New ZAP vulnerability checks & recommendations


Aaron Bryson

Apr 25, 2014, 1:20:17 PM
to zaproxy...@googlegroups.com
A few months ago I came across a neat website that does some basic security-related HTTP header checks on the websites provided to it. That website is: https://securityheaders.com/

There are several HTTP headers that, if not present, will be listed as a vulnerability. I think it would be great to implement these extra checks in ZAP.

For example, ZAP already checks for X-Frame-Options and X-Content-Type-Options HTTP headers. But we should add these as vulnerability checks:
  1. Strict-Transport-Security
  2. nosniff
  3. X-XSS-Protection
  4. Access-Control-Allow-Origin: *
  5. Server:
  6. X-Powered-By
  7. Permitted-Cross-Domain-Policies
I use ZAP in conjunction with the aforementioned website, and always have to manually add in these extra recommendations. Burp and other proxy tools do not have this check built in either, so it would be cool for ZAP to have it.

Thoughts?

Thanks,
Aaron B.

kingthorin+owaspzap

Apr 25, 2014, 1:37:53 PM
to zaproxy...@googlegroups.com
This could be handled pretty easily through a Passive script or some new passive rules.

kingthorin+owaspzap

Apr 25, 2014, 2:43:13 PM
to zaproxy...@googlegroups.com
Here's a VERY quick example of how this could be handled by a passive script:

// The scan function will be called for each request/response made via ZAP, excluding some of the automated tools
// Passive scan rules should not make any requests

// Note that new passive scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"

function scan(ps, msg, src) {
    // raiseAlert(risk, int reliability, String name, String description, String uri,
    //        String param, String attack, String otherInfo, String solution, String evidence,
    //        int cweId, int wascId, HttpMessage msg)
    // risk: 0: info, 1: low, 2: medium, 3: high
    // reliability: 0: falsePositive, 1: suspicious, 2: warning

    // getHeader() returns null when the header is absent, so only alert when a Server header is present
    var server = msg.getResponseHeader().getHeader("Server");
    if (server == null) {
        return;
    }

    ps.raiseAlert(0, 1, 'Server Leaks Version Information via "Server" Header Field', 'Description',
        msg.getRequestHeader().getURI().toString(),
        '', '', '', 'See http://httpd.apache.org/docs/current/mod/core.html#servertokens for further details',
        server, 0, 0, msg);
}
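A fuller version of the same idea, added here as an example and not part of the original thread or of ZAP's own passive rules: a passive-scan script that covers the headers listed in the opening post. The header logic lives in a pure function, checkHeaders(), that takes a plain name-to-value object and can be run under Node for testing; scan() is the thin ZAP adapter. The adapter assumes ZAP's HttpHeader.getHeader() returns null for an absent header and HttpRequestHeader.isSecure() reports whether the request was HTTPS. Two choices are this example's own: a digit anywhere in the Server value is treated as version disclosure (so "nginx" passes and "Apache/2.4.7" does not), and item 7 of the list is checked under the header's actual name, X-Permitted-Cross-Domain-Policies. The sample response headers are constructed for the demo.

```javascript
// Added example passive-scan script (ES5 so it also loads in ZAP's script engine).
// checkHeaders() is pure and testable; scan() is the ZAP entry point.

// HTTP header names are case-insensitive, so look the name up that way.
function getHeader(headers, name) {
    var lower = name.toLowerCase();
    for (var k in headers) {
        if (headers.hasOwnProperty(k) && k.toLowerCase() === lower) {
            return headers[k];
        }
    }
    return null;
}

// Returns a list of findings {name, risk, evidence} for one response.
// isHttps: true when the request went over TLS (HSTS only matters there).
// headers: plain object mapping response header name -> value.
// risk uses ZAP's scale: 0 info, 1 low, 2 medium, 3 high.
function checkHeaders(isHttps, headers) {
    var findings = [];
    var v;

    // 1. HSTS: only meaningful on HTTPS responses.
    if (isHttps && getHeader(headers, 'Strict-Transport-Security') === null) {
        findings.push({ name: 'Strict-Transport-Security Header Not Set', risk: 1, evidence: '' });
    }
    // 2. nosniff: header must be present AND carry exactly that value.
    v = getHeader(headers, 'X-Content-Type-Options');
    if (v === null || v.trim().toLowerCase() !== 'nosniff') {
        findings.push({ name: 'X-Content-Type-Options Header Missing or Not "nosniff"', risk: 1, evidence: v || '' });
    }
    // 3. X-XSS-Protection absent.
    if (getHeader(headers, 'X-XSS-Protection') === null) {
        findings.push({ name: 'X-XSS-Protection Header Not Set', risk: 1, evidence: '' });
    }
    // 4. CORS wildcard origin.
    v = getHeader(headers, 'Access-Control-Allow-Origin');
    if (v !== null && v.trim() === '*') {
        findings.push({ name: 'Access-Control-Allow-Origin Wildcard', risk: 2, evidence: v });
    }
    // 5. Server header: flag only when it looks like it carries a version (heuristic: any digit).
    v = getHeader(headers, 'Server');
    if (v !== null && /\d/.test(v)) {
        findings.push({ name: 'Server Leaks Version Information via "Server" Header Field', risk: 1, evidence: v });
    }
    // 6. X-Powered-By: any value is a technology disclosure.
    v = getHeader(headers, 'X-Powered-By');
    if (v !== null) {
        findings.push({ name: 'Server Leaks Information via "X-Powered-By" Header Field', risk: 1, evidence: v });
    }
    // 7. Cross-domain policy header absent (real header name has the X- prefix).
    if (getHeader(headers, 'X-Permitted-Cross-Domain-Policies') === null) {
        findings.push({ name: 'X-Permitted-Cross-Domain-Policies Header Not Set', risk: 0, evidence: '' });
    }
    return findings;
}

// ZAP entry point. ps and msg are supplied by ZAP; this is never called under Node.
function scan(ps, msg, src) {
    var hdr = msg.getResponseHeader();
    var names = ['Strict-Transport-Security', 'X-Content-Type-Options', 'X-XSS-Protection',
                 'Access-Control-Allow-Origin', 'Server', 'X-Powered-By',
                 'X-Permitted-Cross-Domain-Policies'];
    var headers = {};
    for (var i = 0; i < names.length; i++) {
        var val = hdr.getHeader(names[i]);          // assumed: null when absent
        if (val !== null) { headers[names[i]] = String(val); }
    }
    var isHttps = msg.getRequestHeader().isSecure();   // assumed ZAP API
    var uri = msg.getRequestHeader().getURI().toString();
    var findings = checkHeaders(isHttps, headers);
    for (var j = 0; j < findings.length; j++) {
        // raiseAlert(risk, reliability, name, description, uri, param, attack, otherInfo,
        //            solution, evidence, cweId, wascId, msg); reliability 2 = warning
        ps.raiseAlert(findings[j].risk, 2, findings[j].name,
            'Response header check (added example script)', uri, '', '', '',
            'Set or correct the header on the server.', findings[j].evidence, 0, 0, msg);
    }
}

// Constructed sample: a typical default LAMP response over HTTPS with a CORS wildcard.
var SAMPLE_RESPONSE_HEADERS = {
    'Server': 'Apache/2.4.7 (Ubuntu)',
    'X-Powered-By': 'PHP/5.5.9',
    'Access-Control-Allow-Origin': '*',
    'Content-Type': 'text/html'
};

// Runs the checks over the constructed sample; returns all seven findings.
function demo() {
    return checkHeaders(true, SAMPLE_RESPONSE_HEADERS);
}

// Print only where a console exists (Node); ZAP's engine has none, so this is skipped there.
if (typeof console !== 'undefined') {
    console.log(JSON.stringify(demo(), null, 2));
}
```

Save it as a passive script in ZAP and enable it from the Scripts tree as described above; outside ZAP, `node headers.js` runs the checks against the constructed sample and prints the findings, which is how the logic was verified before wiring in the adapter.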

psiinon

Apr 28, 2014, 5:18:25 AM
to zaproxy...@googlegroups.com
Good suggestion, I'd be very happy to see these implemented (and nice script, KingThorin ;).

I've raised an enhancement request: http://code.google.com/p/zaproxy/issues/detail?id=1169
These should be easy to do (I've flagged it as an IdealFirstBug).

Anyone fancy implementing them all?

Cheers,

Simon

kingthorin+owaspzap

Apr 29, 2014, 3:05:21 PM
to zaproxy...@googlegroups.com
After I finish issue 642 I'd take a crack at implementing these as pscanrules.

psiinon

Apr 30, 2014, 4:50:43 AM
to zaproxy...@googlegroups.com
Assigned to you :)