ZAP 1.4


psiinon

Sep 17, 2011, 12:48:15 PM
to zaproxy...@googlegroups.com
I've had a chat with Axel, and we've agreed we want to focus on stability and better scanning (active and passive) for the next major release.
At the moment we're not planning any major new functionality, which should mean that the release can come out sooner.
No idea when yet though ;)
I've started flagging 1.4 candidate issues as high priority: https://code.google.com/p/zaproxy/issues/list?can=2&q=priority=High

Note that this process has just started, so expect more issues to be included.
But if there are specific issues you think we should be including and haven't yet flagged then get in touch and convince us!
Or offer to implement the changes :)

And please post to this topic to give us any feedback with where ZAP should be going, especially for the 1.4 release.

Many thanks,

Psiinon

aim4r

Sep 17, 2011, 1:41:39 PM
to zaproxy-develop
Hi,

I don't know if this is anyhow helpful, but for the passive scanner
you might want to check RatProxy ( http://code.google.com/p/ratproxy/
) . It is an excellent (apache 2.0-licensed) passive proxy.

Regards
Houcem

Adrien de Beaupre

Sep 17, 2011, 4:40:21 PM
to zaproxy...@googlegroups.com
Hi all,

other places to look for ideas to implement as a proxy would be
watcher[1] , burp[2], and proxystrike[3].

[1] http://websecuritytool.codeplex.com/

[2] http://portswigger.net/burp/

[3] http://www.edge-security.com/proxystrike.php

Cheers,
Adrien


psiinon

Sep 20, 2011, 9:45:53 AM
to zaproxy...@googlegroups.com, sectoo...@gmail.com
Agree we should look at as many other tools as possible for inspiration.
However this all takes time - maybe people could volunteer to look at specific tools and report back so we don't get any overlap?

One thing I would really like us to do is to build up a set of regression tests for ZAP, especially around the plugins.
I made a start with that here: http://code.google.com/p/zaproxy/source/browse/trunk/src/org/zaproxy/zap/junit/TestDaemonWave.java
However I haven't really been able to spend enough time developing WAVE.
So I'd like us to use http://code.google.com/p/wavsep/ instead.
It's got a comprehensive set of SQLi and XSS test pages, but is lacking elsewhere.
I've been chatting with Shay (the wavsep lead, cc'ed) and if we develop any future tests in wavsep format then he's happy to look at them to see if they are suitable for him to include.
I think that would be great - I'd much rather make wavsep better than spend a load of effort trying to make WAVE catch up.
So if you're doing any work on ZAP plugins then please run them against wavsep, and also create new pages, especially for non SQLi and XSS issues.

How does that sound?

Psiinon

Zaki Akhmad

Sep 20, 2011, 11:33:53 AM
to zaproxy...@googlegroups.com

Hi folks,

I have a (newbie?) question here. What's the difference between active & passive scanning?

Thanks!

Zaki Akhmad
OWASP Indonesia Chapter Leader
http://www.owasp.org/index.php/Indonesia

Houcem HACHICHA

Sep 20, 2011, 11:37:15 AM
to zaproxy...@googlegroups.com
Hi Zaki,

The passive scanner will inspect the HTTP traffic for possible vulnerabilities.
The active scanner will actually manipulate parameters and inject malicious content in order to identify potential vulnerabilities.

--
Regards,
Houcem




psiinon

Sep 20, 2011, 11:41:55 AM
to zaproxy...@googlegroups.com
This is also covered in the help included with ZAP :)
You can also view it here: http://code.google.com/p/zaproxy/wiki/HelpStartConceptsConcepts

Psiinon

Zaki Akhmad

Sep 20, 2011, 6:01:34 PM
to zaproxy...@googlegroups.com

Thanks a lot, Simon! :-)

Zaki Akhmad
OWASP Indonesia Chapter Leader
http://www.owasp.org/index.php/Indonesia


psiinon

Sep 26, 2011, 4:08:10 PM
to zaproxy...@googlegroups.com
OK, so it's not related to stability OR scanning, but I had some time on the plane back from AppSec USA and so I decided to implement Issue 168 - revealing hidden fields.
There's now a 'lightbulb' button on the toolbar which if selected shows hidden fields and enables disabled ones.
At least those controlled by HTML, it won't be able to change ones controlled by JavaScript.
Feedback appreciated.

psiinon

Sep 28, 2011, 5:38:26 AM
to zaproxy...@googlegroups.com
I'd like us to use the Issues as a way to track all non trivial changes, which I think we're generally doing anyway, so this is just to formalize that.
I've updated http://code.google.com/p/zaproxy/wiki/InDevelopment so that it gives links to show the changes committed and in progress. And it means we don't have to update this page manually any more ;)
So if you are implementing any changes please raise an issue (Defect/Enhancement etc), mark it as started and assign it to yourself.
Unless it's skunkworks of course ;)
And of course feel free to comment on other people's changes via the relevant issue or via this group.

Many thanks,

Psiinon

psiinon

Oct 10, 2011, 5:33:03 PM
to zaproxy...@googlegroups.com
Just committed a couple of minor changes.

I've implemented an active scan test for path traversal attacks.
I still need to tidy up the test pages for this and check those in.

I've also tweaked the versioning so that now if you build from svn it should always say "Dev Build" rather than a number, and the auto update check will be disabled (as it won't make sense).
If you are using a dev build you'll also get a new icon at the bottom showing the number of log4j errors that have occurred. The stack traces are also written to the Output tab.

Talking of which, I've now found out that the Diogana icons are actually from here: http://p.yusukekamiyamane.com/ so I've updated the credits.
I've taken the 'bug' icon from the 'Fugue' set but only checked that one - if you need others from that set just add them.

Let me know if you have problems with any of these changes.

Psiinon

psiinon

Oct 11, 2011, 4:47:29 PM
to zaproxy...@googlegroups.com
And added a CSRF passive scanner, which just looks for the absence of any of the configured anti CSRF token names in forms.
The csrf code also now checks the ID att as well as the NAME att, as many devs use that instead now.
As always, let me know if you hit any problems with these changes...

Psiinon

Vitor Meireles

Oct 11, 2011, 5:17:40 PM
to zaproxy...@googlegroups.com
Hi,

For the CSRF, do you also check if it's on a hidden HTML tag?

Cheers,

Vitor


psiinon

Oct 11, 2011, 5:23:09 PM
to zaproxy...@googlegroups.com
On all form input tags.
In theory it could be hidden via javascript as well as via html.
And the 'reveal' button might have made it 'unhidden' as well ;)

Psiinon
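
An added example, not part of the original thread and not ZAP's own code: a minimal passive check of the kind described in the two posts above, flagging forms in which no input tag (hidden or not) carries a configured anti-CSRF token name in its NAME or ID attribute. The token names, the case-insensitive exact match and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumed token names for illustration; a scanner would read these from its configuration.
TOKEN_NAMES = {"anticsrf", "csrf_token", "authenticity_token"}


class FormTokenCheck(HTMLParser):
    """Record, per <form>, whether any input carries a configured token name."""

    def __init__(self, token_names=TOKEN_NAMES):
        super().__init__()
        self.token_names = {n.lower() for n in token_names}
        self.forms = []       # one dict per form seen in the response body
        self._current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_token": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Check both NAME and ID on every input, hidden or not.
            for key in ("name", "id"):
                if (attrs.get(key) or "").lower() in self.token_names:
                    self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def forms_missing_token(html, token_names=TOKEN_NAMES):
    """Return the action of each form with no recognised anti-CSRF token."""
    checker = FormTokenCheck(token_names)
    checker.feed(html)
    return [f["action"] for f in checker.forms if not f["has_token"]]


SAMPLE = """
<form action="/transfer" method="post">
  <input type="text" name="amount">
</form>
<form action="/profile" method="post">
  <input type="hidden" id="csrf_token" value="constructed-value">
</form>
"""  # constructed sample response body

if __name__ == "__main__":
    print(forms_missing_token(SAMPLE))
```

Because the check only reads the response body, a token field injected later by script is not seen and the form is still reported.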

psiinon

Oct 12, 2011, 6:45:23 AM
to zaproxy...@googlegroups.com
Strange, I emailed a reply, but it doesn't seem to have turned up here.
So posting directly for completeness :)

psiinon

Nov 7, 2011, 8:53:05 AM
to zaproxy...@googlegroups.com
One of the priorities for 1.4 is to improve the scanner rules.
I've just raised Issue 228 (http://code.google.com/p/zaproxy/issues/detail?id=228) to cover improvements to (well, replacement of) the XSS scanners.

Feedback appreciated :)

Psiinon

psiinon

Nov 20, 2011, 11:52:57 AM
to zaproxy...@googlegroups.com
Just committed first set of changes for Issue 231: improving the extensibility of ZAP.
There's now an options pane which allows you to configure which extensions get loaded.
I plan to implement an example plugin extension, show how to package it up and then import it into ZAP.