Arachni & OWASP Zed Attack Proxy
Course: Network and Software Systems Security (Sicurezza delle reti e dei sistemi software)
Academic year: 2016/2017
Arachni
- http://www.arachni-scanner.com/
- Multi-platform (MS Windows, Mac OS X and Linux)
- Supports highly complicated web applications
- Coded in Ruby
- Different approach to scanning
- Key points: free, simple, distributed, intelligent
Arachni Distributed Architecture
- Uses agents deployed on remote servers
- Designed to integrate into existing infrastructure
- REST API: interoperability with non-Ruby systems; JSON messages; polling for progress
- RPC API: MessagePack; Grid RPC
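The REST flow the slide describes (start a scan with a JSON document, poll for progress, fetch the report) as an added Python example; this is not Arachni's own code. Endpoint paths and the "status"/"busy" fields follow the Arachni 1.x REST server wiki, the JSON layout of the scan options (the "audit": {"elements": [...]} shape) is an assumption to check against your server version, and the transport is an injectable callable so the same client can be exercised offline against a fake server:

```python
"""Drive an Arachni REST server (arachni_rest_server) over JSON/HTTP.

Added example, not Arachni's own code. Endpoints assumed from the Arachni
1.x REST API: POST /scans (options as JSON, returns {"id": ...}),
GET /scans/<id> (progress with "status" and "busy"),
GET /scans/<id>/report.json and DELETE /scans/<id>.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# (method, url, json_body_or_None) -> (http_status, decoded_json)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
    """Real transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:  # non-2xx: hand the body back to the caller
        raw = e.read()
        return e.code, (json.loads(raw) if raw else {})


class ArachniRest:
    """Minimal client; arachni_rest_server listens on 127.0.0.1:7331 by default."""

    def __init__(self, base: str = "http://127.0.0.1:7331",
                 transport: Transport = urllib_transport):
        self.base = base.rstrip("/")
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        status, payload = self.transport(method, self.base + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {payload}")
        return payload

    def start(self, target: str, checks=("xss*", "sql_injection*"),
              audit=("links", "forms", "cookies")) -> str:
        # Same options the CLI takes (--checks, --audit-*), sent as JSON.
        # The "audit": {"elements": [...]} layout is an assumption.
        options = {"url": target, "checks": list(checks),
                   "audit": {"elements": list(audit)}}
        return self._call("POST", "/scans", options)["id"]

    def progress(self, scan_id: str) -> dict:
        return self._call("GET", f"/scans/{scan_id}")

    def wait(self, scan_id: str, poll_seconds: float = 5.0, sleep=time.sleep) -> dict:
        """Poll until the scan reports itself as no longer busy."""
        while True:
            p = self.progress(scan_id)
            if not p.get("busy", True) or p.get("status") in ("done", "aborted"):
                return p
            sleep(poll_seconds)

    def report(self, scan_id: str) -> dict:
        return self._call("GET", f"/scans/{scan_id}/report.json")

    def delete(self, scan_id: str) -> None:
        self._call("DELETE", f"/scans/{scan_id}")


def run_scan(client: ArachniRest, target: str, sleep=time.sleep) -> dict:
    """Full lifecycle: start, poll to completion, fetch the report, release the scan."""
    scan_id = client.start(target)
    try:
        final = client.wait(scan_id, sleep=sleep)
        report = client.report(scan_id)
    finally:
        client.delete(scan_id)  # the server keeps finished scans until deleted
    issues = report.get("issues", [])
    return {"scan_id": scan_id, "status": final.get("status"),
            "issue_count": len(issues), "issues": issues}


if __name__ == "__main__":
    # Against a live server: run arachni_rest_server, then this script.
    summary = run_scan(ArachniRest(), "http://10.10.30.25:90")
    print(json.dumps({k: v for k, v in summary.items() if k != "issues"}, indent=2))
```

The delete in the finally block matters: a REST server keeps every scan, finished or not, until the client releases it, so a script that crashes mid-poll would otherwise leave scan slots occupied.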
Arachni Example
Arachni Web UI
Arachni GitHub
- https://github.com/Arachni (author: Tasos Laskos)
- Wiki
- Arachni Framework: master (stable), experimental (alpha)
- Arachni Web UI
Arachni CLI interface
- Checks: --checks=*,-csrf (every check except csrf); --checks=xss* (all XSS checks); default is --checks=*
- Audit: --audit-<element type>, e.g. --audit-links, --audit-forms, --audit-cookies, --audit-headers; some element types (headers among them) are disabled by default
- --audit-link-template expects a pattern: a regular expression with named captures that extracts inputs from generic paths
Arachni CLI Customization (option groups in arachni --help)
- Generic
- Scope
- Output
- HTTP
- Input
- Session
- Report
- Plugin
Arachni CLI Plugin
- List the available plugins: arachni --plugins-list
- Login with the autologin plugin (url = login form action, parameters = the form fields, check = a pattern that must appear once logged in; the form_build_id and form_id fields are those of a Drupal login form):
  arachni http://10.10.30.25:90 --plugin=autologin:url=http://10.10.30.25:90,parameters="name=user&pass=user&form_build_id=form-PW9ju5rKh7OXU5uGnk_dGrVGw9AHCtDt2TF65yyhHZQ&form_id=user_login_block&op=Log in",check="My account"
Arachni CLI Messages
  [*]  status messages
  [~]  informational messages
  [+]  success messages
  [v]  verbose messages
  [!]  debug messages
  [-]  error messages
Arachni Report
- Convert a saved scan (.afr) into a report: arachni_reporter reportName.afr --reporter=<type>:outfile=output.<type>
- Available reporters: XML (experimental branch), HTML (zip), Text, JSON, Stdout
- List them with: arachni_reporter --reporters-list
Arachni Report Example
Arachni Report Example (2)
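Once arachni_reporter has produced a JSON report, the next practical step is reading it programmatically. The following is an added Python example, not part of Arachni: it merges the issues of several JSON reports (e.g. one per agent or per run) by their digest and flags the untrusted findings. The key names (issues[].name, .severity, .trusted, .digest, .check.shortname, .vector.url, .vector.affected_input_name) are assumed from the Arachni 1.x report format and should be checked against a report from your own version; the two sample reports are constructed, not output of a real scan.

```python
"""Summarise one or more Arachni JSON reports, as produced by
   arachni_reporter scan.afr --reporter=json:outfile=report.json

Added example, not part of Arachni. Key names are assumed from the 1.x
report format; SAMPLE_REPORTS are constructed.
"""
import json
from collections import Counter
from typing import Dict, List

SEVERITY_ORDER = ("high", "medium", "low", "informational")

# Two constructed reports for the same target (e.g. two agents or two runs);
# the XSS issue appears in both with the same digest.
SAMPLE_REPORTS = [
    json.dumps({"version": "1.5", "issues": [
        {"name": "Cross-Site Scripting (XSS)", "severity": "high", "trusted": True,
         "digest": 1001, "check": {"shortname": "xss"},
         "vector": {"type": "form", "url": "http://10.10.30.25:90/search",
                    "affected_input_name": "q"}},
        {"name": "Missing 'X-Frame-Options' header", "severity": "low", "trusted": True,
         "digest": 3003, "check": {"shortname": "x_frame_options"},
         "vector": {"type": "server", "url": "http://10.10.30.25:90/"}},
    ]}),
    json.dumps({"version": "1.5", "issues": [
        {"name": "Cross-Site Scripting (XSS)", "severity": "high", "trusted": True,
         "digest": 1001, "check": {"shortname": "xss"},
         "vector": {"type": "form", "url": "http://10.10.30.25:90/search",
                    "affected_input_name": "q"}},
        {"name": "Blind SQL Injection (timing attack)", "severity": "high", "trusted": False,
         "digest": 2002, "check": {"shortname": "sql_injection_timing"},
         "vector": {"type": "link", "url": "http://10.10.30.25:90/node?id=1",
                    "affected_input_name": "id"}},
    ]}),
]


def load_issues(report_texts) -> List[dict]:
    """Merge issues from several reports, keeping one entry per digest."""
    merged: Dict[object, dict] = {}
    for text in report_texts:
        for issue in json.loads(text).get("issues", []):
            merged.setdefault(issue.get("digest"), issue)
    return list(merged.values())


def summarise(issues: List[dict]) -> dict:
    by_severity = Counter(i.get("severity", "informational") for i in issues)
    # Untrusted issues come from checks that could not fully confirm the
    # finding (timing-based blind SQLi, for instance) and need manual checking.
    untrusted = [i for i in issues if not i.get("trusted", True)]
    return {"total": len(issues), "by_severity": dict(by_severity),
            "untrusted": untrusted}


def _rank(issue: dict) -> int:
    sev = issue.get("severity", "informational")
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def format_summary(issues: List[dict]) -> List[str]:
    """Human-readable lines, highest severity first, untrusted ones flagged."""
    s = summarise(issues)
    counts = ", ".join(f"{sev} {s['by_severity'][sev]}"
                       for sev in SEVERITY_ORDER if s["by_severity"].get(sev))
    lines = [f"{s['total']} unique issues: {counts}"]
    for i in sorted(issues, key=_rank):
        v = i.get("vector", {})
        where = v.get("url", "?")
        if v.get("affected_input_name"):
            where += f" [{v.get('type', '?')} input: {v['affected_input_name']}]"
        flag = "" if i.get("trusted", True) else "  (UNTRUSTED: verify manually)"
        shortname = i.get("check", {}).get("shortname", "?")
        lines.append(f"  {i.get('severity', '?'):>13}  {shortname:<22} {where}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_summary(load_issues(SAMPLE_REPORTS))))
```

Triage by severity alone is misleading for a scanner like Arachni that marks uncertain findings as untrusted: a "high" timing-based SQL injection that the check could not confirm belongs in a verify-manually queue, not in the same bucket as a reflected XSS with a captured proof.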
OWASP Zed Attack Proxy
- https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Open-source web application security scanner
- Linux, Windows, OS X
- Fully translated into over 25 languages
- Raspberry Pi supported
- Good community
- ZAP is a fork of Paros Proxy
OWASP Zed Attack Proxy: Functionality
- Intercepting proxy
- Traditional and AJAX spiders
- Automated (active) scanner
- Passive scanner
- Forced browsing
- Fuzzer
- Dynamic SSL certificates
- Authentication and session support
OWASP Zed Attack Proxy: User Interface
OWASP Zed Attack Proxy: Context
OWASP Zed Attack Proxy: API
OWASP Zed Attack Proxy: API Programming Languages
- Java (official)
- Python (official)
- Node.js (in progress)
- PHP (in progress)
- Ruby (no information)
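Every one of those client libraries wraps the same HTTP API, so the exchange is worth seeing without a wrapper. The following is an added Python example, not the ZAP project's own code: it runs the spider, then the active scanner, polls each to completion and collects the alerts by risk. URL shapes follow the ZAP API (/JSON/<component>/<action|view>/<name>/?apikey=...&<params>) and its string-valued answers ({"scan": "0"}, {"status": "100"}, {"alerts": [...]}); the default address 127.0.0.1:8080 and the ZAP_APIKEY environment variable are assumptions, and the fetch function is injectable so the exchange can be exercised offline against a fake server.

```python
"""Drive OWASP ZAP through its HTTP API using only the standard library.

Added example, not ZAP's own client. Assumes the ZAP API URL layout
  /JSON/<component>/<action|view>/<name>/?apikey=...&<params>
and ZAP listening on 127.0.0.1:8080.
"""
import json
import time
import urllib.parse
import urllib.request

RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def urllib_fetch(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read())


class ZapApi:
    def __init__(self, apikey: str, base: str = "http://127.0.0.1:8080", fetch=urllib_fetch):
        self.apikey = apikey
        self.base = base.rstrip("/")
        self.fetch = fetch

    def call(self, component: str, kind: str, name: str, **params) -> dict:
        """kind is "action" (changes state) or "view" (reads it); the key rides on every call."""
        params["apikey"] = self.apikey
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
        return self.fetch(url)

    def _wait(self, component: str, scan_id: str, sleep, poll: float) -> None:
        # Progress comes back as a string percentage; "100" means finished.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            sleep(poll)

    def spider(self, target: str, sleep=time.sleep, poll: float = 2.0) -> str:
        scan_id = self.call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", scan_id, sleep, poll)
        return scan_id

    def active_scan(self, target: str, sleep=time.sleep, poll: float = 5.0) -> str:
        scan_id = self.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        self._wait("ascan", scan_id, sleep, poll)
        return scan_id

    def alerts(self, target: str, min_risk: str = "Low") -> list:
        """Alerts for the target (passive and active), filtered by minimum risk."""
        alerts = self.call("core", "view", "alerts", baseurl=target)["alerts"]
        return [a for a in alerts if RISK_RANK.get(a.get("risk"), 0) >= RISK_RANK[min_risk]]


def scan_and_report(api: ZapApi, target: str, sleep=time.sleep, min_risk: str = "Low") -> dict:
    """Spider first so the active scanner has URLs to attack, then group alerts by risk."""
    api.spider(target, sleep=sleep)
    api.active_scan(target, sleep=sleep)
    by_risk: dict = {}
    for a in api.alerts(target, min_risk=min_risk):
        by_risk.setdefault(a["risk"], []).append(
            f'{a.get("name")} @ {a.get("url")} [{a.get("param", "")}]')
    return by_risk


if __name__ == "__main__":
    import os
    # The key is shown under Tools > Options > API in the ZAP UI (assumed env var name).
    report = scan_and_report(ZapApi(os.environ.get("ZAP_APIKEY", "")), "http://10.10.30.25:90")
    print(json.dumps(report, indent=2))
```

Two points the wrappers hide: ZAP rejects API calls without a valid key unless that check is disabled in its options, and the active scan is the intrusive step, so the spider-only path is the one to use against hosts you are not authorized to attack.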
Paros
- https://sourceforge.net/projects/paros/
- Java-based HTTP/HTTPS proxy
- Assesses web application vulnerabilities
- Request tampering
- Spider
- Intelligent scanning for XSS and SQL injection
- Client certificate support
Any Questions?