Enhancement: Passive scan rule for anonymous requests #4602

Closed
omerlh opened this issue Apr 17, 2018 · 29 comments
Comments

@omerlh
Contributor

omerlh commented Apr 17, 2018

As all anonymous requests might be a security issue, I would like to have a rule to detect such requests and report them.
Later this rule could also check for insecure authentication (basic, OAuth 1, etc.) and also alert on those.
What do you think?

@kingthorin
Member

You're going to need to be more specific.

@kingthorin
Member

Also there's already a weak auth passive scanner for basic and digest.

@omerlh
Contributor Author

omerlh commented Apr 17, 2018

I want to alert on requests that do not have any authentication (missing Authorization header). Those requests might indicate a potential security issue, and ideally, people will have to white-list specific URLs that can be anonymous. My main hesitation is that this requirement might be only ours, and not global.

@kingthorin
Member

Doable; however, there's a huge percentage of the web that uses form-based authentication with no auth header.

I'll knock together a passive script in a few hours. (It's 4am, I'm gonna try to get back to sleep for a bit ☺)

@omerlh
Contributor Author

omerlh commented Apr 17, 2018

Sleep sounds like a good idea :) I can also write the scanner; maybe we can ignore form posts somehow (or alert on them only when the threshold is low).
Have a good sleep!

@kingthorin
Member

kingthorin commented Apr 17, 2018

This is un-tested, but I said I'd knock something together today so here it is:

anon-pasv-scanner.js

/**
 * This script checks whether resources (URLs) are successfully accessed (Status 200 - OK)
 * on a request which did not have an Authorization header.
 *
 * Note: This is a passive script, not an active script. As such the Authorization header
 * is not forcefully removed prior to making the request. This script will only alert if a
 * request is proxied (or initiated via the spider(s), etc.) which does not have an Authorization
 * header, and is subsequently passively scanned.
 */

function scan(ps, msg, src)
{
    // Declared with var so they stay local to this call instead of leaking as globals
    var alertRisk = 1          // Low
    var alertReliability = 2   // Medium (confidence)
    var alertTitle = "Resource Allows Anonymous Access"
    var alertDesc = "The web/application server allowed access without any Authorization header on the request."
    var alertSolution = "Ensure that the application appropriately requires authentication and authorization."

    var cweId = 0
    var wascId = 0

    var url = msg.getRequestHeader().getURI().toString();
    // Header values for "Authorization"; null (older ZAP) or an empty list when the header is absent
    var headers = msg.getRequestHeader().getHeaders("Authorization");
    var missingAuth = (headers == null || headers.isEmpty());

    // Might want to check here to see if the URL is in scope: msg.isInScope()
    if (missingAuth && msg.getResponseHeader().getStatusCode() == 200)
    {
        // Arguments: risk, confidence, name, description, uri, param, attack, otherInfo, solution, evidence, cweId, wascId, msg
        ps.raiseAlert(alertRisk, alertReliability, alertTitle, alertDesc, url, '', '', '', alertSolution, '', cweId, wascId, msg);
    }
}

@omerlh
Contributor Author

omerlh commented Apr 17, 2018

That looks promising :) This is not a rule, right? I need to add this script to ZAP?

Also, why not create a regular rule?

@kingthorin
Member

I was just putting something together to get you going. You could make a normal Java-based passive scanner and add it to the alpha branch.

Yes, it's a script; you'd have to add it via the script tree and ensure it's enabled. Then make sure the Script Passive Scanner is enabled in options.

@thc202
Member

thc202 commented Apr 17, 2018

Any reason not to use the Access Control Testing add-on? [1] (It also allows raising alerts.) Seems more appropriate than a passive scanner (which will pretty much raise an alert on every page/site).

[1] https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts

@kingthorin
Member

Another reason I implemented this as a script is because it seemed more like a minority case than the norm. I do not have stats to back me up; however, I feel that there is more use of form/cookie-based authentication than Authorization headers.

@thc202 is right, though; may as well use the Access Control Testing extension.

@psiinon
Member

psiinon commented Apr 18, 2018

yeah, agree that this specific test is best as a script, and that hopefully the access control add-on is actually more useful :)

@omerlh
Contributor Author

omerlh commented Apr 22, 2018

I'll try to play a bit with that add-on; I need to dig in and look at how I can use it from code and if I can use it from a passive scan. If that will not work, I'll try the script. I agree this could be a minor use case, but worth asking. The security requirement (all endpoints must be authenticated) makes sense to me; guess I'm not the only one.
I'll update once I find which method works on this issue, for documentation.
Thanks for the help!

@omerlh
Contributor Author

omerlh commented Apr 25, 2018

Ok, I was trying to play with both options. The access control plugin is a lot more complex than what I need, and the script approach is also complicated (see issue #4626). Can I create an add-on for rules relevant only to Soluto? How can we distribute it?

@psiinon
Member

psiinon commented Apr 25, 2018

Yes, you can definitely create an add-on :)
If it could be of interest to other people (and is free open source) then we're happy to add it to the marketplace, or you can distribute it yourselves in any way you see fit. Either fine with us.

@kingthorin
Member

You can create an Active Scan policy and re-use it via the API. You can also choose which passive scanners you want enabled or disabled and set that via the API. That would include enabled Active or Passive scan scripts.

@psiinon
Member

psiinon commented Apr 25, 2018

The problem is the enabled part - by default they won't be enabled.
I actually hit this problem with the API scanner and ended up adding them via the API: https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-api-scan.py#L308-L345
That's a bit nasty, so I think we should try to make this much easier...

@kingthorin
Member

zap.script.enable isn't too bad; if you know the directory of the scripts you can just programmatically list its contents and enable them in a loop. A one-step solution would be great, but in the meantime a loop doesn't seem bad.
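The per-script loop kingthorin describes, written out as an added example (not code from this thread or from ZAP itself): it walks a scripts directory, loads each script through the `zap.script.load` call of the python-owasp-zap-v2.4 client, then enables it with `zap.script.enable`. The `<root>/<type>/<file>.js` layout, the `FakeZap` stand-in and the sample tree are assumptions; with a real `zapv2.ZAPv2` instance in place of `FakeZap` the same calls go to a running ZAP.

```python
import tempfile
from pathlib import Path

# Assumption: bundled scripts sit in <scripts_root>/<script type>/<file>, so the first
# subdirectory is the script type (e.g. "passive"); "Oracle Nashorn" is the engine name
# that appears in the config.xml snippet further down this thread.
ENGINES = {".js": "Oracle Nashorn"}

def collect_scripts(scripts_root):
    """Return (name, type, engine, absolute path) for each supported script file."""
    root = Path(scripts_root)
    found = []
    for path in sorted(root.rglob("*")):
        parts = path.relative_to(root).parts
        # Skip directories, files with no type directory, and unsupported engines
        if not path.is_file() or len(parts) < 2 or path.suffix not in ENGINES:
            continue
        found.append((path.name, parts[0], ENGINES[path.suffix], str(path.resolve())))
    return found

def load_and_enable(zap, scripts_root):
    """Load each script, then enable it (loaded scripts start disabled); returns
    one (name, load result, enable result) tuple per script."""
    results = []
    for name, script_type, engine, path in collect_scripts(scripts_root):
        loaded = zap.script.load(name, script_type, engine, path)
        enabled = zap.script.enable(name) if loaded == "OK" else "SKIPPED"
        results.append((name, loaded, enabled))
    return results

class FakeZap:
    """Constructed stand-in for the zapv2.ZAPv2 client: records calls, answers "OK"."""
    def __init__(self):
        self.calls, self.script = [], self
    def load(self, name, script_type, engine, filename):
        self.calls.append(("load", name, script_type, engine))
        return "OK"
    def enable(self, name):
        self.calls.append(("enable", name))
        return "OK"

def demo():
    """Build a constructed scripts tree and run the loop against the fake client."""
    root = Path(tempfile.mkdtemp())
    (root / "passive").mkdir()
    (root / "passive" / "anon-pasv-scanner.js").write_text("function scan(ps, msg, src) {}\n")
    (root / "README.txt").write_text("ignored: no type directory and not a .js file\n")
    zap = FakeZap()
    return load_and_enable(zap, root), zap.calls
```

The Script Passive Scanner rule itself still has to be enabled in the passive scan options, as kingthorin notes above.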

@omerlh
Contributor Author

omerlh commented Apr 25, 2018

My problem is that I want to have ZAP running on any micro-service at Soluto. That is where I want to get to, and because of that I want to do most of the customization in the Docker image, because there I have more control. All of them will use the same Docker image (which is this one), and then, if I add a rule, all the services will get it and start using it. This is why I'm trying so hard to do it without the API.
Is there a guide on how to create an add-on?

@thc202
Member

thc202 commented Apr 25, 2018

If you are using a custom docker image you could configure ZAP to your needs as well (e.g. bundle the scripts and tweak ZAP config.xml file to include/enable it)? Or that's not flexible enough?

@omerlh
Contributor Author

omerlh commented Apr 25, 2018

That's what I tried (see the discussion on #4626), but it wasn't that simple. Basically, I need to choose what I prefer to implement: an add-on, or a cmd option to load a script :)

@thc202
Member

thc202 commented Apr 25, 2018

I meant when building the image include the scripts and the custom config.xml to add/enable the script.

@omerlh
Contributor Author

omerlh commented Apr 25, 2018

oh, I didn't know about that option - can you post on the other issue how to do that? Or a link to the wiki?

@thc202
Member

thc202 commented Apr 25, 2018

This is more a Docker change than ZAP, once you have the scripts and the config.xml file (e.g. created with the GUI) you can copy them when building the image to override the ones of the base image.

@omerlh
Contributor Author

omerlh commented Apr 25, 2018

That was a good hint. Looking at the file generated by the GUI, it looks like I need something like this:

  <dirs><></dirs>
  <script>
    <scripts>
      <name>Copy as curl command menu.js</name>
      <description/>
      <engine>Oracle Nashorn</engine>
      <type>extender</type>
      <enabled>true</enabled>
      <file>/Users/omerl/Library/Application Support/ZAP/scripts/templates/extender/Copy as curl command menu.js</file>
    </scripts>
  </script>

@psiinon
Member

psiinon commented Apr 26, 2018

I should have mentioned this option as well :)
At Mozilla we extend the ZAP Live docker image and add additional configs.
Let us know if you have any problems doing this and we should be able to sort them out.

@omerlh
Contributor Author

omerlh commented Apr 26, 2018

I was able to figure out how to do this and documented it in this post. I think this issue can be closed, and maybe also #4626

@psiinon
Member

psiinon commented Apr 26, 2018

Thanks for letting us know :)

@psiinon psiinon closed this as completed Apr 26, 2018
@lock

lock bot commented Feb 3, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Feb 3, 2020