
How to use OWASP ZAP & Vulnerabilities Slikmap

Yuho Kameda
September 14, 2019


Making full use of OWASP ZAP and the Vulnerability Assessor Skill Map
Presented at OWASP Nagoya, 2019/9/14


Transcript

  1. OWASP ZAP @YuhoKameda 2019/9/14 in OWASP Nagoya

  2. Agenda • [items not recoverable from the extraction] • OWASP ZAP 2.8.0
  3. [text not recoverable]

  4. [text not recoverable]

  5. [text not recoverable; surviving term: EOL]

  6. [text not recoverable; surviving terms: OS, CMS]

  7. [text not recoverable; surviving terms: RSS, SNS, JPCERT/CC, IPA]

  8. [text not recoverable]

  9. [text not recoverable]

  10. [text not recoverable]

  11. [text not recoverable; surviving terms: WordPress, Apache Struts]

  12. [text not recoverable]

  13. [heading not recoverable] • Pentester Skillmap Project JP (WG) – JNSA [text not recoverable], ISOG-J [text not recoverable] – OWASP Japan – https://www.owasp.org/index.php/Pentester_Skillmap_Project_JP

  14. [text not recoverable; surviving terms: Silver, Web, Gold, IT]

  15. [text not recoverable; surviving terms: Gold, Web]

  16. [text not recoverable; surviving term: Web]

  17. [text not recoverable]

  18. [text not recoverable]

  19. [text not recoverable; surviving terms: Web, SQL, DB]

  20. [text not recoverable; of an eight-item list only items 5 (HTTPS) and 6 (cookie) survive]

  21. [text not recoverable]
  22. OWASP ZAP

  23. [text not recoverable]

  24. OWASP ZAP [text not recoverable] • OWASP Zed Attack Proxy (ZAP) • [text not recoverable] • Web [text not recoverable] • [text not recoverable]

  25. ZAP timeline from ver 2.0.0 [heading partly not recoverable]
     – 2013: 2013/01/30 ver 2.0.0 • 2013/04/18 ver 2.1.0 • 2013/09/11 ver 2.2.0 • 2013/09/27 ver 2.2.2 • 2013/11/04 ZAP Evangelist [text not recoverable]
     – 2014: 2014/03/17 AppSec APAC [text not recoverable] • 2014/03/27 ZAP Evangelist [text not recoverable] • 2014/04/10 ver 2.3.0 • 2014/05/21 ver 2.3.1
     – 2015: 2015/04/14 ver 2.4.0 • 2015/07/30 ver 2.4.1 • 2015/08 ZAP [text not recoverable] • 2015/09/07 ver 2.4.2 • 2015/12/04 ver 2.4.3
     – 2016: 2016/06/03 ver 2.5.0 • 2016/06/03 bugcrowd [text not recoverable]
     – 2017: 2017/03/29 ver 2.6.0 • 2017/11/28 ver 2.7.0
     – 2019: 2019/6/8 ver 2.8.0 • 2019/8/28 ver 2.8.1
     – [label not recoverable]: Kali

  26. ZAP [heading not recoverable]
     • Twitter (ZAP [text not recoverable]) – https://twitter.com/zaproxy
     • ZAP Blog – https://zaproxy.blogspot.jp/
     • ZAP User Guide – https://github.com/zaproxy/zap-core-help/wiki
     • ZAP Introduction Wiki – https://github.com/zaproxy/zaproxy/wiki/Introduction
     • ZAP User Group – https://groups.google.com/group/zaproxy-users
     • Crowdin ZAP GUI translation – https://crowdin.com/project/owasp-zap
     • Crowdin ZAP User Guide Translation – https://crowdin.com/project/owasp-zap-help
     • Open Hub (OSS [text not recoverable]) – https://www.openhub.net/p/zaproxy
     • Bountysource (ZAP [text not recoverable]) – https://www.bountysource.com/teams/zap/issues
     • ZAP [text not recoverable] Ver.2.1.0 – https://docs.google.com/file/d/0B1e1Cma1GUllazNUNVp6OWdGYzg/edit

  27. ZAP [heading not recoverable] • Active Scan • Passive Scan • [several items not recoverable] • AJAX [text not recoverable] • [several items not recoverable] • Fuzzer • Web Sockets • Replacer • Zest • [item not recoverable]

  28. ZAP [text not recoverable]

  29. ZAP [text not recoverable]

  30. ZAP [text not recoverable]
  31. OWASP ZAP 2.8.0 • 2019/6/8

  32. The Heads Up Display • ZAP [text not recoverable] – https://github.com/zaproxy/zap-hud

  33. [heading not recoverable] – vulnerability categories listed on the slide (decoded from the garbled font extraction; they are the WASC Threat Classification categories as listed in ZAP's vulnerabilities_ja_JP.xml): Insufficient Authentication • Insufficient Authorization • Integer Overflow • Insufficient Transport Layer Protection • File Inclusion • Format String • Buffer Overflow • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF) • Denial of Service (DoS) • Brute Force (login) • Brute Force (session …) • Brute Force (directory/file) • Brute Force (credit card) • Content Spoofing • Information Leakage • Server Misconfiguration • Application Misconfiguration • Directory Indexing • Improper Filesystem Permissions • Credential and Session Prediction • SQL Injection • Improper Input Handling • Insufficient Anti-automation • Improper Output Handling • XML Injection • HTTP Request Splitting • HTTP Response Splitting • HTTP Request Smuggling • HTTP Response Smuggling • Null Byte Injection • LDAP Injection • Mail Command Injection • OS Command Injection • Routing Detour • Path Traversal • Predictable Resource Location • SOAP Array Abuse • SSI Injection • Session Fixation • URL Redirector Abuse • XPath Injection • Insufficient Process Validation • XML Attribute Blowup • Abuse of Functionality • XML External Entities • XML Entity Expansion • Fingerprinting • XQuery Injection • Insufficient Session Expiration • Insecure Indexing • Insufficient Password Recovery – https://github.com/zaproxy/zaproxy/blob/develop/zap/src/main/dist/lang/vulnerabilities_ja_JP.xml

  34. Active Scan Rule • [text not recoverable] • Release / Beta / Alpha – Release [text not recoverable] – Beta [text not recoverable] – [text not recoverable] Release

  35. Active Scan Rule • Active Scan Rules [text not recoverable]

  36. Active Scan Rule • [text not recoverable]

  37. Active Scan Rule • CVE [text not recoverable]

  38. Passive Scan Rule • [text not recoverable] • Release / Beta / Alpha – Release [text not recoverable] – Beta [text not recoverable] – [text not recoverable] – [text not recoverable] (Release)

  39. Passive Scan Rule • [text not recoverable] https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules

  40. Http [text not recoverable]

  41. Http [text not recoverable]

  42. Http [text not recoverable]

  43. ZAP [text not recoverable] • [text not recoverable] – Protect Mode • [text not recoverable] – Context • 141 [text not recoverable] – Active Scan Rules – Passive Scan Rules • [text not recoverable] – Http [text not recoverable]

  44. ZAP • [text not recoverable] • Custom Fuzzer [text not recoverable]

  45. [text not recoverable] • OWASP ZAP 2.8.0 – ZAP [text not recoverable] – [text not recoverable]

  46. Profile • Mail: yuho.kameda@owasp.org • Twitter: @YuhoKameda • WebSite: – https://www.owasp.org/index.php/User:Yuho_Kameda – https://speakerdeck.com/ykame