kingthorin
commented
4 years ago Re-opening there are still occurrences of Paros.
Also ZAP references should all be updated to www.zaproxy.org.
Closed kingthorin closed 4 years ago
kingthorin
commented
4 years ago Re-opening there are still occurrences of Paros.
Also ZAP references should all be updated to www.zaproxy.org.
kingthorin
commented
4 years ago For the third item on the current list:
$ grep --color=always -r -i -n "zed_" . ./4_Web_Application_Security_Testing/4.11_Business_Logic_Testing/4.11.1_Test_Business_Logic_Data_Validation_OTG-BUSLOGIC-001.md:51:OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. ./4_Web_Application_Security_Testing/4.11_Business_Logic_Testing/4.11.2_Test_Ability_to_Forge_Requests_OTG-BUSLOGIC-002.md:55:OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. ./4_Web_Application_Security_Testing/4.11_Business_Logic_Testing/4.11.3_Test_Integrity_Checks_OTG-BUSLOGIC-003.md:67:- OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. ./4_Web_Application_Security_Testing/4.11_Business_Logic_Testing/README.md:89:- OWASP ZAP Proxy ./4_Web_Application_Security_Testing/4.12_Client_Side_Testing/4.12.10_Testing_WebSockets_OTG-CLIENT-010.md:28: - Use OWASP Zed Attack Proxy (ZAP)'s WebSocket tab. ./4_Web_Application_Security_Testing/4.12_Client_Side_Testing/4.12.10_Testing_WebSockets_OTG-CLIENT-010.md:44: - Use OWASP Zed Attack Proxy (ZAP)'s WebSocket tab to replay and fuzz WebSocket request and responses. Refer to the Testing for Data Validation sections of this guide. ./4_Web_Application_Security_Testing/4.12_Client_Side_Testing/4.12.10_Testing_WebSockets_OTG-CLIENT-010.md:48:Once we have identified that the application is using WebSockets (as described above) we can use the OWASP Zed Attack Proxy (ZAP) to intercept the WebSocket request and responses. ZAP can then be used to replay and fuzz the WebSocket request/responses. ./4_Web_Application_Security_Testing/4.12_Client_Side_Testing/4.12.10_Testing_WebSockets_OTG-CLIENT-010.md:64:- OWASP Zed Attack Proxy (ZAP) ./4_Web_Application_Security_Testing/4.12_Client_Side_Testing/4.12.7_Testing_Cross_Origin_Resource_Sharing_OTG-CLIENT-007.md:41:A tool such as OWASP Zed Attack Proxy Project can enable testers to intercept HTTP headers, which can reveal how CORS is used. Testers should pay particular attention to the origin header to learn which domains are allowed. Also, manual inspection of the JavaScript is needed to determine whether the code is vulnerable to code injection due to improper handling of user supplied input. Below are some examples: ./4_Web_Application_Security_Testing/4.4_Identity_Management_Testing/4.4.4_Testing_for_Account_Enumeration_and_Guessable_User_Account_OTG-IDENT-004.md:163:- OWASP Zed Attack Proxy (ZAP) ./4_Web_Application_Security_Testing/4.5_Authentication_Testing/4.5.4_Testing_for_Bypassing_Authentication_Schema_OTG-AUTHN-004.md:115:- OWASP Zed Attack Proxy (ZAP) ./4_Web_Application_Security_Testing/4.5_Authentication_Testing/4.5.6_Testing_for_Browser_Cache_Weaknesses_OTG-AUTHN-006.md:65:- OWASP Zed Attack Proxy ./4_Web_Application_Security_Testing/4.6_Authorization_Testing/4.6.3_Testing_for_Privilege_Escalation_OTG-AUTHZ-003.md:114:- OWASP Zed Attack Proxy (ZAP) ./4_Web_Application_Security_Testing/4.7_Session_Management_Testing/4.7.1_Testing_for_Session_Management_Schema_OTG-SESS-001.md:189:- OWASP Zed Attack Proxy Project (ZAP) - features a session token analysis mechanism. ./4_Web_Application_Security_Testing/4.7_Session_Management_Testing/4.7.2_Testing_for_Cookies_Attributes_OTG-SESS-002.md:54:- OWASP Zed Attack Proxy Project ./4_Web_Application_Security_Testing/4.7_Session_Management_Testing/4.7.3_Testing_for_Session_Fixation_OTG-SESS-003.md:94:- OWASP ZAP ./4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.1_Testing_for_Reflected_Cross_Site_Scripting_OTG-INPVAL-001.md:185:- OWASP Zed Attack Proxy (ZAP) ./4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.2_Testing_for_Stored_Cross_Site_Scripting_OTG-INPVAL-002.md:183:- OWASP Zed Attack Proxy (ZAP) ./4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.4_Testing_for_HTTP_Parameter_Pollution_OTG-INPVAL-004.md:106:- OWASP ZAP HPP Passive/Active Scanners ./4_Web_Application_Security_Testing/4.9_Testing_for_Error_Handling/4.9.1_Testing_for_Error_Code_OTG-ERR-001.md:241:* ZAP Proxy ./4_Web_Application_Security_Testing/4.9_Testing_for_Error_Handling/4.9.2_Testing_for_Stack_Traces_OTG-ERR-002.md:26:Some tools, such as OWASP ZAP and Burp proxy will automatically detect these exceptions in the response stream as you are doing other penetration and testing work. ./4_Web_Application_Security_Testing/4.9_Testing_for_Error_Handling/4.9.2_Testing_for_Stack_Traces_OTG-ERR-002.md:42:- ZAP Proxy ./Appx.A_Testing_Tools_Resource/Appx.A_Testing_Tools.md:5:- OWASP ZAP ./Appx.C_Fuzz_Vectors/Appx.C_Fuzz_Vectors.md:3:The following are fuzzing vectors which can be used with ZAP, JBroFuzz, WSFuzzer or another fuzzer. Fuzzing is the “kitchen sink” approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing. This is the simple part of the discovery phase. Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.
kingthorin
commented
4 years ago For the first item on the current list:
$ grep --color=always -r -i -n "scarab" . ./4_Web_Application_Security_Testing/4.2_Information_Gathering/4.2.4_Enumerate_Applications_on_Webserver_OTG-INFO-004.md:180:For instance, considering the previous example regarding
www.owasp.org, the tester could query Google and other search engines looking for information (hence, DNS names) related to the newly discovered domains ofwebgoat.org,webscarab.com, andwebscarab.net. ./4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.13_Testing_for_Command_Injection_OTG-INPVAL-013.md:31:Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up WebScarab, you can obtain a POST HTTP like the following:
Edit: Those in 4.2.4_Enumerate_Applications_on_Webserver_OTG-INFO-004.md:180 are likely fine as they're used in an example, not a suggestion of a tool.
During content review references to and examples of using the following tools should be removed. (Because the projects are dead, replaced, or otherwise irrelevant).
Please add comments below with tools you notice in the content which should be removed. I'll add them to this checklist as things progress.