add payloads to active scan


Javi D R

Sep 12, 2017, 9:43:28 AM
to OWASP ZAP User Group
Hi

Can I edit the payloads that are automatically sent in the active scan?

I would like to add my own payloads, and... why not? It would be good to share this with you to see if it is worth including them in ZAP

Thanks

Simon Bennetts

Sep 12, 2017, 9:55:57 AM
to OWASP ZAP User Group
In ZAP there are 2 different concepts: active scanning and fuzzing.
Fuzzing is chucking loads of bad things at a URL. We have lots of ways for you to define what you want to send. However you need to work out if the bad stuff you sent did something 'interesting'.
Active scanning is where ZAP sends specific attacks and based on the responses works out if the attacks were likely to be effective or not.
You can't just add payloads - how would ZAP know what effect the payloads were supposed to have?
However we do make it as easy as possible for you to define your own active scan scripts, in which you can add both the payloads and the code for working out what happened.
We've got a couple of examples here: https://github.com/zaproxy/community-scripts/tree/master/active

We're not against you adding your own payloads in principle, we just can't see how they would work in practice :)

Cheers,

Simon

Javi D R

Sep 12, 2017, 10:02:01 AM
to OWASP ZAP User Group
You are totally right about active scan and fuzzing. In fact, I am referring to fuzzing

But the fuzzing attack is not an option that is available in the API, right? It needs to be a manual action

So, the only way I can see to do automated attacks against a URL from the ZAP API is using active scan and adding more payloads there

Does it make more sense now? Is there any better option to do it?

Thanks

Simon Bennetts

Sep 12, 2017, 10:12:05 AM
to OWASP ZAP User Group
Ah ok, that makes more sense :)

You are right, fuzzing is not yet available via the API - we have a bug open for that: https://github.com/zaproxy/zaproxy/issues/1689
You can definitely use active scanning as a form of fuzzing.
The question I have for you - how do you want to detect something gone wrong?
We kind of do this in the API scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan
In this case we don't actually send additional attacks, but we do add 2 http_sender scripts to report 'interesting' things: https://github.com/zaproxy/zaproxy/tree/develop/build/docker/scripts/scripts/httpsender
So you can just add active scan scripts which supply the payloads you want.
I've highlighted the relevant bits of the JavaScript active scan template: https://github.com/zaproxy/zaproxy/blob/develop/src/scripts/templates/active/Active%20default%20template.js#L64-L71
You can always loop around those lines supplying as many attacks as you like.

Does that help?

Cheers,

Simon

Javi D R

Sep 12, 2017, 10:23:39 AM
to OWASP ZAP User Group
Yep, it helps thanks

In general, I am using a payload list of 170 payloads that covers most of the attacks (SQL injection, XSS, LDAP attack, path traversal etc.) and this is the list of payloads I would like to send as part of the active scan. That link for the template script would do what I want, I think.

Detection would be the same, the rules are already good (apart from that infamous reflected XSS flag when the response contains the payload in the request). It is just adding to the number of payloads sent to the attacker

Thanks!

Simon Bennetts

Sep 12, 2017, 10:30:06 AM
to OWASP ZAP User Group
Let us know how you get on with that - I'm sure a lot of other people will be interested too.
So if you fancied writing a blog post once you've got it all sorted ... ;)

Javi D R

Sep 13, 2017, 6:24:55 AM
to OWASP ZAP User Group
Hi

I have never used a script before in ZAP, so I am sure I am doing something wrong. I am unable to run the scripts from the active scan

I have added my JS script to active rules, I have enabled that, and in the active scanner options I have ticked the option to enable script input vectors

However, none of those are executed

Even in the script tab, the play button is greyed out

How can I run scripts here?

Thanks

Simon Bennetts

Sep 13, 2017, 6:42:37 AM
to OWASP ZAP User Group
Hmm, sounds like you are doing the right things, although you don't need to enable the script input vectors (unless you also have script input vector scripts).
Do you have 'Script Active Scan Rules' (in the Miscellaneous) enabled in the scan policy you are using?
Are there any errors shown in the Script Console?
The play button will be greyed out because active scan scripts need a target to run against.

Cheers,

Simon

Javi D R

Sep 13, 2017, 6:48:48 AM
to OWASP ZAP User Group
Oops, I didn't enable that in misc. It works now

Good, I will try to progress this during this week. Hope it will bring what I want

Thanks!

Simon Bennetts

Sep 13, 2017, 6:49:52 AM
to OWASP ZAP User Group
Cool - looking forward to seeing how you get on :)

Javi D R

Sep 14, 2017, 4:44:01 AM
to OWASP ZAP User Group
Hi Simon

With a couple of lines of code I can now read from a file and use the active scanner as a fuzzer. It reads all my payloads and sends all the requests in both the GET parameters and the POST parameters

The problem I have now is that although I am exploiting a SQL injection, I have no condition in the script to validate if the attack is successful or not. I think I should apply the standard conditions already defined to trigger alerts. I was wondering, instead of using this as a custom script, is it worth including this in the main ZAP engine? It will solve the fuzzer problem

It would only need two changes in the ZAP engine:

1 - Add a custom policy called fuzzing, and a subsequent method in the API. This method will receive a list of payloads
2 - This method will internally call the standard active scan with each of the payloads sent (maybe calling the scan and scannode methods) and validate the alerts against the internal rules it already has

I can write to your email directly to avoid bothering other members of the group with this discussion :)

Thanks

Simon Bennetts

Sep 14, 2017, 5:19:24 AM
to OWASP ZAP User Group
Hiya,

I'm good with this discussion being in this group - that way other people can learn from it and maybe also chip in :)

ZAP doesn't have _any_ built in internal rules.
Every rule defines the attacks and works out whether they worked or not - the ZAP core is oblivious of all of this.
For example, here are the files that define some of the existing SQL rules:

As you'll see, the test code is tightly integrated with the attacks.

I'd recommend having separate ascan scripts with related attacks and the associated code for working out if they work or not.
Or helping to improve the existing rules so that they work better ;)

Cheers,

Simon

kingthorin+owaspzap

Sep 14, 2017, 5:25:14 AM
to OWASP ZAP User Group
Refer to Simon's earlier replies. You can only detect the impact of the payloads if you have an idea how they're going to impact applications and are able to model and analyse the responses programmatically. There are no "normal" mechanisms. Each scan rule has its own.

Javi D R

Sep 14, 2017, 5:25:25 AM
to OWASP ZAP User Group
It makes it more difficult then, as my payload list has a bit of everything (XSS, SQLi, etc...) so I will need to specify for each one which rules I need to validate

I assume it is the same with fuzzer rules, isn't it?

Maybe the easiest way is to define an error result - e.g. reload the same page, or redirect to an error page - and use this pattern as the assertion. That is, anything that is not that expected result is a positive, but... it will generate a hell of a lot of false positives

Simon Bennetts

Sep 14, 2017, 6:01:58 AM
to OWASP ZAP User Group
The fuzzer doesn't detect any vulnerabilities - it just chucks bad stuff at the target and you have to work out if anything worked.
It tells you if the payload was reflected and allows you to search for things, but you have to decide what the real impact was.

Scanning websites is actually quite hard ;)

Is there any reason why you're not using the existing rules?
They may not be perfect but they're a pretty good start.
And if they don't work in some cases then you can work with us to improve them.
I'd have thought that would be easier than starting from scratch...

Cheers,

Simon

Javi D R

Sep 14, 2017, 6:07:10 AM
to OWASP ZAP User Group
Yes, looks like using the default rules is the best option here... 

Simon Bennetts

Oct 17, 2017, 1:24:55 PM
to OWASP ZAP User Group
OK, so we now have another option :)
We've just added this script to the communityScripts repo: https://github.com/zaproxy/community-scripts/blob/master/active/User%20defined%20attacks.js
You can pull that or install the communityScripts addon: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsCommunityScriptsCommunityScripts

In this script you can define your own attacks and the regexes to use to detect potential vulnerabilities.
And you can, of course, change it to do whatever you want :)

Feedback appreciated!

Simon
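The approach Simon describes twice in this thread (an active scan script that supplies its own attacks and the code that decides whether each response was "interesting", later packaged as the user-defined attacks script) looks roughly like the following. This is an added illustration, not the community-scripts file or ZAP's template; the `scan(as, msg, param, value)` shape and the `as.setParam`, `as.sendAndReceive`, `as.raiseAlert`, `as.isStop` and `msg.cloneRequest` calls follow the JavaScript active scan template linked above (newer ZAP releases also offer `as.newAlert()`), while `fakeTarget` and the attack list are constructed here so the script can be exercised under Node outside ZAP.

```javascript
// Attack table: each payload carries the regex that marks an interesting response.
var ATTACKS = [
  { name: "SQL error message in response", payload: "'", risk: 2,   // lone quote probe
    evidence: /SQL syntax|ORA-\d{5}|SQLite3?::|unterminated quoted string/i },
  { name: "Unencoded reflection of input", payload: "zapmark<'\">", risk: 1,
    evidence: /zapmark<'">/ }                                        // marker echoed raw
];

// Entry point ZAP calls once per input parameter (shape of the template).
function scan(as, msg, param, value) {
  var raised = [];
  for (var i = 0; i < ATTACKS.length && !as.isStop(); i++) {
    var a = ATTACKS[i];
    var test = msg.cloneRequest();             // fresh copy for every attack
    as.setParam(test, param, a.payload);
    as.sendAndReceive(test, false, false);     // no redirects, no anti-CSRF handling
    var hit = a.evidence.exec(test.getResponseBody().toString());
    if (hit) {                                 // raise only when the evidence regex fires
      as.raiseAlert(a.risk, 1 /* low confidence */, a.name,
        "Response matched " + a.evidence, test.getRequestHeader().getURI().toString(),
        param, a.payload, "", "", hit[0], 0, 0, test);
      raised.push(a.name);
    }
  }
  return raised;                               // returned for checking outside ZAP
}

function scanNode(as, msg) { /* per-node checks not used by this script */ }

// Constructed stand-in for ZAP's objects so the script runs under Node;
// `responder` maps the parameters sent to a response body.
function fakeTarget(responder) {
  function newMsg() {
    var m = { params: {}, body: "" };
    m.cloneRequest = newMsg;
    m.getResponseBody = function () { return m.body; };
    m.getRequestHeader = function () { return { getURI: function () { return "http://target.invalid/search"; } }; };
    return m;
  }
  var alerts = [];
  var as = {
    isStop: function () { return false; },
    setParam: function (m, p, v) { m.params[p] = v; },
    sendAndReceive: function (m) { m.body = responder(m.params); },
    raiseAlert: function () { alerts.push(arguments[2]); }
  };
  return { as: as, msg: newMsg(), alerts: alerts };
}
```

Inside ZAP only `scan` and `scanNode` matter; the point is that every payload you add comes with its own detection regex, which is what a plain payload list lacks.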

Javi D R

Oct 17, 2017, 2:16:09 PM
to zaprox...@googlegroups.com
Sounds really good. Will test it tomorrow!

Thanks


tbhuv...@gmail.com

Dec 12, 2017, 2:42:13 AM
to OWASP ZAP User Group
Hi Simon, 

Tried using the below script as part of an Active rule with ZAP version 2.7.
There is an issue while running the script with the active rule. The added script gets disabled (it was enabled and saved before the scan) during the scan.

Can you please guide me on how to use a script which should remain in enabled mode and get executed during the scan.

Used the ZAP help document on scripts, which is not clear on how to use the scripts and which should remain enabled throughout the scan.


Regards, 
Bhuvi

kingthorin+owaspzap

Dec 12, 2017, 4:32:55 AM
to OWASP ZAP User Group
If it was disabled automatically that's because it encountered an exception (which is likely displayed in the script console), you'd have to debug and correct the problem.