Mixed Content Insecure HTTP Url's Missed During Scanning


ro da

May 28, 2018, 2:19:29 PM
to OWASP ZAP User Group
Please forgive me for deleting my original question and post. I wanted to re-post it with better clarification. In a nutshell, I enabled only the check that I want to flag insecure content in a mixed page. In this case it's the Secure Pages Include Mixed Content check:


It works flawlessly on basic test sites such as:


https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/passive-mixed-content.html

https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/active-mixed-content.html


I had a dev intentionally add an http link in an iframe that contains JavaScript referencing the non-secure link, as in:



When I attempt to spider the entire website or just the URL that contains the vulnerability, as in:


https://qa.testwebsite.com/cart


it completely missed it. My first thought was that maybe the spider isn't capable of spidering JavaScript, so I tried:

  • Using the AJAX spider (didn't make a difference)

Upon further investigation, I looked at Firefox web dev tools (network), and can see the domains that are involved until the spider reaches the URL that contains the insecure http link:



So I added these out-of-scope domains to the spider, and in particular the above domain that contains the goodies, as in:


and it simply did not make a difference. Can anyone shed some light? Thank you in advance.

thc...@gmail.com

May 29, 2018, 1:44:27 PM
to zaprox...@googlegroups.com
Hi.

Does ZAP raise the alert if you access the page that contains the
iframe? (Just to make sure that the passive scanner is flagging that case.)

The normal spider might not find much depending on how the iframe is
being added (e.g. if it requires JavaScript).

Regarding the AJAX Spider, you would have to create a context and allow
access to the assets subdomain, I'd expect that one to properly see the
iframe.

Best regards.

On 28/05/18 19:19, ro da wrote:
> Please forgive me for deleting my original question and post. I wanted to
> re-post it with better clarification. In a nutshell, I enabled only the
> check that I want to flag insecure content in a mixed page. In this case
> it's the Secure Pages Include Mixed Content check:
>
> <https://lh3.googleusercontent.com/-xCvQl8v0Cec/Wwwzk7pVJjI/AAAAAAAArcQ/VMdkkrxdoJsGGZB29luAY9y3WkuE2ZyyACLcBGAs/s1600/5-23-2018%2B2-30-23%2BPM.png>
>
>
> It works flawlessly on basic test sites such as:
>
>
> https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/passive-mixed-content.html
>
> https://googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/active-mixed-content.html
>
>
> I had a dev intentionally add an http link in an iframe that contains
> JavaScript referencing the non-secure link, as in:
>
>
> <https://lh3.googleusercontent.com/-7w2o6gMx-gQ/WwxANfDYyNI/AAAAAAAArck/XIet6XurF9U0jEVT8PujXDnQMLFNqj8kQCLcBGAs/s1600/5-24-2018%2B11-35-02%2BAM.png>
>
>
> When I attempt to spider the entire website or just the URL that contains the
> vulnerability, as in:
>
>
> https://qa.testwebsite.com/cart
>
>
> it completely missed it. My first thought was that maybe the spider isn't
> capable of spidering JavaScript, so I tried:
>
>
> - Using the AJAX spider (didn't make a difference)
>
> Upon further investigation, I looked at Firefox web dev tools (network),
> and can see the domains that are involved until the spider reaches the URL
> that contains the insecure http link:
>
> <https://lh3.googleusercontent.com/-cWnpO1D7xnc/WwxHlxZ4ROI/AAAAAAAArdM/0IANrcf9evQdxMr823VzSh3ZPsc-VOy9gCLcBGAs/s1600/5-25-2018%2B2-08-38%2BPM.png>
>
>
> So I added these out-of-scope domains to the spider, and in particular the
> above domain that contains the goodies, as in:
>
> <https://lh3.googleusercontent.com/-r7evU94rE5o/WwxDjYfwMOI/AAAAAAAArcw/33BGFfGjomkKYDvwXAOO7Z_E-gfARAldgCLcBGAs/s1600/5-25-2018%2B2-23-28%2BPM.png>

ro da

May 29, 2018, 1:48:21 PM
to OWASP ZAP User Group
I wanted to add that there is a captcha iframe that appears when accessing the page, but Firefox and Chrome are still able to identify the vulnerability without having to satisfy its requirements.

ro da

May 29, 2018, 2:10:56 PM
to OWASP ZAP User Group
Thank you for your reply. When I access the page that has the iframe containing the JavaScript that refers to (<img src="http....>) along with other http references, it's still not flagging them:


Another snippet of embedded code:

<a href="http://pages.email-xxxxxxxxxxxxx.com/pointrecovery" />

Thank you in advance.

ro da

May 29, 2018, 3:28:39 PM
to OWASP ZAP User Group
Could it be the captcha:

kingthorin+owaspzap

May 29, 2018, 5:59:19 PM
to OWASP ZAP User Group
Were you proxying via ZAP?

kingthorin+owaspzap

May 29, 2018, 6:00:36 PM
to OWASP ZAP User Group
Hard to say considering we gave no details as to the relationship between the page, frame (the issue is supposed to impact), and the captcha (in another frame?)...

ro da

May 29, 2018, 6:38:48 PM
to OWASP ZAP User Group
No, I wasn't proxying.

On Tuesday, May 29, 2018 at 5:59:19 PM UTC-4, kingthorin+owaspzap wrote:
Were you proxying via ZAP?

kingthorin+owaspzap

May 29, 2018, 7:54:25 PM
to OWASP ZAP User Group
Please try it again while proxying (through ZAP). Proxied traffic is subject to passive scanning.

ro da

May 30, 2018, 1:45:52 PM
to OWASP ZAP User Group
Thank you again for your reply,

So you want me to set up proxying on a chosen browser, then run the spider against https://qa.blahblahblah.com/cart?

thc...@gmail.com

May 30, 2018, 2:03:01 PM
to zaprox...@googlegroups.com
The spider is not required, just access that page while proxying through
ZAP. ZAP should passively scan that page and hopefully alert on mixed
content (if not, it's the scanner that needs to be updated).

Best regards.
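The point made in this thread, that only traffic which actually passes through ZAP is passively scanned and that each response is checked on its own, is easy to see in a small model of the check. The following is an added example, not ZAP's own scan rule or anything from this thread's authors: it walks a constructed proxy history (URL to response body), flags http:// subresources in HTTPS documents, and reports iframe documents that were referenced but never captured. All hostnames, page bodies and function names are constructed for the illustration. It also reflects the browser definition of mixed content: an `<a href="http://...">` is navigation, not a subresource the browser fetches into the page, so it is not flagged.

```python
"""Toy passive mixed-content check over a constructed proxy history.

Added illustration only; this is not the OWASP ZAP scan rule. Hostnames,
page bodies and function names below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser fetches as part of rendering the page.
# An <a href> is a navigation target, not a subresource, so it is omitted.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),      # stylesheets, icons, etc.
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentParser(HTMLParser):
    """Collects http:// subresource references and iframe document URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url)
        self.frames = []     # iframe src values: documents scanned separately

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.frames.append(attrs["src"])
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value and urlparse(value).scheme == "http":
                self.findings.append((tag, attr, value))


def scan_response(url, body):
    """Passive check for a single response. Only HTTPS pages can have mixed content."""
    if urlparse(url).scheme != "https":
        return [], []
    parser = MixedContentParser()
    parser.feed(body)
    return parser.findings, parser.frames


def scan_history(history):
    """history: dict of URL -> response body, as a proxy would have recorded it.

    Returns (alerts, missing): alerts are (page_url, tag, attr, http_url);
    missing lists iframe documents referenced by a scanned page but absent
    from the history, i.e. never proxied (blocked, out of scope, not loaded).
    """
    alerts, missing = [], []
    for url, body in history.items():
        findings, frames = scan_response(url, body)
        alerts.extend((url, *f) for f in findings)
        missing.extend(f for f in frames if f not in history)
    return alerts, missing


# Constructed sample pages. The top-level page is clean on its own; the
# http:// references live only inside the framed document on another host.
TOP_PAGE = """<html><body>
<script src="https://qa.example.test/static/app.js"></script>
<iframe src="https://assets.example.test/cart-widget.html"></iframe>
<a href="http://pages.example.test/pointrecovery">recover points</a>
</body></html>"""

WIDGET_PAGE = """<html><body>
<img src="http://tracker.example.test/pixel.gif">
<link rel="stylesheet" href="http://cdn.example.test/widget.css">
</body></html>"""


def demo_top_only():
    """Only the top page was proxied: no alert, one uncaptured frame reported."""
    return scan_history({"https://qa.example.test/cart": TOP_PAGE})


def demo_with_frame():
    """Frame document also proxied: the two http:// subresources are alerted."""
    return scan_history({
        "https://qa.example.test/cart": TOP_PAGE,
        "https://assets.example.test/cart-widget.html": WIDGET_PAGE,
    })


if __name__ == "__main__":
    for name, demo in (("top only", demo_top_only), ("with frame", demo_with_frame)):
        alerts, missing = demo()
        print(f"{name}: {len(alerts)} alert(s), uncaptured frames: {missing}")
        for alert in alerts:
            print("  ", alert)
```

Running `demo_top_only()` yields no alert but names the frame document that never reached the scanner, which is the state described in the thread: the browser's dev tools show the http:// loads because the browser fetched the frame, while a scanner that only saw the top-level response (or was never in the traffic path at all) has nothing to flag. Once the frame's own response is in the history, `demo_with_frame()` raises alerts against the frame URL, not the top page.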

ro da

May 30, 2018, 3:52:43 PM
to OWASP ZAP User Group
I just did exactly that and it didn't flag anything. Here is a pic of the history using proxy mode and navigating to the mixed-content page where the vulnerability exists:

[screenshot: OWASP ZAP history]

and Firefox Web Tools:

ro da

May 30, 2018, 3:56:11 PM
to OWASP ZAP User Group
A screenshot with the tags:


kingthorin+owaspzap

Jun 7, 2018, 6:47:40 AM
to OWASP ZAP User Group
Are you able to create or share a page or test case that manifests the issue? There have been snippets throughout this thread but nothing that seems reproducible.

ro da

Jun 13, 2018, 5:26:22 PM
to OWASP ZAP User Group
Is there somewhere in ZAP where I can add custom HTTP headers to the passive spider so that it can use auth credentials to proceed forward and possibly find this mixed content? Thanks for all your help.

thc...@gmail.com

Jun 13, 2018, 5:29:44 PM
to zaprox...@googlegroups.com
It's possible with the Replacer add-on [1] (or with an HTTP Sender script [2]).


[1] https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsReplacerReplacer
[2] https://github.com/zaproxy/community-scripts/tree/master/httpsender

Best regards.