Submitting the Attack Surface Detector plugin to the Marketplace #4670
A few issues from me:
fyi we tend to use the fugue icons: https://github.com/yusukekamiyamane/fugue-icons - you can see them all here: https://github.com/yusukekamiyamane/fugue-icons/blob/master/all-preview.png :)
Worth noting that ZAP is already available in Maven Central:
@psiinon I will be addressing most if not all of your issues today. Some issues, such as the icon, may require a more collaborative effort here. I will update the plugin and let you know when these changes have been made.
I am trying to address your concerns, but while upgrading to ZAP version 2.7.0 I am receiving this exception while installing the plugin. I cannot seem to find any documentation on how to address this and was hoping you could lead me in the right direction.
Is that the whole error, no stack trace? Is the code pushed (to take a look)? EDIT: Yeah, no stack trace for that error.
There is no stack trace for that error.
in the pom files which was replaced by
It's missing the scope in the update? And to elaborate, that would cause problems since it would bundle and use a different
I was no longer providing the Jar file and was pulling directly from Maven. I have never needed a scope before when the jar file is not provided.
Yes, but you still need to declare it as
@thc202 thank you for the prompt response. The issue has been rectified and I can now address the rest of the concerns.
commit: 7d1927acb1aac2bf00b1f3e2b1c46ceb614dc290 should address all of @psiinon's concerns.
In the

```java
Target spiderTarget = new Target(startNode);
spiderTarget.setRecurse(true);
int id = extSpider.startScan(spiderTarget, null, null);
// Give some time to the spider to finish to setup and start itself.
sleep(1500);
SpiderScan spiderScan = extSpider.getScan(id);
while (!spiderScan.isStopped()) {
    // Should sleep some time here too otherwise the thread will be too much active.
    if (this.stopAttack) {
        spiderScan.stopScan();
        break;
    }
}
```

this way it avoids conflicts with other running spider scans. I think most if not all (except ZAP) of the provided dependencies could be removed, they seem to be transitive dependencies of ZAP (which are already being included). (Not that it matters for the release to marketplace, just tidy up.)
Note that the spider will fail to start when the Mode does not allow spider scans. A check before starting the ASD would be better but catching the exception (
Another thing worth doing now is to declare that the extension can be unloaded (e.g. override
@thc202 I am currently rewriting the spider to use the new API and sleeps. I am also overriding canUnload, but can you clarify what is meant by "worth checking if the dependencies (e.g. com.github.secdec.astam-correlator) can also be GC'ed)." So I can properly address that concern.
I'm referring to the usual features that might lead to memory leaks (e.g. use of
@thc202 commit b22493616a73434ebb79b70045abec034f4024b9 should have addressed all of your concerns. Thank you for all of your input.
@matthewD-AVI thanks! Will take a look ASAP.
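The three points raised above (stop only this plugin's own spider scan rather than all scans, check the ZAP Mode before starting, and declare the extension unloadable) put together in one sketch. This is an added illustration, not code from the ASD plugin or from the thread; the ZAP class and method names (Control.getSingleton().getMode(), Control.Mode.safe, ExtensionSpider.startScan/getScan, SpiderScan.isStopped/stopScan, ExtensionAdaptor.canUnload) and the IllegalStateException catch are assumed from ZAP's extension API rather than confirmed by the thread.

```java
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.extension.ExtensionAdaptor;
import org.parosproxy.paros.model.SiteNode;
import org.zaproxy.zap.extension.spider.ExtensionSpider;
import org.zaproxy.zap.extension.spider.SpiderScan;
import org.zaproxy.zap.model.Target;

// Hypothetical extension class; names are illustrative, not the plugin's own.
public class AsdSpiderRunner extends ExtensionAdaptor {

    // Set by the user pressing "stop"; volatile because the spider loop runs on its own thread.
    private volatile boolean stopAttack;

    // Assumed: Safe mode forbids spidering entirely, so check before starting (see note above).
    private static boolean spiderAllowedInCurrentMode() {
        return Control.getSingleton().getMode() != Control.Mode.safe;
    }

    // Starts a single spider scan for this plugin and stops only that scan, never other users' scans.
    void runSpider(ExtensionSpider extSpider, SiteNode startNode) throws InterruptedException {
        if (!spiderAllowedInCurrentMode()) {
            return;
        }
        Target spiderTarget = new Target(startNode);
        spiderTarget.setRecurse(true);
        int id;
        try {
            id = extSpider.startScan(spiderTarget, null, null);
        } catch (IllegalStateException e) {
            // Assumed failure type when the current Mode (e.g. Protected, out of scope) refuses the scan.
            return;
        }
        Thread.sleep(1500); // give the spider time to set itself up
        SpiderScan spiderScan = extSpider.getScan(id);
        while (!spiderScan.isStopped()) {
            Thread.sleep(500); // poll instead of spinning a busy loop
            if (stopAttack) {
                spiderScan.stopScan(); // stops this scan only, not stopAllScans()
                break;
            }
        }
    }

    // Declaring the extension unloadable lets users install/uninstall it without restarting ZAP;
    // any references held by the plugin (threads, listeners, caches) must be released in unload().
    @Override
    public boolean canUnload() {
        return true;
    }
}
```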
The Some comments regarding the add-on manifest (
That's all from me.
@thc202 The stopAllScans() just slipped through, it has been changed as well as ZapAddOn.xml
@matthewD-AVI So https://github.com/secdec/attack-surface-detector-zap/blob/master/zaproxy/src/org/zaproxy/zap/extension/attacksurfacedetector/ZapAddOn.xml#L3 should probably be 1.2.0 or 1.1.1?
@matthewD-AVI could you email me? github username at gmail.com Thanks
@matthewD-AVI, @kingthorin what's the current state?
@thc202 as of commit: e18f9ba41e43d62e30d909e4b135a330c6f1e1ce all of your concerns should have been addressed.
I'm just following up to see if there is anything else needed to get ASD into the Marketplace.
@matthewD-AVI the only thing I see outstanding is the version info. Looking at https://github.com/secdec/attack-surface-detector-zap/releases 1.1.0 was from your original announcement (IIRC). So https://github.com/secdec/attack-surface-detector-zap/blob/master/zaproxy/src/org/zaproxy/zap/extension/attacksurfacedetector/ZapAddOn.xml#L3 should probably be 1.2.0 or 1.1.1?
@kingthorin I will be doing a version bump soon; for now I will switch it back to 1.1.0. Thank you for the input.
@kingthorin @psiinon @thc202 There is a new version available, 1.1.1, that has addressed every concern that has been raised on this thread.
I raised an issue regarding the version, secdec/attack-surface-detector-zap#16.
btw, IMHO the class
when importing. |
As of the latest commit (8b1415266fd30310c79eb86fb8aceca86a78b76e), all issues raised by @thc202 have been addressed. I moved the tag to update release v1.1.1 with updated binaries.
I think this is good to go?
Yeah, looks good to me.
Release version 1.1.1 of Attack Surface Detector add-on. For zaproxy/zaproxy#4670.
Closing, the add-on is now available in the marketplace. Thank you! :)
Yeah, thanks @matthewD-AVI :)
Thank you all
Add-on repo
https://github.com/secdec/attack-surface-detector-zap
Your contact details
matthew.deletto@securedecisions.com
Are you one of the authors
Yes
Licence
in repo
Build instructions
Install Maven: https://maven.apache.org/install.html
Clone Attack Surface Detector repository: https://github.com/secdec/attack-surface-detector-zap
Navigate to the source code directory, open a terminal and run the command mvn clean package
The plugin will be located in the target folder named: attacksurfacedetector-release-#.zap.
also in readme
Link to more information
https://github.com/secdec/attack-surface-detector-zap/wiki
Twitter handle for tool or author(s)
https://twitter.com/secdec
Promote to Beta or Release?
Note that all new add-ons start at Alpha status.
Anything else we should know
During web application penetration testing, it is important to enumerate your application's attack surface. While Dynamic Application Security Testing (DAST) tools (such as Burp Suite and ZAP) are good at spidering to identify application attack surfaces, they will often fail to identify unlinked endpoints and optional parameters. These endpoints and parameters not found often go untested, which can leave your application open to an attacker. This tool is the Attack Surface Detector, a plugin for OWASP ZAP. This tool figures out the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won't find in client-side code, or optional parameters totally unused in client-side code. The plugin then imports this data into ZAP so you can view the results, or work with the detected endpoints and parameters from the target site map.