GSoC Dynamically Configurable Actions


psiinon

Apr 25, 2013, 5:36:19 AM
to zaproxy...@googlegroups.com
This thread is for discussing the GSoC Dynamically Configurable Actions project.

I've been working on a related project for Mozilla which I think changes the nature of this proposal.
I've mentioned this to some of the students who have expressed an interest in the project, but I want to make sure that nobody is left out.

The project I've been working on is Mozilla Zest:
I've created a ZAP add-on for it which works with ZAP 2.1.0: http://code.google.com/p/zap-extensions/wiki/AddOn_Zest

For the first phase the focus was on creating reproducible security tests.
I've just started the second phase which will allow Zest scripts to be used for active and passive scanning rules.

I think Zest will be ideal for the dynamically configurable actions, and there will still be plenty of interesting work to do on it :)
Some of the tasks that I think will be required:
  • Identifying initial use cases
  • Identifying integration points (eg spider, fuzzer etc)
  • Implementing hooks for integrating scripts
  • Adding new features to Zest as required
  • Designing and implementing the UI for actions
  • Improving the UI for writing and maintaining scripts
  • Enhancing the REST API to control scripts
  • Creating example scripts for a variety of use cases
  • Creating regression tests
  • Writing documentation and help files

Feel free to post to this thread if you have any questions about this project.

Cheers,

Simon


Ryan Tan

Apr 30, 2013, 1:44:17 AM
to zaproxy...@googlegroups.com
Hi Simon,

Sorry for the late reply, my exams just ended.
Anyway, about hooks for integrating scripts, you mean hooks to the UI so that when the user selects them they will be executed?

Ryan Tan

Apr 30, 2013, 4:11:49 AM
to zaproxy...@googlegroups.com
Hi Simon,

Also, the integration points meaning how to integrate this ZAP Add-on to utilize other features
of ZAP simultaneously right?

- Ryan

psiinon

Apr 30, 2013, 4:37:13 AM
to zaproxy...@googlegroups.com
Hi Ryan,

I'd like to be able to integrate Zest scripts _everywhere_ in ZAP :)

So imagine you have a website with a wizard with 3 steps, each of which has a different anti CSRF token.
You want to test a parameter on the last page, but you have to go through the first 2 each time.
I think we could do that with Zest with only a few changes.
Then imagine if you got logged out if the application detected an attack.
You would then need to detect if you had been logged out and re-authenticate.
That would be extremely difficult for a fully automated tool, and very difficult to do manually as well.
But again, I think we could get Zest to do that.

So we need to identify as many places as possible in ZAP where we could integrate Zest scripts and implement a generic plugin mechanism that can be used wherever it is relevant.
Then design and implement a UI which allows the user to easily manage the scripts and integration points.

Does that make sense?

Cheers,

Simon
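The wizard scenario Simon describes, as an added Python sketch that is not part of this thread, of Zest or of ZAP: the `WizardApp` mock, its credentials and its token markup are constructed stand-ins for a real site. The script replays steps 1 and 2 with their per-step anti-CSRF tokens to reach step 3, recognises the "logged out" page, re-authenticates once and retries.

```python
import re
import secrets

# Constructed in-memory stand-in for the site described above: a 3-step wizard with a
# fresh anti-CSRF token per step, which logs the user out when it spots an attack.
class WizardApp:
    LOGIN_PAGE = (302, "<p>Please log in</p>")
    def __init__(self):
        self.session, self.tokens = None, {}
    def login(self, user, password):
        if (user, password) != ("tester", "s3cret"):  # constructed credentials
            return 401, "<p>bad credentials</p>"
        self.session = secrets.token_hex(8)
        return 200, "<p>welcome</p>"
    def get(self, step):  # render the step form with a fresh token
        if self.session is None:
            return self.LOGIN_PAGE
        self.tokens[step] = secrets.token_hex(16)
        return 200, f'<form><input name="csrf" value="{self.tokens[step]}"></form>'
    def post(self, step, data):  # tokens are single-use and bound to their step
        if self.session is None:
            return self.LOGIN_PAGE
        if data.get("csrf") != self.tokens.pop(step, None):
            return 403, "<p>invalid or reused token</p>"
        if step == 3 and "'" in data.get("param", ""):  # crude "attack detected" rule
            self.session = None
            return self.LOGIN_PAGE
        return 200, f"<p>step {step} accepted</p>"

TOKEN_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')

def submit_last_step(app, payload, creds=("tester", "s3cret")):
    # Walk steps 1-2 with their tokens and submit payload on step 3; if the site logs
    # us out at any point, re-authenticate once and restart from step 1.
    reauths = 0
    while True:
        for step in (1, 2, 3):
            status, body = app.get(step)
            if "Please log in" not in body:
                token = TOKEN_RE.search(body).group(1)
                data = {"csrf": token, "param": payload if step == 3 else "ok"}
                status, body = app.post(step, data)
            if "Please log in" in body:
                break  # logged out: leave the step loop
        else:
            return status, body, reauths  # all three steps went through
        if reauths:
            return status, body, reauths  # already retried once: report the logout
        app.login(*creds)
        reauths += 1
```

The returned `reauths` count is what a scanning rule would log to show that a session was dropped and recovered mid-test.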

Ryan Tan

May 2, 2013, 4:48:47 AM
to zaproxy...@googlegroups.com
Hi Simon,

Thanks for the explanation with an example, it really does explain a lot.
I have edited my proposal according to your explanation, hope I am heading in the correct direction.

Cheers,
Ryan