Jython script


Ailton Caetano

Feb 27, 2015, 8:03:35 AM
to zaprox...@googlegroups.com
Hello all,

  I'm SQLi testing a client's web application and I'm using OWASP ZAP for that. As the web page that receives the injected value always redirects the user by issuing a JSON response (the HTTP status code is still 200 OK), I'm trying to develop a Jython-based script to make the tool issue a request to the JSON-provided redirection URL (so that I can compare these responses in ZAP). The problem is that I cannot understand how I'm supposed to reference things in the "Scripts" tab.

I tried the following "Proxy" script:

def proxyResponse(msg):
  # Debugging can be done using print like this
  print(msg.getResponseBody.toString());

  return True;

but all I get is a java.lang.reflect.UndeclaredThrowableException error. The "Output" tab is empty and I could not find any other information. The script above was just a test. What I'm really trying to do is to make ZAP request the URL returned by the JSON response mentioned above.

Do you know how to solve this, or where I can find the docs about the expected language or a Jython example script to help me accomplish this?


[]'s Ailton

Simon Bennetts

Feb 27, 2015, 8:57:58 AM
to zaprox...@googlegroups.com
Hiya :)

The Jython proxy template would be a good place to start - that's included with the Jython add-on.
Look in the Templates/Proxy directory in the Scripts tab, right click "Proxy default template.py" and select "New Script..."

It looks to me like your code is missing "()" after the getRequestBody, ie:
  print(msg.getResponseBody().toString());

So do you want to extract the redirection URL from the JSON and automatically follow it?
If you can provide a sanitized example of the JSON we should be able to provide the code to do that.

Cheers,

Simon

Ailton Caetano

Feb 27, 2015, 9:13:22 AM
to zaproxy-users
Hi Simon,

  I just about did that and arrived at the same result you have, thanks. This is the JSON response (they are using a framework called "Genexus") I get:


{"gxCommands":[{"redirect":{"url":"hnuc001.aspx"}}]}


Another question, just to make sure I got things right: everything that is included in ZAP goes under that "org.zaproxy.zap.utils" package, right?

If that is so, could that ContentMatcher class get the job done, or is there a better solution to it (maybe a JSON parser)?


[]'s Ailton

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts

Feb 27, 2015, 11:07:25 AM
to zaprox...@googlegroups.com
Think I've got it working - see attached.

It may need customization and more error checking + tidying up.
And I'm sure I've made some fundamental python faux pas ;)

But at least it works for me ;)

And I can see why it's non-trivial for someone who doesn't understand the ZAP internals to do that with minimal docs :/
Have to see what we can do about that...

Cheers,

Simon
json redir.py

Ailton Caetano

Feb 27, 2015, 11:22:24 AM
to zaproxy-users
Simon,

  while trying to sort this out, I went through the javadocs and collected a few links that could be posted in the wiki, as they helped me in a few attempts (although I'm still learning my way through it).

Thanks for the script. I'll try it right away.

Attached follows the text mentioned above (already in wiki syntax). I'm just not too sure about the "Fuzz" script javadoc link, I think that you'll have to check that one out... =P


[]'s Ailton

owasp_zap_scripts_101.wiki

Simon Bennetts

Feb 27, 2015, 1:37:40 PM
to zaprox...@googlegroups.com
Thanks - I'll put them on the wiki!

Just realized my script included 'test' code - the line:
json = '{"gxCommands":[{"redirect":{"url":"contact.jsp"}}]}'
should be:
json = msg.getResponseBody().toString()

:)

kingthorin+owaspzap

Feb 27, 2015, 2:02:22 PM
to zaprox...@googlegroups.com
The JSON response you listed seems to me like it might be vulnerable to Open Redirect or Open Forward.

Interestingly they claim that type of vulnerability doesn't apply to them:
http://wiki.genexus.com/commwiki/servlet/hwiki?OWASP+2010+Top+10+Security+Risks+in+GeneXus+Applications,

Ailton Caetano

Feb 27, 2015, 2:22:19 PM
to zaproxy-users
Simon,

  yeah, I noticed it and changed accordingly. Just to find out that it did not create the entries in the history tab when I started the SQLi fuzzer... It looks like I created the script in the wrong interface.

  Anyway, I just created a page containing these links in the zaproxy GitHub wiki, hope you won't mind it...


Thorin,

  nah, the redirection link is always the same... It seems to store the constructed query somewhere server-side and only returns the result when you access the JSON-provided URL. But I'm still trying the SQLi.


[]'s Ailton


Ailton Caetano

Mar 12, 2015, 12:12:37 PM
to zaproxy-users
Okay guys,

  finally got the time to adapt and make it work, so the (almost) final version looks like this:


import net.sf.json.JSONSerializer
import org.apache.commons.httpclient.URI
import org.parosproxy.paros.network.HttpSender
import org.parosproxy.paros.model.Model
import sys

def proxyRequest(msg):
  # Debugging can be done using print like this
  # print('proxyRequest called for url=' + msg.getRequestHeader().getURI().toString())
  return True

def proxyResponse(msg):
  # Debugging can be done using print like this
  # print(msg.getRequestHeader().getURI().getPath().lower())
  req = msg.getRequestHeader()
  # Only act on the POST whose answer is the gxCommands redirect JSON
  if (req.getURI().getPath().lower() == '/hnuc004.aspx') and (req.getMethod() == 'POST'):
    json = msg.getResponseBody().toString()
    try:
      print(msg.getResponseBody())
      # Pull the redirect target out of {"gxCommands":[{"redirect":{"url":...}}]}
      jo = net.sf.json.JSONSerializer.toJSON(json)
      url = jo.get('gxCommands')[0].get('redirect').get('url')
      print('Got url: ' + url)
      # Resolve the (possibly relative) url against the URI of the original request
      baseUri = msg.getRequestHeader().getURI()
      newLoc = org.apache.commons.httpclient.URI(baseUri, url, False)
      # Turn the message into a GET for the redirect target
      msg.getRequestHeader().setURI(newLoc)
      msg.getRequestHeader().setMethod('GET')
      msg.getRequestHeader().setHeader('Content-Length', None)  # None removes the header

      # Third argument is the HttpSender initiator id the request is tagged with
      sender = org.parosproxy.paros.network.HttpSender(
        org.parosproxy.paros.model.Model.getSingleton().getOptionsParam().getConnectionParam(), True, 6)
      msg.setRequestBody('')    # Nulling the request body as it is not a POST anymore
      sender.sendAndReceive(msg)

    except:
      # Bare except so Java exceptions thrown by the ZAP classes are caught too
      print('no dice')
      e = sys.exc_info()
      print(e)
  return True


And it leaves me with two problems:

  • The request made to the JSON-provided URL is not logged in the history tab (so I cannot diff it with other requests)

  • I know, I put it as a proxy script, but it was only because I couldn't find how to make a Fuzz script. Can anyone help to rewrite it as the appropriate type, so that it gets executed inside a fuzzing session?


  By the way, I'm trying to get into ZAP scripting so that I can contribute to the OWASP Rio de Janeiro Chapter with some ZAP presentations (and obviously for my own knowledge). ZAP is widespread among security professionals, but I noticed that people don't have a profound knowledge of its full capabilities.


[]'s Ailton
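The extraction-and-follow logic of the script above, rewritten here as an added example in plain CPython so it can be run outside ZAP (this is not the thread's script and not ZAP code): the standard-library json and urllib.parse modules stand in for net.sf.json.JSONSerializer and org.apache.commons.httpclient.URI, the sample body and request URL are constructed, and it adds the one check a practitioner would want before letting a script follow the JSON-provided URL automatically, which is also the Open Redirect point Thorin raised earlier: the resolved target has to stay on the origin of the request that produced it.

```python
"""Added example (not the thread's ZAP script): redirect extraction from a
gxCommands JSON body, resolution against the original request URL, and an
origin check, in plain CPython. Inside ZAP the same steps are done with
net.sf.json.JSONSerializer and org.apache.commons.httpclient.URI."""
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample: the response shape quoted in the thread, plus a
# made-up request URL standing in for msg.getRequestHeader().getURI().
SAMPLE_BODY = '{"gxCommands":[{"redirect":{"url":"hnuc001.aspx"}}]}'
SAMPLE_REQUEST_URL = "https://app.example.test/hnuc004.aspx"


def extract_redirect_url(body):
    """Return the redirect target from a gxCommands body, or None.

    Equivalent to jo.get('gxCommands')[0].get('redirect').get('url') in the
    Jython script, but it walks every command and tolerates non-JSON bodies
    and missing keys instead of raising.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    commands = doc.get("gxCommands") if isinstance(doc, dict) else None
    if not isinstance(commands, list):
        return None
    for cmd in commands:
        if isinstance(cmd, dict):
            redirect = cmd.get("redirect")
            if isinstance(redirect, dict) and isinstance(redirect.get("url"), str):
                return redirect["url"]
    return None


def resolve_follow_up(request_url, redirect_url):
    """Resolve the redirect relative to the original request, as
    org.apache.commons.httpclient.URI(baseUri, url, False) does in the script,
    and report whether the target keeps the request's scheme and host:port.
    """
    target = urljoin(request_url, redirect_url)
    base, tgt = urlsplit(request_url), urlsplit(target)
    same_origin = (base.scheme, base.netloc) == (tgt.scheme, tgt.netloc)
    return target, same_origin


def follow_up_request(request_url, body):
    """Describe the GET the proxy script issues after a matching POST: new
    URL, method GET, empty body, no Content-Length. Returns None when the
    body carries no redirect or when the target would leave the origin,
    so an app-controlled absolute URL is never followed blindly."""
    redirect_url = extract_redirect_url(body)
    if redirect_url is None:
        return None
    target, same_origin = resolve_follow_up(request_url, redirect_url)
    if not same_origin:
        return None
    return {"method": "GET", "url": target, "body": "", "headers": {}}


if __name__ == "__main__":
    print(follow_up_request(SAMPLE_REQUEST_URL, SAMPLE_BODY))
```

When porting this back into the Jython proxy script, the same_origin check is the only new step; the rest maps one-to-one onto the setURI / setMethod / setRequestBody calls already in the script.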

Ailton Caetano

Mar 17, 2015, 9:39:25 AM
to zaproxy-users
Can anyone help with this?


[]'s Ailton

kingthorin+owaspzap

Mar 17, 2015, 10:14:38 AM
to zaprox...@googlegroups.com
  • I know, I put it as a proxy script, but it was only because I couldn't find how to make a Fuzz script. Can anyone help to rewrite it as the appropriate type, so that it gets executed inside a fuzzing session?

Only active and passive scripts are "triggered" by other normal operations, i.e. if you run an active scan then active and passive scripts are triggered by that mechanism. At this time we don't have a fuzz script type that is triggered by running the standard fuzzer.

From https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts :

Script types

Different types of scripts are supported:

  • Stand Alone - scripts that are self contained and are only run when you start them manually
  • Active Rules - these run as part of the Active Scanner and can be individually enabled
  • Passive Rules - these run as part of the Passive Scanner and can be individually enabled
  • Proxy Rules - these run 'inline', can change every request and response and can be individually enabled. They can also trigger break points
  • Targeted Rules - scripts that are invoked with a target URL and are only run when you start them manually
  • Authentication - scripts that are invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
  • Script Input Vectors - scripts for defining exactly what ZAP should attack


Simon Bennetts

Mar 17, 2015, 10:16:08 AM
to zaprox...@googlegroups.com
Fuzzing scripts are coming - they should be included in the last change we're working on for 2.4.0 ;)

thc...@gmail.com

Mar 17, 2015, 11:03:57 AM
to zaprox...@googlegroups.com
Well, they are already available in 2.3.1 through the MultiFuzz add-on. Though it requires some work to get them going, if the templates are not automatically loaded (and the templates are only available for JavaScript).

Best regards.

On 17/03/15 14:16, Simon Bennetts wrote:
> Fuzzing scripts are coming - they should be included in the last change
> we're working on for 2.4.0 ;)

thc...@gmail.com

Mar 17, 2015, 11:04:42 AM
to zaprox...@googlegroups.com
> The request made to the JSON-provided URL is not logged in the history tab (so I cannot diff it with other requests)

It can be done with:

from org.parosproxy.paros.model import Model
from org.parosproxy.paros.model import HistoryReference
from org.parosproxy.paros.control import Control

def addToHistoryTab(msg):
    # Look up the History extension; it is absent when ZAP runs without the GUI extension loaded
    extHistory = Control.getSingleton().getExtensionLoader().getExtension("ExtensionHistory")
    if extHistory:
        # Record the message in the current session as a user-created entry so it shows in the History tab
        extHistory.addHistory(HistoryReference(Model.getSingleton().getSession(), HistoryReference.TYPE_ZAP_USER, msg))


Tested with ZAP 2.3.1 (though it should also work with the latest weekly releases).

> I know, I put it as a proxy script, but it was only because I couldn't find how to make a Fuzz script. Can anyone help to rewrite it as the appropriate type, so that it gets executed inside a fuzzing session?

Following is a code snippet to do that. With ZAP 2.3.1 you must create a "Fuzz script" (which requires the MultiFuzz add-on). The (enabled) "Fuzz Scripts" are run with "Advanced Fuzz...".

from org.parosproxy.paros.model import Model
from org.parosproxy.paros.model import HistoryReference
from org.parosproxy.paros.control import Control

def addToHistoryTab(msg):
    # Look up the History extension; skip silently if it is not loaded
    extHistory = Control.getSingleton().getExtensionLoader().getExtension("ExtensionHistory")
    if extHistory:
        # Record the message in the current session as a user-created entry
        extHistory.addHistory(HistoryReference(Model.getSingleton().getSession(), HistoryReference.TYPE_ZAP_USER, msg))

def resendMessage(msg):
    # resend message as done in proxy script and add the new message to history tab
    # addToHistoryTab(msg)
    pass

# Fuzz script callbacks invoked by the MultiFuzz add-on for each fuzzed message
def processPayload(p):
    pass

def preProcess(msg, p):
    pass

def postProcess(res):
    # Called with the fuzz result; its message is the response to the fuzzed request
    resendMessage(res.getMessage())


Note that the current "Fuzz Script"s can't add the messages directly to the "Fuzzer" tab (or in this case the "Multifuzzer" tab). That will be possible only in 2.4.0.

Best regards.

On 17/03/15 13:39, Ailton Caetano wrote:
> Can anyone help with this?
>
>
> []'s Ailton

Ailton Caetano

Mar 17, 2015, 1:37:38 PM
to zaproxy-users
Thanks a lot!


[]'s Ailton
