StudyDaddy Computer Science Lab6 -Introduction to OWASP

Lab6 -Introduction to OWASP

1 Introduction to OWASP ZAP Overview This lab walks you through using ZAP by OWASP. ZAP is a vulnerability analysis tool used to scan Web applications for possible software flaws. As an introduction to using ZAP, you will scan and interrupt http protocols in PHP code we developed in week 4. You will also run the attac k scanner on code you developed in week 4. Important: Do not attempt to use these tools against any live Web site. It is illegal to do so. You can only scan sites you have written permission to scan . You should use the virtual machine on applications you developed running on the localhost and disconnect from the Internet when running ZAP. Learning Outcomes: At the completion of the lab you should be able to: 1. Launch ZAP and view Web sites history and input parameter s 2. Use ZAP to intercept http messages and change their content to Identify possible vulnerabilities 3. Read and analyze reports produced from ZAP and prioritize and fix alerts associated with software issues Lab Submission Requirements: After completing this lab, you will submit a word (or PDF) doc ument that meets all of the requirements in the description at the end of this document. In addition , your associated file s should be submitted . You can submit multiple files in a zip file. Virtual Machine Account Information Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are: Username : umucsdev Password: umuc$d8v Part 1 – Launch ZAP and view Web sites history and input parameter s This exercise will walk you through Launching ZAP and allow you to become comfortable with the G UI for ZAP within your virtual machine. We will use ZAP to begin to analyze some of the PHP Web applications we created in week 4. 1. Important: Disconnect your machine from the Internet when using ZA P. This will ensure you are only scanning applications on your localhost. You can do this by unplugging the Internet cable on your machine or if you have Wireless connection, you should turn your Wi -Fi off. 2. Start your Virtual Machine as you would normally by clicking the Oracl e VM VirtualBox, starting the SDEV32Bit image and then logging into the machine. 3. Verify your Firefox browser has the Proxy properly configured. To do this, launch Firefox and go to Options -> Preferences menu. 2 4. Click on the Advanced icon and select the Network tab. 3 5. Select the Settings button and then enter localhost for the HTTP Proxy with Port of 8080. Also, be sure Use this proxy server for all protocols is selected and the No proxy for: textarea is blank. 6. Click Ok and your Browser will send HTTP messages to the already preconfigured ZAP proxy.

Note: You will need to change your Browser settings back to “No proxy ” once you are ready to perform normal Browsing to either the localhost or the Internet for the f uture. 7. To Launch ZAP, open up a shell prompt and change to the ZAP_2.3.1 folder. 4 8. Type the following command to start ZAP: ./zap.sh The ./ characters are important for properly and securely launching programs in Linux. After launching the ZAP GUI will be revealed. 5 9. The GUI will look very complicated at first as there is much functionality that this tool can perform. Over the next couple of weeks you will be exposed to most of the critical features. 10. To use the Sites and History tabs, you will need to launch your Browser. Open your Browser and launch the DemoGetForm.html file from week 4. The URL should be:

localhost/week4/DemoGetForm.html. If you review the ZAP tool you will see the Sites Icon has listed the GET:DemoGetForm.html file. Also, notice the History tab as information related to this site. 11. If you click on the Request and Response tabs on the right site of the tool, you will see both the header and body of the DemoGetForm.html file. 6 12. You should carefully review the request and response details noting how much information is revealed from this transaction. Information such as Web Server and Operating system are revealed. All HTML source code and comments are also provided . 13. Complete the DemoGetForm.html and notice the addition of the get_ Submit.php(fname,lname mypass) to the history and sites tab. Also, notice the Request and Response tabs as well the Params tab near the bottom. 7 You should experiment with using ZAP by running the other Web applications you created in week 4. As you run these applications , be sure to review the Sites, History, Request, Response and Params tabs. Part 2 Use ZAP to intercept http messages and change their content to Identify possible vulnerabilities One of the strong features of the ZAP tool is the ability to interrupt HTTP message and change the values in an attempt to find software flaws. In this exercise , we will use the week4 PHP web applications and demonstrate how the input parameters sent from the form can easi ly be changed and redirected back to the application with the new parameters. To interrupt an HTTP transmission, you use the Break Points functionality within ZAP. 1. As before, be certain you have disconnected your machine from the Internet, launch your virtual machine and then start ZAP. 2. To set a Break point, right mouse click the specific site you want to Break on. For example, if we want to put a Break point for th e get_Submit.php file, we would right mouse click that site, select break and then select save. 8 3. Once the Break Point is set, it will display in the Break Points tab. 4. To test the break point, launch the DemoGetForm.html application, complete the form and then press submit. You will notice the browser seems to hang as the http request has been intercepted by the proxy and is awaiting action in ZAP. 5. You can now modify the original data by right mouse clicking in the Break tab and selecting resend. When the resend frame appears, modify the GET string as appropriate and select the send button. 9 6. You will then be able to see the new response in the window. 10 7. To release the break point, you can click on the arrows at the top which allow you to Submit and step to the next break. Once you select those arrows, the data will be submitted and the browser will show the results. Note, you can also modify the text in the break tab itself and then click the submit arrows to show the results in your browser. This is where the person -in-the -loop analysis and discovery takes place. Manipulating the data sent into the applications provides insight into the vulnerabilities of the application. For example, you may discover that sending in a null password allows access to the system. You may also discover providing an admin username and brute force password guess may provide additional system privileges. You should experiment with all of the week4 PHP applications to see how parameters and information can be changed and the resulting impact on the application. Part 3 Read and analyze reports produced from ZAP In this lab, we will run the automatic scanning feature of ZAP and then generate HTML Alert reports for the DemoGetForm.html and DemoPostForm.html and discuss approaches to prioritize and mitigate the issues found in each Web applications. 1. As before, be certain you have disconnected your machine from the Internet, launch your virtual machine and then start ZAP. 2. Under the Quick Start tab of ZAP, enter the localhost/week4/DemoGetForm.html URL and click attack. 11 3. As the scan runs, you will see hundreds of requests logged into the Active Scan tab. You will also see several Alerts. Alerts from the scan provide possible vulnerabilities. The color of flag indicates the risk level of issue found. 4. To generate a report from the scan in HTML format, open the Report menu from the top of tool bar and select Generate HTML report. 12 5. Save the report to a folder and filename of your choice. For this example, a ScanResults folder was created and the HTML report was saved to the DemoGetFormReport file. Click Save to continue. 6. The HTML report should automatically open in your Browser. If not, use the file manager to open the report. 13 7. You should review the report carefully comparing the risk levels, descriptions, URL, Parameter, Attack, Solution, Referenc e CWE ID and WASC ID. When you prepare your lab for this week, you will use each of fields to describe your findings as well as formulate your solutions. The solutions provided may work but you may need to dig deeper into the references to mitigate the iss ue. Typically, y ou should work to mitigate the higher risk issues first. 8. After you have resolved the issues, you can rescan the application and see if any Alerts remain.

