angle-up arrow-clockwise arrow-counterclockwise arrow-down-up arrow-left at calendar card-list chat check envelope folder house info-circle pencil people person person-plus phone plus question-circle search tag trash x

OWASP Zed Attack Proxy (ZAP) security testing

13 January 2020 Updated 13 January 2020 by Peter

When you are a developer of websites you can get vulnerabilities the easy way using the OWASP Zed Attack Proxy (ZAP) application.

post main image
https://unsplash.com/@ostshem

Time for joy or crisis: running the OWASP Zed Attack Proxy (ZAP) application to check vulnerabilities of our web application. Developers often know there are weak points in their code, but there always is a date of delivery. So why not use a tool that list the well-known and  important ones? This is my first time using ZAP so if are an expert you best stop reading here. In the links below there is information how to install and run, also when logged in. On my Ubuntu 18.04 system installation was a breeze, just download, in the terminal go to the download directory and type:

./zap.sh

I did not run this against my production site but on the same machine where the development version of my website runs. To run when logged in, you go to 'Manual Explore', type the URL of local website, and then click the 'Launch Browser' button. This starts a new browser window with your website with ZAP buttons on the left side and right side. Login as usual and click on (Spider) Start to start a run. The login button of my website was a bit under the left side buttons, I had to change the width of the screen to reposition and access the button.

Alerts reported by ZAP

Below are some alerts that ZAP reported. All texts in the blocks below are from the ZAP application. I only show a few lines but in many cases there is much more information. 'After investigation' means most of the time that I:

  • Click the tab Alerts
  • Select a line with the problem
  • Click the tab Request and look at the request
  • Click the tab Response and look at the response

Path Traversal

Reported by ZAP:

Alert priority: High
Path Traversal
Evidence: etc
Description: 
The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. 
An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. 
Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
...

After investigation:

Although this needs far more investigation it appeared that the theme selector processor did not check if the requested theme was in the available themes. Fixed. Also after looking at response more in detail I noticed that I had a sentence in a blog post containing the word 'etc'. This was highlighted in the response. This is about attacks on /etc of c:\etc. No problem.

Absence of Anti-CSRF Tokens

Reported by ZAP:

Alert priority: Low
Absence of Anti-CSRF Tokens
Evidence: <form name="search" action="/en/blog/posts/search" method="post">
Description: No Anti-CSRF tokens were found in a HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. 
The underlying cause is application functionality using predictable URL/form actions in a repeatable way. 
The nature of the attack is that CSRF exploits the trust that a web site has for a user. 
...

After investigation:

The search forms were using incorrectly the POST method. I changed the method to GET and of course the called Flask method only accepts the GET method.

Private IP Disclosure

Reported by ZAP:

Alert priority: Low
Private IP Disclosure
Evidence: 192.168.0.0
Description: A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) 
has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
...

After investigation:

The message came from the text of a blog post where I mentioned this IP address. No problem.

Format String Error

Reported by ZAP:

Alert priority: Medium
Format String Error
Parameter: lc
Attack: ZAP %1!s%2!s%3!s%4!s%5!s%6!s%7!s%8!s%9!s%10!s%11!s%12!s%13!s%14!s%15!s%16!s%17!s%18!s%19!s%20!s%21!n%22!n%23!n%24!n%25!n%26!n%27!n%28!n%29!n%30!n%31!n%32!n%33!n%34!n%35!n%36!n%37!n%38!n%39!n%40!n
Description: A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. 
...

After investigation:

The response showed a 500 error with the text:  sqlalchemy.exc.DataError: (pymysql.err.DataError) (1406, &quot;Data too long for column 'request_url' at row 1&quot;) In this case it was the PageRequest SQLAlchemy object where I store every incoming request. I was hoping, expecting, that too long values would automatically be truncated but this was a wrong assumption! Maybe this can happen elsewhere in the program as well. I changed this for this object anyway by getting the length of the column and truncating the value before inserting it.

Buffer Overflow

Reported by ZAP:

Alert priority: Medium
Buffer Overflow
Parameter: lc
Attack: GET http://127.0.0.1:8000/en/auth/register?lc=aofyVsiquNyUZJJWRvcyMtmOKToYwtFlLIjVPAnQbvLMSuvapNZbePEuuZUgyEVHmcDklTcXYhZDCGFNtEFpbiJaafhHTrJobQWgcGKHjrYuDDaYbddfJxoemFoxRtesJrGieOviBIdFHhoYngoGNKaowenBuwavrUdOAfKElNWLoGHVTTsQDUTRgZMYKUTAOQJuNqQqBNkjuuMgAxqCQKvEvSvHviRyXrFRylXFjQuDeRosheUMCjjEFZRLMFpmRcYsjYZKPaALNOBvjLMcYJtoUIxGCKqYBSPwRTilwkaxxPmCekriFLVOkVtpVlSMWvtgHdrnjuAEesIuwfWyByZQjJKblYBXbRBHoHjCJKssKKdynuuGTnGlCMrRQHUnTcgbOPhCoTgIAcyDxBerlYELKJlCiIEbAnkFbtgCqnBKaUsHglhcVcyjqFnXtUEAKoHDSXMHhTJmXFvmYBxvEFITqJQgaWOsHIutVZYDiuRBSMwOXQYlmTenZHXPnchCHTfxtvsqlgZQZYmyNKYXRETmBRKyHKTbgoJGtVFaMCOPkvQAGasEylqdVEutnJiHSIBhovlKfMbPpctsMTsukniTThWTFqLJLS
Description: Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way.  
...

After investigation:

Again the response showed a 500 error with the text: sqlalchemy.exc.DataError: (pymysql.err.DataError) (1406, &quot;Data too long for column 'request_url' at row 1&quot;) And again it was the PageRequest SQLAlchemy object where I store every incoming request. Same solution.

Application Error Disclosure

Reported by ZAP:

Alert priority: Low
Application Error Disclosure
Url: http://127.0.0.1:8000/run
Evidence: HTTP/1.0 500 INTERNAL SERVER ERROR (KeyError: 'babel' // Werkzeug Debugger)
Description: 
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
...

After investigation:

The url was discovered by ZAP because of Content-Security-Policy-Report-Only header containing the (csp) report-uri. The /run url is not part of the visible application. I just used the application error handlers that call Babel for translations. Changed this by adding single language basic error pages for the application on the /run url.

X-Content-Type-Options Header Missing

Reported by ZAP:

Alert priority: Low
X-Content-Type-Options Header Missing
Url: http://127.0.0.1:8000/run/raw?__debugger__=yes&cmd=resource&f=console.png
Parameter: X-Content-Type-Options
Description: 
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. 
...

After investigation:

A non-existing image was returned. I added security headers, of course excluding the CSP-header, to the response. Also I added basic HTTP error pages. The browser shows a non-existing image. Fine.

Application Error Disclosure

Reported by ZAP:

Alert priority: Low
Application Error Disclosure
Url: http://127.0.0.1:8000/admin/static/
Evidence: HTTP/1.0 500 INTERNAL SERVER ERROR
Description: 
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
...

After investigation:

This only happens in (local) Flask development mode. In production, all static items are served by by Nginx. No problem ... I think.

Summary

A tool like the OWASP Zed Attack Proxy (ZAP) lets even a noob like me find vulnerabilities the easy way. I can recommend this tool to all developers. And because it tries attack your site on all available urls it is also extremely useful to find other problems like missing pages and CSP violations.

Links / credits

Getting Started with ZAP and the OWASP Top 10: Common Questions
https://www.denimgroup.com/resources/blog/2019/09/getting-started-questions/

How can ZAP automatically authenticate via forms?
https://github.com/zaproxy/zaproxy/wiki/FAQformauth

OWASP ZAP for Dummies
https://devonblog.com/security/owasp-zap-for-dummies/

proxy settings for localhost not obeyed unless network.proxy.allow_hijacking_localhost is set
https://bugzilla.mozilla.org/show_bug.cgi?id=1535581

Running Penetration Tests for your Website as a Simple Developer with OWASP ZAP
https://medium.com/volosoft/running-penetration-tests-for-your-website-as-a-simple-developer-with-owasp-zap-493d6a7e182b

The Open Web Application Security Project (OWASP)
https://www.owasp.org

The OWASP Zed Attack Proxy (ZAP)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Leave a comment

Comment anonymously or log in to comment.

Comments

Leave a reply

Reply anonymously or log in to reply.