OWASP ZAP Cloudflare


Melody

Feb 28, 2024, 7:56:44 AM
to ZAP User Group
Dear User Group,

I need to pentest a telecom company and when I try to scan it with OWASP ZAP it doesn't go through the Cloudflare "are you human" check. Does anyone know how I can go through that?

Kind Regards,
Melody

Simon Bennetts

Feb 29, 2024, 4:03:11 AM
to ZAP User Group
Hi Melody,

I guess this could be seen as a philosophical question - can ZAP ever be human? :D

But more seriously .. this does come up from time to time, so this should probably be a FAQ.
It isn't, but this answer might become one ;)

If you do DAST on an app protected by any sort of firewall then you are testing the firewall and not the app.
If you have been instructed to test the app then you need to explain that you need access to an instance without any such controls in place, otherwise you're essentially wasting your time.

For info, some firewalls do very basic blocking based on the default ZAP User Agent. Changing that can get you past them.
Cloudflare is not like that.
I'm not aware of any bypasses for it, and if any were to be made public then there's a good chance they would change to block them.

I don't see this as a ZAP problem.
ZAP is designed to be used by people with permission to test their apps.
It is not our job to bypass all of the things firewalls could do; it's up to the relevant org to make an instance available without such controls in place.

Cheers,

Simon

Melody

Feb 29, 2024, 7:28:27 AM
to ZAP User Group
Thank you for your reply.

I have been instructed to test the website and the app (mobile). To be honest I don't really know where to start, which is why I wanted to test OWASP ZAP out, but sadly it doesn't work because of Cloudflare. It makes sense that you can use OWASP ZAP for your own web application.

Kind Regards,
Melody

psiinon

Feb 29, 2024, 7:30:00 AM
to zaprox...@googlegroups.com
Hi Melody,

As I said before: you need to explain to whoever gave you this task that you need access to an instance without any such controls in place, otherwise you're essentially wasting your time.

Cheers,

Simon

--
ZAP Project leader

Matt Seil

Feb 29, 2024, 8:38:32 AM
to zaprox...@googlegroups.com
I wanted to chime in in agreement with what psiinon says here. I do work in the defense world, and your goal is to evaluate the security risk that the *application* presents to your company. You cannot do that with any kind of WAF in place. As psiinon said, you're now testing the WAF. Which is great IF you're buying a new WAF. On that note, there is an OWASP cheat sheet designed to evade WAF filtering, but you really have to know what you're doing! That's normally reserved for a red team.


Saul Javier

Mar 2, 2024, 10:02:27 PM
to ZAP User Group
Hi Melody, I just want to add something here. What Cloudflare is probably doing is filtering ZAP by the TLS fingerprint. If you don't know about it you can search on the internet, but in short it can identify, from the TLS handshake, that you are using software that is not usually used for "good purposes", let's say. While I have never had to try to bypass this measure, the first thing I would try would be putting something after ZAP so the TLS fingerprint Cloudflare gets is from that software. The first thing that comes to my mind would be a Squid proxy, since it shouldn't be that hard to set up and I think Squid would be recognized as "benign" software. You can find projects on the internet on how to bypass this measure (some of them just create a random fingerprint that, while not recognized as a common software, shouldn't be flagged as "malicious" either; others try to imitate the fingerprint of a common browser, which should be more effective), but most of them are for making custom requests and not for forwarding the traffic of any HTTP proxy, so you would have to write your own. An alternative that would not require any external software would be modifying the cipher suite used by ZAP by modifying the code; I don't know how to do that, nor how much you could customize it to mimic a browser (which I think would be the ideal case).
Anyways, outside of that, as people said, since you were authorized to test the site you should be in a position to ask them to put you on a whitelist. I've seen people who refuse to do so; in that case the only thing you can do is make that clear in any formal document. A lot of people are more worried about the WAF being able to block the tools used rather than making a secure site.

Matt Seil

Mar 3, 2024, 1:26:17 AM
to zaprox...@googlegroups.com
One way around that handshake issue would be to have your company's root CA issue you a cert, or get a copy of the corporate proxy cert and install that.
