Enhanced AJAX Integration in ZAProxy
Short description: In this project, a plugin for the OWASP Zed Attack Proxy will be developed to improve its integration with the OWASP AJAX Crawling Tool. This will help users perform penetration tests against web sites that use AJAX technologies, whose popularity has increased with the rise of Web 2.0.
Additional info: https://www.owasp.org/index.php/GSoC2012_Ideas#...
The OWASP Zed Attack Proxy (ZAP) is a penetration testing tool for finding vulnerabilities in web applications. It is widely used by the security community, and it was recently elected tool of the year by a well-known security blog.
One of the main features of ZAP is a spider (crawler) that visits every page of the target site and builds a map of it. That map is later used to look for vulnerabilities in each of the pages. Unfortunately, ZAP's spider only parses the HTML it receives and does not execute JavaScript, so it cannot discover links that are generated dynamically through AJAX.
On the other hand, there is an OWASP tool called the AJAX Crawling Tool (ACT) that performs this task. My objective is to develop a plugin for ZAP that makes it easy for users to scan AJAX-based web pages. The plugin will call ACT to do the crawling, and the resulting information will be properly integrated with the ZAP interface and features.
After discussing the idea with the pertinent OWASP project leaders, we have set the following goals:
- Develop a plugin for ZAP to improve its integration with ACT.
- Improve the ACT command line invocation capabilities.
- Design a scheme to mark the HTTP requests made by ACT, implement it in ACT, and use it in ZAP to recognize which URLs come from ACT.
Those are the main goals. In addition, there are a few requirements we will need to meet:
- The plugin will be easy to use for a developer with no security training.
- The code will need to be very clean to facilitate its comprehension.
- Both tools must be able to be updated independently without breaking the integration.
- The information provided by ACT will be fully integrated with the ZAP user interface: links will appear in the Sites tree, be marked as spidered, and be shown in the History tab.
The previous goals will be implemented as follows. First, we will set up a generic ZAP plugin as documented in the ZAP wiki. Next, we will identify the configuration parameters ACT needs to crawl the site and, if any are not yet available in ACT, implement them. Once ACT is doing its job as expected, we will develop the part of the code where the results are shown in the ZAP user interface: the links will appear in the Sites tree and also in the spider and History tabs.
Figure 1 shows the general architecture of our plugin as a data-flow diagram, together with the rest of the components it interacts with.
When the plugin is invoked, it performs a system call that launches ACT with a set of configuration parameters. ACT then issues its HTTP requests to the target site (proxied through ZAP, so that ZAP sees them) with a special marker header added, and crawls the links it discovers. ZAP recognizes which new URLs come from ACT by that marker header. Finally, the links are shown in the ZAP user interface as if ZAP itself had crawled them.
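To make the marking scheme of the third goal and the data flow just described concrete, here is an added Python sketch of the proxy-side logic. It is example code written for this page, not ZAP or ACT code and not part of the original proposal. It parses each request that reaches the proxy, decides whether it came from ACT by a marker header, strips the marker before the request is forwarded to the target, and files the URL in a minimal stand-in for ZAP's Sites tree tagged with its origin. The header name X-ZAP-Spider-Origin and the value ACT are assumptions (the proposal does not fix them), and the sample requests are constructed.

```python
"""Request-marking scheme sketched in Python (added example; not ZAP or ACT code).

Assumptions the proposal does not fix: the mark is a request header named
X-ZAP-Spider-Origin with value "ACT", and ACT sends its requests through
ZAP's proxy, so ZAP sees the header before the target site does.
"""
from urllib.parse import urlsplit

MARKER_HEADER = "x-zap-spider-origin"  # hypothetical header name, lower-cased for comparison
MARKER_VALUE = "act"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def serialize_request(method, target, version, headers, body):
    """Rebuild the raw request from its parts."""
    lines = [f"{method} {target} {version}"]
    lines += [f"{name.title()}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def classify_and_strip(raw):
    """Return (origin, forwarded_request, absolute_url) for one proxied request.

    origin is "ACT" when the marker header carries the expected value, else
    "other". The marker is removed from the copy that goes to the target, so
    the site never learns which tool produced the request.
    """
    method, target, version, headers, body = parse_request(raw)
    origin = "ACT" if headers.get(MARKER_HEADER, "").lower() == MARKER_VALUE else "other"
    headers.pop(MARKER_HEADER, None)
    # Proxied requests use the absolute form; fall back to the Host header otherwise.
    url = target if target.startswith("http") else f"http://{headers.get('host', '')}{target}"
    return origin, serialize_request(method, target, version, headers, body), url


class SiteTree:
    """Minimal stand-in for ZAP's Sites tree: host -> path segments, each node tagged with origin."""

    def __init__(self):
        self.root = {}

    @staticmethod
    def _node():
        return {"origin": None, "children": {}}

    def add(self, url, origin):
        parts = urlsplit(url)
        node = self.root.setdefault(parts.netloc, self._node())
        for segment in filter(None, parts.path.split("/")):
            node = node["children"].setdefault(segment, self._node())
        if node["origin"] is None:  # the first crawler to reach a URL keeps the tag
            node["origin"] = origin
        return node

    def urls(self, origin=None):
        """Flatten the tree to sorted URLs, optionally keeping only one origin."""
        found = []

        def walk(prefix, node):
            for segment, child in node["children"].items():
                url = f"{prefix}/{segment}"
                if origin is None or child["origin"] == origin:
                    found.append(url)
                walk(url, child)

        for host, node in self.root.items():
            walk(f"http://{host}", node)
        return sorted(found)


def ingest(raw_requests):
    """Run every request through the classifier and file it in the tree."""
    tree, forwarded = SiteTree(), []
    for raw in raw_requests:
        origin, fwd, url = classify_and_strip(raw)
        tree.add(url, origin)
        forwarded.append(fwd)
    return tree, forwarded


# Constructed sample traffic: one request from ZAP's own spider, two from ACT.
SAMPLE_REQUESTS = [
    "GET http://example.test/index.html HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: ZAP-spider\r\n\r\n",
    "GET http://example.test/ajax/products HTTP/1.1\r\nHost: example.test\r\n"
    "X-ZAP-Spider-Origin: ACT\r\nX-Requested-With: XMLHttpRequest\r\n\r\n",
    "POST /ajax/cart HTTP/1.1\r\nHost: example.test\r\nX-ZAP-Spider-Origin: ACT\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nitem=42",
]

if __name__ == "__main__":
    tree, forwarded = ingest(SAMPLE_REQUESTS)
    print("from ACT:", tree.urls("ACT"))
    print("from ZAP:", tree.urls("other"))
```

Two points of this sketch are design choices the proposal leaves open. Stripping the marker before forwarding keeps the target site from seeing a header that identifies the crawling tool, which could otherwise make it behave differently for the crawler than for a real user. And because the header is set by ACT on the client side, it identifies the sender but is not a security boundary: anything that can reach ZAP's proxy port can set it. For the system call that launches ACT, the plugin should pass the configuration parameters as an argument vector rather than building a single shell command string, so that a target URL chosen by the user cannot inject shell syntax.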
Since usability is a priority in our project, below we show a few mock-ups of how the plugin will look in the ZAP user interface:
Figure 2 shows how the plugin appears in the Attack menu of the Sites tab, as the 'Spider Ajax site' action.
Figure 3 shows the URLs of an AJAX site crawled by the current ZAP spider. The dynamically built links have not been found, so ZAP cannot look for vulnerabilities in them.
Figure 4 shows the result of scanning the same AJAX site with our plugin, which makes a system call to ACT and crawls the dynamically built links. Once crawled, these are shown in the Sites tree of the ZAP user interface and treated like URLs crawled by ZAP itself.
Finally, Figure 5 shows that the new links found by our plugin also appear in the rest of the ZAP tabs, such as the History tab, as normal ZAP-crawled URLs.
The project is planned in 4 phases to accomplish the goals of Section 2. Its timeline is shown below.
- March-April: Setting up the Eclipse environment for developing ZAP, cloning the repository, compiling it, getting in touch with the development team and potential mentors, discussing the ideas with them, and writing the proposal (already done).
- April-May: Getting to know the code, defining the requirements and specifications of the project, and starting to write the prototype and the modifications to ACT.
- May-June: Developing the functional specifications and the resulting prototype. Getting feedback from the mentor and the community.
- June-August: Making the needed modifications, refining the code, and carrying out the needed tests and documentation.
I am a 23-year-old CS graduate student at the Autonomous University of Barcelona (UAB), finishing a master's degree in Information Theory and Security. In 2011, I received an M.Sc. in High Performance Computing and did an 8-month software engineering internship at the Department of Architecture of SIGMA Gestion Universitaria. In 2010, I finished my Bachelor's degree in Computer Science and did a research assistant internship at the University of Wisconsin-Madison. You can find more information about my professional and academic experience on my LinkedIn profile and home page.
I think I am the right person for this project because I have been using the OWASP documentation and tools since I started working on security three years ago, so I am very familiar with them. Furthermore, as I worked as a Java software developer for 8 months, it will be easy for me to code in that language.
Besides, I am a passionate software engineer; I like to spend my free time working on anything related to coding and security and sharing it on my blog and Twitter. I am trying to make the world a better place by seeking and reporting vulnerabilities in services I use daily, such as those of Google.
Finally, I am also a free-software enthusiast, and for me GSoC is the perfect excuse to get involved with the ZAP and ACT OWASP projects and to get to know their development process and team through mentorship. I have always been a passionate developer, and I especially enjoy security topics (see my master's thesis and bachelor's final project on my home page), and I would really love to keep contributing regularly to ZAP and ACT with new ideas after the summer.
- OWASP Zed Attack Proxy Project, 2011. https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Toolsmith Tool of the Year: OWASP ZAP. http://holisticinfosec.blogspot.com.es/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html
- OWASP AJAX Crawling Tool, 2011. https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool
- ZAProxy Wiki Page: UI Development. http://code.google.com/p/zaproxy/wiki/UiDevelopment
- My LinkedIn Profile. http://www.linkedin.com/in/guifre
- My Home Page. http://caos.uab.es/~gruiz
- My Web Log. http://guifreruiz.blogspot.com/
- My Twitter Profile. https://twitter.com/#!/GuifreRuiz
- Tuenti Cross-Site Scripting Vulnerability (XSS), 2011. http://guifreruiz.blogspot.com/2012/02/xss-vulnerability-in-tuenticom.html
- Google Security Hall of Fame, 2011. http://www.google.com/about/company/halloffame.html
Name: Guifre Ruiz
Location: Barcelona (Spain)
Time Zone: GMT+1
Freenode IRC Nick: guifre
Current OS: Debian (at the university), Mac OS X (at home); I can set up any box in a VM.