How to Proxy Web Traffic through OWASP ZAP. Each survey that you complete, Zap Surveys will either make a donation to stop child starvation, or a full meal is donated to a starving child. The surveys provide at Zap Surveys are from Peanut Labs and SaySo For Good.As its a proxy it will sit between your browser and the web application allowing it to inspect all traffic. Configuring OWASP Zap I will be using OWASP Zap version 2.2.2, which can be downloaded here. Also I will explain its various findings and how to solve them. In this blog post I will explain how to configure your browser to use the OWASP ZAP Proxy to click through a web application running on local host. Even in passive mode, where it just inspects the traffic generated by your browser, it can give valuable pointers for securing your web application against abuse.
![]() ![]() Zap Owasp Review Full Meal IsWhile navigating through your web application, more and more warnings will appear (at least it did with mine :-) Below I have compiled a list of the alerts I was able to create and what can be done about them in terms of Java software development. Safe mode is sufficient for now, the other options, protected and standard mode, also allow offensive tests to be performed. Also notice the top left drop down box, it allows you to set the mode ZAP is working in. Clicking on the URL with the alert will display the offending part in the response tab. In the right part of this tab there is an explanation of the issue. When there is something potentially wrong with a request or response a warning will appear here. Solving this alert is easy if you have a Servlet 3.0 web container, just put the following snipped in the web.xml. This is bad as it allows session hijacking. When the Session ID is in the request it may be bookmarked, cached or disclosed in the referer header. This is typically used as a fallback if the browser doesn't support cookies as a session mechanism. The referer header tells the website receiving the request who referred to them (and yes, referer is a typo which got into the HTTP specification -) Secure pages including mixed content (Medium Risk) This alert is given when the page itself is delivered through HTTPS but some of its resources (such as images and scripts) are not. Referer expose session ID (Medium Risk) This is actually the same as the above alert only this time it warns about a link to an external host which may allow the Session ID to be exposed using the HTTP referer header. For example in Tomcat 6 you can put the disableURLRewriting="true" attribute in the context.xml. COOKIE If you use a container supporting an older Servlet specification where are container specific ways to do this. Get universal access on mac for steamThe solution? Have a generic error page and log the stacktrace. This is bad as this information can be used to launch further attacks against the web application. Yes, blog.42.nl is an excellent example of this warning :-) Application Error disclosure (Medium Risk) This alert is triggered when ZAP thinks an error message containing implementation details (such as a stacktrace or a file path) is present in the response. The solution? Make sure all your resources are delivered over HTTPS. Make sure that the http-only modifier is set on the cookie. When the page has a cross site scripting (XSS) vulnerability the value of the cookie may be stolen and used to hijack the session if its a session cookie. Cookie no http-only flag (Low Risk) If a cookie has no http-only flag its accessible from JavaScript. /oops.html 500/oops.html 503/oops.html Content-Type header missing (Low Risk) If the Content-Type header is missing in the response the browser must guess the content. For older Servlet versions a little more work is needed. Cross-domain JavaScript source file inclusion (Low Risk) The page includes one or more script files from a third-party which is outside the control of this web application and as such may contain 'unexpected' functionality. In a Servlet API 3.0 container you can set the secure tag to true in the web.xml to make the cookie https only. If it is not set, it may also be used over non HTTPS connections allowing for session hijacking. The easiest is when you have a Servlet API 3.0 container, there you can just declare it in the web.xml: web.xml true Cookie without secure flag (Low Risk) The secure flag of a cookie makes sure that the cookie is only used over HTTPS connections. Not setting these options may cause the personal data to be stored somewhere and worst case delivered to some other user. No-store disallows storing the page and private disallows caching by a shared cache such as a proxy. In most cases the no-cache, must-revalidate options are sufficient, however if your page holds data of a personal nature additional options are required. However, in most web applications a page is different on each request so caching must be disabled. However this also imposes a security risk: any one using that browser can now access the application protected by the password. Password Autocomplete in browser (Low Risk) Most users find remembering a password hard so they are quite happy with the browser remembering them. You will need to add the following headers: VersionNo-cache, no-store, must-revalidate, privateFor more information see RFC2616. One of them is the nosniff option which prevents browsers from guessing the right content type if for some reason the wrong one was specified. X-Content-Type-Options header missing (Low Risk) Besides the Content-Type header its also possible to serve some options with it using the X-Content-Type-Options. This may be helpful for further attacks targeting internal systems. Private IP disclosure (Low Risk) A private IP address such as 10.x.x.x, 172.x.x.x or 192.168.x.x has been found in the HTTP response body. HttpServletResponse.addHeader("X-Content-Type-Options", "nosniff") IE8's XSS protection filter not disabled (Info) The XSS protection filter in IE8+ protects against reflected cross site scripting (this is the kind of cross site scripting where the evil script is in the request URL or parameters). The upcoming Spring-Security 3.2 has built in support for this and other headers. Adding a header is easy using for example a Servlet filter. Read this for more details. Turning the filter on or off (for Internet Explorer only) works like this: httpServletResponse.addHeader("X-XSS-Protection", "1 mode=block") // on httpServletResponse.addHeader("X-XSS-Protection", "0") // off X-Frame-Options header not set (Info) Without this header present your web application may put into an IFRAME on any another page, perhaps as part of a clickjacking scheme. Read this stackoverflow entry for more details.
0 Comments
Leave a Reply. |
AuthorSamantha ArchivesCategories |