Slides from my ZAP Scripting Workshop at DevSecCon in 2017: http://www.devseccon.com/london-2017/session/zap-workshop/

1. Join the conversation
#DevSecCon
By Simon Bennetts
Scripting OWASP ZAP

2. ●
Session 1 : 2pm
– Introduction
– Standard Scripts (JavaScript, Python, Ruby)
– Proxy and Http Sender Scripts
– Passive and Active Scan rule Scripts
●
Session 2 : 3pm
– Zest Scripts
– Standalone and Targeted Scripts
The Plan

3. ●
Session 3 : 4pm
– How to use scripts in automation
– How to add scripting support in add-ons (overview)
– Authentication Scripts
– More chance to write any or all of the above types
●
Session 4 : 5pm
– Optional – keep writing scripts, ask more questions...
The Plan

4. ●
We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
●
Can be anything useful – eg copies of existing scripts in different
languages :)
●
Anything useful will earn a ZAP Contributor sticker (max one per
person)
●
Lots of useful scripts will earn a ZAP T-shirt!
●
Only valid for this workshop
Competition Time!

5. ●
Advantages:
– Quick to write and test
– Full access to ZAP classes and data structures
– No need for separate development environment
●
Disadvantages
– Documentation could be (much) better
– No auto complete
– No sandbox – only run scripts you trust!
Introduction – why do we need scripts?

6. ●
JavaScript – built in
●
Python – optional add-on
●
Ruby – optional add-on
●
Zest – built in, macro language on steroids
●
JSR 223 languages relatively easy to add
●
Beanshell – optional, no longer really maintained
Introduction – What languages are supported?

7. ●
Stand Alone
– Run manually
●
Targeted
– Run manually against a specified requests
●
Proxy
– Change proxied browser requests on the fly
●
HTTP Sender
– Change any request on the fly (proxy, spider, active scanner ...)
Script types (built in)

8. ●
Passive Scan Rule
– Detect potential issues just by looking
●
Active Scan Rule
– Detect potential issues by attacking
●
Authentication
– Automatically login to sites
●
Script Input Vector
– Define exactly what ZAP will attack
Script types (built in)

9. ●
Fuzzer HTTP Processor
– Called before and after HTTP messages are fuzzed
●
Fuzzer Websocket Processor
– Called before and after Websocket messages are fuzzed
●
Payload Generator
– Generate attacks to be used in the fuzzer
●
Payload Processor
– Change fuzzer payloads before they are used
●
Sequence
– Define sequences of requests to be attacked (alpha)
Script types (add-ons)

10. ●
All roughly equivalent
●
All have good Java integration
●
JavaScript (ECMAScript)
– Java 7 – Rhino
– Java 8 – Nashhorn
– Can write to local filestore via Java classes
– Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
●
JavaScript Nashhorn – supports loading scripts from files
– https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
●
Python – supports modules path
‘Standard’ Script languages

11. ● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Useful links

12. ●
Fire up ZAP
●
Check for Updates (Help / Check for Updates...)
●
Update everything
●
Install Community Scripts
●
Optionally install Python / Ruby Scripting
●
Demo: “Hello world”
Getting started

13. ●
Scripts tab
– Shows all of the scripts an templates
– Allows you to select, add, remove, duplicate, enable, disable and save scripts
– Icons show state – enabled / disabled, error and not saved
●
Script Console tab
– Top pane – edit scripts
– Bottom pane – output and error messages
– Run and Stop buttons – enabled when appropriate
– Output pane buttons – control that pane
– Right click for lots more options!
The tabs

14. ●
Proxy Scripts
– Only affect requests and responses proxied via a browser
●
HTTP Sender Scripts
– Affect all requests and responses (proxy active scan, spider …)
– Initiator param gives the component that initiated the request
– Provides helper to make new requests
●
Both
– Must enable scripts before they will take effect
– Will be disabled on error
Proxy and HTTP Sender scripts

15. ●
Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
●
Provides methods like
– getRequestBody()
– getRequestHeader()
– getResponseBody()
– getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy
Script parameter: HttpMessage - msg

16. ●
Proxy Scripts
– Replace in request or response body.js
– Drop requests not in scope.js
– Return fake response.js
●
HTTP Sender Scripts
– Alert in HTTP Response Code Errors.js
– Alert on Unexpected Content Types.js
– Capture and Replace Anti CSRF Token.js
Proxy and HTTP Sender scripts - examples

17. Suggestions:
●
Replace headers
●
Auto redirect from one page to another
●
Do different things based on content, eg:
– Replace different content
– Redirect to different pages
Exercise – write Proxy &/ HTTP Sender scripts

18. ●
Passive Rule Scripts
– Can only view requests and responses (should not change anything)
●
Active Rule Scripts
– Attack nodes or specific parameters
– Can do pretty much anything you like :)
– Must Enable Script Input Vectors
●
Both
– Can raise alerts
– Must enable scripts before they will take effect
– Will be disabled on error
Passive and Active Rule scripts

