Analyze some of the php web applications we created

Reference no: EM131396121

Lab Assignment: Introduction to OWASP ZAP

Overview

This lab walks you through using ZAP by OWASP. ZAP is a vulnerability analysis tool used to scan Web applications for possible software flaws. As an introduction to using ZAP, you will scan and intercept the HTTP traffic of the PHP code we developed in week 4. You will also run the attack scanner on code you developed in week 4.

Important: Do not attempt to use these tools against any live Web site. It is illegal to do so. You can only scan sites you have written permission to scan. You should use the virtual machine on applications you developed running on the localhost and disconnect from the Internet when running ZAP.

Learning Outcomes:

At the completion of the lab you should be able to:

1. Launch ZAP and view Web sites history and input parameters
2. Use ZAP to intercept HTTP messages and change their content to identify possible vulnerabilities
3. Read and analyze reports produced from ZAP and prioritize and fix alerts associated with software issues

Lab Submission Requirements:

After completing this lab, you will submit a word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, your associated files should be submitted. You can submit multiple files in a zip file.

Virtual Machine Account Information

Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are:
Username: umucsdev  Password: umuc$d8v

Part 1 - Launch ZAP and view Web sites history and input parameters

This exercise will walk you through launching ZAP and allow you to become comfortable with the ZAP GUI within your virtual machine. We will use ZAP to begin to analyze some of the PHP Web applications we created in week 4.

1. Important: Disconnect your machine from the Internet when using ZAP. This will ensure you are only scanning applications on your localhost. You can do this by unplugging the Internet cable on your machine or if you have Wireless connection, you should turn your Wi-Fi off.

2. Start your Virtual Machine as you would normally by clicking the Oracle VM VirtualBox, starting the SDEV32Bit image and then logging into the machine.

3. Verify your Firefox browser has the Proxy properly configured. To do this, launch Firefox and go to Options -> Preferences menu.

4. Click on the Advanced icon and select the Network tab.

5. Select the Settings button and then enter localhost for the HTTP Proxy with a Port of 8080. Also, be sure "Use this proxy server for all protocols" is selected and the "No proxy for:" textarea is blank.

6. Click OK and your Browser will send HTTP messages to the already preconfigured ZAP proxy. Note: Once you are done with ZAP, you will need to change your Browser settings back to "No proxy" before performing normal browsing to either the localhost or the Internet.

7. To Launch ZAP, open up a shell prompt and change to the ZAP_2.3.1 folder.

8. Type the following command to start ZAP:
./zap.sh

The ./ prefix is important for properly and securely launching programs in Linux: it runs the script from the current folder rather than searching the PATH. After launching, the ZAP GUI will appear.

9. The GUI will look very complicated at first as there is much functionality that this tool can perform. Over the next couple of weeks you will be exposed to most of the critical features.

10. To use the Sites and History tabs, you will need to launch your Browser. Open your Browser and launch the DemoGetForm.html file from week 4. The URL should be: localhost/week4/DemoGetForm.html. If you review the ZAP tool you will see the Sites tree has listed the GET:DemoGetForm.html file. Also, notice that the History tab has information related to this site.

11. If you click on the Request and Response tabs on the right side of the tool, you will see both the header and body of the DemoGetForm.html file.

12. You should carefully review the request and response details, noting how much information is revealed from this transaction. Information such as the Web server and operating system is revealed. All HTML source code and comments are also provided.

13. Complete the DemoGetForm.html form and notice the addition of get_Submit.php (with the parameters fname, lname and mypass) to the History and Sites tabs. Also, notice the Request and Response tabs as well as the Params tab near the bottom.

You should experiment with using ZAP by running the other Web applications you created in week 4. As you run these applications, be sure to review the Sites, History, Request, Response and Params tabs.

Part 2 - Use ZAP to intercept HTTP messages and change their content to identify possible vulnerabilities

One of the strong features of the ZAP tool is the ability to intercept an HTTP message and change its values in an attempt to find software flaws. In this exercise, we will use the week 4 PHP web applications and demonstrate how the input parameters sent from the form can easily be changed and redirected back to the application with the new parameters.

To intercept an HTTP transmission, you use the Break Points functionality within ZAP.

1. As before, be certain you have disconnected your machine from the Internet, launch your virtual machine and then start ZAP.

2. To set a Break point, right-click the specific site you want to break on. For example, if we want to put a Break point on the get_Submit.php file, we would right-click that site, select Break and then select Save.

3. Once the Break Point is set, it will display in the Break Points tab.

4. To test the break point, launch the DemoGetForm.html application, complete the form and then press Submit. You will notice the browser seems to hang, as the HTTP request has been intercepted by the proxy and is awaiting action in ZAP.

5. You can now modify the original data by right-clicking in the Break tab and selecting Resend. When the Resend frame appears, modify the GET string as appropriate and select the Send button.

6. You will then be able to see the new response in the window.

7. To release the break point, you can click on the arrows at the top which allow you to Submit and step to the next break. Once you select those arrows, the data will be submitted and the browser will show the results. Note, you can also modify the text in the break tab itself and then click the submit arrows to show the results in your browser.

This is where the person-in-the-loop analysis and discovery takes place. Manipulating the data sent into the applications provides insight into the vulnerabilities of the application. For example, you may discover that sending in a null password allows access to the system. You may also discover providing an admin username and brute force password guess may provide additional system privileges.

You should experiment with all of the week 4 PHP applications to see how parameters and information can be changed and the resulting impact on the application.

Part 3 - Read and analyze reports produced from ZAP

In this part of the lab, we will run the automatic scanning feature of ZAP, generate HTML Alert reports for DemoGetForm.html and DemoPostForm.html, and discuss approaches to prioritize and mitigate the issues found in each Web application.

1. As before, be certain you have disconnected your machine from the Internet, launch your virtual machine and then start ZAP.

2. Under the Quick Start tab of ZAP, enter the localhost/week4/DemoGetForm.html URL and click attack.

3. As the scan runs, you will see hundreds of requests logged in the Active Scan tab. You will also see several Alerts. Alerts from the scan indicate possible vulnerabilities. The color of the flag indicates the risk level of the issue found.

4. To generate a report from the scan in HTML format, open the Report menu from the top menu bar and select Generate HTML Report.

5. Save the report to a folder and filename of your choice. For this example, a ScanResults folder was created and the HTML report was saved to the DemoGetFormReport file. Click Save to continue.

6. The HTML report should automatically open in your Browser. If not, use the file manager to open the report.

7. You should review the report carefully, comparing the risk levels, descriptions, URL, Parameter, Attack, Solution, Reference, CWE ID and WASC ID. When you prepare your lab report for this week, you will use each of these fields to describe your findings as well as to formulate your solutions. The solutions provided may work, but you may need to dig deeper into the references to mitigate the issue. Typically, you should work to mitigate the higher risk issues first.

8. After you have resolved the issues, you can rescan the application and see if any Alerts remain. You will find some of the warnings are easy to fix. Some are more challenging - particularly the Cross-Site Scripting issues.

9. You can use the File -> New Session option to clear the current session.

10. Next, run a similar scan and analysis of the week4/DemoPostForm.html application. Save the results to a file named DemoPostSubmitReport.

You will find a similar number and similar types of alerts for this web application.

11. Work through the report to analyze the results and remove alerts where possible.

The analysis and mitigation of issues is a repetitive process that should be done often in development and after each release to make sure issues are not introduced during updates. ZAP is just one tool for use in this process. Be aware that ZAP is not the only approach for finding software vulnerabilities nor will it eliminate or find all of the issues. Other scanners and techniques should be used to help secure your web application.
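The lesson of Part 2 is that any value the form sends can be rewritten in the proxy before it reaches the PHP script, and the lesson of Part 3 is that the reflected-input (Cross-Site Scripting) and information-disclosure alerts have to be fixed in the server-side code. The following is an added example written for this page; it is not the week 4 code and not part of the lab. It is a hardened handler in the spirit of get_Submit.php, taking the parameter names fname, lname and mypass from the lab; the file name hardened_submit.php, the welcome message, the name-format rule and the demo credential are assumptions.

```php
<?php
// Added example, not part of the lab or the week-4 code: a hardened handler in the
// spirit of get_Submit.php, which the lab says receives fname, lname and mypass.
// The welcome message, the name rule and the demo credential are assumptions.
declare(strict_types=1);

// Response headers, sent before any output. header_remove() drops the PHP version
// banner noted in Part 1 step 12; the other headers address common passive-scan alerts.
function send_security_headers(): void
{
    header_remove('X-Powered-By');               // no PHP version banner
    header('X-Frame-Options: DENY');             // anti-clickjacking
    header('X-Content-Type-Options: nosniff');   // no MIME sniffing
    header('Cache-Control: no-store');           // response follows a credential submission
    header('Content-Type: text/html; charset=UTF-8');
}

// Server-side validation. Part 2 shows every form value can be rewritten in the
// proxy, so client-side checks in the HTML form cannot be relied on here.
function validate_name(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    // letters, spaces, hyphens and apostrophes only, 1 to 40 characters (assumed rule)
    return preg_match('/^[\p{L} \'\-]{1,40}$/u', $value) === 1 ? $value : null;
}

function password_matches(?string $value, string $stored_hash): bool
{
    // A null or empty password is rejected outright (the "null password" case in
    // Part 2) before the hash comparison is even attempted.
    if ($value === null || $value === '' || strlen($value) > 128) {
        return false;
    }
    return password_verify($value, $stored_hash);
}

// Output encoding: the fix for the Cross-Site Scripting alerts Part 3 mentions.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns [HTTP status, HTML body] so the logic can be exercised without a web server.
function handle_submission(array $params, string $stored_hash): array
{
    $fname = validate_name($params['fname'] ?? null);
    $lname = validate_name($params['lname'] ?? null);
    $ok    = password_matches($params['mypass'] ?? null, $stored_hash);

    if ($fname === null || $lname === null || !$ok) {
        // One generic message: no hint about which field failed.
        return [400, '<p>Invalid input.</p>'];
    }
    // The unencoded equivalent that ZAP flags: echo 'Welcome, ' . $params['fname'];
    return [200, '<p>Welcome, ' . html($fname) . ' ' . html($lname) . '.</p>'];
}

// Constructed demo credential; a real application loads the hash from its user store.
$demo_hash = password_hash('Correct-Horse-9', PASSWORD_DEFAULT);

if (PHP_SAPI !== 'cli') {
    // Serving a request: same $_GET parameters the week-4 form sends.
    send_security_headers();
    [$status, $body] = handle_submission($_GET, $demo_hash);
    http_response_code($status);
    echo $body;
} else {
    // Stand-alone check from the shell: php hardened_submit.php
    // Cases are constructed: a valid submission, a script-tag name, an empty password.
    $cases = [
        ['fname' => 'Ada', 'lname' => 'Lovelace', 'mypass' => 'Correct-Horse-9'],
        ['fname' => '<script>alert(1)</script>', 'lname' => 'X', 'mypass' => 'Correct-Horse-9'],
        ['fname' => 'Ada', 'lname' => 'Lovelace', 'mypass' => ''],
    ];
    foreach ($cases as $c) {
        [$status, $body] = handle_submission($c, $demo_hash);
        echo $status, ' ', $body, PHP_EOL;
    }
}
```

The handler keeps the GET transport so it lines up with what you see in the History tab, but note that a password in a GET query string is itself visible there and in server logs; the DemoPostForm.html variant from week 4 is the better carrier for credentials, and the server-side rules above apply unchanged. After deploying a change like this, rescan the application (Part 3 step 8) to confirm which alerts have actually gone away rather than assuming the fix worked.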

Attachment: Lab-Introduction_to_owasp_zap.pdf
