Easy security testing with applications bridge in ZAP(with SQLMap, XSStrike, etc..)

ZAP has one interesting feature. It is a function that can use external applications. This makes it easier and more powerful for security testing to work with external tools.
(글 2개쓰기 귀찮아서 걍 같이 남깁니다. ZAP의 Application 기능을 이용하면 좀 더 쉽게 보안 테스팅을 할 수 있습니다.)

Today’s post is how to use the Apply bridge(?) in ZAP.
(별거 없습니다.. 그냥 외부 어플케이션 연동 기능이에요!)

Warm-up exercise(How to setting?)

Open Application Menu

First, enter the application settings page. There are two ways
(먼저 어플리케이션 설정 메뉴로 진입합니다. 아래 방법으로 접근 가능해요.)

- Options > Applications
- Context Menu(Right Click) > Run Applicationn > Configure Applications

You can easily call it from Context Menu by adding Application to ZAP!
(여기에 등록하면 컨텍스트메뉴(우클릭)에서 바로 앱을 호출할 수 있습니다.)

Set Application Info (with data pattern in zap)

Zap’s application not only runs apps, but it can parse HTTP Request/Response data such as History and Requester and use it as a factor value. If you use it well, you will be able to test faster.
(재미있는건 단순하게 어플리케이션만 실행하는게 아니라 인자값을 전달해줄 수 있습니다. 그래서 ZAP에서 테스트하던 데이터를 그대로 외부 앱에 전달해 줄 수 있죠.)

It’s a special character defined in the ZAP.
(이런 패턴이에요)

%url%
the full url, e.g. 'http://localhost/test?a=b' 

%site% 
the site, e.g. 'http://localhost:8080/' 

%host% 
the hostname, e.g. 'localhost' 

%port% 
the port, e.g. '80' 

%cookie% 
the first cookie field from the request header (if any) 

%postdata% 
the POST data sent, if any, with any newlines replaced with "\n" 

%msgid% 
the HTTP message id to fetch data from the API (/JSON/core/view/message/?id=$msgid), does not alway exist, will return -1 if no message id 

%header-{{ header }}% 
the request header by name (if any), e.g. %header-user-agent% would return the value of the User-Agent header

My sample data.. sqlmap

Full COmmand: /usr/local/bin/sqlmap
Working Dir: /usr/local/bin
Parameter: --dbs --no-cast --random-agent -u %url%

In addition to sqlmap, you can conveniently perform tasks such as XSStrike and dotdotpwn.

Run application on ZAP

Right click > Run Application > Your App!

[/usr/local/bin/sqlmap, --dbs, --no-cast, --random-agent, -u, https://www.hahwul.com]
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:10:29 /2019-07-02/

[00:10:29] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.460.0 Safari/534.3' from file '/usr/local/Cellar/sqlmap/1.3.3/libexec/txt/user-agents.txt'
[00:10:29] [INFO] testing connection to the target URL
[00:10:32] [INFO] heuristics detected web page charset 'ISO-8859-2'
[00:10:33] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:10:37] [INFO] testing if the target URL content is stable
[00:10:37] [INFO] target URL content is stable
[00:10:37] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

[*] ending @ 00:10:37 /2019-07-02/

---

HAHWUL Security engineer, Gopher and H4cker!