Monday, 27 October 2014

OWTF 1.0 "Lionheart": Zest support and ZAP integration

REMINDER: We just released OWTF 1.0 "Lionheart". Please try it and give us feedback!

NOTE: This blog post is a guest post by Deep 'dscarson' Shah, who authored one of the most amazing GSoC 2014 projects this year: Zest support and ZAP integration.

And with that, a big welcome and THANK YOU to Deep!


OWASP OWTF - Zest support and ZAP integration
As part of my GSoC project, I had to integrate Mozilla Zest and OWASP ZAP into OWTF.


This image summarizes my work:

Let's dive into the details:


Zest is an experimental, specialized scripting language developed by the Mozilla security team and intended for use in web-oriented security tools. Generating Zest scripts from OWTF provides an automated way to replicate the exploitation of security vulnerabilities in a format that facilitates information exchange with tools such as ZAP, which can then reproduce the same vulnerabilities in their own environment.

ZAP is an easy-to-use integrated penetration-testing tool for finding vulnerabilities in web applications, and it has built-in functionality to run Zest scripts. The ZAP support allows OWTF to export its HTTP transactions to OWASP ZAP for further analysis and fuzzing.

The features implemented are:

  • Zest script creation from a single HTTP transaction
  • Zest script creation from multiple HTTP transactions (macro of requests)
  • HTTP request editing window (from which you can replay the request)
  • Zest script console
  • “Record a Zest script” functionality
  • Zest script runner
  • Forward HTTP request to ZAP


1) Zest script creation from a single HTTP transaction:

Clicking the “Create a Zest Script” button creates a Zest script for the given transaction in the owtf_review/targets/given_target/zest directory.


2) Zest script creation from multiple HTTP transactions:

A single Zest script can be created from multiple transactions of a specific target.

Clicking the “Create Zest Script” button lets you select the transactions you want to include in the Zest script, which is written to the owtf_review/targets/given_target/zest directory.
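As an added example that is not OWTF's or the Zest project's own code, here is how the two script-creation features above can be reproduced in Python: one recorded HTTP transaction (or several, for a macro) is parsed and emitted as a Zest script in which every request carries a status-code assertion, so that replaying the script in ZAP checks whether the target still answers the way it did when the finding was recorded. The Transaction class, the sample requests and the zestVersion value are constructed for this example; the Zest field names (elementType, ZestRequest, ZestAssertion, ZestExpressionStatusCode, ZestVariables) are written from memory of the public Zest JSON format and should be checked against the Zest reference before relying on them.

```python
import json
import os
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Transaction:
    """One recorded request/response pair, as the OWTF proxy would log it (constructed shape)."""
    raw_request: str   # full HTTP request text with CRLF line endings
    status_code: int   # status code seen in the recorded response
    scheme: str = "http"


def parse_raw_request(raw: str) -> Tuple[str, str, List[Tuple[str, str]], str]:
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, headers, body


def zest_request(tx: Transaction, index: int) -> dict:
    """Turn one transaction into a ZestRequest statement with a status-code assertion."""
    method, path, headers, body = parse_raw_request(tx.raw_request)
    host = next((v for k, v in headers if k.lower() == "host"), None)
    if host is None:
        raise ValueError("request has no Host header; cannot build an absolute URL")
    # Zest wants an absolute URL, the headers as one CRLF-joined string and the body in "data"
    # (field names assumed from the public Zest format; verify against the Zest reference).
    return {
        "url": f"{tx.scheme}://{host}{path}",
        "data": body,
        "method": method,
        "headers": "\r\n".join(f"{k}: {v}" for k, v in headers),
        "index": index,
        "assertions": [{
            # Replaying passes only if the target still answers with the recorded status.
            "rootExpression": {"code": tx.status_code, "not": False,
                               "elementType": "ZestExpressionStatusCode"},
            "elementType": "ZestAssertion",
        }],
        "elementType": "ZestRequest",
    }


def build_zest_script(title: str, transactions: List[Transaction]) -> dict:
    """One transaction yields a one-statement script; several yield a macro of requests."""
    if not transactions:
        raise ValueError("at least one transaction is required")
    return {
        "about": "Zest script generated from recorded OWTF transactions (example)",
        "zestVersion": "0.8",   # assumed value; set to the version your Zest runner expects
        "title": title,
        "description": f"Generated from {len(transactions)} recorded transaction(s)",
        "prefix": "",
        "type": "StandAlone",
        "parameters": {"tokenStart": "{{", "tokenEnd": "}}", "tokens": {},
                       "elementType": "ZestVariables"},
        "statements": [zest_request(tx, i + 1) for i, tx in enumerate(transactions)],
        "authentication": [],
        "index": 0,
        "elementType": "ZestScript",
    }


def save_script(script: dict, base_dir: str, target: str) -> str:
    """Write the script under <base_dir>/targets/<target>/zest/, mirroring OWTF's layout."""
    out_dir = os.path.join(base_dir, "targets", target, "zest")
    os.makedirs(out_dir, exist_ok=True)
    path = os.path.join(out_dir, f"{script['title']}.zst")
    with open(path, "w") as fh:
        json.dump(script, fh, indent=2)
    return path


# Constructed sample transactions, not real captures.
SAMPLE_TXS = [
    Transaction("GET /login?next=%2Fhome HTTP/1.1\r\nHost: target.example\r\n"
                "User-Agent: OWTF\r\n\r\n", 200),
    Transaction("POST /login HTTP/1.1\r\nHost: target.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "user=alice&pass=secret", 302),
]

if __name__ == "__main__":
    import tempfile
    macro = build_zest_script("login_macro", SAMPLE_TXS)
    print(save_script(macro, tempfile.mkdtemp(prefix="owtf_review_"), "target.example"))
```

The status-code assertion is the part worth keeping: without it a replayed script only resends traffic, whereas with it ZAP's Zest runner reports whether each recorded step still reproduces, which is what makes the exported script useful as evidence of a finding rather than just a request log.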

3) HTTP Request Editing Window (Replay Function)

An editing window, similar to the one in ZAP, in which you can modify a particular request and see the response to the modified request.

1) Select View on the transaction you wish to edit and replay.
2) Click Replay.
3) Edit the request.
4) Click Send.


4) Zest scripting console

A new window in which all target scripts and recorded scripts are listed and can be viewed.

You can open the Zest console from the transaction_log window by clicking ‘Zest Script Console’.

5) Record Functionality

Functionality to record transactions while browsing the web through the OWTF proxy and to create a Zest script from the recorded transactions, similar to the “Record a Zest script” functionality in ZAP.

  1. Go to the Zest console and click the ‘Record a Zest Script’ button
  2. Now browse the web
  3. Hit ‘Stop recording’ when done

A Zest script will be created in the owtf_review/misc/recorded_scripts/ directory.


6) Zest Running Functionality

Runs a Zest script from the Zest console and displays its output there.

Click ‘Run the Zest Script’ in the Zest console.


7) Forward HTTP request to ZAP

Functionality to forward HTTP requests to ZAP for analysis and testing.

Just click ‘Forward to ZAP’ in the particular transaction window (make sure ZAP is running).

Resources:

Project wiki pages (with diagrams)

Documentation of the other project (zest-owtf):

A video showing all the features of this GSoC project: