GWT apps scanning abilities in ZAP


Deepjyoti Saikia

Feb 12, 2013, 9:09:24 AM
to zaproxy...@googlegroups.com
Hi ZAP-ers,

Any thoughts on having GWT application scanning capabilities in ZAP.

Regards,
Dj

psiinon

Feb 12, 2013, 11:04:11 AM
to zaproxy...@googlegroups.com
Hi Deepjyoti,

I'm always in favour of adding more capabilities to ZAP ;)

What did you have in mind?

Cheers,

Simon

Deepjyoti Saikia

Feb 12, 2013, 11:22:25 AM
to zaproxy...@googlegroups.com
Simon, a few days back I had a casual chance to look into a GWT app. All requests were GWT RPC calls, and I really doubt there are any automated scanners which can deobfuscate as well as fuzz such requests. I found only a few open-source Python tools which were up to the task, but without guaranteed results.
I think this is a good-to-have feature in ZAP.
I am doing a little homework on this; I will come up with some points in the next few days.
Simon, did you pen test a GWT app? Maybe you could share a few inputs with me :-)

Cheers,
Dj

Björn Kimminich

Feb 12, 2013, 2:46:46 PM
to zaproxy...@googlegroups.com
Hi all!

I think GWT applications are not even on the feature list of any commercial scanner application. Neither can they be properly safeguarded by existing WAFs, afaik.

The obfuscation Google does for GWT-RPC is really ... thorough. And it might even be changed without further notice from one GWT version to another. So this would definitely be a tough nut to crack.

I'd still love to have such a feature, because we use GWT a lot in our recent applications... :-)

Regards,
Björn

Deepjyoti Saikia

Feb 13, 2013, 12:20:12 AM
to zaproxy...@googlegroups.com
Hi Björn,

GWT is slowly but surely coming up on every scanner's list; one such I am aware of is NTO Spider, more information here,


Cheers,
Dj

psiinon

Feb 13, 2013, 5:23:25 AM
to zaproxy...@googlegroups.com
I haven't tested a GWT app for a while, but I'm very keen for ZAP to support them as effectively as possible.
And some of the things we'll need to support will help test AJAX apps in general.
So deobfuscation is one aspect, as is getting ZAP to recognise XML and JSON parameters (for AJAX in general) and then attack them.
What else would be useful?

Cheers,

Simon

Anant Shrivastava

Feb 14, 2013, 2:51:08 AM
to zaproxy...@googlegroups.com
Talking of AJAX, this may be a bit off topic, but what's the status of ASP.NET ViewState and Java serialized object decoding in ZAP? Is the capability already there? If not, this would be a good-to-have feature.

psiinon

Feb 14, 2013, 4:21:47 AM
to zaproxy...@googlegroups.com
We've got a couple of related passive scan rules:
https://code.google.com/p/zap-extensions/source/browse/branches/beta/src/org/zaproxy/zap/extension/pscanrulesBeta/InsecureJSFViewStatePassiveScanner.java
https://code.google.com/p/zap-extensions/source/browse/branches/beta/src/org/zaproxy/zap/extension/pscanrulesBeta/ViewstateScanner.java
but yes, it would be really nice to be able to encode/decode these (and Java serialized objects etc.) in the UI as well.

Any volunteers?
Would this be a good student project?
I'm just about to kick off another thread re GSoC 2012 ;)

Cheers,

Simon

Michael Courcy

Sep 23, 2015, 12:23:31 PM
to OWASP ZAP Developer Group
Hi Simon,

Sorry to dig out this old thread, but I'm really interested.

Could you give the big steps to do such a thing, or do you know an extension which is functionally close?

I see a class in the source code: org.parosproxy.paros.core.scanner.VariantGWTQuery, and I wonder if it's the answer?

If you could explain the role of VariantAbstractQuery:
How is it activated? (by the method isValidContentType maybe)
How does it work with the proxy: when the payload is built to be sent to the server, or when the request is coming in?
Are the different active scans called before or after it?
Can I bring another Variant with an extension or with a simple script?
What if two variants are addressing the same content type? For instance, if I want to replace VariantGWTQuery without rebuilding ZAP.

Thanks a lot !

yha...@gmail.com

Oct 4, 2015, 8:20:14 AM
to OWASP ZAP Developer Group
Dear all, GWT has already been supported by ZAP since 2014 with a Variant that is able to de-serialize and serialize parameters and also manage escaping, to launch all the existing ZAP plugins.
This means that when you enable it in the Variant panel, the active scanner can look for a GWT serialization content type and encode payloads inside the serialized content.

yha...@gmail.com

Oct 4, 2015, 8:25:16 AM
to OWASP ZAP Developer Group
Dear Saikia, currently ZAP supports GWT RPC serialization using a Variant that you can enable in the Variant panel, and that can be used by the active scanner to launch attack payloads correctly encoded for the backend.
The real limitation is that the search for GWT requests isn't supported by the spiders (maybe the AJAX spider can work, but I haven't tested it), so in a real scenario I had to use the proxy, then manually launch the page that connects using the GWT client to the backend, intercept the call thanks to the proxy, then launch the active scan on it (or on the entire tree).
I think that we can enhance the behavior by looking for the possibility to crawl GWT requests automatically, maybe testing the AJAX spider or enhancing it...

Antoine

Sep 27, 2016, 3:39:20 AM
to OWASP ZAP Developer Group
Hello,

What is the Variant panel? Where can I find it?
I need to de-serialize GWT requests.

Thank you for your answer.

thc...@gmail.com

Sep 27, 2016, 3:52:39 AM
to zaproxy...@googlegroups.com
Hi.

The option is called "Google Web Toolkit" and is under "Options" > "Active Scan Input Vectors" > "Built-in Input Vector Handlers". [1]

(To be effectively used the option "POST Data" also needs to be enabled.)

If you are referring to the code, the class responsible for the handling is org.parosproxy.paros.core.scanner.VariantGWTQuery.

[1]
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsAscaninput

Best regards.

Antoine

Sep 27, 2016, 4:13:05 AM
to OWASP ZAP Developer Group
Thank you thc202 !

Moreover, is ZAP able to de-serialize GWT requests and responses "on the fly"?
For example, if I intercept requests and responses between a client and a GWT application, can I display a view where the strange stuff of GWT becomes clear? (Maybe it's not even possible; I don't find consistent documentation about how data is encoded by GWT applications.)

Best regards,

yha...@gmail.com

Nov 18, 2016, 5:01:16 AM
to OWASP ZAP Developer Group
Hi Antoine, currently ZAP can deserialize/serialize GWT streams only during the scanning step (e.g. when the active, beta and alpha plugins installed on the system are launched in a scanning session).
This is performed using the Variant model described by THC before.
Currently the content of a GWT request while proxying is shown in its serialized form, but it is easily understandable because GWT serialization is very simple (pipes and bad chars escaped).
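The description above (a pipe-delimited stream with pipes and bad characters escaped), together with the earlier note that the Variant de-serializes and re-serializes parameters while managing escaping, is enough to write a small decoder. The Python below is an added example, not ZAP's VariantGWTQuery and not code posted by anyone in this thread. The sample request body is constructed and the strong name in it is a placeholder, not a real policy hash; the fixed header that follows the string table (module base URL, strong name, service interface, method name, parameter count, one type reference per parameter, then the raw values) is the standard GWT-RPC request layout, and the escapes `\!`, `\\`, `\0` and `\uXXXX` are the ones GWT's stream writer emits, while escaping every control character as `\uXXXX` is this example's own conservative choice. It decodes a body into its string table and reference stream, resolves the header references so the call reads the way Antoine asked for, and re-encodes a modified string table with escaping intact so that a value containing `|` cannot shift the reference stream.

```python
# Added example: decode, inspect and re-encode a GWT-RPC request body.
# Not ZAP code. Escape rules follow GWT's stream writer (\! \\ \0 \uXXXX);
# escaping all control chars as \uXXXX is this example's conservative choice.
from dataclasses import dataclass
from typing import Dict, List

_UNESCAPE = {"!": "|", "\\": "\\", "0": "\0"}
_ESCAPE = {"|": "\\!", "\\": "\\\\", "\0": "\\0"}


@dataclass
class GwtRpcRequest:
    version: int        # first token
    flags: int          # second token
    strings: List[str]  # string table, unescaped
    refs: List[int]     # 1-based table indexes and literal ints that follow


def unescape(token: str) -> str:
    """Undo string-table escaping for one token."""
    out: List[str] = []
    i = 0
    while i < len(token):
        if token[i] != "\\":
            out.append(token[i])
            i += 1
        elif i + 1 < len(token) and token[i + 1] in _UNESCAPE:
            out.append(_UNESCAPE[token[i + 1]])
            i += 2
        elif token[i + 1:i + 2] == "u" and len(token) >= i + 6:
            out.append(chr(int(token[i + 2:i + 6], 16)))  # ValueError on bad hex
            i += 6
        else:
            raise ValueError(f"bad escape at offset {i} in {token!r}")
    return "".join(out)


def escape(value: str) -> str:
    """Escape a string so it survives the pipe framing."""
    return "".join(
        _ESCAPE.get(c, f"\\u{ord(c):04x}" if ord(c) < 0x20 else c) for c in value
    )


def decode(body: str) -> GwtRpcRequest:
    """Split version|flags|count|strings...|refs...| into its parts."""
    if not body.endswith("|"):
        raise ValueError("GWT-RPC body must end with '|'")
    tokens = body[:-1].split("|")  # escaped pipes never appear as a literal '|'
    if len(tokens) < 3:
        raise ValueError("missing version|flags|count header")
    version, flags, count = (int(t) for t in tokens[:3])
    if count < 0 or 3 + count > len(tokens):
        raise ValueError(f"string table declares {count} entries, body has fewer")
    strings = [unescape(t) for t in tokens[3:3 + count]]
    refs = [int(t) for t in tokens[3 + count:]]
    return GwtRpcRequest(version, flags, strings, refs)


def encode(req: GwtRpcRequest) -> str:
    """Inverse of decode(); re-escapes strings so framing stays intact."""
    tokens = [str(req.version), str(req.flags), str(len(req.strings))]
    tokens += [escape(s) for s in req.strings] + [str(r) for r in req.refs]
    return "|".join(tokens) + "|"


def describe(req: GwtRpcRequest) -> Dict[str, object]:
    """Resolve the header refs: module URL, strong name, service, method,
    parameter count, one type ref per parameter; parameter values stay raw."""
    def ref(i: int) -> str:
        idx = req.refs[i]
        if not 1 <= idx <= len(req.strings):
            raise ValueError(f"reference {idx} points outside the string table")
        return req.strings[idx - 1]

    if len(req.refs) < 5 or len(req.refs) < 5 + req.refs[4]:
        raise ValueError("reference stream shorter than the request header")
    count = req.refs[4]
    return {
        "module_base_url": ref(0), "strong_name": ref(1),
        "service": ref(2), "method": ref(3),
        "param_types": [ref(5 + i) for i in range(count)],
        "param_values": req.refs[5 + count:],
    }


def with_string(req: GwtRpcRequest, index: int, value: str) -> GwtRpcRequest:
    """Copy of req with string-table entry `index` (1-based) replaced; this is
    the step an input-vector handler performs, and encode() re-escapes it."""
    if not 1 <= index <= len(req.strings):
        raise IndexError("string table index out of range")
    strings = list(req.strings)
    strings[index - 1] = value
    return GwtRpcRequest(req.version, req.flags, strings, list(req.refs))


# Constructed sample; the strong name is a placeholder, not a real policy hash.
SAMPLE_BODY = (
    "7|0|6|http://example.test/app/|0123456789ABCDEF0123456789ABCDEF|"
    "com.example.GreetingService|greet|java.lang.String/2004016611|"
    "Hello\\!World|1|2|3|4|1|5|6|"
)
```

Running `describe(decode(SAMPLE_BODY))` resolves the call to service `com.example.GreetingService`, method `greet`, one `java.lang.String/2004016611` parameter whose value is string-table entry 6 (`Hello|World`, stored on the wire as `Hello\!World`). A plain `split("|")` is safe precisely because the writer never leaves a literal pipe inside a table entry, which is also why `with_string` followed by `encode` keeps the token count unchanged whatever the new value contains.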