Does ZAP have any Java or .NET agent that can sit on the app server (a form of IAST)?


Viswanath C

Oct 19, 2017, 5:03:45 PM10/19/17
to OWASP ZAP Developer Group
IBM AppScan has Glass box and HP Fortify WebInspect has agents.
Curious if ZAP has any such app server agents (for Tomcat, WebSphere, WebLogic, JBoss, IIS, etc.).

kingthorin+owaspzap

Oct 19, 2017, 8:28:06 PM10/19/17
to OWASP ZAP Developer Group
Not to date, but we gladly accept contributions.

Sushil Jawale

Jan 31, 2018, 12:15:29 PM1/31/18
to OWASP ZAP Developer Group
Do you have any plan?
Let me know, I would like to contribute... :)

Andre Gironda

Jan 31, 2018, 12:27:34 PM1/31/18
to zaproxy...@googlegroups.com
arachni is open-source and has an IAST capability.


psiinon

Feb 1, 2018, 6:35:34 AM2/1/18
to OWASP ZAP Developer Group
OK, so I've not really looked into this, but ....

I'd have thought we would need an agent which can run on a variety of platforms and:
  • Monitors a configurable set of logs
  • Handles rollovers (new logs being created on the fly)
  • Matches a configurable set of patterns
  • Provides an API that ZAP can query
  • Has suitable security on that API

So it would be a very generic 'dumb' service, all of the logic would be in the patterns.

We would then need to change ZAP to poll this service and raise alerts for any of the patterns that are discovered.


To be honest this doesn't sound that hard ;)

OK, I'm sure there's plenty more that could be done, but I think that would provide a lot of useful functionality.

I also don't think it really matters what the service is written in, although ideally it would run on as many systems as possible. So along with Java, Python and Go are possibilities (as are many others I'm sure).


What does everyone else think about this 'fag packet' design?

Does anyone know of an existing open source project that does this (and _just_ this)?


Sushil - does this sound like something you could take on?

We could definitely help with the ZAP part, that should be even easier than the service (for us).


Cheers,


Simon
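
Added example, not ZAP code and not from anyone in this thread: a minimal Python sketch of the log-side half of the design above, with a rollover-aware tailer, a constructed pattern set, and a constant-time token check standing in for the API security; PATTERNS, LogWatcher, query and demo are assumed names, and the log lines are constructed.

```python
import hmac
import os
import re
import tempfile
# Constructed example patterns: the agent stays "dumb", all logic lives here.
PATTERNS = {
    "java-stacktrace": r"^\s+at [\w$.]+\([\w.]+:\d+\)",
    "sql-error": r"SQLSyntaxErrorException|ORA-\d{5}",
}

class LogWatcher:
    """Tails one log file from the last read offset, surviving rollover."""
    def __init__(self, path, patterns=PATTERNS):
        self.path, self.offset, self.inode = path, 0, None
        self.patterns = [(n, re.compile(rx)) for n, rx in patterns.items()]

    def poll(self):
        findings = []
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return findings  # rotated away, not yet recreated: try again next poll
        # Rollover = new inode (renamed and recreated) or size < offset (truncated)
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset = st.st_ino, 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            for raw in fh:
                if not raw.endswith(b"\n"):
                    break  # partial line still being written; re-read next poll
                self.offset += len(raw)
                line = raw.decode("utf-8", errors="replace").rstrip("\n")
                findings += [{"pattern": n, "line": line} for n, rx in self.patterns if rx.search(line)]
        return findings

def query(findings, token, api_token):
    """API side: constant-time token check before handing findings to the scanner."""
    return list(findings) if hmac.compare_digest(token, api_token) else None

def demo():
    """Constructed run: write lines, poll, rotate the log, write more, poll twice."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    with open(path, "w") as f:
        f.write("INFO started\n\tat com.example.Foo.bar(Foo.java:42)\nINFO partial")
    w = LogWatcher(path)
    first = w.poll()              # one finding; the unterminated line is held back
    os.rename(path, path + ".1")  # rollover; anything not yet read from the old file is lost here
    with open(path, "w") as f:
        f.write("ERROR ORA-00933 command not properly ended\n")
    return first, w.poll(), w.poll()  # new inode -> offset reset -> one finding, then nothing
```

A real agent would wrap query() in an HTTP endpoint and finish draining the renamed file before switching, which this sketch deliberately leaves out.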

kingthorin+owaspzap

Feb 1, 2018, 3:09:01 PM2/1/18
to OWASP ZAP Developer Group
Not that we need to be at all the same. But, the arachni IAST thingy seems somewhat technology specific (I read about their ruby/rack support) and able to monitor/determine code coverage etc.

gmaran23

Feb 8, 2018, 3:57:40 AM2/8/18
to OWASP ZAP Developer Group
Simon,
I see 'binary instrumentation' missing in the list. From the IAST tools I have POC-ed (Contrast, Quotium Seeker (now Synopsys)), and from what I know, they need all the binaries (jars and dlls) that are used by the web application to analyse the flow of data through the code.

A couple of years ago, someone told me about Intel Pin for the Microsoft stack for runtime analysis of binaries, but I know nothing about it.

If IAST aligns with where we want to take ZAP to, then maybe start with supporting Apache and Java, then move on to other platforms?