W 220: Zed Attack Proxy (25 pts extra)

What You Need

Purpose

You will configure the Zed Attack Proxy and learn a few of its basic features.

Installing ZAP

On your Google Cloud Linux server, in an SSH window, execute these commands:
apt-get update

sudo apt-get install wget default-jdk -y

sudo su -

echo 'deb http://download.opensuse.org/repositories/home:/cabelo/Debian_9.0/ /' \
> /etc/apt/sources.list.d/home:cabelo.list

wget -nv https://download.opensuse.org/repositories/home:cabelo/Debian_9.0/Release.key \
-O Release.key

apt-key add - < Release.key

apt-get update

apt-get install owasp-zap -y

exit

Launch ZAP

In Chrome, using the Google Chrome Desktop on your Linux cloud server, open a Terminal and execute this command:
owasp-zap

Get Chrome

If you don't have Chrome, download and install it from www.google.com/chrome

Viewing Hackazon

On any computer, in Firefox, go to http://hackazons.samsclass.info

It's an imitation of Amazon, as shown below:

At the top right, click "Sign Up". Create an account using any username and password. Log out of Hackazon. Make a note of your username and password for later use.

Task A: Scanning the Hackazon App with ZAP

Start ZAP. A box asks "Do you want to persist the ZAP Session?". Click the "No..." button and click Start.

A "Manage Add-ons" page appears. At the top right, click the X to close it.

The main ZAP window appears, as shown below.

Click the "Automated Scan" button.

In the top right pane, enter a "URL to attack" of https://hackazons.samsclass.info, as shown below.

Click the Attack button. A series of messages scrolls by in the lower pane as ZAP attacks the site, searching for vulnerabilities.

You can see the progress of the scan in the bottom center, outlined in red in the image below. It takes about 7 minutes to finish.

Flag W 220.1: XSS Type (10 pts)

When the scan is complete, in the lower pane, click the Alerts tab. You should see five red flags, as shown below.

The flag is covered by a green box in the image below.

Verifying an XSS Vulnerability

You can never trust a scanner. They often report false positives. So you must verify the vulnerability with manual testing.

In the lower left pane of ZIP, expand the "Cross Site Scripting" item, and click the GET line. In the lower right pane, the entire URL is shown. In the lower right pane, highlight the URL. Press Ctrl+C to copy it.

On your Cloud Server's desktop, open Firefox. Click in the Address bar. Press Ctrl+V to paste the URL and press Enter.

Flag W 220.2: Pop-Up Message (5 pts)

The injected script runs, popping up a box, as shown below. The flag is the message in the box, covered by a green box in the image below.

Verifying a Remote File Inclusion Vulnerability

In the lower left pane of ZIP, expand the "Remote File Inclusion" item, and click the URL. In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Firefox. You see a login screen, as shown below. Nothing is obviously wrong here.

Flag W 220.3: Redirection (5 pts)

In Firefox, log in with the username and password you created at the start of this project.

When the login is complete, your page redirects to a different site.

The URL of that site is the flag.

Verifying a SQL Injection Vulnerability

In Firefox, click Back to return to Hackazon.

in Hackazon, at the top right, click Logout.

In the lower left pane of ZAP, expand the "SQL Injection - MySQL" item, and click the shorter POST request, as shown below.

In the lower right pane, carefully highlight the entire URL, as shown below.

Copy the URL and paste it into Firefox. Press Enter.

You see a login screen. Look at ZAP again--it specifies that the parameter is username and that the Attack is "ZAP' UNION ALL select NULL --".

To test the attack, enter this text into both the username and password fields, as shown below.

ZAP' AND '1'='1' --

Flag W 220.4: SQL Error (5 pts)

Click the "Sign In" button.

You see a big SQL error message. The flag is covered by a green box in the image below.

Sources

owasp-zap from home:cabelo project

Updated 1-30-2020 to use a Cloud server
Typo fixed 2-2-2020
Java install added, cleaned up, moved to HTTPS target page 6-13-2020