Is ZAP upgraded to test Modern JS Libraries


ch1c0hacker
Mar 7, 2018, 7:04:37 AM
to OWASP ZAP User Group
We have a bunch of Modern JS Libraries like the ones listed below.

--> AngularJS 1.x
--> Aurelia
--> Bootstrap
--> Closure
--> Dojo Toolkit
--> Emberjs
--> Knockout
--> Polymer 1.x
--> Ractive
--> React
--> RequireJS
--> Underscore / Backbone
--> Vue.js
--> jQuery
--> jQuery Mobile
--> jQuery UI

Can someone help me understand if ZAP is upgraded with vectors to identify vulnerabilities like XSS when different JS libraries are used?

Thanks in advance!
ch1c0hacker :)

kingthorin+owaspzap
Mar 7, 2018, 12:51:32 PM
to OWASP ZAP User Group
That's an awfully vague question. Are you using standard web forms? Are the parameters passed using any special wrappers or notations?

ch1c0hacker
Mar 8, 2018, 1:44:03 AM
to OWASP ZAP User Group
As an example, considering the KnockoutJS framework, assume the user input lands as the value of the 'name' attribute of a 'div' tag.

Case 1: The DIV tag looks as below when the user input is ~DivTagName~ (without ~s):
<div name="DivTagName">ABC...XYZ</div>

Case 2: The DIV tag looks as below when attempting an attack by providing the user input as ~DivTagName" oncopy="javascript:alert(1);"~ (without ~s):
<div name="Attack Attempt" oncopy="javascript:alert(1);">ABC...XYZ</div>

Case 3: Considering that the application's input validation mechanism takes care of such functions or such malicious input, we can still perform an attack by providing the input as ~DivTagName" data-bind="value: alert(2)~ (without ~s). The new DIV tag looks as below:
<div name="DivTagName" data-bind="value: alert(2)">ABC...XYZ</div>

These are the kinds of cases I'm trying to understand whether ZAP is upgraded to handle. Appreciate your help in advance!


Thanks,
ch1c0hacker :)
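The three cases above turn on one question: does the validation in front of the 'name' attribute stop the input from closing that attribute, or does it merely blocklist the attributes it knows about? The following is an added example, not code from the thread or from ZAP or Knockout. It models the "Case 3" validation as a hypothetical filter that strips `on*` event-handler attributes (`naiveValidate`), places it beside an HTML-attribute encoder (`encodeAttr`), and uses a small attribute parser (`attributeNames`) to show which approach actually keeps the user input inside `name="..."`. All function names and the rendered markup are assumptions made for this example.

```javascript
// Added example (not from the thread, ZAP, or Knockout): an on*-attribute
// blocklist versus output encoding when user input lands in a tag attribute.

// Hypothetical validation modelled on "Case 3": strip on*="..." event-handler
// attributes from the input, but leave quotes and other attributes untouched.
function naiveValidate(input) {
  return input.replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Hardened approach: encode the value for an HTML attribute context, so a `"`
// in the input can never terminate the attribute it is written into.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The server-side rendering from the thread, in both variants.
function renderDivNaive(userInput) {
  return `<div name="${naiveValidate(userInput)}">ABC...XYZ</div>`;
}
function renderDivEncoded(userInput) {
  return `<div name="${encodeAttr(userInput)}">ABC...XYZ</div>`;
}

// Parse the attribute names of the opening tag. If anything besides "name"
// shows up, the input escaped the attribute value. Knockout evaluates a
// data-bind attribute as JavaScript when ko.applyBindings() runs, so an
// attacker-added data-bind is just as much a sink as an on* handler.
function attributeNames(tag) {
  const open = tag.slice(0, tag.indexOf(">"));
  const names = [];
  const re = /\s([\w:-]+)\s*=\s*("[^"]*"|'[^']*')/g;
  let m;
  while ((m = re.exec(open)) !== null) names.push(m[1]);
  return names;
}

// Constructed inputs mirroring Case 1, Case 2 and Case 3 of the thread.
const INPUT_PLAIN = "DivTagName";
const INPUT_ONCOPY = 'DivTagName" oncopy="javascript:alert(1);';
const INPUT_DATABIND = 'DivTagName" data-bind="value: alert(2)';

// Summary table: which rendering keeps each input inside the name attribute.
function summary() {
  const rows = {};
  for (const [label, input] of Object.entries({ INPUT_PLAIN, INPUT_ONCOPY, INPUT_DATABIND })) {
    rows[label] = {
      naive: attributeNames(renderDivNaive(input)),
      encoded: attributeNames(renderDivEncoded(input)),
    };
  }
  return rows;
}

console.log(JSON.stringify(summary(), null, 2));
```

The blocklist stops Case 2 but passes Case 3 unchanged, because it only knows about `on*` names; the encoder keeps all three inputs inside `name="..."` regardless of which attribute the framework treats as executable. This is also why the thread's later requirement (no `"` even in encoded or double-encoded forms, and no extra attributes) is really a requirement about the output context, not about a list of dangerous attribute names.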

Simon Bennetts
Mar 8, 2018, 4:40:19 AM
to OWASP ZAP User Group
I think the standard XSS rules should detect this - they look for reflected/stored user input and will try to inject suitable attacks wherever it occurs.

One of the problems with modern web applications is that much of the functionality is client side.
The standard ZAP spider is very effective in exploring traditional web apps, but not so good if the links are created via JavaScript. If that's the case for your app then use the ZAP Ajax Spider. It launches browsers to explore the app, which is slower but handles JavaScript links much more effectively.

We also have a DOM XSS rule (https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsDomxssDomxss) which also launches browsers to find DOM XSS vulnerabilities that wouldn't be found without a browser.

So yes, ZAP does have some support for modern web apps, but we know it does have limitations. It's an area we are actively looking at.
If anyone has specific requests (or examples of vulnerabilities that ZAP doesn't find) then please let us know :)

Cheers,

Simon

ch1c0hacker
Mar 8, 2018, 5:19:52 AM
to OWASP ZAP User Group
Thanks for your reply Simon.

The case I was referring to is a particular case for applications which use KnockoutJS, and the scenario can be a reflected/stored/DOM based XSS. The implementation I was referring to wasn't AJAX. Hence, I'm not sure if the current version of ZAP would identify such vulnerabilities or not. I'm trying to build a sample vulnerable application to test for confirmation; however, I would appreciate your/the group's help in case it's a possibility.

Also, please can you help me better understand your statement "they look for reflected/stored user input and will try to inject suitable attacks wherever it occurs".
I understand it as: ZAP will look for any strings that are reflected (immediately, or in subsequent pages after storing) and try all the predefined vectors. Also, I believe that current scanners in the market (open source/commercial) do not have the AI (Artificial Intelligence) to build custom vectors based on a vector repository and the application's behavior. Feel free to correct my understanding.

Thanks for helping me out with additional information on the AJAX Spider, and that the DOM XSS scan feature is limited to the Firefox browser as of now. I'm yet to try these features.

Thanks Again,
ch1c0hacker :)

Simon Bennetts
Mar 8, 2018, 5:29:25 AM
to OWASP ZAP User Group
I'm hoping ZAP _will_ identify such vulnerabilities. If it doesn't then please let us know - and a simple test case that exhibits this would be much appreciated :)

ZAP is a bit more sophisticated than just trying a load of built-in payloads, but I definitely wouldn't describe it as AI :)
As per https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules#cross-site-scripting-reflected:

This rule starts by submitting a 'safe' value and analyzing all of the locations in which this value occurs in the response (if any). It then performs a series of attacks specifically targeted at the location in which each of the instances occurs, including tag attributes, URL attributes, attributes in tags which support src attributes, html comments etc.

In other words it doesn't blindly try all payloads, it just uses payloads that explicitly target the HTML contexts in which the user input is reflected, and only reports issues where it detects that the attack has broken out of the relevant context.
FYI the code for the reflected rule is here: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/TestCrossSiteScriptV2.java#L158

Cheers,

Simon


ch1c0hacker
Mar 9, 2018, 6:59:42 AM
to OWASP ZAP User Group
Hi Simon,

I have created a sample vulnerable HTML file implementing KnockoutJS and ran a ZAP scan setting "LOW" Threshold & "INSANE" Strength for all the XSS test names, i.e. 'Cross Site Scripting (Persistent)', 'Cross Site Scripting (Persistent) - Prime', 'Cross Site Scripting (Persistent) - Spider' and 'Cross Site Scripting (Reflected)'. However, the scan couldn't identify the XSS vulnerability in my HTML page, except that it identified that the 'X-XSS-Protection' header isn't enabled. Please can you look into this.

Attached are the 2 files needed 'XSS_SpecificTo_KOJS.html' and 'knockout-3.4.2.debug.js'.

Working XSS vector that is to be appended to the existing string in textbox is ",value:alert(window.location)" (excluding double quotes).

Also find the attached screenshot 'XSS_SpecificTo_KOJS_SuccessfulExecution.JPG' of a successful execution of the same.

Hope this can now be considered as a pull request. Kindly let me know your thoughts.

Thanks Again,
ch1c0hacker :)

ch1c0hacker
Mar 9, 2018, 7:04:41 AM
to OWASP ZAP User Group
Tried at least 15 times to attach files but couldn't, not even as ZIP/7z file. Please can you let me know how the files can be shared.

Thanks in advance,
ch1c0hacker :)

thc...@gmail.com
Mar 9, 2018, 7:30:03 AM
to zaprox...@googlegroups.com
Try just attaching the HTML/image files; the knockout-3.4.2.debug.js file
is not necessary, it can be obtained directly from the project:
https://github.com/knockout/knockout/releases/tag/v3.4.2

That should work, hopefully. If not, consider sending them directly to us,
and we'll try to attach them.

Best regards.

ch1c0hacker
Mar 9, 2018, 7:33:34 AM
to OWASP ZAP User Group
Hope you received the files this time...
XSS_SpecificTo_KOJS.html
XSS_SpecificTo_KOJS_SuccessfulExecution.JPG

thc...@gmail.com
Mar 9, 2018, 7:35:46 AM
to zaprox...@googlegroups.com
Yes, both files received :)

Best regards.

thc...@gmail.com
Mar 9, 2018, 9:59:55 AM
to zaprox...@googlegroups.com
The scanner Cross Site Scripting (DOM Based) reports the issue.

Best regards.

ch1c0 hacker
Mar 9, 2018, 11:19:24 AM
to zaprox...@googlegroups.com
Can you help me with the steps please?
What was the vector reported?
Is it an add-on?

Thanks in advance! 


kingthorin+owaspzap
Mar 9, 2018, 11:43:48 AM
to OWASP ZAP User Group
Yes, the DOM XSS Scanner is an add-on. It launches Firefox (currently) and looks for DOM based XSS. You can get it via the ZAP Marketplace.

ch1c0 hacker
Mar 9, 2018, 12:00:10 PM
to zaprox...@googlegroups.com
Okay, I'll try that. Any steps/documentation help on the add-on is greatly appreciated. 

In the meantime, can you also help me with the vector reported by the tool?

Thanks much in advance! 


thc...@gmail.com
Mar 9, 2018, 12:03:48 PM
to zaprox...@googlegroups.com
That's just another active scanner; you can use the same steps as for
the reflected XSS ones.

The attack of the alert is the XSS polyglot.

Best regards.

ch1c0hacker
Mar 9, 2018, 2:31:48 PM
to OWASP ZAP User Group
Hello Friends,

I have installed the latest alpha version of the DOM XSS add-on from https://github.com/zaproxy/zap-extensions/releases/download/2.7/domxss-alpha-7.zap.
Installation was successful and a Firefox instance (Version: Firefox ESR 52.6.0) opens on running the scan; however, the scan fails. The error message I could see in the Scan Analyser window is "Skipped, failed to start or connect to the browser". Attached are the screenshots of the same. Please, can you help!

Also, it would be great if you can share the vector/payload that the scan reported.
Additionally, I would request you to evaluate the scenario considering that the .html file I have prepared is a sample one without many validations implemented. The actual considerations needed are that " (double quotes) are completely disallowed, even in encoded/double-encoded formats, and that no additional HTML tag attributes are allowed in user input.

Thanks in advance,
ch1c0hacker :)
Scan Analyzer Report.JPG
DOM XSS Installation Confirmation_IncludingVersionDetails.JPG
Firefox Version Installed.JPG

kingthorin+owaspzap
Mar 9, 2018, 3:42:34 PM
to OWASP ZAP User Group
Since you installed manually you probably didn't get the dependencies: Selenium and geckodriver.

thc...@gmail.com
Mar 9, 2018, 3:43:55 PM
to zaprox...@googlegroups.com
Best is to use a newer version of Firefox, according to the geckodriver
docs, greater than 54. It's possible to configure ZAP to use a version
other than the default installed one, in Options > Selenium > Firefox.

Scan reported the XSS polyglot:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

Best regards.

ch1c0hacker
Mar 9, 2018, 3:47:58 PM
to OWASP ZAP User Group
Hello Friends,

I could finally execute the DOM XSS add-on on a different machine without any issues. Thanks for your patience! Back to the original scenario, although my problem detailed in the previous post isn't yet resolved.

Yes! The DOM XSS add-on identifies the XSS vulnerability in the <strong> tag but not the XSS vulnerability in the "document.write()" function within <script> on line 17.

The attached updated HTML files second my observation.
"XSS_SpecificTo_KOJS_HtmlStrongTagRemoved.html", when scanned using all of the Cross Site Scripting rules including the DOM XSS add-on in INSANE mode, hasn't reported any XSS.
Whereas the same vector/payload ",value:alert(window.location)" (excluding double quotes) still works in both the files.
Please can you share your thoughts!

Thanks much in advance!
ch1c0hacker :)
XSS_SpecificTo_KOJS.html
XSS_SpecificTo_KOJS_HtmlStrongTagRemoved.html

ch1c0 hacker
Mar 14, 2018, 9:02:50 AM
to zaprox...@googlegroups.com
Hello Friends, 

Please let me know if you are looking for any more information, so I can try to help.

Thanks, 
ch1c0hacker :) 


On Mar 12, 2018 22:48, "ch1c0 hacker" <ch1c0h...@gmail.com> wrote:
Hello Friends,

Have you had an opportunity to look into my email?

- ch1c0hacker :)


kingthorin+owaspzap
Mar 14, 2018, 6:23:13 PM
to OWASP ZAP User Group
I haven't had a chance to recreate any of this. Chances are there are false negative situations. If you'd like to submit a code change to address this one we'd be happy to deal with the pull request.

ch1c0 hacker
Mar 15, 2018, 5:21:45 AM
to zaprox...@googlegroups.com
Sure, I'll try my best.
Can you help me with the list of files that deal with Cross Site Scripting payloads & testing scenarios, and where I can find them in the installed location, so I can attempt to make changes?

Thanks in advance,
ch1c0hacker :)



kingthorin+owaspzap
Mar 15, 2018, 5:59:21 AM
to OWASP ZAP User Group
https://github.com/zaproxy/zaproxy/wiki/Contributing-Changes
https://github.com/zaproxy/zaproxy/wiki/DevGuidelines

Building extensions is done via ant (build.xml).

The reflected cross site scripting rule is here:
https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/TestCrossSiteScriptV2.java

You can modify it, build the add-on, load it in ZAP (Ctrl+L) and test it.
You should also update the unit test:
https://github.com/zaproxy/zap-extensions/blob/master/test/org/zaproxy/zap/extension/ascanrules/TestCrossSiteScriptV2UnitTest.java
to cover whatever change(s) you make to the scanner.

kingthorin+owaspzap
Mar 15, 2018, 6:04:48 AM
to OWASP ZAP User Group
I should have included: the majority of the dev team uses Eclipse (you don't have to; others use IntelliJ). However, using Eclipse will make it easier for us to support and guide you if needed.

I've used the last few versions of Eclipse and am currently running Oxygen2 on my dev systems. I don't think any of the team have moved to Photon yet.

ch1c0 hacker
Mar 16, 2018, 5:27:40 AM
to zaprox...@googlegroups.com
Hey,

I have done the below but couldn't see my changes for testing. Please can you help me.

1. Using the IDE Eclipse Oxygen2 with "Enhanced Class Decompiler".
2. Forked the code to my GitHub account.
3. Imported the code from my account and made some changes.
4. Created a remote and branch to push my changes to the code repository in my GitHub account.
5. The IDE reported that the push was successful; however, I couldn't see any changes pushed to the code in my GitHub account. I could see the new branch created, though.

Please, can you help me with how I can push the changes and how I can test my changes.

Thanks much in advance,
ch1c0hacker :)


kingthorin+owaspzap
Mar 16, 2018, 6:52:50 AM
to OWASP ZAP User Group
  1. In the branch where you made the changes open /zap-extensions/build/build.xml
  2. Find the "deploy-ascanrules-without-help-indexes" job.
  3. Right click on it in the outline and select Run As > Ant Build
  4. Note the build location, such as \zap-extensions\build\zap-exts\ascanrules-release-31.zap
  5. Launch ZAP and run a scan to test the package (it should have been copied to the correct location for your dev version of ZAP). If it doesn't run then the copy location was off: go to the marketplace and uninstall the existing extension. In ZAP hit Ctrl+L (Load Add-on) and navigate to the path noted in step 5.
  6. Run a scan and test your changes.

kingthorin+owaspzap
Apr 16, 2018, 9:36:13 AM
to OWASP ZAP User Group
ch1c0hacker, any luck making progress on this?

ch1c0 hacker
Apr 16, 2018, 9:56:47 AM
to zaprox...@googlegroups.com
Hey, 

I couldn't progress much on this yet. I'm facing troubles at multiple layers.

1. The PoC I created only has DOM XSS cases, but the ZAP code I could download doesn't have that testing module.
2. I'm having a somewhat tough time recreating similar PoCs for the reflected and persistent XSS cases. I'm quite sure we'll need to add similar code constructs to all 3 XSS modules.
3. Also, I'm still unable to identify how/where the descriptive function names like 'test in img tag' are defined. I could identify where and what test cases were listed for these scenarios, but not the locations where the descriptive function names are defined for the machine to understand.

I'm working on this; however, I accept the pace has been very slow. Any help/guidance would really help.

Thanks in advance, 
ch1c0hacker. 



kingthorin+owaspzap
Apr 16, 2018, 4:23:46 PM
to OWASP ZAP User Group
The domxss scanner is in the alpha or beta branch, not master.

As for the reflected XSS scanner, the code is pretty monolithic (the majority of the code is in one or two functions). Your best bet is probably to add some temporary logging or println's to figure out the correct sink context for the eye catcher.

I wish I could be more specific, but I'm putting this response together on my phone while riding a city bus.

Feel free to ask questions, we’re glad to assist.