19. ●
Passive Rule Scripts
– Server Header Disclosure.js
– Find emails.js
●
Active Rule Scripts
– User defined attacks.js
– gof_lite.js
●
Demo: testing passive and active rule scripts
Passive and Active Rule scripts - examples

20. ●
Hacking ZAP Blog posts
– https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
– https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
●
Java code
– https://github.com/zaproxy/zap-extensions
– master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
– beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
– alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha
Passive and Active Rule links

21. ●
Global Variables
– Variables can be shared between all scripts
org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name","value")
org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
●
Script Variables
– Variables can be shared between separate invocations of the same script
org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(
this.context, "var.name","value")
org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(
this.context, "var.name")
Variables (all script types)

22. Suggestions:
●
Rewrite existing java rules (see previous links)
●
Alert on anything that ZAP doesn’t currently find :)
Exercise – write Passive &/ Active Rule scripts

23. ●
Domain Specific Language (DSL)
●
Its domain is security and automation
●
Closer to a macro language .. on steroids :)
●
Format – JSON :O
●
Intended to be ‘written’ graphically
●
Its tool independent (no access to ZAP internals)
●
Demo: “Hello world”
Zest Scripts

24. ●
Creating from templates
●
Duplicating existing script
●
Recording
●
Selecting and adding requests
●
Manually
●
Demo: playing with BodgeIt
Zest Scripts - creating

25. ●
Double click to edit nodes
●
Right click:
– Add and delete nodes
– Delete nodes
– Surround with loops, conditionals
– Cut, copy and paste
– Comment
– Move up / down
●
Drag and drop
●
Selecting and adding requests
Zest Scripts - editing

26. ●
Request – make requests (and make assertions)
●
Action – scan, script, print, fail, sleep
●
Assignment – assign things to variables
●
Client – launch and control browsers
●
Conditions – and, or, equals, length, etc ...
●
Loop – though strings, files, integers, regexes, client elements
●
Comment – comment :)
●
Controls – return, break, next
Zest Scripts – statement types

27. ●
Paste Zest variables (right click in Zest text boxes)
●
Parameterize strings (right click in requests)
●
Redact strings (right click in requests)
●
Drag and drop
●
Change prefix – applies to all requests
●
Anti CSRF tokens – automatically handled
●
Generate Zest script from alert
Zest Scripts – hidden extras

28. ●
You have to start by launching a browser in Zest
●
No record option at the moment :(
●
Browser - View source / Inspect is your friend
●
Demo: Persona video …
Zest Scripts – client side

30. Suggestions:
●
Passive script – alert on the presence of 2 strings
●
Rewrite a script you’ve just written in another language
●
Rewrite one of the existing a/pscan rules
●
Record a script and start changing it
Exercise – write Zest scripts

31. ●
Both run ‘on-demand’ only
●
Standalone – run from the console
●
Targeted – right click on requests
●
Standard scripts (not Zest) – can access ZAP internals, eg:
– Sites tree
– History
– Other extensions
Standalone and Targeted scripts

32. ●
Standalone Scripts
– loop through history table.js
– traverse sites tree.js
– domainFinder.js
– window_creation_template.js
●
Targeted Scripts
– Resend as a GET request.zst
– Find HTML comments.js
Standalone and Targeted scripts - examples

33. Suggestions:
●
Count number of static vs dynamic pages
●
Detect authentication, registration and password changing?
(1 2 and 3 password fields)
Exercise – Standalone and Targeted scripts

34. -config script.scripts(0).name="Remove STS"
-config script.scripts(0).engine="Mozilla Zest"
-config script.scripts(0).type=proxy
-config script.scripts(0).enabled=true
-config script.scripts(0).file="/scripts/Remove STS.zst"
-config script.scripts(1).name="Another one..."
Scripts in Automation – set via cmd line

35. zap.script.load("Remove STS", “proxy”, "Mozilla Zest",
"/scripts/Remove STS.zst")
zap.script.enable("Remove STS")
●
Pro Tip: Configure in the UI, look at whats set in config.xml ;)
Scripts in Automation – set via API

36. ●
Implement a script interface
●
Implement one or more templates / examples which implement
the interface
●
Register a new script type:
ExtensionScript extensionScript = Control.getSingleton().
getExtensionLoader().getExtension(ExtensionScript.class);
extensionScript.registerScriptType(new ScriptType(
"newname", "i18nKey", icon, true, true));
Adding script support in add-ons

37. ●
Use the enabled scripts:
ExtensionScript extensionScript = Control.getSingleton().
getExtensionLoader().getExtension(ExtensionScript.class);
List<ScriptWrapper> scripts = extension.getScripts("newname");
for (ScriptWrapper script : scripts) {
try {
if (script.isEnabled()) {
MyScript s = extension.getInterface(
script, MyScript.class);
// Do something with it...
}
Adding script support in add-ons

38. ●
For when simple form based auth isnt enough
●
Need to configure context
●
Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ
Authentication Scripts

39. Suggestions:
●
Authenticate against any vulnerable app you have installed
Exercise – Authentication scripts

40. Join the conversation
#DevSecCon
Many thanks
PRs always appreciated ;)