Usable Security Tooling - Creating Accessible Security Testing with ZAP

David Scrobonia, Security Engineer, Segment twitter, linkedin
abstract slides video

The Hero Security UX Needs

Security tools aren’t exactly known for having clean UIs or being intuitive to use. David took this as a personal challenge and ended building a heads-up display (HUD) for OWASP ZAP, an intercepting proxy security testing tool.

The HUD allows you to view info from ZAP and use ZAP functionality from on the page you’re testing itself, without having to switch to a separate window or tool.

What’s an Intercepting Proxy?

An intercepting proxy is a tool commonly used by pen testers or security engineers to test web or mobile applications. The proxy sits between your browser and the web server you’re testing, allowing you to inspect, edit, and replay any HTTP request sent between your browser or device and the server.

ZAP is an OWASP flagship project, is free and open source, and has been downloaded directly ~625,000 times and has had ~1M Docker image pulls.

ZAP User Stats

David presented some ZAP user stats I found interesting: ~40% of users have been security for under 1 year and ~68% have been in security under 3 years, and 45% of users are QA or developers.

The Heads-up Display (HUD)

Taking inspiration from fighter jets, David decided to build a way for ZAP users to view the most relevant ZAP info in a concise way on the page that they’re testing.

At 7:52 David starts to do a live demo, but apparently there were insufficient sacrifices to the demo gods, so he falls back to several recorded demos at 10:44.

Features: The ZAP HUD allows you to easily view ZAP findings from within the browser (alert notifications pop up as issues are discovered and there are icons you can click to view all findings of a given severity), and you can perform actions like spidering the site, adding or removing the current page from scope, and starting an active scan by similarly clicking on an icon within your browser.

Other cool features include:

• You can enable an option to auto-show and enable all hidden fields for every form, making it immediately evident what info the website is expecting and making it easy to supply arbitrary values.

• If you don’t want to active scan an entire site, you can enable “attack mode” and ZAP will scan just the pages and endpoints you’re currently manually testing.

The ZAP HUD is also highly extensible, which is probably one of the most exciting and powerful parts of this. At 16:17 David shows a demo video of how you can customize the HUD to display whatever info you want, and add buttons to perform arbitrary actions.

Implementation Details

Rather than implementing the HUD via a browser extension, which may not be portable across browsers, the HUD instead works by having ZAP injecting an additional JavaScript flie include into loaded pages, which references a script hosted by ZAP that implements the HUD.

The HUD logic is encapsulated in a JavaScript closure so the page can’t modify it, and then the script modifies the page to add several iframes, corresponding to each of the Actions in the HUD on the right and left hand side of your browser window. Service workers are used to keep the HUD responsive when you’re intercepting requests and otherwise performing actions that would cause normal JavaScript on the page from dying or reloading.

Who Can Use the HUD and Why

Developers can use the HUD to get early feedback on if their code has security bugs as they develop. It can enable them to see their app as an attacker would and provides hassle free browser integration.

Bug Bounty Hunters can use it to simplify their process, for example, by adding in new HUD tools for recon (e.g. BuiltWith, Wappalyzer, amass) and displaying notifications there are changes to cookies, parameters, local storage (giving visibility into what the app is doing). ZAP let’s you configure how to log in as different users, so you could add a HUD tool to quickly switch between test users, making testing for access control issues much easier.

QA engineers can benefit from how it highlights attack surface (hidden fields, forms), enables easy fuzzing and attacking forms within the browser, without having to use external tools, and in the future there could even by a Jira plugin for quick reporting, that with the click of a button would create a Jira ticket with all of the relevant testing info autopopulated.

The Security Team could similarly benefit from a Jira plugin, and they could also define custom rules for an app (set various policy configs that all testers automatically pull in during testing) and configure global scan rules for your organization (e.g. perhaps there are certain issues you don’t care about, or there are org-specific issues you want to ensure are always tested).

References

David wrote an excellent, detailed blog post about the HUD (Hacking with a Heads Up Display) which includes links to a number of demo videos. He also presented about the ZAP Hud at AppSec USA 2018 (video).

David also referenced segmentio/netsec, a library that Segment open sourced that provides a decorator for the typical dial functions used to establish network connections, which can be configured to whitelist or blacklist certain IP network ranges. For example:

t (
    "net/http"
    "github.com/segmentio/netsec"
)

func init() {
    t := http.DefaultTransport.(*http.Transport)
    // Modifies the dial function used by the default http transport to deny
    // requests that would reach private IP addresses.
    t.DialContext = netsec.RestrictedDial(t.DialContext,
        netsec.Blacklist(netsec.PrivateIPNetworks),
    )
}