Owasp Zap doesn't appear to use my TOR Connection?


Hood

Mar 25, 2021, 1:55:03 PM
to OWASP ZAP User Group
Hi all!

I am new to OWASP ZAP and all of the associated components of pentesting.

I have setup torghost and it works for my web browsers and all other connections out of the box.

However, when I run an 'attack' in OWASP ZAP it doesn't appear to be using this TOR connection and somehow uses the base WAN IP.

Can you explain how I can set up OWASP ZAP to behave as I want (all traffic through torghost)?

thc...@gmail.com

Mar 25, 2021, 2:00:55 PM
to zaprox...@googlegroups.com
Hi.

ZAP does not pick up the system proxy configuration, you have to configure ZAP
to use an outgoing proxy (SOCKS one).

Best regards.

Hood

Mar 25, 2021, 2:18:24 PM
to OWASP ZAP User Group
Aha that explains it.

That leads to the next question! Any docs on how to configure ZAP in this way?

I also therefore assume I need to do something to torghost to have it pick up or expose an outgoing proxy...?

thc...@gmail.com

Mar 25, 2021, 2:32:49 PM
to zaprox...@googlegroups.com
Yes, in:
https://www.zaproxy.org/docs/desktop/ui/dialogs/options/connection/#socks-proxy


It should be already doing that, you just need to know which port it is
bound to.

Best regards.

Hood

Mar 25, 2021, 3:11:53 PM
to OWASP ZAP User Group
I am not sure if it is, because I thought it handled everything through iptables.

Nevertheless, I did a 'netstat -t -l -p' and found:

9050
9051
which I think are associated with the torghost but the '-p' flag didn't detect the program or PID associated with those ports.

I tried configuring the SOCKS proxy for v4a and v5 but the behaviour was exactly the same. Any way for me to verify if it's hitting this proxy? Also, are we sure this is a 'socks' proxy and not a 'proxy chain outgoing proxy' - it's unclear what the difference is to me!

Hood

Mar 25, 2021, 3:19:55 PM
to OWASP ZAP User Group
Running nmap against localhost I can see that 9050 is indeed a SOCKS proxy open, that supports socks4 and socks5.

Therefore I believe the SOCKS proxy is working, yet, I don't believe ZAP is using it!

thc...@gmail.com

Mar 25, 2021, 3:22:52 PM
to zaprox...@googlegroups.com
The easiest is to access a site that reports your IP.

Make sure that you configure the proxy before accessing any site
(restart ZAP to make sure).

(You should use v5, otherwise with v4 it will leak DNS requests.)

Best regards.
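An added example, written for this thread rather than taken from ZAP or torghost, that does in code what Hood did with nmap and netstat above and what thc202 suggests for verification: it speaks the SOCKS5 method-negotiation and CONNECT messages (RFC 1928) to a local listener, decodes the replies, and reports whether the listener really tunnels a connection. The CONNECT request carries the destination as a hostname (address type 0x03), which is why a SOCKS5 client does not do the local DNS lookup that thc202 warns v4 leaks. The proxy address 127.0.0.1:9050 is the port seen in the thread; the target `example.com` and all function names are placeholders of mine.

```python
# Added example (not ZAP or torghost code): a minimal SOCKS5 client-side probe.
# It checks that a listener such as 127.0.0.1:9050 negotiates SOCKS5 with no
# authentication and builds CONNECT requests that carry the hostname (ATYP 0x03),
# so name resolution happens on the proxy side rather than on the local machine.
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928, section 6.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client greeting: VER=5, NMETHODS=1, METHODS=[no authentication]."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_greeting_reply(data: bytes) -> bool:
    """Return True when the server selected 'no authentication'.

    Raises ValueError if the bytes are not a SOCKS5 method-selection reply,
    which is what you get when the port is not a SOCKS5 proxy at all
    (an HTTP proxy, for instance, answers with text)."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method-selection reply: %r" % (data,))
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("server rejected every offered auth method")
    return data[1] == NO_AUTH


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request with the destination given as a domain name (ATYP 0x03).

    The hostname goes to the proxy unresolved, so the client never performs
    a local DNS lookup for it."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(data: bytes):
    """Decode a CONNECT reply into (reply_code, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, addr, port


def probe(proxy_host="127.0.0.1", proxy_port=9050,
          target="example.com", target_port=443, timeout=10):
    """Talk to the proxy and report whether it tunnels a CONNECT for `target`.

    proxy_host/proxy_port default to the port seen in the thread (assumption);
    `target` is a placeholder and can be any host the proxy may reach."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        if not parse_greeting_reply(s.recv(2)):
            return "proxy wants authentication"
        s.sendall(build_connect(target, target_port))
        # Longest possible reply: 4 header bytes + 1 length + 255 name + 2 port.
        rep, addr, port = parse_connect_reply(s.recv(262))
        return "%s (bound to %s:%d)" % (REPLY_TEXT.get(rep, "reply 0x%02x" % rep), addr, port)


if __name__ == "__main__":
    print(probe())
```

Running it against a port that is not a SOCKS5 proxy raises a ValueError from `parse_greeting_reply` instead of returning a reply, which is the quick way to tell a SOCKS listener from something else bound to the same port; a reply of "succeeded" means the proxy opened the tunnel, and any later 403 is coming from the site, not from the proxy setup.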

Hood

Mar 25, 2021, 4:22:33 PM
to OWASP ZAP User Group
Ok so, if I visit https://www.whatismyipaddress.com in my browser - I see my TOR exit node IP address - which is what I expect.

If I do a quickstart in ZAP with https://www.whatismyipaddress.com - it fails instantly saying:

Progress: Failed to attack the URL: received a 403 response code, expected 200.

After doing some bits of research - it seems that when using http against the tor connection - services such as cloudflare etc don't trust the tor exit point IP - and then issue a 403 to the user, before presenting them a captcha style user verification page before continuing -- what I think I see here.

Clearly my SOCKS setup was working nicely - thank you @thc202. I know it's now scope creep but:

How do users normally negotiate these kinds of problems? 

thc...@gmail.com

Mar 25, 2021, 4:45:58 PM
to zaprox...@googlegroups.com
You need to make yourself look like a person and less like an automated
tool... :)
(ZAP does not add any headers usually used by browsers, so adding some
of those will make CF happy, at least on first contact.)

Anyway, you shouldn't use quickstart against any site but your own (or
that you have permission to), quickstart will spider and scan.

If you are just probing (like this case) it's better to use Manual
Request Editor.


P.S. It's none of my business but... use Tor judiciously, it's a
precious resource for everyone :)

Best regards.

Hood

Mar 25, 2021, 4:48:29 PM
to OWASP ZAP User Group
Interestingly, I find that CF detects the TOR through my browser, even after changing exit node etc - basically tor is rendered pretty much useless when CF is this effective in terms of stopping any even normal web traffic from using it.

Am I configuring something wrong here? I can see why ZAP's automatic scan missing headers etc. represents an obvious signal to CF, but when my normal browsers behave like this too -- what is going on!

thc...@gmail.com

Mar 25, 2021, 4:58:49 PM
to zaprox...@googlegroups.com
Make sure that you clean your browser, cookies might give away that you
are still the same (bad ;) person.
You can also solve the captchas, that should appease CF for a while, or
try another exit node...

(That's why it's good to be careful, "bad behaviour" might end up
causing issues to other Tor users, ones that might really depend on it.)

Best regards.

Hood

Mar 25, 2021, 5:22:45 PM
to OWASP ZAP User Group
Well that's just the thing!

I have cleared all data from browsers, use private tabs, switch exit nodes - yet CloudFlare still picks it up and presents "Attention Required" and an associated captcha. 

Once completing that in browsers, Imunify 360 then is another layer which has another captcha, and even after that - that only allows the 'browser' access - tools like ZAP must be part of a unique session which then again still don't work without those captchas being performed.

I can't see how TOR is helping anybody if this is the default response to new clients from CF and Imunify 360. And from a pen testing point of view, what would you do to work around this given these scenarios? This is a tough one!

thc...@gmail.com

Mar 25, 2021, 6:29:50 PM
to zaprox...@googlegroups.com
Did you try with Tor browser? Are you seeing the same problems?
(ZAP can use the same cookies as the browser.)

Why would you need to use Tor for pentesting? :) You can use other
connections than the Tor network for that.

Best regards.

Hood

Mar 25, 2021, 6:51:25 PM
to OWASP ZAP User Group
It is partially about trying to conceal the attack location -- what would a pentester normally do to hide their external IP - as clearly they don't want that to be on show.

By default, does each launched browser from ZAP scrap cookies etc?

Simon Bennetts

Mar 26, 2021, 5:14:50 AM
to OWASP ZAP User Group
On Thursday, 25 March 2021 at 22:51:25 UTC Hood wrote:
It is partially about trying to conceal the attack location -- what would a pentester normally do to hide their external IP - as clearly they don't want that to be on show

If a pentester is taking part in a standard scheduled pentest then there is no need to hide their IP address. The company which owns the target has organised the pentest and is expecting to be attacked. They will typically have set up a unique instance just for the test.
Likewise bug bounties - these are for public sites which are going to be attacked anyway.
If a bug bounty excluded automated tools then there's a good chance that there will be a WAF or similar which will block connections if an automated attack is detected.

The exception to this would be a red team exercise where the people running the target system don't know that they are going to be attacked.
However, they should still be able to detect and react to an automated attack as these are very noisy.
In this case a more subtle manual approach is likely to be used, in which case the attacker's traffic should be 'lost' amongst the usual traffic from valid users.

thc...@gmail.com

Mar 28, 2021, 7:06:27 PM
to zaprox...@googlegroups.com
> By default, does each launched browser from ZAP scrap cookies etc?

ZAP keeps track of session cookies (as defined in the options), then the
sessions can be set as active/used as needed.

Best regards.