why Technology tab is empty after Active Scan


Faye
Aug 3, 2016, 5:32:52 PM
to OWASP ZAP User Group

The Technology Detection add-on uses the Wappalyzer (http://wappalyzer.com/) rules to detect the technologies used by applications.

This tab is supposed to show all of the detected technologies for the site selected, however my Technology tab (not the Technology inside the Session properties) stays empty after I did Ajax Spider (using Chrome) and Active Scan.

Please advise.

Thank you,

Fay

Simon Bennetts
Aug 4, 2016, 3:26:24 AM
to OWASP ZAP User Group
Hi Fay,

The detection and configuration of technologies are kept separate, which I can see could be initially confusing ;)

Tech configuration is there for users who know what tech is used by the app they are testing - i.e. white box rather than black box.
If you know that your app doesn't use SQL then there's no point ZAP sending a ton of SQL injection attacks :)
We deliberately limit the tech you can configure to the tech that the active scan rules explicitly target.

The Tech detection / Wappalyzer add-on shows you the tech that anyone can deduce about your app.
It is limited to the tech that can be deduced from the application responses, which is a different (but overlapping) set to the tech we target.
This add-on will have problems detecting 'backend' technology like dbs.
So just because this add-on doesn't detect (for example) MySQL that doesn't mean your app doesn't use it.

We _could_ configure the tech based on what we detect, but we would need to be very careful as this could easily hide real vulnerabilities in tech that is not externally visible.

Does that make sense?

Simon
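To make the distinction in Simon's reply concrete, here is an added example (not code from the ZAP project or the Wappalyzer add-on) of how response-based technology detection works: a small, constructed, Wappalyzer-style rule set is applied to constructed HTTP responses, matches on headers, cookies, URL and HTML are recorded, and "implied" technologies (JSP implies Java) are added. It also groups results per host rather than per path, which is how the Technology tab is described later in this thread. The rule set, the responses and the host addresses are all hypothetical; the real add-on ships a far larger catalogue. The third response is backed by a database that leaves no trace in the response, which is exactly why backend tech such as MySQL goes undetected. From a defender's side, the same logic shows which headers (Server, X-Powered-By) and cookie names are the first things to trim if you want to reduce what anyone can deduce about your stack.

```python
import re
from urllib.parse import urlsplit

# Constructed, Wappalyzer-style rule set (hypothetical and shortened).
# Each key names a response location to inspect; "implies" lists technologies
# that follow from a match. Note there is no rule for MySQL: a database does
# not normally leave any fingerprint in an HTTP response.
RULES = {
    "Java": {},
    "JSP": {
        "headers": {"X-Powered-By": r"JSP/?(?P<version>[\d.]+)?"},
        "cookies": {"JSESSIONID": r".*"},
        "url": r"\.jsp(\?|$)",
        "implies": ["Java"],
    },
    "Apache Tomcat": {
        "headers": {"Server": r"Apache-Coyote|Tomcat"},
        "implies": ["Java"],
    },
    "PHP": {
        "headers": {"X-Powered-By": r"PHP/?(?P<version>[\d.]+)?"},
        "cookies": {"PHPSESSID": r".*"},
        "url": r"\.php(\?|$)",
    },
    "jQuery": {"html": r"<script[^>]+jquery[^>]*\.js"},
}


def _match_map(patterns: dict, values: dict) -> bool:
    """True if any header/cookie name in `values` matches a rule pattern (case-insensitive)."""
    for name, pattern in patterns.items():
        for key, value in values.items():
            if key.lower() == name.lower() and re.search(pattern, value, re.I):
                return True
    return False


def detect(response: dict) -> list:
    """Return the sorted technology names deducible from one response.

    `response` is a constructed dict with keys "url", "headers", "cookies", "body".
    """
    found = set()
    for tech, rule in RULES.items():
        hit = False
        if "headers" in rule and _match_map(rule["headers"], response.get("headers", {})):
            hit = True
        if "cookies" in rule and _match_map(rule["cookies"], response.get("cookies", {})):
            hit = True
        if "url" in rule and re.search(rule["url"], response.get("url", ""), re.I):
            hit = True
        if "html" in rule and re.search(rule["html"], response.get("body", ""), re.I):
            hit = True
        if hit:
            found.add(tech)
            found.update(rule.get("implies", []))
    return sorted(found)


def detect_by_host(responses: list) -> dict:
    """Aggregate detections per scheme://host:port, not per path.

    This mirrors the host-level grouping described for the Technology tab,
    so /bodgeit and /other on the same host end up in one entry.
    """
    by_host = {}
    for resp in responses:
        parts = urlsplit(resp["url"])
        by_host.setdefault(f"{parts.scheme}://{parts.netloc}", set()).update(detect(resp))
    return {host: sorted(techs) for host, techs in by_host.items()}


# Constructed sample responses (not captured traffic; addresses are documentation ranges).
SAMPLE = [
    {
        "url": "http://192.0.2.10:80/bodgeit/login.jsp",
        "headers": {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html"},
        "cookies": {"JSESSIONID": "0123ABCD"},
        "body": "<html><head><script src='/js/jquery-1.7.2.min.js'></script></head></html>",
    },
    {
        "url": "http://192.0.2.10:80/other/index.php",
        "headers": {"X-Powered-By": "PHP/5.4.0"},
        "cookies": {},
        "body": "<html><body>hello</body></html>",
    },
    {
        # Backed by MySQL in this scenario, but nothing in the response reveals it.
        "url": "http://192.0.2.20:8080/app/",
        "headers": {"Content-Type": "text/html"},
        "cookies": {},
        "body": "<html><body>ok</body></html>",
    },
]

if __name__ == "__main__":
    for host, techs in detect_by_host(SAMPLE).items():
        print(host, techs)
```

Running it lists Apache Tomcat, JSP, Java, PHP and jQuery for the first host and nothing at all for the second, even though the second is the one using a database: detection only ever sees what the response exposes.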

fay....@gmail.com
Aug 4, 2016, 11:34:46 AM
to zaprox...@googlegroups.com
Thanks a lot for the quick response, Simon.

Yes, it makes sense. I used Ajax Spider and Active Scan on the BodgeIt app, but the Technology Detection did not detect anything. Since BodgeIt uses Java JSP, I expected to see JSP show up under the Technology Detection tab after the Ajax Spider/Active Scan is done.

I am wondering if I missed any steps needed to make the Technology Detection tab work properly. It is fine if, by design, the Technology Detection tab sometimes turns out to be empty.

Please advise.

Thank you,

Fay

kingthorin+owaspzap
Aug 4, 2016, 8:56:40 PM
to OWASP ZAP User Group
While it's improbable, it isn't impossible that no tech was actually identified.

Do you have different results with the traditional spider or just by proxying browser traffic (against or for BodgeIt)?

kingthorin+owaspzap
Aug 4, 2016, 8:58:48 PM
to OWASP ZAP User Group
Are you sure the wappalyzer passive scanner was enabled?

Tools : Options : Passive Scan Rules : "Wappalyzer scanner (tech detection)"

Faye
Aug 4, 2016, 11:20:50 PM
to OWASP ZAP User Group
Yes. The wappalyzer passive scanner was enabled (please see the attached screenshot).

I tried proxying browser traffic, Spider, Ajax Spider (using Chrome because I am having trouble with Firefox) and Active Scan. They all performed well, but still nothing is shown under the Technology tab.

Thank you very much for all the help!

Faye
TechnologyDetection.jpg

thc...@gmail.com
Aug 5, 2016, 5:08:06 AM
to zaprox...@googlegroups.com
Hi.

The absence of entries in the Technology tab seems to be caused by a core bug. [1]

Could you try with a weekly release (which already has the issue fixed)? [2]


[1] https://github.com/zaproxy/zaproxy/pull/2659
[2] https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Best regards.

Faye
Aug 5, 2016, 11:06:53 PM
to OWASP ZAP User Group
I just installed the weekly release of 08/01. The Technology Detection tab is gone somehow. I also checked the passive scan rule and the Technology Detection is no longer listed there.

Please advise.

Thank you!

kingthorin+owaspzap
Aug 6, 2016, 5:43:24 AM
to OWASP ZAP User Group
You need to open the market place (the stacked cubes button on the main toolbar) and install it for the weekly.

Or copy it from your other install into the weekly.

Faye
Aug 6, 2016, 1:09:22 PM
to OWASP ZAP User Group
Thanks a lot for the advice. The Technology tab is shown again.

However, it is still empty. I compared the Active Scan tab and Technology tab (please see the attached screenshots). The Active Scan tab is able to select the specific site of bodgeit (http://IP/bodgeit), but the Technology tab selects the parent URL (http://IP:80). Is the reason Technology Detection detects nothing possibly that it looks at the OWASP BWA parent level, and BWA has multiple sites under it?

Did I miss some steps in order to have the same site selection in the Technology Detection tab as in Active Scan?

Thank you!
ActiveScan.jpg
TechnologyDetection.jpg

thc...@gmail.com
Aug 8, 2016, 5:48:08 AM
to zaprox...@googlegroups.com
Hi.

Could you try the following:
1. Start ZAP;
2. Access the target website;
3. Wait some seconds (for the passive scan to finish) and check the Technology tab.

Does it now show the technologies?


No, the Technology tab shows all technologies found for a given host/server; it does not differentiate by hosted websites.

Best regards.

fay....@gmail.com
Aug 8, 2016, 8:05:58 AM
to zaprox...@googlegroups.com
No. It still does not show any technology. :-(

Thank you!