OWASP ZAP - Questions


sujet.d...@outlook.com

Dec 28, 2016, 4:00:47 PM
to OWASP ZAP User Group

Hi Everyone,

I am testing ZAP and I have a few questions that I hope you will solve:

I have installed ZAP 2.5.0 on Windows 7 and Ubuntu 16.04 and the "Report > Compare with another session..." feature seems to not work. Is it a known issue? Is there a patch planned in the roadmap? Or maybe it is mishandling on my part?

Is it possible to definitely modify a risk level for an alert (e.g. set "X-Content-Type-Options header missing" risk level from Low to Medium but not only for one request or session)?

Is there a way to know all the alerts possibly thrown by ZAP?
 
Apparently, it is possible to write passive or active scan rules either in Java or dynamically by using scripts (https://zaproxy.blogspot.fr/2014/04/hacking-zap-4-active-scan-rules.html).
Does installing a new version of ZAP remove (or impact) those rules?
Does updating a plugin (e.g. to get a new set of rules) impact those rules or previous scans results?

Thanks.

kingthorin+owaspzap

Dec 29, 2016, 8:32:52 AM
to OWASP ZAP User Group
Answers inline.


On Wednesday, December 28, 2016 at 4:00:47 PM UTC-5, sujet.d...@outlook.com wrote:

> Hi Everyone,
>
> I am testing ZAP and I have a few questions that I hope you will solve:
>
> I have installed ZAP 2.5.0 on Windows 7 and Ubuntu 16.04 and the "Report > Compare with another session..." feature seems to not work. Is it a known issue? Is there a patch planned in the roadmap? Or maybe it is mishandling on my part?

You need to be more specific than "not work". Is there an error? Do you not know how to use it? Did you not have a second session to compare against?

> Is it possible to definitely modify a risk level for an alert (e.g. set "X-Content-Type-Options header missing" risk level from Low to Medium but not only for one request or session)?

That's part of what the Alert Filters addon is for. https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAlertFiltersAlertFilter

There's also this outstanding request: https://github.com/zaproxy/zaproxy/issues/1603

I guess if you're after doing it globally forever/always then there isn't really a convenient way of doing it.
You might be able to create a stand-alone script to walk the alerts tree, find the alerts you want to modify, and re-assign the Risk value.

> Is there a way to know all the alerts possibly thrown by ZAP?
>
> Apparently, it is possible to write passive or active scan rules either in Java or dynamically by using scripts (https://zaproxy.blogspot.fr/2014/04/hacking-zap-4-active-scan-rules.html).
> Does installing a new version of ZAP remove (or impact) those rules?

If you write them in Java then hopefully you'll contribute them back to the project, in which case no. If you build a custom version of the scanners package yourself, then likely yes.
Scripts should not be impacted.

> Does updating a plugin (e.g. to get a new set of rules) impact those rules or previous scans results?

Same as above.
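
A concrete instance of the stand-alone script suggested in the reply above, added here as an example (it is not from the thread or from the ZAP project): it walks every alert in the current session and raises the risk of the ones whose name matches, e.g. "X-Content-Type-Options Header Missing" from Low to Medium. It assumes ZAP's Nashorn JavaScript script engine, the `ExtensionAlert.getAllAlerts()` / `updateAlert()` and `Alert.setRisk()` methods, and that the alert name is copied exactly as shown in the Alerts tab; the matching logic is kept separate from the ZAP calls so it can be tested outside the tool.

```javascript
// Added example (not from the thread or the ZAP project). Assumed API:
// org.parosproxy.paros.control.Control, org.zaproxy.zap.extension.alert.ExtensionAlert
// with getAllAlerts()/updateAlert(), and Alert.getName()/getRisk()/setRisk().

// Mirrors org.parosproxy.paros.core.scanner.Alert.RISK_* (0..3).
var RISK = { INFO: 0, LOW: 1, MEDIUM: 2, HIGH: 3 };

// Pure logic, independent of ZAP: `alerts` is an array of objects exposing
// getName(), getRisk() and setRisk(int). Only alerts whose name matches and
// whose risk differs are touched; the changed ones are returned so the
// caller can persist them.
function reassignRisk(alerts, alertName, newRisk) {
  var changed = [];
  for (var i = 0; i < alerts.length; i++) {
    var a = alerts[i];
    if (a.getName() === alertName && a.getRisk() !== newRisk) {
      a.setRisk(newRisk);
      changed.push(a);
    }
  }
  return changed;
}

// ZAP side: only callable inside ZAP, where Nashorn provides the `Java` object.
function runInZap(alertName, newRisk) {
  var Control = Java.type("org.parosproxy.paros.control.Control");
  var ExtensionAlert = Java.type("org.zaproxy.zap.extension.alert.ExtensionAlert");
  var extAlert = Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.NAME);
  var all = Java.from(extAlert.getAllAlerts());   // java.util.List -> JS array
  var changed = reassignRisk(all, alertName, newRisk);
  for (var i = 0; i < changed.length; i++) {
    // Writes the new risk to the session database and refreshes the Alerts tree.
    extAlert.updateAlert(changed[i]);
  }
  print("Updated " + changed.length + " alert(s) named '" + alertName + "'");
}

// Run as a ZAP stand-alone script; outside ZAP (e.g. Node) this guard is false.
if (typeof Java !== "undefined") {
  runInZap("X-Content-Type-Options Header Missing", RISK.MEDIUM);
}
```

The change applies to the alerts already in the current session only; new scans still raise the alert at the rule's default risk, which is why the reply points to the Alert Filters add-on for a standing rule.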

sujet.d...@outlook.com

Jan 1, 2017, 3:49:02 PM
to OWASP ZAP User Group
Thanks for your answers.

About the session comparison feature:

I have had no error but maybe I have not used it correctly. I launched a scan on the WebGoat application and saved it in a session. Then I did the same operation in a new session. Finally, I used the functionality from the second session against the first, but nothing happened. Maybe this is the default behavior when there are no differences?

One last thing which does not seem to be in your answers:

Could updating a plugin (from the ZAP interface) impact previous scan results (e.g. being unable to open a session)? Are there known issues?

sujet.d...@outlook.com

Jan 19, 2017, 11:16:39 AM
to OWASP ZAP User Group
Up!

Could someone answer me?

Otherwise, could someone explain to me how this feature (scan/session comparison) works?

Thanks.

Simon Bennetts

Jan 19, 2017, 11:32:39 AM
to OWASP ZAP User Group
It's detailed in the help: https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#compare-with-another-session

So it should generate a file showing the URLs in both sessions, with some controls allowing you to show the URLs from one or the other session.

I'm guessing you're not getting any file then?

Cheers,

Simon

sujet.d...@outlook.com

Jan 20, 2017, 10:04:24 AM
to OWASP ZAP User Group
Indeed, after choosing the two session files, nothing happens (I tried again today).

kingthorin+owaspzap

Jan 20, 2017, 10:33:29 AM
to OWASP ZAP User Group
How big are the two session files you're trying to compare?

kingthorin+owaspzap

Jan 20, 2017, 10:37:49 AM
to OWASP ZAP User Group
I just put together two quick sessions and tried a comparison. It errored out on me:

84844 [AWT-EventQueue-0] WARN org.zaproxy.zap.extension.compare.ExtensionCompare  - Parameter databaseOptions must not be null.
java.lang.IllegalArgumentException: Parameter databaseOptions must not be null.
    at org.parosproxy.paros.db.paros.ParosDatabaseServer.<init>(ParosDatabaseServer.java:68)
    at org.parosproxy.paros.db.paros.ParosDatabase.open(ParosDatabase.java:157)
    at org.zaproxy.zap.extension.compare.ExtensionCompare.compareSessions(ExtensionCompare.java:195)
    at org.zaproxy.zap.extension.compare.ExtensionCompare.access$1(ExtensionCompare.java:161)
    at org.zaproxy.zap.extension.compare.ExtensionCompare$2.actionPerformed(ExtensionCompare.java:116)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$500(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
kingthorin+owaspzap

Jan 20, 2017, 10:41:49 AM
to OWASP ZAP User Group
Issue opened.
https://github.com/zaproxy/zaproxy/issues/3157

@sujet if you could enable debugging (https://github.com/zaproxy/zaproxy/wiki/FAQlogging) and let us know if you're encountering the same issue, that would help.

thc...@gmail.com

Jan 20, 2017, 10:55:03 AM
to zaprox...@googlegroups.com
The (same) issue happens with 2.5.0 as well.

Best regards.

kingthorin+owaspzap

Jan 20, 2017, 11:58:34 AM
to OWASP ZAP User Group
Yay Open Source!

A fix has already been pushed by thc202 and accepted, so it'll be in the next weekly release and 2.6.0.

https://github.com/zaproxy/zaproxy/pull/3158
https://github.com/zaproxy/zaproxy/issues/3157


sujet.d...@outlook.com

Jan 24, 2017, 3:47:28 AM
to OWASP ZAP User Group
It works with the latest ZAP weekly version!

Thanks :)