Dynamic Security Analysis with OWASP ZAP

Dynamic Security Analysis.

Dynamic testing is done while the code is in operation, i.e. it is performed in a runtime environment. When the code being executed is given an input value, the result or output of the code is checked and compared with the expected output [2]. With this we can observe the functional behaviour of the software and monitor system memory, CPU usage, response time and overall performance. Dynamic testing is also known as validation testing, since it evaluates the finished product. Dynamic testing is of two types: functional testing and non-functional testing.

Dynamic Testing Techniques.

The Dynamic testing techniques can be classified into two categories. They are:

  1. Functional Testing.
  2. Non-Functional Testing.

Levels of Dynamic Testing.

There are various levels of Dynamic Testing Techniques. They are:

  • Unit Testing
  • Integration Testing
  • System Testing
  • Acceptance Testing

To do this analysis you can use any existing dynamic security analysis tool; here the OWASP ZAP (OWASP Zed Attack Proxy) tool is used.

What is OWASP ZAP?

OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It is one of the most active OWASP projects and has been given Flagship status. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https. It can also run in a ‘daemon’ mode which is then controlled via a REST Application programming interface. This cross-platform tool is written in Java and is available in all of the popular operating systems including Microsoft Windows, Linux and Mac OS [1].

You can download Zap using this link address:

https://github.com/zaproxy/zaproxy/wiki/Downloads

 

Demonstration of OWASP ZAP.

The vulnerable image used in this practical can be downloaded from the link below:

https://pentesterlab.com/exercises/from_sqli_to_shell

After downloading and installing the software above, configure the proxy settings in both the browser and ZAP. Open ZAP by typing the command "zaproxy" in a terminal; this is quicker than navigating through the menu.

Then configure the browser's manual proxy settings as follows:

Port: 8080

HTTP Proxy: 127.0.0.1

Then set the local proxy in ZAP to the same address and port as the browser proxy settings. To do that, in ZAP go to Tools -> Options -> Local Proxy.

The following steps explain how the scanning is done in ZAP.

Right-click on the site link -> Include in Context -> New Context.

Then complete the following steps to obtain a ZAP report.

Your site will now appear in the Contexts category. Set the scan mode to Protected Mode. Then go to Tools -> AJAX Spider; in the window that opens, click Select and choose our site in the Contexts category, then select HtmlUnit as the browser (if we use Firefox we need to install a plug-in to do the analysis, whereas HtmlUnit is built into ZAP). Then click the Start Scan button.

After the AJAX spider completes, go to Tools -> Spider; in the window that opens, click the Select button under Starting Point, select our site and click Start Scan.

To perform the final scan, go to Tools -> Active Scan; in the menu that opens, select the site and start the scan.

After all of the above scans have finished we can generate a report. To get the report, go to Report -> Generate HTML Report, give the report a name, set the path and click Save.
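The same spider -> active scan -> report sequence can be driven without the GUI, because ZAP also runs as a daemon controlled through its REST API (mentioned above). The following is an added example, not code from the original post or from the ZAP project: it assumes a ZAP daemon listening on the proxy address configured above (127.0.0.1:8080) and an API key taken from ZAP's API options; the function names and the sample alert list are mine, while the endpoint paths (spider/action/scan, ascan/action/scan, core/view/alerts, core/other/htmlreport) follow the ZAP API documentation. The AJAX spider step from the walkthrough is left out here.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://127.0.0.1:8080"    # assumption: ZAP daemon on the proxy address set above
API_KEY = "ZAP-API-KEY-PLACEHOLDER"  # placeholder: copy the real key from Tools -> Options -> API


def api_url(component, kind, name, **params):
    """Build a ZAP API URL: <base>/JSON/<component>/<action|view>/<name>/?...&apikey=..."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"


def call(component, kind, name, **params):
    """Perform one API call and decode ZAP's JSON answer (needs a running ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for(component, scan_id, poll_seconds=2):
    """Poll <component>/view/status until the scan reports 100 percent."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts by risk level, working on the 'alerts' list returned by core/view/alerts."""
    return Counter(alert["risk"] for alert in alerts)


def html_report_url():
    """The HTML report is served by ZAP's OTHER endpoint rather than the JSON one."""
    query = urllib.parse.urlencode({"apikey": API_KEY})
    return f"{ZAP_API}/OTHER/core/other/htmlreport/?{query}"


def scan_target(target):
    """Spider the target, actively scan it, then return alert counts by risk level."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize_alerts(alerts)


# Constructed sample of the shape core/view/alerts returns, so summarize_alerts() runs offline.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://target.example/"},
    {"alert": "SQL Injection", "risk": "High", "url": "http://target.example/login"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://target.example/"},
]

if __name__ == "__main__":
    print(summarize_alerts(SAMPLE_ALERTS))          # offline: Counter({'High': 2, 'Medium': 1})
    # print(scan_target("http://target.example/"))  # against a live ZAP daemon
    # urllib.request.urlretrieve(html_report_url(), "zap-report.html")
```

Counting alerts by risk is the same information the HTML report summarises at the top, which makes the function handy as a gate in a build pipeline (fail when the High count is non-zero).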

According to the report, there are two high-risk vulnerabilities:

  • XSS (Cross Site Scripting)
  • SQL Injection

Next we check whether these vulnerabilities really exist in the application.

XSS exploit


Solutions for XSS vulnerability.

We can validate the text boxes, for example with a jQuery handler that removes every character other than letters, digits, space, dot and % from the search box as the user types:

<script type="text/javascript">
$(document).ready(function () {
    $('#ctl00_topNavigation_txtSearch').keyup(function () {
        var $th = $(this);
        // Each disallowed character is passed to the callback, which warns the user
        // and replaces it with an empty string.
        $th.val($th.val().replace(/[^.%a-zA-Z0-9 ]/g, function (str) {
            alert('Special characters not allowed except %');
            return '';
        }));
    });
});
</script>

Following are some other solutions for XSS

  • HTML escape questionable input characters like < > ' " & to their entity equivalents (e.g., < becomes &lt;). Additionally, if you need to allow some formatting (e.g., users can submit links or insert bold text), use a safe subset of a lightweight markup language so that user input like [Google link](http://www.google.com) is converted to Google link.
  • JavaScript Escape before Inserting Untrusted Data into JavaScript Data Values. [3]
  • HTML escape JSON values in an HTML context and read the data with JSON.parse. [3]
  • HTML Escape before Inserting Untrusted Data into HTML Element Content [3]
  • CSS Escape and Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values. [3]
  • Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes [3]
  • URL Escape before Inserting Untrusted Data into HTML URL Parameter Values. [3]
  • Sanitize HTML Markup with a Library Designed for the Job. [3]
  • Prevent DOM-based XSS. [3]
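The list above is about escaping on the server at the point where the untrusted value is written into the page, which is a different control from the jQuery filter shown earlier: that filter runs in the browser and is simply absent for any client that submits the request directly, so it cannot be the only defence. The following is an added example, not code from the original post, showing one encoder per context (element content, attribute, JavaScript data value, URL parameter) in Python's standard library; the function names, the page template and the sample input are mine.

```python
import html
import json
import urllib.parse


def escape_html_content(value):
    """Rule: HTML-escape &, <, >, " and ' before inserting into element content."""
    return html.escape(value, quote=True)


def escape_html_attribute(value):
    """Rule: attribute-escape every non-alphanumeric character as &#xHH;.
    The attribute must also be quoted where it is used (render_search_page does that)."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in value)


def escape_js_string(value):
    """Rule: JavaScript-escape before inserting into a JS data value.
    json.dumps yields a quoted literal with \\" and \\\\ handled; <, > and & are
    additionally encoded so the value can never close the surrounding <script> element."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def escape_url_param(value):
    """Rule: URL-escape before inserting into a URL parameter value (nothing left unescaped)."""
    return urllib.parse.quote(value, safe="")


def render_search_page(term):
    """The same untrusted value written into four contexts, each through its own encoder."""
    return (
        f"<p>Results for {escape_html_content(term)}</p>\n"
        f'<input type="text" value="{escape_html_attribute(term)}">\n'
        f"<script>var lastQuery = {escape_js_string(term)};</script>\n"
        f'<a href="/search?q={escape_url_param(term)}">search again</a>\n'
    )


# Constructed input that would break out of every one of the four contexts if inserted raw.
SAMPLE_INPUT = '"><b>injected</b> & O\'Neil'

if __name__ == "__main__":
    print(render_search_page(SAMPLE_INPUT))
```

Note that the encoders are not interchangeable: attribute-encoding a value and then placing it inside a script block, or HTML-encoding a value that ends up in a URL, leaves the page open in that context, which is why the rules above are stated per context.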

SQL Injection Vulnerability Verification

SQL injection means guessing or fuzzing the SQL query used by the back-end server script and sending crafted SQL input strings to the script for processing, so that the SQL query in the back end is manipulated into producing a response of the attacker's choosing. It is the topmost web application vulnerability in the OWASP Top 10.


Solution for this type of SQL injection.

To protect a web site from SQL injection, you can use SQL parameters.

SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

  • Build parameterized queries (C#/.NET):

txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql, connection);    // connection: an already opened SqlConnection
command.Parameters.AddWithValue("@0", txtUserId);   // the value is bound, never pasted into the SQL text
command.ExecuteReader();

  • Insert statement in PHP using parameterized queries (PDO):

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName, Address, City)
                       VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

Following are some general solutions for SQL injection.

  • Prepared statements (with parameterized queries). Language-specific recommendations:
    • Java EE – use PreparedStatement() with bind variables
    • .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
    • PHP – use PDO with strongly typed parameterized queries (using bindParam())
    • Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)
    • SQLite – use sqlite3_prepare() to create a statement object
  • Stored procedures.
  • Whitelist input validation.
  • Escaping all user-supplied input.
 

 

References

[1] https://en.wikipedia.org/wiki/OWASP_ZAP

[2] http://www.guru99.com/static-dynamic-testing.html

[3] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

 

By S.H.M Lahiru Prabath Balasuriya.
