TLS checks in ZAP


Naveen Rajamannar

Apr 20, 2023, 12:08:47 PM
to OWASP ZAP User Group
Hi,

Does ZAP have the following tests?

V9.1.1 Verify TLS Fallback
V9.1.2 Verify TLS Cipher Suites
V9.1.3 Verify Latest TLS Versioning

If not, are there any examples/scripts for adding them?

kingthorin+owaspzap

Apr 20, 2023, 2:01:17 PM
to OWASP ZAP User Group
ZAP used to have some functionality like that, but it was slow and clunky and not used very much, so it was retired.

Naveen Rajamannar

Apr 21, 2023, 1:06:41 AM
to OWASP ZAP User Group

Thanks,

Just wondering, is there any way to extend ZAP and do this in ZAP scripting? I am trying to automate as many test cases as possible using ZAP.

Naveen Rajamannar

Apr 21, 2023, 3:00:23 AM
to OWASP ZAP User Group
I have a script like this right now in Python:

import subprocess

# Set the hostname and port number for the application
hostname = 'ec.ex.com'
port = 443

# Run the sslscan command and capture the output
output2 = subprocess.check_output(['sslscan', hostname + ':' + str(port)])

# Convert the output to a string and search for weak ciphers
output_str = output2.decode('utf-8')
print(output_str)
if 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' in output_str or \
        'TLS_DHE_RSA_WITH_AES_256_CBC_SHA' in output_str or \
        'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256' in output_str or \
        'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256' in output_str:
    print('Weak ciphers are enabled')
else:
    print('Weak ciphers are not enabled')

This runs fine in PyCharm, but it does not run as a ZAP script, as ZAP is not recognising the sslscan tool. Can this be run using the Selenium that is available under scripting with Java?

thc...@gmail.com

Apr 21, 2023, 6:03:31 AM
to zaprox...@googlegroups.com
That should work when running in ZAP too (assuming sslscan is in the PATH).

What's the actual error?
(Note that you should run it as a standalone or targeted script.)

Best regards.

Naveen Rajamannar

Apr 21, 2023, 6:20:55 AM
to OWASP ZAP User Group
I am getting the following error:

Traceback (most recent call last):
  File "09.01.02-Verify-TLS-Cipher Suites", line 8, in <module>
  File "/Users/naveenr/Library/Application Support/ZAP/plugin/jython-beta-12.zap/Lib/subprocess.py", line 579, in check_output
  File "/Users/naveenr/Library/Application Support/ZAP/plugin/jython-beta-12.zap/Lib/subprocess.py", line 892, in __init__
  File "/Users/naveenr/Library/Application Support/ZAP/plugin/jython-beta-12.zap/Lib/subprocess.py", line 1402, in _execute_child
OSError: [Errno 2] No such file or directory

When I got the same error in PyCharm, I installed sslscan and it started working.
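As an added example (not the poster's script and not anything shipped with ZAP), here is a standalone script that parses sslscan output for the three checks listed in the first message instead of substring-matching individual suite names. It assumes sslscan's default output layout, which uses OpenSSL-style cipher names such as DHE-RSA-AES128-SHA rather than the IANA TLS_..._WITH_... names the posted script looks for; the sample output is constructed, and the code avoids Python 3-only syntax so it should also run under ZAP's Jython engine once sslscan is on the PATH.

```python
import re
import subprocess

# Constructed sample in the layout sslscan prints by default (OpenSSL cipher
# names such as DHE-RSA-AES128-SHA, not IANA TLS_..._WITH_... names), so the
# checks can run here without the tool installed.
SAMPLE_OUTPUT = """
  SSL/TLS Protocols:
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  128 bits  AES128-SHA
"""

# Known-broken primitives, plus a heuristic: anything that is not an AEAD
# suite (GCM/CCM/ChaCha20) is a CBC-style suite and is reported as weak.
BROKEN = re.compile(r'RC4|DES-CBC|3DES|NULL|EXPORT|ADH|AECDH|MD5')
AEAD = re.compile(r'GCM|CCM|CHACHA20')

def run_sslscan(hostname, port):
    """Run sslscan (must be on the PATH) and return its text output."""
    return subprocess.check_output(['sslscan', '%s:%d' % (hostname, port)]).decode('utf-8')

def check_tls(output):
    """Map sslscan output onto the three ASVS V9.1 checks asked about above."""
    enabled = re.findall(r'^(SSLv\d|TLSv1\.\d)\s+enabled', output, re.M)
    ciphers = re.findall(r'^(?:Preferred|Accepted)\s+TLSv1\.\d\s+\d+ bits\s+(\S+)', output, re.M)
    weak = sorted(set(c for c in ciphers if BROKEN.search(c) or not AEAD.search(c)))
    return {
        'V9.1.1_fallback_scsv': 'Server supports TLS Fallback SCSV' in output,
        'V9.1.2_weak_ciphers': weak,
        'V9.1.3_legacy_protocols': [p for p in enabled if p not in ('TLSv1.2', 'TLSv1.3')],
        'V9.1.3_tls13_enabled': 'TLSv1.3' in enabled,
    }

if __name__ == '__main__':
    # Swap SAMPLE_OUTPUT for run_sslscan('ec.ex.com', 443) once sslscan is installed.
    for name, result in sorted(check_tls(SAMPLE_OUTPUT).items()):
        print('{0}: {1}'.format(name, result))
```

Run as a standalone ZAP script, the OSError above means the sslscan binary was not found on the PATH of the process that launched ZAP; the parser itself does not need the tool to be tested.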
