How to choose which parameters to attack during ZAP Active scan


baks...@gmail.com

Jul 31, 2017, 4:43:46 AM7/31/17
to OWASP ZAP User Group
Hi All,

I tried searching for this, but I can't find a straightforward answer.

I loaded my REST API using the Open API plugin and it seems to be working well.

However I can't find a way to add more headers and body parameters and get ZAP to attack them when doing an active scan.
Ideally I would want ZAP to attack a subset of those parameters.
For example:
username:
password:
but ignore User-Agent:

Currently it's only attacking user-agent:

For example, in my header it attacks the User-Agent field:
User-Agent: response.write(100,000*100,000)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)&timeout /T {0}&



How do I go about doing this?

Simon Bennetts

Jul 31, 2017, 6:15:52 AM7/31/17
to OWASP ZAP User Group
This is part of the exploration phase.
You can just proxy requests including the extra headers and body parameters through ZAP.
Once you've done that then ZAP will attack them as part of an active scan.

Cheers,

Simon

guth....@gmail.com

Jul 31, 2017, 6:34:41 AM7/31/17
to OWASP ZAP User Group
You could use a script to make custom scanning vectors. Here's an example that will add a header X-Foobar with a default value of bla to all requests that get scanned:

// The parseParameters function will typically be called for every page and
// the setParameter function is called by each active plugin to bundle specific attacks

// Note that new custom input vector scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"

// The following handles differences in printing between Java 7's Rhino JS engine
// and Java 8's Nashorn JS engine
if (typeof println == 'undefined') this.println = print;

function parseParameters(helper, msg) {
    // Register X-Foobar as a scannable header with the default value "bla"
    helper.addParamHeader("X-Foobar", "bla");
    // add more headers here to inject into more headers
}

function setParameter(helper, msg, param, value, escaped) {
    // Write the scanner's payload into the header currently under attack
    msg.getRequestHeader().setHeader(param, value);
}


Now if you enable script inputs from the scan settings and disable header vectors, then you'll be able to scan your added headers without scanning headers such as User-Agent.
Basically the script is a replacement for the default Headers input vector. It provides a custom, more selective vector.

Simon Bennetts

Jul 31, 2017, 6:38:21 AM7/31/17
to OWASP ZAP User Group
So this script will add the specified headers to all requests, rather than actually attacking them.
Very useful, but I don't think that's what the original question was about ;)

guth....@gmail.com

Jul 31, 2017, 9:05:09 AM7/31/17
to OWASP ZAP User Group
Oh, you're right, that script would only add one of the headers. The script below will work the intended way:

if (typeof println == 'undefined') this.println = print;

function parseParameters(helper, msg) {
    // Register each custom header with the default value the scanner should see
    helper.addParamHeader("X-Foobar", "bla");
    helper.addParamHeader("X-Gleglo", "boo");

    // add more headers here to inject into more headers
}

function setParameter(helper, msg, param, value, escaped) {
    // getParamList() returns a java.util.List of NameValuePair
    var params = helper.getParamList();
    for (var i = 0; i < params.size(); i++) {
        // adds all the headers defined earlier with the default values that were given
        msg.getRequestHeader().setHeader(params.get(i).getName(), params.get(i).getValue());
    }
    // overwrites the scanned header with the payload of the scan
    msg.getRequestHeader().setHeader(param, value);
}

This is an example of a request that the scanner would do with the above Script Input Vector:

GET http://example.org/daa HTTP/1.1
X-Foobar: /etc/passwd
X-Gleglo: boo
Content-Length: 0
Host: example.org
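The two scripts above register extra headers only. The original question also asked about body parameters (username, password) in a REST request, so the following is an added example, not code from this thread or from the ZAP project, of a Script Input Vector that restricts the active scanner to an allowlist of headers and top-level JSON body fields. The header names (X-Api-Key, Authorization), the field names (username, password) and the sample login request are assumptions chosen for illustration. The script uses helper.addParamHeader and helper.addParamPost plus the request header and body methods on msg, as in ZAP's input vector template; the Fake* classes at the bottom are constructed stand-ins for ZAP's objects so the script can be exercised under Node, and would be dropped when the script is loaded into ZAP as an "Input Vector" script with the Script vector enabled and the HTTP Headers vector disabled under the active scan input vector options.

```javascript
// Added example (not from the thread or the ZAP project): a Script Input Vector
// that attacks only an allowlist of headers and top-level JSON body fields.
// Header/field names and the sample request are assumptions for illustration.
// Relies on helper.addParamHeader/addParamPost and the msg request header and
// body methods used by ZAP's input vector template; the Fake* classes at the
// bottom are constructed stand-ins (not ZAP classes) so it runs under Node.

var SCANNED_HEADERS = ["X-Api-Key", "Authorization"];   // attacked as headers
var SCANNED_JSON_FIELDS = ["username", "password"];     // attacked inside a JSON body
// Anything not listed (User-Agent, Content-Type, other JSON keys) is never registered
// with the helper, so no active-scan rule ever injects into it.

function isJsonRequest(msg) {
    var ct = msg.getRequestHeader().getHeader("Content-Type");
    return ct != null && String(ct).toLowerCase().indexOf("application/json") >= 0;
}

// Called once per message: register every parameter the scanner may mutate.
function parseParameters(helper, msg) {
    var hdr = msg.getRequestHeader();
    for (var i = 0; i < SCANNED_HEADERS.length; i++) {
        var current = hdr.getHeader(SCANNED_HEADERS[i]);
        // Absent headers are registered with "" so payloads are injected as new headers
        helper.addParamHeader(SCANNED_HEADERS[i], current == null ? "" : String(current));
    }
    if (!isJsonRequest(msg)) { return; }
    var body;
    try { body = JSON.parse(String(msg.getRequestBody().toString())); } catch (e) { return; }
    for (var j = 0; j < SCANNED_JSON_FIELDS.length; j++) {
        var name = SCANNED_JSON_FIELDS[j];
        if (Object.prototype.hasOwnProperty.call(body, name)) {
            helper.addParamPost(name, String(body[name]));
        }
    }
}

// Called per payload: write it into the one parameter under attack, leave the rest intact.
function setParameter(helper, msg, param, value, escaped) {
    if (SCANNED_HEADERS.indexOf(param) >= 0) {
        msg.getRequestHeader().setHeader(param, value);
        return;
    }
    if (SCANNED_JSON_FIELDS.indexOf(param) >= 0 && isJsonRequest(msg)) {
        var body = JSON.parse(String(msg.getRequestBody().toString()));
        body[param] = String(value);           // re-serialising keeps the JSON well formed
        msg.setRequestBody(JSON.stringify(body));
        msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
    }
}

// ---- Constructed test doubles so the script can be exercised outside ZAP ----
function FakeHeader(headers) { this.headers = headers; }
FakeHeader.prototype.getHeader = function (name) {
    for (var k in this.headers) { if (k.toLowerCase() === name.toLowerCase()) { return this.headers[k]; } }
    return null;
};
FakeHeader.prototype.setHeader = function (name, value) { this.headers[name] = value; };
FakeHeader.prototype.setContentLength = function (n) { this.headers["Content-Length"] = String(n); };
function FakeBody(text) { this.text = text; }
FakeBody.prototype.toString = function () { return this.text; };
FakeBody.prototype.length = function () { return this.text.length; };
function FakeMessage(headers, bodyText) { this.hdr = new FakeHeader(headers); this.body = new FakeBody(bodyText); }
FakeMessage.prototype.getRequestHeader = function () { return this.hdr; };
FakeMessage.prototype.getRequestBody = function () { return this.body; };
FakeMessage.prototype.setRequestBody = function (text) { this.body = new FakeBody(text); };
function FakeHelper() { this.params = []; }
FakeHelper.prototype.addParamHeader = function (n, v) { this.params.push({ name: n, value: v, type: "header" }); };
FakeHelper.prototype.addParamPost = function (n, v) { this.params.push({ name: n, value: v, type: "post" }); };

// Parse a constructed login request, inject one payload into one parameter,
// and return what the scanner would actually send.
function simulateScan(param, payload) {
    var msg = new FakeMessage(
        { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0", "X-Api-Key": "k123" },
        JSON.stringify({ username: "alice", password: "s3cret", remember: true }));
    var helper = new FakeHelper();
    parseParameters(helper, msg);
    setParameter(helper, msg, param, payload, false);
    return {
        registered: helper.params.map(function (p) { return p.name; }),
        headers: msg.getRequestHeader().headers,
        body: JSON.parse(msg.getRequestBody().toString())
    };
}

if (typeof require !== "undefined" && require.main === module) {
    console.log(JSON.stringify(simulateScan("password", "' OR 1=1--"), null, 2));
}
```

Only the names returned by parseParameters ever receive payloads, which is what makes User-Agent safe from the scanner here; the JSON branch re-serialises the body and resets Content-Length so a payload containing quotes or braces does not produce a malformed request that the API would reject before the injection point is reached. The script sticks to ES5 syntax so it loads under both the Rhino and Nashorn engines mentioned in the replies above.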


