OWASP ZAP – add-ons that will enrich your discovery

In this article I will cover a number of add-ons that I think help enrich vulnerability discovery and give a clearer understanding of the system under test.

First of all, what is OWASP ZAP?

ZAP is a well-known open source automated pen testing tool, created and maintained by the OWASP community. Testing is mostly at the application level, but you can extend it to cover things like open ports, for example.

I will list some add-ons that enrich the testing capabilities; you may find them useful.

  1. Wappalyzer – Technology Detection

    This add-on gathers information about the technologies the system uses, such as the application server, the frameworks, the hosting service and the operating system.

As shown in the screenshot above, this add-on gives you an overview of the technologies used by the system under test.

2. Port Scanner

This add-on gathers information about the open ports on the destination application/web server; this helps you close all unnecessary ports and reduce the attack surface.

3. FuzzDB Files

In ZAP you can fuzz a parameter; by fuzzing I mean replacing a parameter value with many patterns to test for things like SQL injection, XSS, OS command injection and other issues, which helps you discover more vulnerabilities.

The FuzzDB files provide many patterns, categorized by test type, as in the following screenshots.

In the following example, I used the FuzzDB XSS patterns against a vulnerable search field; here are the results.

That’s all for today 🙂, hope you find it useful.

Please share your tips, experience, comments, and questions for further enriching this topic of discussion.

API Security Testing With Postman and OWASP Zap

Most of the content around API testing is about functional testing or, more recently, API test automation, so what about security testing?

We’re going to use Postman and consume our existing collections.

The idea is to route the Postman requests through OWASP ZAP so that we can start automated pen testing.

Why?
Sometimes we don’t have a proper API definition file that can be imported into OWASP ZAP, so this is an easy workaround.

Step 1:

Open OWASP ZAP, go to the application settings and look for “Local Proxy”, as shown in the following screenshot.

On Windows: go to “Tools” -> “Options”

On Mac OS: go to “Zap” -> “Preferences”

In our case the local proxy is on port 8081; remember this number because we will use it very soon.

*The port number may be different on your machine; use the number displayed in your settings in the next step.

Step 2:

Open Postman, go to the application settings and open the “Proxy” tab, as shown in the following screenshot.

On Windows: go to “File” -> “Settings”

On Mac OS: go to “Postman” -> “Preferences”

Select “Add custom proxy configuration” and fill in the following values:

  • Proxy Server: localhost
  • Port: 8081 (the port taken from the OWASP ZAP settings in step 1)

Step 3:

In Postman, start sending API requests from the desired collection, as shown in the following Postman example.

All the API calls you just made from Postman should appear in the ZAP Sites list, as in the following screenshot.

*Don’t forget to restore the Postman proxy settings to their previous/default values after you finish.

Step 4:

It is time to start the scan in OWASP ZAP.

Right-click the site’s root node and select “Attack”, then “Active Scan”.

The scan starts and you should see some findings under the “Alerts” section, as in the following screenshot.

You can do much more than an active scan in OWASP ZAP; that may be another post in the future, digging deeper into ZAP 🙂

The API used in this demo is VAmPI, a deliberately vulnerable API; you can find it at the following GitHub link:

https://github.com/erev0s/VAmPI

I hope you find it useful and I really enjoyed the time I was trying it.

Please share your tips, experience, comments, and questions for further enriching this topic of discussion.

How to add security checks to your manual / automation test suite

You can add basic to moderate security checks to your manual test suite by extending your test cases in two areas:

  • Input validation
  • Authentication

Most test suites, if not all of them, already cover the areas above, but mostly with basic checks: if a field accepts numbers, we try letters and alphanumerics. What I am suggesting is to test every input field against major web app vulnerabilities like XSS and SQL injection.

The same goes for authentication: instead of only trying combinations of right/wrong usernames and passwords, you can extend your tests to cover a major web app vulnerability like SQL injection.

XSS: cross-site scripting (XSS) attacks let attackers inject client-side scripts into web pages viewed by other users. An XSS vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

We’re going to use demo.testfire.net as a safe place to practice on.

Example:

The field we’re going to test here is the search field. I am assuming that we have already executed test cases with characters, numbers, alphanumerics and very long character/number inputs to validate the input boundaries.

Let’s try an XSS payload as input. The input will be:

<ScRipT>alert("XSS");</ScRipT>

According to the above screenshot, it seems that the web app under test is vulnerable to XSS attacks.

XSS payload examples:

  • </script><script>alert(1)</script>
  • <IMG SRC=jAVasCrIPt:alert('XSS')>
  • <iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
  • <form><isindex formaction="javascript&colon;confirm(1)"

You can find an XSS payload list at the following URL:
https://github.com/pgaijin66/XSS-Payloads/blob/master/payload.txt

SQL Injection: SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

The element we’re going to test here is the login form. I am assuming that we have already executed test cases with valid and invalid usernames and passwords, and with very long character/number inputs to validate the input boundaries.

Let’s try a SQL injection payload in the “username” field and any characters in the password field.

username value will be: ' '
password value will be: test

Let’s try a more advanced input, as below:

username value will be: ' UNION SELECT sum(columnname) from tablename --
password value will be: test

According to the above screenshot, it seems that the web app under test is vulnerable to SQL injection attacks.

You can find a SQL injection payload list at the following URL:
https://github.com/payloadbox/sql-injection-payload-list
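One way to turn the two checks above (XSS reflection in the search field, database errors from the login form) into automated test-suite assertions, as an added example that is not from the article. The three XSS payloads and the two username values are the article's; the error-message signatures and the stand-in search/login functions are assumptions constructed here so the checks run offline.

```python
import html
from typing import Callable, Iterable, List

# Payloads taken from the article above: the search-field input and the XSS list that follows it.
XSS_PAYLOADS = [
    '<ScRipT>alert("XSS");</ScRipT>',
    "</script><script>alert(1)</script>",
    "<IMG SRC=jAVasCrIPt:alert('XSS')>",
]
# The two username values the article sends to the login form.
SQLI_PROBES = ["' '", "' UNION SELECT sum(columnname) from tablename --"]

# Fragments of database error messages; their presence means raw SQL errors reach the page.
# Assumption: your stack's wording may differ, so extend this with messages you actually see.
SQL_ERROR_SIGNATURES = ("unclosed quotation mark", "you have an error in your sql syntax",
                        "syntax error", "sqlexception")


def xss_findings(send_search: Callable[[str], str],
                 payloads: Iterable[str] = XSS_PAYLOADS) -> List[str]:
    """Submit each payload to the search field via `send_search` (returns the response HTML)
    and return the payloads echoed back verbatim. An HTML-encoded echo (&lt;script&gt;) is
    the safe behaviour and is not reported."""
    return [p for p in payloads if p in send_search(p)]


def sql_error_findings(send_login: Callable[[str, str], str],
                       probes: Iterable[str] = SQLI_PROBES) -> List[str]:
    """Submit each probe as the username (password "test", as in the article) and return
    the probes whose response contains a database error message."""
    return [p for p in probes
            if any(sig in send_login(p, "test").lower() for sig in SQL_ERROR_SIGNATURES)]


# Constructed stand-ins for the application under test, so the checks run offline here.
def vulnerable_search(q: str) -> str:   # echoes the query into the page unencoded
    return f"<p>No results for: {q}</p>"

def safe_search(q: str) -> str:         # encodes the query before echoing it
    return f"<p>No results for: {html.escape(q)}</p>"

def vulnerable_login(user: str, pw: str) -> str:  # an unbalanced quote reaches the SQL engine
    return "Unclosed quotation mark after the character string" if "'" in user else "Login failed"


if __name__ == "__main__":
    print("XSS findings:", xss_findings(vulnerable_search))            # all three payloads
    print("SQL error findings:", sql_error_findings(vulnerable_login))  # both probes
```

In a real suite, `send_search` and `send_login` wrap whatever HTTP client your automation already uses, and each non-empty findings list becomes a failing test.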

Conclusion:

By adding more test cases to your existing test suite you can help discover security vulnerabilities in the system under test without needing to learn a new tool. Of course this increases test execution time, but the benefit is catching those issues as soon as testing starts.

Of course this is not a replacement for proper security testing of a web app, but the idea is to cover at least some basic security checks in the normal testing process.

Please share your tips, experience, comments, and questions for further enriching this topic of discussion.

WordPress security testing using WPScan

Do not use the following instructions to exploit websites; usage of WPScan for attacking targets without prior mutual consent is illegal.

WordPress now powers 30 percent of the web, according to data from web technology survey firm W3Techs.

WordPress is an important platform and, as the above statistic shows, it is widely used; that is why securing a WordPress-based website is an obvious need.

What is WPScan?

WPScan is a free (for non-commercial use) black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

Installation

You can install it via Docker with the following command:

docker pull wpscanteam/wpscan

Scan WordPress Site

Default Scan

docker run -it --rm wpscanteam/wpscan --url <website URL>

Using the default options is a good compromise between speed and accuracy. For example, plugins are checked passively but their versions with a mixed detection mode (passive + aggressive). Potential config backup files are also checked, along with other interesting findings.

Only Display Vulnerable Plugins

docker run -it --rm wpscanteam/wpscan --url <site URL> --enumerate vp

Enumerate Usernames

docker run -it --rm wpscanteam/wpscan --url <site URL> --enumerate

Useful Links

WPScan Vulnerability Database

https://wpvulndb.com/

WPScan on GitHub

https://github.com/wpscanteam/wpscan

sqlmap

Do not use the following instructions to exploit other people’s websites or services; usage of sqlmap for attacking targets without prior mutual consent is illegal.

According to the Open Web Application Security Project (OWASP), injection attacks are first on the list of the top 10 web vulnerabilities. Among these, SQL injection accounts for a big share. Exploitation of SQL injection is trivial.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

We’re going to use sqlmap in two examples, one for testing a GET request and the other for testing a POST request, and also list some extra commands that are useful in further steps.

1) Installation

  1. Download and install Python if you don’t have it, from the following link: https://www.python.org/downloads/
  2. Download sqlmap from the following link:
    http://sqlmap.org/
  3. Extract the zip folder; then we’re ready to start.

2) Exploit a GET Request

  1. Open a command prompt in Windows as administrator
  2. Go to the extracted sqlmap folder
  3. Type the following command
    sqlmap.py -u "Target URL"
    as in the following picture
  4. If the database engine is identified, you have the choice to use only the payloads specific to the identified database or all the available payloads
  5. According to the previous screenshots, sqlmap identified the parameter “id” as vulnerable and also listed the patterns used and their types.

3) Exploit POST Request

In this case we need to capture/intercept the POST request and save it to a text file, then use sqlmap on it. You can use any HTTP interceptor like Fiddler or Burp Suite, or your browser’s developer tools, as in the following examples.

Fiddler

Chrome Dev Tools

Let’s start.

  1. Go to http://demo.testfire.net/default.aspx
  2. Click the “Sign in” link in the top right
  3. Use the following credentials to log in
    User Name: admin, Password: admin
    Before you sign in, make sure you are intercepting the login request as in the above examples
  4. Save the raw POST request in a .txt file and move it to the sqlmap folder root
  5. Type the following command to start the exploit
    sqlmap.py -r filename.txt
    In this case we have two vulnerable parameters; you have to choose which parameter to continue testing with, as in the above screenshot.

4) Useful Commands

sqlmap.py -r filename.txt --dbs
When the session user has read access to the system table containing information about available databases, it is possible to enumerate the list of databases.

sqlmap.py -r filename.txt --dump-all
It is possible to dump all database table entries at once that the session user has read access to.

SQL Map usage Wiki
https://github.com/sqlmapproject/sqlmap/wiki/Usage