Interpreting active scan messages from ZAP API


Beccy Stafford

May 30, 2017, 7:03:20 AM
to OWASP ZAP User Group
Hi there,

I'm new to security testing, and am learning by doing at the moment. I'm looking through some of the messages returned to me from the ZAP API, and I'm not sure what kind of vulnerabilities they are trying to find. I'm getting ambiguous results from googling, so thought I would ask on here. The ones that are puzzling me are:

$TEST_URL?query=query%3Bstart-sleep+-s+15
$TEST_URL?query=query%3Bget-help+%23
$TEST_URL?query=%2Fetc%2Fpasswd
$TEST_URL?query=thishouldnotexistandhopefullyitwillnot
$TEST_URL?query=http%3A%2F%2Fwww.google.com%2F (is this trying to see if we can get the url to redirect to another (potentially malicious) url?)
$TEST_URL?query=%22%3E%3C%21--%23EXEC+cmd%3D%22dir+%5C%22--%3E%3C
$TEST_URL?query=%27%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E (is this trying to get an alert to appear in front of the user from an innocent looking url?)
$TEST_URL?query=%29
$TEST_URL?query=query+AND+1%3D1+--+ (Is this an attempt at SQL injection?)
$TEST_URL?query=query%7Ctimeout+%2FT+%7B0%7D

I've got some guesses, but I'm not sure how to definitively find out - is there any documentation that can help me understand what each attack is trying to do?

Thanks,
Beccy

Beccy Stafford

May 30, 2017, 8:08:44 AM
to OWASP ZAP User Group
An additional one is:
$TEST_URL?query=Set-cookie%3A+Tamper%3D2320bb51-c3b3-4c74-9f4d-6573979e2765

I think this is cookie poisoning - is that right?

Simon Bennetts

May 30, 2017, 8:29:52 AM
to OWASP ZAP User Group
Hi Beccy,

I'm afraid the only documentation we will have on individual requests will be in the code :/
There's a blog post which has links to all of the relevant packages: https://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html

You can either try to work out which rules cause which requests by the order the rules run, or you can just run one rule at a time and focus on that.
You can also search for relevant strings in the source code.

Generally anything with "AND" "OR" or a single quote is going to be SQL injection.
If there's a '<script>' tag then it's probably going to be XSS.
The Set-cookie example is probably going to be from TestInjectionCRLF.java

Cheers,

Simon

kingthorin+owaspzap

May 30, 2017, 8:42:56 AM
to OWASP ZAP User Group
In the order you've posted them:

Command Injection - PowerShell
Command Injection - PowerShell
Command Injection or File Include
404 Check (not sure which scanner)
Open Redirect
Command Injection
XSS (Cross-site Scripting)
Are you sure about this one? %29 is a URL encoded right bracket ")"
SQLi
SQLi

CRLF Injection
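The decoding step behind these replies, written out as an added example that is not part of this thread or of ZAP's own code: it URL-decodes each query string quoted above and tags it with the probe family named in the replies (Simon's AND/OR/single-quote and `<script>` heuristics, kingthorin's per-URL list, thc's note that lone metacharacters come from the SQL Injection rule's error probing, and the format-string and external-redirect payloads Beccy identifies later in the thread). The `/search` path, the assumption that the scanned parameter's original value was `query`, and every regex and label are the example's own assumptions, not ZAP's rule definitions.

```python
"""Decode and triage ZAP active-scan probe URLs (added example, not ZAP code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the query strings from this thread as they might appear in
# an access log or in ZAP's message history. The scanned parameter's original
# value is assumed to be "query", which ZAP often prefixes to its payload.
ORIGINAL_VALUE = "query"
SAMPLE_URLS = [
    "/search?query=query%3Bstart-sleep+-s+15",
    "/search?query=query%3Bget-help+%23",
    "/search?query=%2Fetc%2Fpasswd",
    "/search?query=thishouldnotexistandhopefullyitwillnot",
    "/search?query=http%3A%2F%2Fwww.google.com%2F",
    "/search?query=%22%3E%3C%21--%23EXEC+cmd%3D%22dir+%5C%22--%3E%3C",
    "/search?query=%27%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E",
    "/search?query=%29",
    "/search?query=query+AND+1%3D1+--+",
    "/search?query=query%7Ctimeout+%2FT+%7B0%7D",
    "/search?query=Set-cookie%3A+Tamper%3D2320bb51-c3b3-4c74-9f4d-6573979e2765",
    "/search?query=ZAP+%251%21s%252%21s%2521%21n%2522%21n%0A",
    "/search?query=%5C%5C820728101120098054.owasp.org",
]

# Lone metacharacters attributed in the thread to the SQL Injection rule's
# error-probing phase.
ERROR_PROBES = {"'", '"', ";", ")"}

# Ordered heuristics (assumed, not ZAP's definitions): first match wins, so the
# specific patterns come before the broad SQLi rule, since the XSS payload above
# also contains a single quote.
RULES = [
    ("Command Injection (PowerShell)", re.compile(r";\s*(start-sleep|get-help)\b", re.I)),
    ("Command Injection (SSI exec)", re.compile(r"<!--\s*#exec\b", re.I)),
    ("Command Injection (pipe)", re.compile(r"\|\s*(timeout|sleep)\b", re.I)),
    ("Path Traversal / File Include", re.compile(r"(^|/)etc/passwd\b")),
    ("Open / External Redirect", re.compile(r"^\s*(https?://|//|\\\\)", re.I)),
    ("XSS", re.compile(r"<\s*script\b", re.I)),
    ("CRLF Injection", re.compile(r"(\r\n|^)\s*set-cookie\s*:", re.I)),
    # Windows-style "%1!s" / "%21!n" and plain "%s" / "%n" conversions after one decode.
    ("Format String", re.compile(r"%(\d+!)?[sn]")),
    ("SQL Injection", re.compile(r"\b(AND|OR)\b|'")),
]


def classify(param_value: str, original_value: str = "") -> str:
    """Map one decoded parameter value to the probe family it most likely belongs to."""
    payload = param_value
    if original_value and payload.startswith(original_value):
        payload = payload[len(original_value):]  # look only at what ZAP appended
    if payload in ERROR_PROBES:
        return "SQL Injection (error-probe metacharacter)"
    for label, pattern in RULES:
        if pattern.search(payload):
            return label
    return "No rule matched (baseline or existence check)"


def triage(url: str, original_value: str = ORIGINAL_VALUE):
    """Return [(param, decoded_value, label)] for every query parameter in url."""
    query = urlsplit(url).query
    return [(name, value, classify(value, original_value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def triage_all(urls=SAMPLE_URLS):
    """Triage the first parameter of each sample URL, preserving thread order."""
    return [triage(u)[0] for u in urls]


if __name__ == "__main__":
    for name, value, label in triage_all():
        print(f"{label:45} {name}={value!r}")
```

Decoding happens once, via `parse_qsl`, so the doubly encoded `%251%21s` payload becomes the `%1!s` the format-string rule looks for; a lone `)` or `'` is reported as an error probe only after the original parameter value has been stripped, which is why the helper needs to know that value.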

Beccy Stafford

May 30, 2017, 9:11:07 AM
to OWASP ZAP User Group
Hi,

Thanks both - that is super helpful.

Regarding the %29 one - I thought that was odd too - the API output suggests there are a few similar urls being requested:

?query=%27
?query=query%27
?query=%22
?query=query%22
?query=%3B
?query=query%3B
?query=%29
?query=query%29

Is this not something ZAP should be doing?

Thanks,
Beccy

thc...@gmail.com

May 30, 2017, 9:18:57 AM
to zaprox...@googlegroups.com
Hi.

That's done by SQL Injection scanner, to try cause SQL errors.

Best regards.

kingthorin+owaspzap

May 30, 2017, 10:01:57 AM
to OWASP ZAP User Group
On a related note, trying to figure out in realtime what ZAP is doing might not be terribly handy via the API.

If you want to understand what's going on then I'd suggest running in GUI mode while trying to get a handle on things.

The active scanner GUI has a progress dialog that shows actually what rule is running at a given time, and the message history part of the tab lets you review things.

The number of messages displayed in that tab can be adjusted in the options:
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsAscan#max-results-to-list

Keep in mind that it can impact performance.

You could also switch to the weekly:
https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly

Which as of mid-April displays the last n requests instead of a static list of the first n requests: https://github.com/zaproxy/zaproxy/issues/1681

Food for thought, just might make your life easier while learning and getting the hang of things.

Beccy Stafford

May 30, 2017, 10:40:23 AM
to OWASP ZAP User Group
That's good advice - thanks :).

Beccy Stafford

May 30, 2017, 11:16:21 AM
to OWASP ZAP User Group
So I've gone away and used all the resources suggested on this thread, which has been super useful and I've managed to identify a lot from isolating scanners on an active scan run. The one thing that's perplexing me still is calls like this:
?query=ZAP+%251%21s%252%21s%253%21s%254%21s%255%21s%256%21s%257%21s%258%21s%259%21s%2510%21s%2511%21s%2512%21s%2513%21s%2514%21s%2515%21s%2516%21s%2517%21s%2518%21s%2519%21s%2520%21s%2521%21n%2522%21n%2523%21n%2524%21n%2525%21n%2526%21n%2527%21n%2528%21n%2529%21n%2530%21n%2531%21n%2532%21n%2533%21n%2534%21n%2535%21n%2536%21n%2537%21n%2538%21n%2539%21n%2540%21n%0A
?query=ZAP
?query=%5C%5C820728101120098054.owasp.org
I've searched in the code, the internet in general and the ZAP UI - I can't see where they are coming from - does anyone know what kind of attack this is?

Beccy Stafford

May 30, 2017, 11:22:11 AM
to OWASP ZAP User Group
Ignore me - I just found it - it's Format String Error :)

Beccy Stafford

May 30, 2017, 11:29:16 AM
to OWASP ZAP User Group
And External Redirect :)