
Need Help to understand the functioning of ZED / w3af - web application vulnerability scanners

 
Sasha Mckinsey
Greenhorn
Posts: 9
Hey,

Got a quick question.

I know HTML 5, CSS, JavaScript and core Java.

I was looking at Zed Attack Proxy (ZAP) and W3af: website vulnerability tools. I was wondering, if I have to write a basic tool to cover the Ten OWASP -2013 and a handful more across sites irrespective of the technology, then do I need to "know":

  1. all the scripting languages - JavaScript, Ruby, Perl etc
  2. middleware .Net, Java as well
  3. all the frameworks too - Hibernate, Struts etc
  4. how to query all various kinds of databases - SQL, Oracle, MySQL etc

Good Day!



     
    Tapas Chand
    Ranch Hand
    Posts: 614
    Sasha Mckinsey wrote:...I was wondering if I have to write a basic tool to cover the Ten OWASP -2013...

    By "basic tool" do you mean that you will write a "web application"?
    If you want to cover the top ten vulnerabilities defined by OWASP, I am not sure about .NET, but I can tell about the knowledge required in Java.

    1. JSP/Servlets
    2. JavaScript
    3. JDBC
    4. Server like Apache Tomcat or JBoss for starters
    5. Database like MySQL or PostgreSQL or Oracle Express Edition for starters

    I hope I am not missing anything.

    Later you can move on to Spring MVC/Struts as they provide some mitigation of security flaws out of the box.
     
    Sasha Mckinsey
    Greenhorn
    Posts: 9
    By "basic tool" do you mean that you will write a "web application".


    Not a web application. What I want to make is a scanner which will scan any site for at least the top 10 OWASP vulnerabilities, if not more. It's for my learning purpose.

    Since websites/applications consist of other languages and frameworks (as well) other than Java... so I was wondering, do I need to know other languages (dot net, Ruby, Perl, PHP, Python etc) so that my scanner effectively scans sites written in these languages as well?
     
    Simon Bennetts
    Greenhorn
    Posts: 2
    First things first, writing code to test for vulnerabilities is a really good way to learn about those vulnerabilities.
    However don't underestimate the task ;)
    And the whole OWASP Top Ten isn't necessarily the best place to start.
    As I wrote on https://www.owasp.org/index.php/ZAPpingTheTop10:
    Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!

    And vulnerabilities like XSS and SQL injection might sound simple enough, but detecting them can be very tricky.

    But I don't want to put you off. I'm a firm believer in getting stuck in and it's exactly the approach I took when I wanted to learn about security.
    However I would (and did ;) start by looking at how existing open source tools detect vulnerabilities - for info about the ZAP ones see:
  • http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-3-passive-scan-rules.html
  • http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html

    There are a variety of deliberately vulnerable applications, which are documented here: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
    Of particular interest in this context are 'benchmark apps' which typically have very focused examples that are easier to understand, and are often fully documented:
  • Wavsep: http://sourceforge.net/projects/wavsep/
  • OWASP Benchmark: https://www.owasp.org/index.php/Benchmark
  • Webseclab: https://github.com/yahoo/webseclab
  • Google Firing Range: https://github.com/google/firing-range
  • WIVET: https://github.com/bedirhan/wivet
  • Watcher test cases: http://www.testcases.org/watcher/

    If you really want to learn about them then try improving existing open source tools to detect more vulnerabilities.
    If you're interested in doing that with ZAP then head over to the ZAP Developer Group and we'll help you get stuck in: http://groups.google.com/group/zaproxy-develop

    Simon (ZAP Project Lead)
     
    Campbell Ritchie
    Marshal
    Posts: 56599
    Welcome to the Ranch and thank you for the helpful 1st post.
     
    Sasha Mckinsey
    Greenhorn
    Posts: 9
    Thanks for your help. Appreciate it. I will right away get on with the resources that you have suggested.

    As for my original question - shall I ignore all other languages and frameworks (Dot Net, Ruby, Perl, Struts, Hibernate etc) or will they come in later?

    My skill set is: HTML 5, JavaScript, Core Java

    Thanks once again!
     
    Simon Bennetts
    Greenhorn
    Posts: 2
    It depends on what you're trying to learn.
    A lot of web vulnerabilities are completely independent of the underlying code, at least from the browser's perspective.
    So you should know enough with your skillset - I'd concentrate on understanding the vulnerabilities from the browser and/or server side without worrying about the server side languages.
    They are important for some vulnerabilities, but I'd start with the generic ones (SQL injection, XSS etc) first.

    If you want to learn how to prevent such vulnerabilities then definitely learn as much as possible about the languages that you will use.

    FYI I know Java very well, HTML 5 / JavaScript etc fairly well (but have loads to learn), I can get by in Python, Perl, Struts, Hibernate but have very little knowledge of DotNet, Ruby and other languages.
    There's always too much to learn ;)

    Cheers,

    Simon
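
The point made in the post above, that many web weaknesses look the same from the browser's side whatever the server is written in, shown as a small passive check over HTTP response headers. This is an added example, not part of the thread and not ZAP's code; the function names and both sample responses are constructed for illustration.

```javascript
// Passive checks read only the HTTP response, so the same code applies
// whatever language or framework produced the page.
function parseResponse(raw) {
  const head = raw.split(/\r\n\r\n|\n\n/)[0];   // headers end at the first blank line
  const lines = head.split(/\r?\n/);
  const headers = [];                            // a list, because Set-Cookie may repeat
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return { statusLine: lines[0], headers };
}

function passiveFindings(raw, isHttps) {
  const { headers } = parseResponse(raw);
  const get = (name) => headers.filter(([k]) => k === name).map(([, v]) => v);
  const findings = [];
  for (const cookie of get('set-cookie')) {
    const name = cookie.split('=')[0];
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('httponly')) findings.push(`cookie ${name}: no HttpOnly flag`);
    if (isHttps && !attrs.includes('secure')) findings.push(`cookie ${name}: no Secure flag`);
  }
  if (!get('x-content-type-options').some((v) => v.toLowerCase() === 'nosniff')) {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  const csp = get('content-security-policy').join(';').toLowerCase();
  if (get('x-frame-options').length === 0 && !csp.includes('frame-ancestors')) {
    findings.push('no X-Frame-Options or CSP frame-ancestors');
  }
  return findings;
}

// Constructed sample responses: one shaped like a Java stack, one like a PHP stack.
const JAVA_APP = ['HTTP/1.1 200 OK',
  'Content-Type: text/html;charset=UTF-8',
  'Set-Cookie: JSESSIONID=constructed123; Path=/app',
  '', '<html>...</html>'].join('\r\n');
const PHP_APP = ['HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'Set-Cookie: PHPSESSID=constructed456; path=/; HttpOnly; Secure',
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: DENY',
  '', '<html>...</html>'].join('\r\n');

console.log(passiveFindings(JAVA_APP, true), passiveFindings(PHP_APP, true));
```

The checks never look at the session cookie's name or the page body, which is why neither sample needs stack-specific handling.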
     