severity. Clicking on the folder will reveal individual issues that you can select for additional information. ZAP is wonderful because it not only lists an in-depth explanation of the problem, but it also gives you recommendations on resolving the issue.

This is nice, but we can do a much more in-depth scan and even perform fuzzing attacks using ZAP’s proxy function.

Proxy Scan and Fuzzing

Start ZAP and then set your browser’s internet proxy settings to localhost:8080. Then surf to the target webpage and log in. Surf to a few other pages if you like, entering data as you go; the more site interaction the better. When done, return to ZAP, highlight the website in the “Sites” window, right-click on it and select “Attack”, and then “Active Scan”:

ZaProxy Active Scan

ZAP will perform an in-depth scan of the page, including the new information obtained with the ZAP proxy. When the scan is done, click on the Alerts folder:

ZaProxy Active Scan 1

Notice we now have more alerts, including SQL Injection issues. Let’s see what SQL attacks would work against the target.

In the “Sites” window, select the login webpage, right-click on it and select “Attack” and then “Fuzz…”. This will open the fuzzer screen. It lists the header text in the top left box, the target query with selectable text in the bottom left box, and the fuzz location/tool window on the right.

  • In the bottom left window, highlight the name you used to log in as a keyword. I used the username “test”.
  • Now click “Add” in the right window:

OWASP Fuzzing

  • A Payloads box pops up showing the value of “test”. Click “Add” again to select our attack payloads.
  • In the drop-down box that says ‘Type:’, select “File Fuzzers”:

OWASP Fuzzing 1

  • Now click the triangle next to “jbrofuzz” to expand the options:

OWASP Fuzzing 2

  • Notice the large number of different attack types you can use! We just want to try SQL Injection for now, so check the “SQL Injection” box, and click “Add”.

You will now be back at the payload screen. Notice that at this point you could add multiple keywords and numerous payloads if you wanted to create a very complex attack. But for now we just want to attack the keyword ‘test’ with SQL Injections.

  • Click “OK” to continue.
  • Now just click “Start Fuzzer” to begin.

This can take a short while to run, but within a few seconds you should already see multiple SQL injection attacks and their statuses shown in the status window:

OWASP Fuzzing 3

So fairly quickly we were able to scan a site for a host of SQL injection issues. Add to that the ability to select multiple keywords and payloads and you have a very powerful web application testing tool!
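What the fuzzer is exercising in the login's username field can be reproduced offline. The following is an added example, not part of the original tutorial or of ZAP: it runs a few constructed fuzz strings against a login query built by string concatenation and against the same query with bound parameters. The table, function names and fuzz strings are assumptions made for the illustration.

```python
import sqlite3

# Constructed stand-ins for a SQL injection fuzz list; the list ZAP's
# file fuzzer loads is much longer.
FUZZ_STRINGS = ["test", "test'", "test' --", "' OR '1'='1' --", '" OR 1=1 --']

def make_db():
    """In-memory accounts table holding one constructed user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('test', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    """Concatenates input into the SQL text, so input can change the query."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return "ok" if db.execute(sql).fetchone() else "denied"
    except sqlite3.Error:
        # A database error reaching the caller is itself a finding.
        return "sql-error"

def login_parameterized(db, username, password):
    """Binds input as data; quotes and comment markers stay inside the value."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return "ok" if db.execute(sql, (username, password)).fetchone() else "denied"

def fuzz(login, payloads=FUZZ_STRINGS, password="wrong-password"):
    """Send each payload as the username with a wrong password; record the status."""
    db = make_db()
    return {p: login(db, p, password) for p in payloads}

def findings(login):
    """Payloads that did anything other than a clean denial."""
    return [p for p, status in fuzz(login).items() if status != "denied"]

if __name__ == "__main__":
    for name, fn in [("concatenated", login_vulnerable),
                     ("parameterized", login_parameterized)]:
        print(name, fuzz(fn))
```

With a wrong password every request should be denied, so any other status from the concatenated version marks input that altered the query, while the parameterized version denies all five.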


Backtrack Video: Introduction to Metasploit

Intro to Metasploit by Jeremy Druin (@webpwnized).

This is the 5th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers Metasploit.

From Irongeek.com.

Adrian Crenshaw (Irongeek) is the creative genius behind “Mutillidae” the purposefully vulnerable web application for learning about the OWASP Top 10. Check out Adrian’s site for a ton more videos and some great security information.

Yahoo Password Dump Analyzed

Wow, not one, but two password dumps in one day. Hackers leaked a very large number of Billabong and Yahoo passwords in plain text with no need to try to crack them. We looked at the Billabong one earlier today using the password analysis tool Pipal, now let’s take a look at the Yahoo dump.

This one is huge, almost 450,000 users. Though according to numerous reports most of the leaked accounts were not active, the latest reports are saying that many of the included cracked accounts were passwords to other sites. According to ABC News:

“Some of the Yahoo Voices’ accounts listed email addresses with AOL, Gmail, Hotmail and Windows Live. Security firm Sucuri said that more than 100,000 Gmail addresses were included in the breach.”

Take into account that many people never change their passwords, or use the same password at multiple sites, and this is very concerning. Well, let’s go ahead and take a look at the dump as analyzed with Pipal.

Here are the top 7 Password Lengths:

The Complexity of the Passwords:

And Character Sets Used:

And as always, for some odd reason the password “monkey” always seems to show up in the top 10 lists. But this time it did not make it as a top 10 password:

It seems to have been supplanted by the password “0”. Two hundred and two people actually used “0” as a password!

Okay for the record, “monkey” was not a complete no-show. It was one of the top 10 base words!

It beat out Jesus, love, money and ninja!
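The length, character-set and base-word breakdowns discussed above can be computed with a few counters when auditing your own organization's password data. This is an added example, not Pipal's code and not from the original post: the sample list is constructed, and the base-word rule (trim non-letters from both ends, keep words longer than three letters) is an assumption about how such a report defines a base word.

```python
import re
from collections import Counter

# Constructed sample passwords, not taken from any real dump.
SAMPLE = ["monkey12", "Monkey!", "0", "password1", "123456", "ninja2012",
          "love", "monkey", "Summer2012!", "qwerty"]

CLASSES = [("lower", r"[a-z]"), ("upper", r"[A-Z]"),
           ("digit", r"[0-9]"), ("special", r"[^a-zA-Z0-9]")]

def charset(pw):
    """Label a password by the character classes it contains."""
    return "+".join(name for name, pat in CLASSES if re.search(pat, pw))

def base_word(pw):
    """Trim non-letters from both ends and lowercase (assumed rule)."""
    word = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    return word if len(word) > 3 else None

def analyze(passwords, top=3):
    """Return the most common lengths, character sets and base words."""
    lengths = Counter(len(p) for p in passwords)
    sets = Counter(charset(p) for p in passwords)
    bases = Counter(b for b in map(base_word, passwords) if b)
    return {"lengths": lengths.most_common(top),
            "charsets": sets.most_common(top),
            "base_words": bases.most_common(top)}

if __name__ == "__main__":
    for section, rows in analyze(SAMPLE).items():
        print(section)
        for value, count in rows:
            print(f"  {value}: {count}")
```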

All joking aside, what is bothersome is that some of the passwords leaked are pretty good passwords.

Check these out:

  • $coreS1BgM0rsl4me
  • $r87*CQG>36rkM

These would have taken a long time to crack if they had to be cracked manually. But here is the kicker: as the database that held the passwords was compromised via SQL injection, the hackers were able to grab the contents of the entire database. It doesn’t matter that some of the users had 17+ character complex passwords. There was a web application security issue that led to the entire account database being dumped.

This really should drive home the importance of using good security measures at the network and especially the application server levels.