reading-notes

Dedicated to my thoughts while learning cybersec

View the Project on GitHub jakeoverall/reading-notes

Automated AppSec with ZAP

11/22/2020

everybodys problem

AppSec

Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities. Different techniques are used to surface such security vulnerabilities at different stages of an applications lifecycle such as design, development, deployment, upgrade, maintenance.

An always evolving but largely consistent set of common security flaws seen across applications below.

Category Threats & Attacks
Input Validation Buffer overflow; cross-site scripting; SQL injection; canonicalization
Software Tampering Attacker modifies an existing application’s runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension
Authentication Network eavesdropping; Brute force attack; dictionary attacks; cookie replay; credential theft
Authorization Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive information Access sensitive code or data in storage; network eavesdropping; code/data tampering
Session management Session hijacking; session replay; man in the middle
Cryptography Poor key generation or key management; weak or custom encryption
Parameter manipulation Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management Information disclosure; denial of service
Auditing and logging User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks

zap

Zed Attack Proxy (ZAP)

https://www.zaproxy.org

ZAP is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications.

Zap has been designed specifically to emulate the common man-in-the-middle proxy attack. The man-in-the-middle attack as it’s name sounds allows an attacker to sit and monitor the traffic between a client and a server. the client’s browser and the web application rarely will identify this attack is occuring which often allows the attacker to sit quietly and glean private information without the user being aware anything is happening. The attacker also has the ability to modify the contents of messages being sent or recieved between the client and the server.

ZAP provides functionality for a range of skill levels and practice attacks that developers testers and security professionals can all find useful. Zap also has the abilty to have scripts setup for automation and alerting with vulnerability scans detect issues.

| ⚠ WARNING: Testing applications without permission can be illegal. Please use ZAP within the bounds that you have been specifically given permission to test. | | — |