You will find some of the warnings are easy to fix. Some are more challenging – particularly the Cross -Site Scripting issues. 9. You can use the File -> New Session option to clear the current session. 10. Next, run a similar scan and analysis of the week4/DemoPostForm.html application. Save the results to a file named DemoPostSubmitReport. You will find similar number and types of alerts for this web application: 14 11. Work through the report to analyze the results and remove alerts where possible. The analysis and mitigation of issues is a repetitive process that should be done often i n development and after each release to make sure issues are not introduced during updates. ZAP is just one tool for use in this process. Be aware that ZAP is not the only approach for finding software vulnerabilities nor 15 will it eliminate or find all of t he issues. Other scanners and techniques should be used to help secure your web application. Lab submission details: For this lab, you will provide a detailed analysis using both manual interception techniques and automatic scanner attacks on the http://localhost/week4/loginAuth.html . You should run the manual interception techniques first , and describe in detail the information revealed to you during your analysis. Be sure to provide screen captu res of you running of the tool and analyze all files used for the application (loginAuth.html, authcheck.php and logout.php). Try to modify the http messages and look for possible vulnerabilities. This is the important discovery portion of your analysis. When you run the automatic scan, be sure to generate an HTML report showing all alerts. Also, describe the active scan activity . For each alert, discuss all of the output and try possible solutions. Be sure to describe how you prioritized alert messages. Tr y to resolve all alerts and document specifically your process in resolving those alerts. Rerun the scanner after you have fixed as many issues as you can to demonstrate your success. For your deliverables, you should submit a zip file containing your word document (or PDF file) with screen shots of your scans. Be sure to include the descriptions and analysis of your results, your prioritization and approach to mitigating the issues. Also, include the reports from your scan. Your report should be well -organ ized and clearly written. This report is aimed at your Chief Security officer who pays your salary. He is a technical geek and wants details, clarity and something he can pass on to others to make sure you have job security for years to come. Have fun with this! Include your full name, class number and section and date in the document. Grading Rubric: Attribute Meets Does not meet ZAP analysis 6 points Run s the manual interception techniques , and describe s in detail the information revealed to you during your analysis. (1 point) Analyze s all files used for the application (loginAuth.html, authcheck.php and logout.php). (1 point) Modif ies the http messages and look s for possible vulnerabilities. (1 point) 0 points Does not r un the manual interception techniques , and describe s in detail the information revealed to you during your analysis. Does not a nalyze all files used for the application (loginAuth.html, authcheck.php and logout.php). Does not modif y the http messages or look for possible vulnerabilities. 16 Run s the automatic scan, and generate s an HTML report showing all alerts. (1 point) Discuss es all of the output and tr ies possible solutions for all alerts. (1 poin t) Rerun s the scanner after you have fixed as many issues as you can to demonstrate your success. (1 point) Does not r un the automatic scan, or generate an HTML report showing all alerts. Does not d iscuss all of the output and tries possible solutions for all alerts. Does not r erun the scanner after you have fixed as many issues as you can to demonstrate your success. Docume ntation and submission 4 points Submit s a zip file containing your word document (or PDF file) with screen shots of your scans. (1 point) Include s the descriptions and analysis of your results, your prioritization and approach to mitigating the issues. (2 points) Include s the reports from your scan. (0.5 points) Your report is well -organ ized and clearly written. (0.5 points) 0 points Does not s ubmit s a zip file containing your word document (or PDF file) with screen shots of your scans. Does not include s the descriptions or analysis of your results, or the prioritization and approach to mitigating the issues. Does not include the reports from your scan. Your report is not well -organ ized or clearly written.

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!