Project 4: Zed Attack Proxy (20 pts.)

What You Need

Purpose

You will configure the Zed Attack Proxy and learn a few of its basic features.

Get Chrome

If you don't have Chrome, download and install it from www.google.com/chrome

Viewing Hackazon

In a browser, go to http://hackazon.samsclass.info

Explore the site bit--it's an imitation of Amazon, as shown below:

Click the "New User?" button and create an account using any username and password. Explore the personalized site a bit, then log out. Make a note of your username and password for later use.

Installing Java

In a Web browser, go to http://www.java.com/en/

Download and install the latest Java version.

Downloading ZAP

In a Web browser, go to https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

On the right side of the page, click "Download OWASP ZAP!".

On the next page, download the appropriate version for your OS.

Run the installer and install the software. If you are using a Mac, drag the "OWASP ZAP.app" icon into the Applications folder.

Troubleshooting

One student's ZAP refused to launch on Windows 10 from the desktop icon. To fix it, we changed the target from ZAP.exe to ZAP.bat.

Task A: Scanning the Hackazon App with ZAP

Start ZAP. A box asks "Do you want to persist the ZAP Session?". Accept the default of "No..." and click Start.

A "Manage Add-ons" box appears. Click Close.

In the top right pane, enter a "URL to attack" of http://hackazon.samsclass.info, as shown below.

Click the Attack button. A series of messages scrolls by in the lower pane as ZAP attacks the site, searching for vulnerabilities.

Let the scan complete. There's a progress bar in the lower center of the ZAP window. It took 30 minutes to get to 52% when I did it.

When the scan is at least 50% complete, in the lower pane, click the Alerts tab. You should see red flags, for "Cross Site Scripting" and "SQL Injection", as shown below.

Saving the Screen Image

Make sure red flags, for "Cross Site Scripting" and "SQL Injection" are visible, as shown above.

Save a whole-desktop image with a filename of "Proj 4a from YOUR NAME".

Task B: Verifying an XSS Vulnerability

You can never trust a scanner. They often report false positives. So you must verify the vulnerability with manual testing.

In the lower left pane of ZIP, expand the "Cross Site Scripting (Reflected)" item, and click the URL. In the lower right pane, the entire URL is shown. In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Chrome. As shown below, this attack involves entering script into the search field. If it worked, there would be a pop-up box, but there is none.

Instead, chrome shows a "ERR_BLOCKED_BY_XSS_AUDITOR" message, as shown below.

This is what security professionals call a compensating control--even though the Web site has a security flaw, customers using Chrome are protected by their browser.

Saving the Screen Image

Make sure a message saying "ERR_BLOCKED_BY_XSS_AUDITOR" is visible, as shown above.

Save a whole-desktop image with a filename of "Proj 4b from YOUR NAME".

Task C: Verifying a Remote File Inclusion Vulnerability

In the lower left pane of ZIP, expand the "Remote File Inclusion" item, and click the URL. In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Chrome. You see a login screen, as shown below. Nothing is obviously wrong here.

Now log in with the valid username and password you created at the start of this project. When the login is complete, your page redirects to google.com, not to Hackazon.

This is a serious vulnerability! The user could be redirected to a page that installs malware, or steals their credentials, or other evil things.

We'll use Chrome Developer Tools to document this vulnerability.

Open a new Chrome window and open hackazon.samsclass.info

You are currently logged in, as shown below.

At the upper right, click Logout.

From the Chrome menu bar, click View, Developer", "Developer Tools". In the Developer Tools pane, click the Network tab.

Paste this into the URL bar in Chrome and then press Enter:

http://hackazon.samsclass.info/user/login?return_url=http%3A%2F%2Fwww.google.com%2F
Several elements load and scroll by in the Developer Tools pane, and the Login page loads, as shown below. In the Developer Tools pane, click the "Preserve log" box, as outlined in green in the image below.

Log in with a valid name and password. Scroll through the Network items--you should see a hackazon login URL, followed by about 15 other elements, and then www.google.com with a status code of "307 Internal Redirect", as shown below. This is not a normal load of Google, which would show a 200 Status, and it demonstrates the vulnerability.

Saving the Screen Image

Make sure www.google.com is visible with a status code of "307 Internal Redirect", as shown above.

Save a whole-desktop image with a filename of "Proj 4c from YOUR NAME".

Task D: Verifying a SQL Injection Vulnerability

In the lower left pane of ZIP, expand the "SQL Injection - MySQL" item, and click URL ending in "login". In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Chrome. At the top right, click Logout.

Paste the URL in again and press Enter. You see a login screen. Look at ZAP again--it specifies that the parameter is username and that the Attack is "ZAP' AND '1'='1' --".

To test the attack, enter this text into both the username and password fields, as shown below.

ZAP' AND '1'='1' --

Click the "Sign In" button.

You see a big SQL error message, as shown below.

Turning In Your Project

Email the image to cnit.129s@gmail.com with a subject of "Project 4 from YOUR NAME".


Updated 2-13-18