OWASP 2013 APPSEC USA ZAP Hackathon
OWASP
Zed Attack Proxy
Hackathon
Simon Bennetts
OWASP ZAP Project Lead, Mozilla Security
The Plan
Overview of how to extend ZAP
Describe the topics I could talk about
Find out what you really want to know ;)
Agree topics to cover
For each topic: Talk for a bit, hack for a bit
But it's all up for grabs, so we can change anything
And feel free to do your own thing!
I'll help out during the hacking sections
How you can extend ZAP
Without a dev environment: 3rd party tools
Scripts
Translations
Documentation
With a development environment:
Active & passive scan rules
'Full' extensions
What can you plug in?
Scripts
Script types
Active and Passive rules
UI elements: tabs, popups, toolbar buttons, menus, right click options...
API calls
Request / Response views
Breaking, Fuzzing, Searching
Topics I could talk about
The ZAP project structure
Setting up a ZAP development environment
ZAP documentation and internationalization
Implementing 'standard' scripts
Implementing Zest scripts
Implementing active and passive scan rules
Implementing Add-ons and extensions
Features and fixes to work on
More topics I could talk about
Key classes
Accessing core functionality and extensions
Internal events
The user interface
The API
The database
Request / Response views
Breaking, fuzzing, searching
Project Structure
zaproxy http://code.google.com/p/zaproxy/
The 'core' plus a lot more
zap-test http://code.google.com/p/zaproxy-test/
Unit tests
zap-extensions http://code.google.com/p/zap-extensions/
The add-ons
Trunk, alpha and beta branches!
Project Structure
zaproxy
  src: All the 'core' source code
    org/parosproxy: The 'old' Paros code
    org/zaproxy: The 'new' ZAP code
  help: Help files
  lang: Property files (UI)
  build: Build directory
  lib: Jar files
  scripts: Default script templates
Development Environment
Java 7
Eclipse (or your favorite Java IDE)
Subversive SVN (or equivalent)
Import ZAP projects via SVN:
https://zaproxy.googlecode.com/svn/trunk/
https://zaproxy-test.googlecode.com/svn/trunk/
https://zap-extensions.googlecode.com/svn/trunk/
https://zap-extensions.googlecode.com/svn/branches/alpha/
https://zap-extensions.googlecode.com/svn/branches/beta/
Add 'lib' jars to build path
Run org.zaproxy.zap.ZAP.java
Creating the Projects
File / New / Other...
SVN / Project from SVN
Create a new repository location
URL, e.g. https://zaproxy.googlecode.com/svn/
Select Resource, e.g. trunk
Check out .. using the New Project Wizard
Select a wizard: Java / Java Project
Add all lib/*.jar files to the build path
Dev Rules and Guidelines
http://code.google.com/p/zaproxy/wiki/DevGuidelines
Ease of use and consistency are key
All UI strings must be internationalized
Comment all changes to org.parosproxy.paros
All functionality should have help pages
Keep a clean split between functionality and UI
Check in code cleaner than you checked out
Write unit tests
Extensions should expose functionality, not UI elements (older ones still do)
Documentation and i18n
ZAP Help files: src/help
{addon}/resource/help
http://code.google.com/p/zaproxy/wiki/HelpIntro
Home pages:
https://www.owasp.org/index.php/ZAP 'Official' home page, 'outward' facing?
http://code.google.com/p/zaproxy/ More details, 'internal' facing?
http://crowdin.net/project/owasp-zap
Scripting
Passive Rules: Passive scanner
Active Rules: Active scanner
Proxy: Inline
Stand Alone: User controlled
Targeted: Right click invoke
Library: Work in progress ;)
Pluggable: Register at runtime
'Standard' Scripts
No IDE required :)
JavaScript (and Zest) built in
Python and Ruby: download from Marketplace
All other JSR 223 scripts supported with no templates
Templates give basic structure
But you still need some idea of ZAP internals:
http://code.google.com/p/zaproxy/wiki/InternalDetails
http://code.google.com/p/zaproxy/wiki/JavaDocs
Zest Scripts
Built in, same script types
But they are graphical
Implement JSR 223
And very new
Effectively ZAP's macro language
Right click everywhere!
https://developer.mozilla.org/en-US/docs/zest
Add-ons
Available from the ZAP Marketplace
Name format: id-status-version.zap
Status: alpha, beta, release
Standard ZIP file, containing: ZapAddOn.xml
Active scan rules
Passive scan rules
Extensions
Files
ZapAddOn.xml
  Short text name (no HTML)
  Longer description
  Author (no HTML)
Add-on file structure
  Package: org.zaproxy.zap.extension.name
    files: Will be included as files
    resource
      help: Help files
      icons: Images
      lib: Jars (will be expanded)
    Classes and sub packages
    Message.properties
    Message_locale.properties
    ZapAddOn.xml
Building Add-ons
zap-extensions/build/build.xml
zap-extensions/branches/alpha/build/build.xml
zap-extensions/branches/beta/build/build.xml
Typically just need to add your add-on to targets:
  build-all
  deploy-addon-id
  deploy-all
Everything will be handled if you stick to the standard file structure
Passive Scan Rules
Extend org.zaproxy.zap.extension.pscan.PluginPassiveScanner
Called for every request and response
Run in background thread
Can't change anything: look but don't touch ;)
Receive HttpMessage and DOM Source
Use PassiveScanThread.raiseAlert(..)
Lots of examples (trunk, beta, alpha?)
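A passive rule of the kind the slide describes, written here as an added example rather than code from the deck or the ZAP project (ZAP ships its own X-Frame-Options rule; the point is the shape of a rule). It reads the response, never modifies it, and raises an alert through the PassiveScanThread. The plugin id and the message keys are placeholders, and the Alert.setDetail signature is the one from the ZAP 2.x releases of this era; check it against the JavaDocs linked earlier.

```java
import net.htmlparser.jericho.Source;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.pscan.PassiveScanThread;
import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;

// Flags HTML responses that lack an X-Frame-Options header (clickjacking defence).
// Look but don't touch: the rule only reads msg and raises an alert via the parent thread.
public class XFrameOptionsMissingScanner extends PluginPassiveScanner {
    private static final int PLUGIN_ID = 60001; // placeholder id, not an official ZAP one
    private static final String PREFIX = "pscanalpha.xframeoptions."; // keys in the add-on's message properties file (assumed)
    private PassiveScanThread parent;

    @Override
    public void setParent(PassiveScanThread parent) { this.parent = parent; }

    @Override
    public void scanHttpRequestSend(HttpMessage msg, int id) { /* request side: nothing to check */ }

    @Override
    public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
        // Only HTML documents can be framed, so skip images, scripts, JSON etc.
        if (!msg.getResponseHeader().isHtml()
                || msg.getResponseHeader().getHeader("X-Frame-Options") != null) {
            return;
        }
        Alert alert = new Alert(getPluginId(), Alert.RISK_MEDIUM, Alert.WARNING, getName());
        alert.setDetail(
                Constant.messages.getString(PREFIX + "desc"),
                msg.getRequestHeader().getURI().toString(),
                "", "", "",                    // param, attack, other info: none for a missing header
                Constant.messages.getString(PREFIX + "soln"),
                Constant.messages.getString(PREFIX + "refs"),
                "",                            // evidence: the header is absent, nothing to quote
                0, 0,                          // CWE and WASC ids, left unset in this example
                msg);
        parent.raiseAlert(id, alert);
    }

    @Override
    public String getName() { return Constant.messages.getString(PREFIX + "name"); }

    @Override
    public int getPluginId() { return PLUGIN_ID; }
}
```

Because the rule runs on the background passive scan thread for every response, keep the check cheap and bail out early on content types it does not apply to.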
Active Scan Rules
Extend org.parosproxy.paros.core.scanner.AbstractPlugin
  AbstractAppPlugin: every node
  AbstractAppParamPlugin: every param
  AbstractHostPlugin: hosts / 1st node
Can change anything: make new requests etc
AbstractPlugin has lots of utility methods
Lots of examples (trunk, beta, alpha?)
Extensions
Extend org.parosproxy.paros.extension.Extension
Can do anything: much of the 'core' is really extensions
Should have their own language files
Lots of examples: pick one that does something vaguely similar?
Features and Fixes
Scripts, in Javascript, Python, Ruby, Zest
New script templates: Groovy, Scala ...
Active and passive scan rules
http://code.google.com/p/zaproxy/wiki/Projects
http://code.google.com/p/zaproxy/issues/list
'IdealFirstBug' tag
Wrap / port another tool (retire.js, ..)
Whatever you want to do!
Extension Hooks
OptionsChangedListener
ProxyListener
SessionChangedListener
SiteMapListener
PersistentConnectionListener
AddonFilesChangedListener
CommandLineListener
Key Classes
ZAP: main class
Model: singleton
View: singleton
Control: singleton
Session: access via Model
SiteMap: access via Session
SiteNode: a SiteMap node
HttpMessage: full request/response
HistoryReference: subset of HttpMessage
Alert: a vulnerability
Accessing Extensions
Core Extensions (i.e. included by default)
  ExtensionXXX extXXX = (ExtensionXXX) Control.getSingleton()
          .getExtensionLoader().getExtension(ExtensionXXX.NAME);
  if (extXXX != null) {
      // Now you can use it...
      extXXX.someFunction();
  }
For extensions not included by default you must use a String name
and access functions via reflection
API
org.zaproxy.zap.extension.api.API - singleton
api.registerApiImplementor(ApiImplementor impl)
ApiElement
  ApiView: return structured info (ApiResponse)
  ApiAction: make changes (return structured info)
  ApiOther: return raw data
API generators:
  JavaAPIGenerator
  PythonAPIGenerator
  WikiAPIGenerator
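An ApiImplementor showing the view/action split from the slide, added here as an example and not code from the deck or the ZAP project. The prefix, element names and the tag bookkeeping are invented for illustration; the ApiImplementor, ApiView, ApiAction, ApiResponseElement and ApiException types are the ones in org.zaproxy.zap.extension.api.

```java
import java.util.HashSet;
import java.util.Set;
import net.sf.json.JSONObject;
import org.zaproxy.zap.extension.api.ApiAction;
import org.zaproxy.zap.extension.api.ApiException;
import org.zaproxy.zap.extension.api.ApiImplementor;
import org.zaproxy.zap.extension.api.ApiResponse;
import org.zaproxy.zap.extension.api.ApiResponseElement;
import org.zaproxy.zap.extension.api.ApiView;

// Hypothetical add-on API exposing one view (read-only) and one action (changes state):
//   /JSON/hackathon/view/tagCount/   and   /JSON/hackathon/action/addTag/?tag=...
public class HackathonApi extends ApiImplementor {
    private static final String PREFIX = "hackathon";
    private static final String VIEW_TAG_COUNT = "tagCount";
    private static final String ACTION_ADD_TAG = "addTag";
    private static final String PARAM_TAG = "tag";
    private final Set<String> tags = new HashSet<String>();

    public HackathonApi() {
        // Views return structured info; actions make changes. Mandatory params are declared here
        // so the API layer rejects calls that omit them before handleApiAction() runs.
        this.addApiView(new ApiView(VIEW_TAG_COUNT));
        this.addApiAction(new ApiAction(ACTION_ADD_TAG, new String[] { PARAM_TAG }));
    }

    @Override
    public String getPrefix() { return PREFIX; }

    @Override
    public ApiResponse handleApiView(String name, JSONObject params) throws ApiException {
        if (VIEW_TAG_COUNT.equals(name)) {
            return new ApiResponseElement(name, Integer.toString(tags.size()));
        }
        throw new ApiException(ApiException.Type.BAD_VIEW);
    }

    @Override
    public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
        if (ACTION_ADD_TAG.equals(name)) {
            String tag = params.getString(PARAM_TAG).trim();
            if (tag.isEmpty()) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TAG);
            }
            tags.add(tag);
            return ApiResponseElement.OK;
        }
        throw new ApiException(ApiException.Type.BAD_ACTION);
    }
}
```

Register it once, for example from your extension's hook(), with API.getInstance().registerApiImplementor(new HackathonApi()); unknown view or action names fall through to the ApiException so the API layer reports them instead of silently returning nothing.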
Database
http://code.google.com/p/zaproxy/wiki/InternalDatabase
HSQLDB: can access directly via SQL tools
Package: org.parosproxy.paros.db
Shouldn't typically access the db directly: use the extension that 'owns' the data
Add-ons can create new tables: see websockets
The schema must be backwards compatible between releases
Pluggable HttpPanels
org.zaproxy.zap.extension.httppanel
Request and Response display options
Good examples: websockets & plugnhack (?)
httppanel
  component: XxxComponent
  models: extend Abstract*HttpPanelViewModel
  views: extend HttpPanelTextArea...
Feedback?
The OWASP Foundation http://www.owasp.org
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.