W 220: Zed Attack Proxy (25 pts extra)

What You Need

Purpose

You will configure the Zed Attack Proxy and learn a few of its basic features.

Installing ZAP

On your Google Cloud Linux server, in an SSH window, execute these commands:
sudo su -

echo 'deb http://download.opensuse.org/repositories/home:/cabelo/Debian_9.0/ /' \
> /etc/apt/sources.list.d/home:cabelo.list

wget -nv https://download.opensuse.org/repositories/home:cabelo/Debian_9.0/Release.key \
-O Release.key

apt-key add - < Release.key

apt-get update

apt-get install owasp-zap -y

exit

Launch ZAP

In Chrome, using the Google Chrome Desktop on your Linux cloud server, open a Terminal and execute this command:
owasp-zap

Get Chrome

If you don't have Chrome, download and install it from www.google.com/chrome

Viewing Hackazon

On any computer, in Firefox, go to http://hackazon.samsclass.info

It's an imitation of Amazon, as shown below:

At the top right, click "Sign Up". Create an account using any username and password. Log out of Hackazon. Make a note of your username and password for later use.

Task A: Scanning the Hackazon App with ZAP

Start ZAP. A box asks "Do you want to persist the ZAP Session?". Click the "No..." button and click Start.

A "Manage Add-ons" page appears. At the top right, click the X to close it.

The main ZAP window appears, as shown below.

In the top right pane, enter a "URL to attack" of http://hackazon.samsclass.info, as shown below.

Click the Attack button. A series of messages scrolls by in the lower pane as ZAP attacks the site, searching for vulnerabilities.

You can see the progress of the scan in the bottom center, outlined in red in the image below. It takes about 7 minutes to finish.

Flag M 220.1: XSS Type (10 pts)

When the scan is complete, in the lower pane, click the Alerts tab. You should see five red flags, as shown below.

The flag is covered by a green box in the image below.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj W 220.1 from YOUR NAME".

Verifying an XSS Vulnerability

You can never trust a scanner. They often report false positives. So you must verify the vulnerability with manual testing.

In the lower left pane of ZIP, expand the "Cross Site Scripting" item, and click the GET line. In the lower right pane, the entire URL is shown. In the lower right pane, highlight the URL. Press Ctrl+C to copy it.

On your Cloud Server's desktop, open Firefox. Click in the Address bar. Press Ctrl+V to paste the URL and press Enter.

Flag M 220.2: Pop-Up Message (5 pts)

The injected script runs, popping up a box, as shown below. The flag is the message in the box, covered by a green box in the image below.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image showing the flag.

Save the image as "Proj W 220.2 from YOUR NAME".

Verifying a Remote File Inclusion Vulnerability

In the lower left pane of ZIP, expand the "Remote File Inclusion" item, and click the URL. In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Firefox. You see a login screen, as shown below. Nothing is obviously wrong here.

Flag M 220.3: Redirection (5 pts)

Now log in with the valid username and password you created at the start of this project. When the login is complete, your page redirects to a different site. The URL of that site is the flag.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image of Firefox showing the URL of the new site.

Save the image as "Proj W 220.3 from YOUR NAME".

Verifying a SQL Injection Vulnerability

In Firefox, in Hackazon, at the top right, click "Log Out".

In the lower left pane of ZAP, expand the "SQL Injection - MySQL" item, and click the shorter POST request, as shown below.

In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Firefox. Press Enter.

You see a login screen. Look at ZAP again--it specifies that the parameter is username and that the Attack is "ZAP' AND '1'='1' --".

To test the attack, enter this text into both the username and password fields, as shown below.

ZAP' AND '1'='1' --

Flag M 220.4: SQL Error (5 pts)

Click the "Sign In" button.

You see a big SQL error message. The flag is covered by a green box in the image below.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image of Firefox showing the flage.

Save the image as "Proj W 220.4 from YOUR NAME".

Turning In Your Project

Email the images to cnit.129s@gmail.com with a subject of "W 220 from YOUR NAME".

Sources

owasp-zap from home:cabelo project

Updated 1-30-2020 to use a Cloud server