Explore the site bit--it's an imitation of Amazon, as shown below:
Click the "New User?" button and create an account using any username and password. Explore the personalized site a bit, then log out. Make a note of your username and password for later use.
Download and install the latest Java version.
On the right side of the page, click "Download OWASP ZAP!".
On the next page, download the appropriate version for your OS.
Run the installer and install the software. If you are using a Mac, drag the "OWASP ZAP.app" icon into the Applications folder.
TroubleshootingOne student's ZAP refused to launch on Windows 10 from the desktop icon. To fix it, we changed the target from ZAP.exe to ZAP.bat.
A "Manage Add-ons" box appears. Click Close.
In the top right pane, enter a "URL to attack" of http://hackazon.samsclass.info, as shown below.
Click the Attack button. A series of messages scrolls by in the lower pane as ZAP attacks the site, searching for vulnerabilities.
Let the scan complete. There's a progress bar in the lower center of the ZAP window. It took 30 minutes to get to 52% when I did it.
When the scan is at least 50% complete, in the lower pane, click the Alerts tab. You should see red flags, for "Cross Site Scripting" and "SQL Injection", as shown below.
Save a whole-desktop image with a filename of "Proj 4a from YOUR NAME".
In the lower left pane of ZIP, expand the "Cross Site Scripting (Reflected)" item, and click the URL. In the lower right pane, the entire URL is shown. In the lower right pane, carefully highlight the entire URL, as shown below.
Copy the URL and paste it into Chrome. As shown below, this attack involves entering script into the search field. If it worked, there would be a pop-up box, but there is none.
Instead, chrome shows a "ERR_BLOCKED_BY_XSS_AUDITOR" message, as shown below.
This is what security professionals call a compensating control--even though the Web site has a security flaw, customers using Chrome are protected by their browser.
Save a whole-desktop image with a filename of "Proj 4b from YOUR NAME".
Copy the URL and paste it into Chrome. You see a login screen, as shown below. Nothing is obviously wrong here.
Now log in with the valid username and password you created at the start of this project. When the login is complete, your page redirects to google.com, not to Hackazon.
This is a serious vulnerability! The user could be redirected to a page that installs malware, or steals their credentials, or other evil things.
We'll use Chrome Developer Tools to document this vulnerability.
Open a new Chrome window and open hackazon.samsclass.info
You are currently logged in, as shown below.
At the upper right, click Logout.
From the Chrome menu bar, click View, Developer", "Developer Tools". In the Developer Tools pane, click the Network tab.
Paste this into the URL bar in Chrome and then press Enter:
Several elements load and scroll by in the Developer Tools pane, and the Login page loads, as shown below. In the Developer Tools pane, click the "Preserve log" box, as outlined in green in the image below.
Log in with a valid name and password. Scroll through the Network items--you should see a hackazon login URL, followed by about 15 other elements, and then www.google.com with a status code of "307 Internal Redirect", as shown below. This is not a normal load of Google, which would show a 200 Status, and it demonstrates the vulnerability.
Save a whole-desktop image with a filename of "Proj 4c from YOUR NAME".
Copy the URL and paste it into Chrome. At the top right, click Logout.
Paste the URL in again and press Enter. You see a login screen. Look at ZAP again--it specifies that the parameter is username and that the Attack is "ZAP' AND '1'='1' --".
To test the attack, enter this text into both the username and password fields, as shown below.
ZAP' AND '1'='1' --
Click the "Sign In" button.
You see a big SQL error message, as shown below.
Email the image to email@example.com with a subject of "Project 4 from YOUR NAME".