few questions..


shrihari balasubramani

Mar 7, 2014, 11:19:08 AM3/7/14
to mozill...@googlegroups.com
1) Where can I find the "BodgeIt" site you used in one of the OWASP ZAP demo videos?
2) Do I have to include a Zest script return status in the add-on, or would you want it to be linked to ZAP?
3) How do I generate a certificate to be included in my browser if I didn't do it the first time I configured ZAP?
4) What's the whole point of having an add-on that just records and runs Zest scripts, when ZAP does the same better?
5) If the add-on just records and runs the Zest script, then will the input to it be the vulnerability we found in ZAP through Zest?

Sorry for asking silly questions... :P
Thanks for your time... :)

Simon Bennetts

Mar 7, 2014, 11:36:40 AM3/7/14
to mozill...@googlegroups.com
The Bodgeit Store can be downloaded from https://code.google.com/p/bodgeit/
You'll need to run it in a servlet engine - I use Tomcat.

The return value is probably more useful in a tool like ZAP - I can't think of a reason offhand why a Zest script recorded and running in Firefox would need to use one.

If you are using the latest version of ZAP then the certificate will have been generated for you.
You can regenerate it or export it to a file so that you can manually import it into a browser via the menu:
Tools / Options ... / Dynamic SSL Certificates

ZAP is quite a heavyweight tool, and if someone doesn't already have it installed then having to install ZAP (and potentially Java) could be off-putting.
We hope that people like that will be more prepared to install a lightweight Firefox add-on.
And people may well come up with 'non-security' uses for Zest, for example as QA tests.
We want people to be able to create and run Zest scripts using their tools of choice, rather than forcing them to use ZAP.

If you're already using ZAP then I don't think this plugin will add much.
It will be much more useful for someone who hasn't got ZAP installed.
You don't have to be a security expert to find potential security vulnerabilities.
We sometimes get security bugs raised by people who 'just happened to notice' something that looked wrong.
For these sorts of people we'd like to be able to say: 'Just download this add-on, start recording, reproduce the vulnerability, stop recording and send us the script'.
There are also some organizations that don't allow employees to install security tools like ZAP :)

Does that sound reasonable?

Cheers,

Simon

shrihari balasubramani

Mar 7, 2014, 11:48:29 AM3/7/14
to mozill...@googlegroups.com
Oh wow, that was quick, thank you.
I just wish we had an OWASP ZAP session in India.. :(

shrihari balasubramani

Mar 9, 2014, 10:13:38 AM3/9/14
to mozill...@googlegroups.com
Are Zest JavaScript runtimes available?

Simon Bennetts

Mar 10, 2014, 7:43:08 AM3/10/14
to mozill...@googlegroups.com
No, that's part of the proposed GSoC project :)

On Sunday, 9 March 2014 14:13:38 UTC, shrihari balasubramani wrote:

> Are Zest JavaScript runtimes available?

shrihari balasubramani

Mar 10, 2014, 8:27:38 AM3/10/14
to mozill...@googlegroups.com
Wow, that's a lot of work... can you guide me through the steps I need to follow, considering I have:
1> understood how ZAP works
2> know how to run, record and play with Zest scripts
3> know how to make add-ons..

What do I do next?

Simon Bennetts

Mar 10, 2014, 10:42:41 AM3/10/14
to mozill...@googlegroups.com
It would be quite a lot of work to reproduce all of the Zest functionality that ZAP has, but I don't think that's required here.
How would the user use Zest in Firefox?
What parts of the Zest runtime would that mean you need to implement?
You could then implement just those features in the JS runtime.

Right now you should be starting to put your proposal together.
Let me know if you have any more questions, and I'm always happy to review student applications before they are submitted.

Cheers,

Simon
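To make the "implement just the features you need" advice above concrete, here is an added example of a minimal Zest interpreter in JavaScript. It is not code from the Zest or ZAP projects and was not posted in this thread. It handles only one statement type (ZestRequest) and two assertion types (ZestAssertStatusCode and ZestAssertBodyRegex), which is roughly what a script recorded in a browser to reproduce a bug would contain. The JSON field names (elementType, url, method, assertions, code, regex) follow the Zest format as this example's author understands it and should be checked against the Zest specification; the sample script, the placeholder host and the two fake transports are constructed for the example so that it runs offline.

```javascript
// Minimal Zest interpreter (added example, not ZAP/Zest project code).
// Only ZestRequest statements with ZestAssertStatusCode / ZestAssertBodyRegex
// assertions are supported; anything else is reported rather than silently ignored.
// Field names are an assumption about the Zest JSON format; verify against the spec.

// Constructed sample script: one GET that must return 200 with a body matching /Welcome/.
const SAMPLE_SCRIPT = {
  about: "Constructed sample for illustration only",
  zestVersion: "0.3",
  title: "Login page smoke test",
  statements: [
    {
      elementType: "ZestRequest",
      index: 1,
      method: "GET",
      url: "http://example.invalid/login.jsp", // placeholder host, never contacted
      assertions: [
        { elementType: "ZestAssertStatusCode", code: 200 },
        { elementType: "ZestAssertBodyRegex", regex: "Welcome" }
      ]
    }
  ]
};

// Assertion handlers keyed by elementType; each returns true when the response passes.
const ASSERTIONS = {
  ZestAssertStatusCode: (a, resp) => resp.status === a.code,
  ZestAssertBodyRegex: (a, resp) => new RegExp(a.regex).test(resp.body)
};

// Run one statement. `transport` is injected (a function taking {method, url} and
// returning {status, body}) so the interpreter can be exercised without a network;
// a Firefox add-on would wrap XMLHttpRequest or fetch here.
function runStatement(stmt, transport) {
  if (stmt.elementType !== "ZestRequest") {
    throw new Error(`Unsupported statement type: ${stmt.elementType}`);
  }
  const resp = transport({ method: stmt.method, url: stmt.url });
  const failures = [];
  for (const a of stmt.assertions || []) {
    const handler = ASSERTIONS[a.elementType];
    if (!handler) {
      failures.push(`unsupported assertion ${a.elementType}`);
    } else if (!handler(a, resp)) {
      failures.push(`${a.elementType} failed (status=${resp.status})`);
    }
  }
  return { index: stmt.index, passed: failures.length === 0, failures };
}

// Run every statement in order and return per-statement results plus an overall verdict.
function runZestScript(script, transport) {
  const results = script.statements.map((stmt) => runStatement(stmt, transport));
  return { title: script.title, passed: results.every((r) => r.passed), results };
}

// Constructed transports: a healthy server and a server returning an error page.
const okTransport = () => ({ status: 200, body: "<h1>Welcome back</h1>" });
const brokenTransport = () => ({ status: 500, body: "<h1>Internal Server Error</h1>" });

// Stand-alone demo when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runZestScript(SAMPLE_SCRIPT, okTransport), null, 2));
  console.log(JSON.stringify(runZestScript(SAMPLE_SCRIPT, brokenTransport), null, 2));
}
```

Keeping the transport separate from the interpreter is the design point: the same script and assertion logic can be driven by a fake transport in unit tests and by the browser's HTTP stack inside the add-on, and unsupported statement or assertion types surface as explicit failures instead of a script that appears to pass because part of it was skipped.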