Scanning modals with the HUD


Sandra Koetter

Jul 19, 2019, 4:37:11 PM
to OWASP ZAP HUD Group
hey folks,

I have a quick question about using the HUD to analyse vulnerabilities in modals. We have a couple of them and when trying to do some analysis today it seemed like it's only reading the original page and not the modal.
Had a quick look on the HUD wiki but I couldn't see anything.
Has anyone come across this and been able to read the modals as well, or could point me in the right direction?
TIA,
Sandra

Xavier Maso

Jul 19, 2019, 4:53:27 PM
to OWASP ZAP HUD Group
Hi Sandra,

If your modal is added to the DOM at runtime (by the JS executing in the browser), then ZAP will have a hard time seeing it.
Indeed, because it sits between the server and the client, it only has knowledge of the page content as it comes into the browser the first time, without the modal.

From what I remember (I haven't had a look at it in a while TBH), the HUD does not perform any kind of analysis by itself: it displays the results of the scripts ZAP runs, and offers a way to trigger those directly from the browser.

What kind of "analysis" are you willing to run?

Sandra Koetter

Jul 20, 2019, 3:15:32 PM
to OWASP ZAP HUD Group
Hi Xavier,

It's not going to be an in-depth analysis as I am still getting used to ZAP and the HUD. I want to do some security exploratory testing on a site my team is responsible for. The modal is added to the DOM at runtime and I had the suspicion it might be because of this that the HUD cannot see it, so it's good to know that this seems to be the reason.
I will do some prodding next week without using the HUD.

Xavier Maso

Jul 22, 2019, 2:39:14 PM
to OWASP ZAP HUD Group
Hi Sandra,

This is a use case (scanning modern applications) that the ZAP devs have recognized as "problematic".
One thing that might be of interest in your case is the "FrontEndScanner".
Disclaimer: I worked on this last summer; it is the add-on that (hopefully one day) will solve this!

The idea is to inject a piece of JS code alongside the application into the browser.
This allows you to run scripts to interact with (at least read from) the application state, and report things back to ZAP.

This is still a work-in-progress, so consider this as an "experimental" addon, and that means it is not yet available on ZAP's marketplace...
There are some related issues if you are interested in the project, one is about integrating with the HUD btw!
You can read more about its underlying ideas and the concept here: https://blog.xaviermaso.com/2018/10/01/Scanning-modern-web-applications-with-OWASP-ZAP.html .

If you are willing to try this out to test your application, I can give you a hand: it's highly valuable to get some "real world" use case on this.
Cheers,
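Xavier's two points above, that a proxy only ever sees the HTML the server sent and that the FrontEndScanner idea is JS injected into the page that reads application state and reports it back, as an added example. This is not ZAP's or the FrontEndScanner add-on's own code and assumes nothing about either project's API: the `report` sink is a hypothetical stand-in for whatever would carry findings back to the proxy, and the two page trees are constructed samples (the page as served, and the same page after the app's own script opened a modal).

```javascript
// Added example, not ZAP's or the FrontEndScanner add-on's own code.
// A proxy only sees the HTML the server sent; a modal inserted later by the
// page's JavaScript never passes through it. Only code running in the browser
// can see that modal, so this snippet runs in the page, finds forms inside
// dialogs, and hands a summary to a caller-supplied `report` sink (hypothetical;
// a real front-end scanner would send it back to the proxy).
//
// The walkers only use `tagName`, `children` and `getAttribute`, which real
// DOM elements provide, so the same functions run against `document.body` in
// a browser and against the constructed plain-object trees below under Node.

// Summarise one form: where it submits and which fields it carries.
function describeForm(form) {
  const fields = [];
  const collect = (node) => {
    const tag = (node.tagName || '').toUpperCase();
    if (tag === 'INPUT' || tag === 'SELECT' || tag === 'TEXTAREA') {
      fields.push({
        name: node.getAttribute('name') || '',
        type: tag === 'INPUT' ? (node.getAttribute('type') || 'text') : tag.toLowerCase(),
      });
    }
    for (const child of node.children) collect(child);
  };
  collect(form);
  return {
    action: form.getAttribute('action') || '',
    method: (form.getAttribute('method') || 'get').toLowerCase(),
    fields,
  };
}

// Every form under `root` that sits inside a <dialog> or role="dialog" element.
// `insideDialog` lets a caller say that `root` itself is already inside one.
function findDialogForms(root, insideDialog = false) {
  const findings = [];
  const walk = (node, inDialogSoFar) => {
    const tag = (node.tagName || '').toUpperCase();
    const isDialog = tag === 'DIALOG' || node.getAttribute('role') === 'dialog';
    const inDialog = inDialogSoFar || isDialog;
    if (tag === 'FORM' && inDialog) {
      findings.push(describeForm(node));
      return; // describeForm already visited the form's subtree
    }
    for (const child of node.children) walk(child, inDialog);
  };
  walk(root, insideDialog);
  return findings;
}

// Browser only: report dialog forms the moment a script inserts them, including
// a form added into a dialog that is already open. Returns null without a DOM.
function watchForDialogForms(report) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null; // e.g. running under Node
  }
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const added of m.addedNodes) {
        if (added.nodeType !== 1) continue; // elements only
        const inDialog = added.closest('dialog,[role="dialog"]') !== null;
        for (const finding of findDialogForms(added, inDialog)) report(finding);
      }
    }
  });
  observer.observe(document.body, { childList: true, subtree: true });
  return observer;
}

// Minimal element stand-in exposing the three members the walkers use.
function el(tagName, attrs = {}, ...children) {
  return {
    tagName,
    children,
    getAttribute: (name) => (Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null),
  };
}

// Constructed sample: the page as the server sent it (all the proxy saw).
const INITIAL_PAGE = el('BODY', {},
  el('NAV', {}, el('A', { href: '/' })),
  el('BUTTON', { id: 'edit-profile' }),
);

// Constructed sample: the same page after the app's JS opened a modal.
const PAGE_AFTER_MODAL = el('BODY', {},
  el('NAV', {}, el('A', { href: '/' })),
  el('BUTTON', { id: 'edit-profile' }),
  el('DIV', { role: 'dialog' },
    el('FORM', { action: '/api/profile', method: 'POST' },
      el('INPUT', { name: 'csrf', type: 'hidden' }),
      el('INPUT', { name: 'email' }),
      el('TEXTAREA', { name: 'bio' }),
      el('BUTTON', { type: 'submit' }),
    ),
  ),
);

console.log('dialog forms in served HTML:', findDialogForms(INITIAL_PAGE).length);
for (const f of findDialogForms(PAGE_AFTER_MODAL)) console.log('runtime modal form:', JSON.stringify(f));
watchForDialogForms((f) => console.log('dialog form added:', JSON.stringify(f)));
```

Run under Node the script only shows the difference between the two trees; loaded into a page (for instance from a browser console) it also keeps reporting as further modals open, which is the kind of runtime-only information a proxy-based scanner cannot collect on its own.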

Sandra Koetter

Sep 3, 2019, 8:11:13 AM
to OWASP ZAP HUD Group
Hey Xavier,

Sorry for being so late in replying - it's been a busy few months (moving, big projects, promotion).
Thanks for the info. I will look into it later this week. I think my security team might not be happy with me using an experimental add-on but I will read through the links you shared and get their input.
Cheers!

Stephen Ogu

Sep 3, 2019, 8:27:20 AM
to Sandra Koetter, OWASP ZAP HUD Group
Hi Sandra,

So wonderful to hear from you. Hope you are back fully.
