OWSAP ZAP is a useful website security testing tool, that any web savvy tester could use effectively. Apart from the annoyingly vague setup (ensure first task is to set up your browser to use same proxy as defined in ZAP), there are useful tools that you can start at a click. I ran the “Active Scan” option, just to see what this could do out-the-box. I would recommend “Passive Scan” really, as this is far safer to use (remember to try and use this tool only on test sites, as it does have potential to crash websites).
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets.
Impressive – firstly, I was surprised by how much of a site directory is viewable – when using CMS’s like Drupal or WordPress, a lot of assumptions are made as to security. The number of updates to these CMS’s purely on security issues should highlight the need to keep a handle on your website security in general. Click more to view the reports I generated, as it will illustrate that this tool is capable of.
ZAP Scanning Report
Report generated at Sat, 30 Apr 2011 15:02:52.
Summary of Alerts
Risk Level |
Number of Alerts |
High | 1 |
Medium | 0 |
Low | 2 |
Informational | 0 |
Alert Detail
High (Warning) | Cross site scripting |
Description |
Cross-site scripting or HTML injection is possible. Malicious script may be injected into the browser which appeared to be genuine content from the original site. These scripts can be used to execute arbitrary code or steal customer sensitive information such as user password or cookies. Very often this is in the form of a hyperlink with the injected script embeded in the query strings. However, XSS is possible via FORM POST data, cookies, user data sent from another user or shared data retrieved from database. Currently this check does not verify XSS from cookie or database. They should be checked manually if the application retrieve database records from another user’s input. |
|
http://%5BURL under test]/wp-content/plugins/yd-recent-posts-widget/timthumb/timthumb.php?src=%3CSCRIPT%3Ealert(%22OWASP%20ZAP%22);%3C/SCRIPT%3E&h=100&w=100&zc=1&q=100 |
|
src=<SCRIPT>alert(“OWASP ZAP”);</SCRIPT> |
Solution |
Do not trust client side input even if there is client side validation. Sanitize potentially danger characters in the server side. Very often filtering the <, >, ” characters prevented injected script to be executed in most cases. However, sometimes other danger meta-characters such as ‘ , (, ), /, &, ; etc are also needed. In addition (or if these characters are needed), HTML encode meta-characters in the response. For example, encode < as <
|
Reference |
|
Low (Warning) | Password Autocomplete in browser |
Description |
AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved. |
Solution |
Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE=’OFF’ |
Reference |
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp |
Very much Linux based tools so far, but here another windows-friendly open source version of commerical product – http://pages.eeye.com/RetinaCommunity.html
Re the “annoyingly vague setup”.
What would you like us to provide?
There is fairly comprehensive help (via F1) which is alos available online.
That includes this section:http://code.google.com/p/zaproxy/wiki/HelpStartStart
Many thanks,
Psiinon
Its OK, I have revised my opinion since this was posted 🙂 see newer zap post from homepage. The awkwardness was not around zap, to be fair – it is when you are operating behind company proxies. But I got the hang of it, and recommend this tool often.