Plugins for ZAP Marketplace


Philippe Arteau

Mar 26, 2016, 12:28:02 AM
to OWASP ZAP Developer Group
Note: this email is directed to psiinon to release plugins to the marketplace. I am making the conversation public because there are most likely small details that I will be missing at first (if this makes sense :/).

Hi psiinon,
I finally got time to fully retest two of my plugins in the latest ZAP version.

Plugin 1: Retire.js
Description: Passive rule that scans JavaScript files to find known vulnerable libraries. It uses the Retire.js repository, as the name indicates.

Plugin 2: Reissue Request Scripter
Description: This extension generates scripts to reissue a selected request.

Build
The plugins can be repackaged if needed by running the install step from travis-ci and then running "mvn clean install".

Let me know if these are ready for release.

Thanks and great job on the ZAP project.

psiinon

Mar 29, 2016, 11:42:54 AM
to OWASP ZAP Developer Group
Hey Philippe,

That's great, I'll have a look at them as soon as I can.
Are you still pulling the latest rules down from the Retire.js repository?
If so then it would be worth discussing that point here.
As you know we state that add-ons should not make any unapproved remote requests, as
  1. Pentesters really don't like tools that talk to 3rd party sites
  2. ZAP is often used in environments where there is no internet access

However I can see situations like this where it could make sense to allow some requests to 3rd party sites, but we would have to be very clear on which situations, how we flag this to the user and exactly what data can be sent and received.


What do people on this group think?

Should we allow add-ons on the ZAP Marketplace to access 3rd party sites, and if so under what circumstances and how should we inform users?


Cheers,


Simon

thc...@gmail.com

Apr 11, 2016, 11:29:07 AM
to zaproxy...@googlegroups.com, philipp...@gmail.com
Hi.

Where's the best place to add comments about the code?


You should raise a pull request to reserve/register the scanner ID. [1]


[1]
https://github.com/zaproxy/zaproxy/blob/30c308dc84bb9b280abe45c7c9e773d5fbc3c98f/src/doc/alerts.xml

Best regards.

On 26/03/16 04:28, Philippe Arteau wrote:
> Note: this email is directed to psiinon to release plugins to the
> marketplace. I am making the conversation public because there are most
> likely small details that I will be missing at first (if this makes
> sense :/).
>
> Hi psiinon,
> I finally got time to fully retest two of my plugins in the latest ZAP
> version.
>
> *Plugin 1: Retire.js*
> Description: Passive rule that scans JavaScript files to find known
> vulnerable libraries. It uses the Retire.js repository, as the name indicates.
> Source code : https://github.com/h3xstream/burp-retire-js
> ZAP pre-build plugin
> : https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/releases/zap/retirejs-alpha-3.zap
>
> *Plugin 2: Reissue Request Scripter*
> Description: This extension generates scripts to reissue a selected
> request.
> Source code : https://github.com/h3xstream/http-script-generator
> ZAP pre-build plugin
> : https://github.com/h3xstream/http-script-generator/blob/gh-pages/releases/zap/scriptgen-alpha-5.zap
>
> Build
> The plugins can be repackaged if needed by running the install step from
> travis-ci and then running "mvn clean install".
>
> Let me know if these are ready for release.
>
> Thanks and great job on the ZAP project.
>

Philippe Arteau

Apr 11, 2016, 4:54:40 PM
to OWASP ZAP Developer Group
Sorry for the late response.

"Are you still pulling the latest rules down from the Retire.js repository?" Yes.
The JSON repo is cached to work offline.

I think external requests should be reviewed case by case. The likelihood of it being used to track users is low because the file is hosted on GitHub.

Potential solutions to deal with plugins in the long term:
 - Notify the user visually that the plugin makes external requests, with a reason for doing so (new configuration in the plugin's ZapAddOn.xml??).
 - Maybe a sandbox could be made to allow/disallow external requests.
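As an added illustration of the two points in this thread (it is not code from ZAP, Retire.js or Philippe's plugins), the block below shows a Retire.js-style passive check that runs entirely from a cached rule file, and a rule source that contacts the remote repository only when the user has opted in, recording every remote request so the add-on can show it. The rule entries follow the shape of a Retire.js repository entry, but the entries themselves, the `REMOTE_RULES_URL` placeholder and the JavaScript samples are constructed for this example; the `fetcher` callable is injected so the example runs offline.

```python
"""Hypothetical illustration (not ZAP or Retire.js code): a passive check over
cached library rules, plus remote refresh that happens only on explicit opt-in."""
import re

# Constructed rule set in the shape of a Retire.js repository entry: a library,
# its vulnerable version ranges, and a regex extractor for the version string.
CACHED_RULES = {
    "jquery": {
        "vulnerabilities": [
            {"below": "1.6.3", "severity": "medium",
             "identifiers": {"summary": "constructed example advisory A"}},
            {"atOrAbove": "1.8.0", "below": "1.9.1", "severity": "medium",
             "identifiers": {"summary": "constructed example advisory B"}},
        ],
        "extractors": {"filecontent": [r"/\*!? ?jQuery v(§§version§§)"]},
    }
}

# Placeholder only; this example makes no claim about the real repository location.
REMOTE_RULES_URL = "https://example.invalid/retire-repository.json"

# Version token substituted for §§version§§ in extractor patterns.
VERSION_RE = r"[0-9][0-9.a-z_\-]+"


def version_key(v):
    """Order versions numerically where possible, so '1.10' sorts after '1.9'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def is_vulnerable(version, vuln):
    """True when version falls in [atOrAbove, below), with atOrAbove optional."""
    key = version_key(version)
    if "atOrAbove" in vuln and key < version_key(vuln["atOrAbove"]):
        return False
    return key < version_key(vuln["below"])


def scan_js(content, rules):
    """Passive check: extract library versions from JS content and match the rules."""
    findings = []
    for lib, entry in rules.items():
        for pattern in entry.get("extractors", {}).get("filecontent", []):
            regex = pattern.replace("§§version§§", VERSION_RE)
            for match in re.finditer(regex, content):
                version = match.group(1)
                for vuln in entry["vulnerabilities"]:
                    if is_vulnerable(version, vuln):
                        findings.append({"library": lib, "version": version,
                                         "below": vuln["below"],
                                         "severity": vuln.get("severity", "unknown"),
                                         "summary": vuln["identifiers"]["summary"]})
    return findings


class RuleSource:
    """Serves cached rules; contacts the remote URL only when allow_remote is set,
    and keeps an audit trail of every remote request for the UI to display."""

    def __init__(self, cached, allow_remote=False, fetcher=None):
        self.cached = cached
        self.allow_remote = allow_remote
        self.fetcher = fetcher  # callable(url) -> dict, injected so this runs offline
        self.audit = []

    def rules(self):
        if not self.allow_remote:
            self.audit.append("using cached rules; remote refresh disabled")
            return self.cached
        self.audit.append(f"remote request: GET {REMOTE_RULES_URL}")
        try:
            fresh = self.fetcher(REMOTE_RULES_URL)
            if not isinstance(fresh, dict):
                raise ValueError("unexpected rule format")
            self.cached = fresh
            self.audit.append("remote rules accepted and cached")
        except Exception as exc:  # offline, refused, or malformed: keep working from cache
            self.audit.append(f"remote refresh failed ({exc}); keeping cached rules")
        return self.cached


# Constructed JavaScript samples, as a passive scanner would see them in responses.
OLD_JQUERY_JS = "/*! jQuery v1.6.2 | jquery.org/license */ (function(){})();"
NEW_JQUERY_JS = "/*! jQuery v1.9.1 | jquery.org/license */ (function(){})();"


def demo(allow_remote=False, fetcher=None):
    """Scan both samples with the configured rule source; returns findings and audit."""
    source = RuleSource(CACHED_RULES, allow_remote=allow_remote, fetcher=fetcher)
    rules = source.rules()
    return {"old": scan_js(OLD_JQUERY_JS, rules),
            "new": scan_js(NEW_JQUERY_JS, rules),
            "audit": source.audit}


if __name__ == "__main__":
    result = demo()
    for f in result["old"]:
        print(f"{f['library']} {f['version']} < {f['below']} ({f['severity']}): {f['summary']}")
    print("\n".join(result["audit"]))
```

With the default `allow_remote=False` the scanner never leaves the machine and still flags the old jQuery sample from the cached rules; a failed or refused refresh falls back to the cache rather than disabling the rule. The audit entries are the material an add-on would surface in the UI, which is the visual notification suggested above.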
