Monday, 10 December 2012

ZAP 2.0.0 and the Google Summer of Code 2012 Projects

We are getting close to releasing the next major version of ZAP.

As there are so many changes we've decided to go to version 2.0.0 rather than 1.5, and some of the biggest changes have come about thanks to the Google Summer of Code (GSoC).

This is the first year in which ZAP has taken part in the GSoC, and it has been a resounding success.

In this post I'll give you an overview of the 3 GSoC projects, and an easy way to try them out if you can't wait for the full release.

New Spider (plus session awareness)

The current ZAP spider is showing its age.
It was inherited from the original Paros code, and is not as fast or effective as we would like.
Cosmin Stefan completely rewrote the spider, which is now much faster and more comprehensive than the old one.

This on its own would have been a great addition to ZAP.
But Cosmin also added session awareness to ZAP, so that ZAP can keep track of multiple sessions.
This extension allows you to switch between sessions on the fly as follows:
  1. Log in to the target application
  2. Check that the session is recognised in the Http Sessions tab
  3. Click the "New Session" button
  4. Select another page in your application - your browser should now be logged out
  5. Log in to the target application as another user
  6. Both sessions will be active, so you can switch between them using ZAP without having to do anything in your browser


Note that the session awareness applies to all of the other ZAP tools, like the spider and active scanner, so you can easily run these tools in different sessions.
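To make the six steps above concrete, here is a small model of what a session-aware proxy has to do underneath. This is an added example, not ZAP's own code: the proxy learns session tokens from the Set-Cookie headers it sees in responses, keeps several sessions for a site side by side, and rewrites the Cookie header of every outgoing request so that it carries the tokens of whichever session is currently active. The default list of token cookie names, the host name and all the cookie values are constructed for the example.

```python
"""Proxy-side HTTP session awareness, modelled in miniature.

Added example, not ZAP's own code.  The proxy records session tokens from
Set-Cookie headers, keeps several sessions per site, and rewrites the Cookie
header of outgoing requests to carry the active session's tokens.  The token
names, host and cookie values are constructed for the example.
"""
from http.cookies import SimpleCookie


class SessionStore:
    # Cookie names treated as session tokens (an assumed default list; the real
    # tool lets the user configure which names count as session tokens).
    DEFAULT_TOKEN_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "session")

    def __init__(self, token_names=DEFAULT_TOKEN_NAMES):
        self.token_names = {n.lower() for n in token_names}
        self.sessions = {}   # site -> {session name -> {cookie name: value}}
        self.active = {}     # site -> name of the active session (or None)

    def new_session(self, site, name=None):
        """The "New Session" button: start an empty session and make it active."""
        sessions = self.sessions.setdefault(site, {})
        name = name or f"Session {len(sessions) + 1}"
        sessions[name] = {}
        self.active[site] = name
        return name

    def set_active(self, site, name):
        """Switch the session used for outgoing requests to `name`."""
        if name not in self.sessions.get(site, {}):
            raise KeyError(f"no session {name!r} for {site}")
        self.active[site] = name

    def observe_response(self, site, headers):
        """Record session tokens the server sets, into the active session."""
        for hname, hvalue in headers:
            if hname.lower() != "set-cookie":
                continue
            cookie = SimpleCookie()
            cookie.load(hvalue)
            for key, morsel in cookie.items():
                if key.lower() in self.token_names:
                    if self.active.get(site) is None:
                        self.new_session(site)
                    self.sessions[site][self.active[site]][key] = morsel.value

    def rewrite_request(self, site, headers):
        """Replace the browser's session cookies with the active session's."""
        active = self.active.get(site)
        if active is None:
            return list(headers)
        tokens = self.sessions[site][active]
        out, had_cookie = [], False
        for hname, hvalue in headers:
            if hname.lower() != "cookie":
                out.append((hname, hvalue))
                continue
            had_cookie = True
            # keep non-session cookies, drop whatever session token the browser sent
            kept = [c.strip() for c in hvalue.split(";")
                    if c.strip() and c.split("=", 1)[0].strip().lower() not in self.token_names]
            merged = kept + [f"{k}={v}" for k, v in tokens.items()]
            if merged:
                out.append(("Cookie", "; ".join(merged)))
        if not had_cookie and tokens:
            out.append(("Cookie", "; ".join(f"{k}={v}" for k, v in tokens.items())))
        return out


def walkthrough(site="app.example"):
    """Run the six steps from the post against the store and return what happened."""
    store = SessionStore()
    # 1-2. log in as the first user: the server's Set-Cookie starts Session 1
    store.observe_response(site, [("Set-Cookie", "JSESSIONID=alice-token; Path=/; HttpOnly")])
    first = store.active[site]
    # 3. "New Session": an empty session becomes active
    second = store.new_session(site)
    # 4. the browser still sends the old cookie, but the proxy strips it, so the
    #    application sees an unauthenticated request: the browser looks logged out
    logged_out = store.rewrite_request(site, [("Cookie", "JSESSIONID=alice-token; theme=dark")])
    # 5. log in as another user: the new token lands in Session 2
    store.observe_response(site, [("Set-Cookie", "JSESSIONID=bob-token; Path=/")])
    # 6. switch back to the first user inside the proxy; the browser is untouched
    store.set_active(site, first)
    as_first = store.rewrite_request(site, [("Cookie", "JSESSIONID=bob-token; theme=dark")])
    return {"first": first, "second": second, "logged_out": logged_out,
            "as_first": as_first, "sessions": store.sessions[site]}


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(k, v)
```

The "logged out" effect in step 4 is simply the proxy dropping the old token from the Cookie header while the freshly created session has no token yet; once step 5 fills that session, switching is a matter of which token set the proxy writes into the header, which is why the browser needs no further interaction.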

Ajax Spider using Crawljax

As mentioned above, the old spider wasn't really effective enough, so we've actually replaced it with 2 spiders!

Cosmin implemented a traditional spider, which analyses the HTML code for any links it can find. This is fast and works well with 'traditional' web applications. However, it's not so effective with Ajax applications which use a lot of JavaScript, so Guifre Ruiz has added an Ajax spider.

Software reuse is one of the core principles we try to follow when developing ZAP, so for this development Guifre made use of the Crawljax project.

In this spider:
  • Guifre's code drives Crawljax
  • which uses Selenium
  • to drive a browser
  • which proxies via ZAP
The Ajax spider follows all of the links it can find via the browser, and so can discover any links an application generates, even ones generated client side via JavaScript.

This is a great complement to Cosmin's spider, and means that ZAP will be able to effectively spider a very wide range of applications.
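The difference between the two spiders is easiest to see on a page that builds a link in the browser. The following is an added example, not the code of either ZAP spider: a traditional link extractor in the style Cosmin's spider works in, parsing the HTML for URL-carrying attributes and resolving them against the page URL. Run over the constructed sample page it finds every link written into the markup, but the link a script assembles at run time never appears, which is exactly the gap the browser-driven Ajax spider closes. The element and attribute table is a small, assumed subset.

```python
"""A traditional (HTML-parsing) spider step, as an added example.

Not ZAP's spider code.  Finds URLs written into the HTML; a link built by a
script in the browser is invisible to it.  The sample page is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urldefrag

# Elements and the attributes on them that carry URLs (a small assumed subset).
URL_ATTRS = {
    "a": ("href",), "link": ("href",), "area": ("href",),
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "frame": ("src",), "form": ("action",),
}


class LinkExtractor(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):      # <base> changes resolution
            self.base_url = urljoin(self.base_url, attrs["href"])
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                self.found.append(value.strip())


def extract_links(base_url, html, same_host_only=True):
    """Return absolute, de-duplicated http(s) URLs found in the markup."""
    parser = LinkExtractor(base_url)
    parser.feed(html)
    parser.close()
    seen, out = set(), []
    for raw in parser.found:
        if raw.lower().startswith(("javascript:", "mailto:", "#")):
            continue
        absolute, _ = urldefrag(urljoin(parser.base_url, raw))
        if urlsplit(absolute).scheme not in ("http", "https"):
            continue
        if same_host_only and urlsplit(absolute).netloc != urlsplit(base_url).netloc:
            continue                                 # stay in scope
        if absolute not in seen:
            seen.add(absolute)
            out.append(absolute)
    return out


# Constructed sample page: four links in the markup, one built only by script.
SAMPLE_URL = "http://app.example/index.html"
SAMPLE_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body>
<a href="/about">About</a>
<a href="reports/2012.html#top">Reports</a>
<a href="https://other.example/x">Elsewhere</a>
<form action="/login" method="post"></form>
<div id="menu"></div>
<script>
  // only exists once the page runs in a browser; a static parser never sees it
  document.getElementById("menu").innerHTML = '<a href="/ad' + 'min">Admin</a>';
</script>
</body></html>"""


def demo():
    return extract_links(SAMPLE_URL, SAMPLE_PAGE)


if __name__ == "__main__":
    for url in demo():
        print(url)
```

The out-of-scope link to another host is dropped as well, which is the usual spider behaviour; the interesting omission is the one the script creates, and the only way to recover it is to execute the page in a real browser, as Guifre's spider does via Crawljax and Selenium.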

The current version of ZAP only managed to discover 10% of the links in the wivet test application. As you can see, the new Ajax spider is much more effective:


WebSockets support

The first 2 projects were OWASP GSoC projects, but we also had a third GSoC project thanks to Mozilla.

Robert Koch enhanced ZAP to support WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser.

And as with HTTP based messages, ZAP can also intercept WebSocket messages and allow you to change them on the fly.

Not only that, but he also integrated the ZAP fuzzer, so you can fuzz WebSocket messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
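Seeing, changing and fuzzing WebSocket messages all come down to the same wire-level work, so here is an added example of that layer. It is not the code of ZAP's WebSocket extension: it decodes an RFC 6455 frame, unmasks a client-to-server payload, lets you edit the text, and re-emits a well-formed frame (masked again with a fresh key on the client-to-server leg), then builds one frame per fuzz payload from a template. The sample frame is the masked "Hello" frame from RFC 6455 section 5.7; the payload list is constructed for the example.

```python
"""WebSocket (RFC 6455) frame handling for an intercepting proxy.

Added example, not ZAP's WebSocket extension.  Decodes a frame, unmasks the
client-to-server payload, lets the text be edited and re-frames it; also
builds one frame per fuzz payload.  The sample frame is the RFC 6455
"Hello" frame; the fuzz payloads are constructed.
"""
import os
import struct

OPCODE_TEXT = 0x1


def _mask(payload, key):
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def decode_frame(data):
    """Parse one frame; return (opcode, fin, masked, payload, bytes_consumed)."""
    if len(data) < 2:
        raise ValueError("truncated header")
    fin, opcode = bool(data[0] & 0x80), data[0] & 0x0F
    masked, length = bool(data[1] & 0x80), data[1] & 0x7F
    pos = 2
    if length == 126:                          # 16-bit extended length
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    elif length == 127:                        # 64-bit extended length
        (length,) = struct.unpack("!Q", data[pos:pos + 8])
        pos += 8
    key = b""
    if masked:                                 # client-to-server frames carry a key
        key, pos = data[pos:pos + 4], pos + 4
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = _mask(payload, key)
    return opcode, fin, masked, payload, pos + length


def encode_frame(payload, opcode=OPCODE_TEXT, fin=True, key=None):
    """Build one frame; pass a 4-byte `key` on the client-to-server leg."""
    if key is not None and len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    mask_bit = 0x80 if key is not None else 0
    head = bytes([(0x80 if fin else 0) | opcode])
    n = len(payload)
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 0x10000:
        head += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        head += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if key is not None:
        return head + key + _mask(payload, key)
    return head + payload


def intercept(frame, edit):
    """Decode a text frame, let `edit` change the text, re-frame it the same way."""
    opcode, fin, masked, payload, used = decode_frame(frame)
    if used != len(frame):
        raise ValueError("trailing bytes after frame")
    if opcode != OPCODE_TEXT:
        return frame                            # only text messages are edited here
    text = edit(payload.decode("utf-8"))
    key = os.urandom(4) if masked else None     # fresh key, never reuse the original
    return encode_frame(text.encode("utf-8"), opcode, fin, key)


def fuzz_frames(template, marker, payloads):
    """One client frame per payload, with the payload substituted at `marker`."""
    return [(p, encode_frame(template.replace(marker, p).encode("utf-8"), key=os.urandom(4)))
            for p in payloads]


# The masked single-frame text message from RFC 6455 section 5.7 ("Hello").
RFC_HELLO_FRAME = bytes.fromhex("81 85 37 fa 21 3d 7f 9f 4d 51 58")

# Constructed fuzz payloads: an empty value, a long value and a non-ASCII value.
SAMPLE_PAYLOADS = ["", "A" * 300, "caf\u00e9"]

if __name__ == "__main__":
    print(decode_frame(RFC_HELLO_FRAME))
    print(intercept(RFC_HELLO_FRAME, str.upper).hex())
    for p, f in fuzz_frames('{"msg": "@@"}', "@@", SAMPLE_PAYLOADS):
        print(len(f), decode_frame(f)[3][:40])
```

Two details matter when a proxy rewrites frames: the payload length field has to be recomputed (an edited or fuzzed message easily crosses the 126-byte boundary into the extended length form), and a changed client-to-server payload must be masked with a new key rather than the browser's original one, otherwise the server sees a malformed frame.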



As far as I'm aware, this means that currently ZAP has better WebSockets support than any other security tool out there. So if you are performing a pentest on an app that uses WebSockets then you really need to use ZAP.

Try them now

These three projects are great additions to ZAP, and will form a very significant part of the new 2.0.0 release.

I've been very impressed by the quality of the work all three students produced, and they all required much less supervision than I or the other mentors expected.

I'd like to thank them again for all of their hard work, and am delighted that they are carrying on contributing to ZAP. I'd also like to thank the mentors who managed them, the other ZAP developers who supported them, and Google for organising such a great initiative.

And if you want to try out these projects, then you can do so right now :)

Guifre's Ajax Spider can be downloaded and added to ZAP 1.4 via the zap-extensions project.

And all 3 projects are included in the latest weekly release - so please try this out and let us know what you think!

Monday, 22 October 2012

ZAP Weekly Releases

I've been struggling with the question of ZAP releases.
We've made loads of enhancements to ZAP recently, and I want them to be available to as wide an audience as possible.
But I also want to make sure our 'full' releases remain as robust and stable as possible.
I want to get the next full release (2.0.0) out of the door asap, but I still want to get a load more features into it.

So I've discussed this with the other ZAP developers, and we've decided to do weekly ZAP releases from the source trunk.
And that's starting today (Monday 22nd October) so there's a weekly release available now at:
http://code.google.com/p/zaproxy/downloads/list

How do 'weekly' releases differ from the 'full' releases?


  • No installers, just one cross platform archive (ZIP)
  • No release notes, although we will put info about some features on the wiki and link to committed issues
  • No specific testing - they will be 'bleeding edge' - stuff may be broken
  • No guarantee that the help files will be up to date (although ideally they shouldn't be too far out)
  • They use a different default home directory to full releases, so they will not interfere with each other
  • Less localization (probably)

Who will these releases be suitable for?

  • Anyone who wants to use the features we've added since 1.4.* but doesn't want the hassle of building ZAP from the source code
  • Anyone who would like to help test ZAP as it's being developed

Who will these releases not be suitable for?

  • Anyone who has not used ZAP before (they would be better off with a full release)
  • Anyone building security distributions (ditto)
  • Anyone developing or extending ZAP (they should use the trunk)

What are some of the significant changes since the last full ZAP release?

  • Completely rewritten spider (c/o Cosmin Stefan and the GSoC)
  • New Ajax Spider (using Crawljax, c/o Guifre Ruiz and the GSoC)
  • Web sockets support (c/o Robert Koch and the GSoC)
  • Performance improvements (both speed and memory)
See http://code.google.com/p/zaproxy/wiki/WeeklyReleases for a more complete list.

Anything else you should know?

  • The weekly releases will use Java 1.7 as opposed to Java 1.6 - you'll need to install this yourself if you haven't already got it

Want to know some more details?

  • The plan is to generate and upload the releases every Monday morning.
  • That's not guaranteed - a weekly release could be delayed (or completely skipped) if, for example, there were significant problems with the code in the trunk.
  • The releases will be built from the trunk, but will include selected extensions from zap-extensions.
  • The release number is based on the date generated, e.g. D-2012-10-15 (YYYY-MM-DD)
  • The check-for-updates mechanism has been updated so that weekly releases check for new weekly releases, while full releases still just report new full releases. Unless you disable it of course.
  • New weekly releases will not be announced on the twitter @zaproxy account, new full releases will still be announced there.
  • Issues will stay as Committed until they are included in a full release, but they will have the label 'Weekly-Build'
Feedback, as always, much appreciated!

Thursday, 13 September 2012

OWASP ZAP – the Firefox of web security tools

The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications.
My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on this blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP.
Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post:
  • help users develop and apply application security skills
  • build a competitive, open source, and community oriented platform
  • provide an extensible platform for testing
  • designed to be easy to use
  • raise the bar for other security tools

Helping users learn about Application Security

Unlike many security tools ZAP is designed to be used by people new to application security as well as security professionals.
My background is in development, and I started playing around with the Paros Proxy (from which I forked ZAP) as a way to learn about security tools. Helping people to learn about application security has been, and will remain, an essential goal for ZAP.
The open nature of ZAP is key here – users can delve into the code to see how it works. Anyone who thinks they can make an improvement has the opportunity to implement those changes, feed them back and be credited for them. Developers can work on ZAP to help them learn about security, and security people can work on ZAP to help them learn about coding.

An Open Source, Community based project

Like all OWASP projects, ZAP is open source and completely free to use. This means that there is no ‘pro’ version, so there is no incentive for us to hold back features for the ‘paid-for’ version. ZAP is also a community based project, which is an important distinction when compared with some other tools.
There are many security tools that are open source but are still tightly controlled by one individual or company. While a user can see how these products work it is often difficult to change them or influence their direction.
Anyone can get involved with the ZAP development – once someone has shown that they can produce good quality code and conform to ZAP guidelines then they can get commit access!
There are plenty of opportunities for non coders to get involved too – testing, documentation, training videos, translating – all contributions are welcomed and credited.

An Extensible platform for testing web applications

In addition to improving the core feature set for ZAP, we are working to ensure that as much of ZAP functionality is implemented as extensions or addons, which can easily be added to existing ZAP releases. This means that new features can be added dynamically without having to wait for full ZAP releases, and also means that we can accommodate features that will only appeal to a small subset of our users.
The ZAP community is very supportive of people who want to learn about coding or security, and we have just benefited from 3 students producing excellent enhancements to ZAP as part of the Google Summer of Code.

Ease of use as a design goal

We realize that developers and functional testers will probably spend a relatively small amount of time using security tools, so we want ZAP to be as intuitive as possible.
But we try to maintain a balance between making things as simple as possible while at the same time not over simplifying them.
While there is no ‘big red button’ in ZAP which will solve all of your security problems,
ZAP provides a set of automated tools which will help individuals assess the security of applications.
ZAP also provides a set of manual tools which can be used by people with more knowledge, which is one of the reasons it has been so enthusiastically adopted by professional pentesters. Inexperienced users can start off using the automated tools and gradually use more and more of the manual features as they improve their knowledge of application security.

Raising the bar for security tools

Another way ZAP can help application security in general is by raising the bar for other security tools, commercial or otherwise. Other products are free to reuse our source code (with acknowledgement;) and also free to copy or be ‘inspired’ by features that are implemented in ZAP.
In fact we welcome such reuse as it will provide the following benefits:
  • improves other tools, which increases user choice
  • broadens the availability of effective security tools
  • allows feature parity across tools, which will drive innovation and competition

Conclusion

In conclusion, ZAP is a free, open-source, community developed tool aimed at making the online world more secure. Anyone can get involved developing the core engine, or by creating addons which have full access to the core functionality. And that will probably sound vaguely familiar as it's very close to the philosophy behind Mozilla Firefox.
It's why I'm working for Mozilla as a security automation engineer, and the justification for this blog's title :)
If you have any interest in application security then you should download ZAP and try it out. And if you would like to learn more, or help to make ZAP better then please get in touch with me.

Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Automation Engineer