
We've got a very large Web application with about 1000 pages to be tested (www.project-open.com, a project + finance management application for service companies). Each page may take multiple parameters (object-id, filters, column name to use for sorting, ...). We are now going to implement additional security checks on these parameters, so we need to systematically test that a) offensive parameter values are rejected and b) that the parameter values actually used by the application are accepted correctly.

Example: We might want to say that the sort_column parameter in a page should only consist of alphanumeric characters. But the application in reality may include a column name with a space in it, leading to a false positive security alert (space character not being an alphanumeric character).

My idea for testing this would be to 1) manually navigate to each of these pages in proxy mode, 2) tell ZAP to start spidering all links on this page for one or two levels and 3) tell ZAP to start fuzzing on these URLs.

How can this be implemented? I've got a basic understanding of ZAP and did some security testing of ]project-open[. I've read about a ZAP extension for scanning a list of URLs, but in our case we want to execute some specific ZAP actions on each of these URLs...

fraber
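The two checks the question asks for, (a) hostile values are rejected and (b) the values the application really emits are still accepted, can be run offline against the parameter allow-list rules before any ZAP scan. The script below is an added example, not code from the question, from ]project-open[ or from ZAP: the URL list stands in for the Sites tree you would export from ZAP after browsing the application through its proxy, and the parameter names, rules, URLs and rejection values are all constructed. One rule is deliberately too strict (no spaces in `sort_column`, the false positive described in the question) and one is a deliberately weak deny-list, so both failure modes appear in the report.

```python
"""Check per-parameter allow-list rules against (a) values the application
really uses and (b) values that must be rejected.

Added example, not ]project-open[ or ZAP code. URLs, parameter names, rules
and rejection values are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list rules. sort_column is deliberately too strict (no
# spaces); filter is a deliberately weak deny-list ("anything without angle
# brackets") so that a false negative shows up as well.
RULES = {
    "object_id": re.compile(r"[0-9]{1,10}"),
    "sort_column": re.compile(r"[A-Za-z0-9_]+"),
    "filter": re.compile(r"[^<>]*"),
}

# Constructed sample of URLs as the application itself generates them
# (in practice: exported from ZAP's Sites tree after manual browsing).
SAMPLE_URLS = [
    "https://app.example.com/intranet/projects/index?sort_column=project_name&filter=open&page=2",
    "https://app.example.com/intranet/projects/index?sort_column=Start%20Date&object_id=12345",
    "https://app.example.com/intranet/companies/view?object_id=7&filter=john.doe%40example.com",
]

# Generic values that no parameter may accept. Constructed.
REJECT_VALUES = [
    "x' OR 1=1--",
    "<script>alert(1)</script>",
    "../../etc/passwd",
    "name; DROP TABLE users",
]


def harvest(urls):
    """Collect every distinct value seen for every query parameter."""
    observed = {}
    for url in urls:
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            observed.setdefault(name, set()).add(value)
    return observed


@dataclass
class Report:
    false_positives: list = field(default_factory=list)  # legitimate value rejected
    false_negatives: list = field(default_factory=list)  # hostile value accepted
    unguarded: list = field(default_factory=list)        # parameter with no rule at all


def check_rules(rules, observed, reject_values):
    """fullmatch() anchors the pattern at both ends, so a rule cannot be
    satisfied by a substring of the value (a common regex mistake)."""
    report = Report()
    for param, rule in rules.items():
        for value in sorted(observed.get(param, ())):
            if rule.fullmatch(value) is None:
                report.false_positives.append((param, value))
        for value in reject_values:
            if rule.fullmatch(value) is not None:
                report.false_negatives.append((param, value))
    # Parameters the application uses but no rule covers: a validation gap.
    report.unguarded = sorted(set(observed) - set(rules))
    return report


if __name__ == "__main__":
    rep = check_rules(RULES, harvest(SAMPLE_URLS), REJECT_VALUES)
    for param, value in rep.false_positives:
        print(f"FALSE POSITIVE: {param}={value!r} is used by the app but the rule rejects it")
    for param, value in rep.false_negatives:
        print(f"FALSE NEGATIVE: {param}={value!r} passes the rule")
    for param in rep.unguarded:
        print(f"UNGUARDED: parameter {param!r} has no rule")
```

Run against the constructed data it reports `Start Date` as a false positive for `sort_column`, three of the four rejection values slipping through the `filter` deny-list, and `page` as a parameter with no rule at all; swapping `SAMPLE_URLS` for a real export turns it into a regression test for the rule set.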

1 Answer


I'll summarise some of your options:

I'd start by using the ZAP desktop so that you can control it and see exactly what effect it has. You can launch a browser, explore your app and then active scan the URLs you've found. The standard spider will explore traditional apps very effectively, but apps that make a lot of use of JavaScript will probably require the ajax spider.

You can also use the 'attack mode' which attacks everything that is in scope (which you define) that you proxy through ZAP. That just means that ZAP effectively just follows what you do and attacks anything new. If you don't explore part of your app then ZAP won't attack it.

If you want to implement your own tests then I'd have a look at creating scripted active scan rules. We can help you with those but I'd just start with exploring your app and running the default rules for now.

Nimantha
Simon Bennetts
thanks for the answer so far. Yes, there is JavaScript in some parts, so I already understood that I'd need to use manual browsing in order to get a base list of URLs. But then there are literally hundreds of parameters on some pages that may influence the way contents are shown. So 1000 pages x 100 params is too much for manual exploring. But no, ZAP is not doing very well with automatic 'attacking', just because of the number of parameters, and the number of values each parameter can take. I'll continue the discussion on the Google groups. Thanks! – fraber Jun 09 '20 at 14:21
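The "scripted active scan rules" the answer points to are what turn the question's requirement into something ZAP runs on every parameter it has seen. The script below is an added example of such a rule, not code from the answer, from ZAP or from ]project-open[. It assumes ZAP's active-rule script interface as shipped in its bundled ECMAScript template around 2020 (`scan(as, msg, param, value)`, `msg.cloneRequest()`, `as.setParam`, `as.sendAndReceive`, `as.isStop`, and the 13-argument `as.raiseAlert`; newer releases also provide an `as.newAlert()` builder), and it assumes an application convention for rejected input (a 4xx status or an error page containing a marker string); the parameter names, probe values and marker text are constructed. For each guarded parameter it re-sends a few values outside the allow-list and raises an alert when the application does not reject them, i.e. it checks requirement (a) from the question.

```javascript
// Added example of a ZAP scripted active scan rule (script type "Active Rules",
// ECMAScript engine). Not part of ZAP or of the original answer. Written in ES5
// so it runs under ZAP's Nashorn engine.
//
// ZAP calls scan(as, msg, param, value) once per parameter of each request in
// scope; "as" is ZAP's ActiveScript helper, "msg" its HttpMessage. The helper
// method signatures below follow ZAP's bundled active-rule template (assumed).

// Parameters the application is supposed to validate, with the kind of value
// each may take. Constructed for this example; adapt to your own parameters.
var EXPECTED = {
  object_id: "an integer",
  sort_column: "an alphanumeric column name"
};

// Values outside every allow-list above; each one must be rejected. Constructed.
var PROBES = ["col;--", "a<b>", "x' OR 'a'='a"];

// Assumption about the application: a rejected parameter produces a 4xx status
// or an error page that contains this marker text.
var REJECT_MARKER = "Invalid parameter";

function isRejected(statusCode, body) {
  return (statusCode >= 400 && statusCode < 500) || body.indexOf(REJECT_MARKER) !== -1;
}

function scan(as, msg, param, value) {
  if (!EXPECTED.hasOwnProperty(param)) {
    return; // not a parameter we expect to be validated; nothing to check
  }
  for (var i = 0; i < PROBES.length; i++) {
    if (as.isStop()) {
      return; // user stopped the scan
    }
    var m = msg.cloneRequest(); // never mutate the message ZAP handed us
    as.setParam(m, param, PROBES[i]);
    as.sendAndReceive(m, false, false); // no redirects, no anti-CSRF handling
    var status = m.getResponseHeader().getStatusCode();
    var body = m.getResponseBody().toString();
    if (!isRejected(status, body)) {
      as.raiseAlert(
        2, // risk: Medium
        2, // confidence: Medium
        "Parameter accepts a value outside its allow-list",
        "Parameter '" + param + "' is expected to be " + EXPECTED[param] +
          ", but the application returned HTTP " + status +
          " for a value that violates that rule.",
        m.getRequestHeader().getURI().toString(),
        param,
        PROBES[i], // attack
        "",        // otherInfo
        "Reject the value server-side with an allow-list check before using it.",
        PROBES[i], // evidence
        20,        // CWE-20: Improper Input Validation
        20,        // WASC-20: Improper Input Handling
        m
      );
    }
  }
}

// Called once per node (URL) rather than per parameter; nothing to do here.
function scanNode(as, msg) {}
```

Requirement (b), that the application's own values such as a column name with a space are still accepted, is not something an active rule can see, because ZAP only hands it the values it has already observed; that check belongs in an offline comparison of the rules against the harvested parameter values.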