mozilla :: #websectools

18 Apr 2017
09:10 Dennis_K: Hi, @psiinon are you around?
09:47 psiinon: Dennis_K: yep :)
11:00 Dennis_K: Did you receive my mail? I am interested in contributing to OWASP ZAP (https://twitter.com/psiinon/status/814813027975516160). In my mail I proposed to schedule a meeting for interested developers at the OWASP AppSec in Belfast. Are you there, too?
11:02 psiinon: Dennis_K: I did, and it got buried :(
11:03 psiinon: Unfortunately I won't be able to go to the AppSec EU in Belfast, otherwise that would be ideal
11:03 psiinon: did you see my post to the ZAP Dev Group?
11:03 psiinon: and when would you like a chat? :)
11:13 Dennis_K: Do you mean this one https://groups.google.com/forum/#!msg/zaproxy-develop/NcdNRCYBLn8/6VCBYb1PDAAJ ? It is possible to chat in my spare time. Typically in the evening from 8pm till 11pm. Can you arrange it at this time?
11:16 Dennis_K: Do you know if any other core developer is at the AppSec conference?
11:34 thc202: Dennis_K, most likely not
11:41 psiinon: Dennis_K: yeah, that post :)
11:42 psiinon: Evenings are harder for me - my wife does a very good job of keeping me away from the computer :P
11:46 psiinon: Dennis_K: what's your background? Is there anything in particular you're interested in working on?
11:50 Dennis_K: I am a .NET developer, currently web applications =)
11:51 Dennis_K: but I am interested in security and I think Java is similar to C#
11:58 Dennis_K: I added the script https://github.com/zaproxy/community-scripts/blob/master/httpfuzzerprocessor/showDifferences.js and I think it would be nice if you could pass parameters from the fuzzer processor dialog to this script. The same way as in the authentication scripts.
12:14 psiinon: I'm always in favour of making params available everywhere :)
12:16 psiinon: thc202: think making the params available to fuzzer processor scripts would be straightforward? Is it something someone new to ZAP could take on?
12:25 mgm_rain0r_: any news on the new formatter psiinon? :-)
12:33 thc202: psiinon, that's pretty straightforward to add, but Dennis_K is not new to ZAP, he added a brand new fuzzer processor already (unless I'm confusing handles/nicks?)
12:34 thc202: mgm_rain0r_, no news (no decisions yet)
12:39 psiinon: well, new to the Java code ;) Dennis_K - do you fancy looking at implementing the param passing?
12:40 psiinon: mgm_rain0r_: thc202 er, which formatter is this again??
12:42 thc202: psiinon, I was referring to the one in Java (there's two, the one above for the differences and another one in Java to tag results)
12:42 Dennis_K: thc202: that is correct ;)
12:42 thc202: psiinon, we were "playing" with Google's formatter
12:42 thc202: (per zap-api-java pull request)
12:43 psiinon: oh yeah :)
12:43 * psiinon votes for tabs or 4 spaces, def not 2 ;)
12:44 thc202: Dennis_K, if you have any questions regarding what needs to be done in which classes just ping me :)
12:44 Dennis_K: psiinon: yes I am interested.
12:44 psiinon: cool! would some pointers to get started help?
12:45 thc202: psiinon, :( that's more work to do, to use 4 spaces or tabs
12:45 psiinon: :/
12:46 mgm_rain0r_: psiinon, Google's Formatter but with 4 spaces (= 1 tab) instead of 2
12:46 mgm_rain0r_: right?
12:47 psiinon: that's what I was thinking
12:49 mgm_rain0r_: Then let's go? :-)
12:49 mgm_rain0r_: can I do something?
12:49 psiinon: I think we should post something to the dev group just so it's not too big a surprise to everyone
12:50 psiinon: and we need a defn we can import into Eclipse (and maybe other IDEs?)
12:50 psiinon: you can help with any of that :)
12:50 Dennis_K: thc202: okay thanks. I will look into the code in the next days.
12:52 Dennis_K: how do you build the GUI? With the Eclipse window manager? Or without any tools?
12:52 psiinon: without any tools I'm afraid :/
12:53 psiinon: we have various helper classes, which some (but dsef not all) of the code uses
12:53 psiinon: def
13:04 mgm_rain0r_: psiinon, https://github.com/zaproxy/zap-api-java/pull/32#issuecomment-294833722 ;-)
13:04 psiinon: :D
13:11 mgm_rain0r_: psiinon, I don't get this ticket completely: https://github.com/zaproxy/zaproxy/issues/3394
13:12 mgm_rain0r_: Last week we talked about this and you called it 'http state enabled', but now I'm looking at the menu item and it's called 'session state'
13:12 psiinon: so that option is only available via the UI, and is lost every time you restart
13:12 mgm_rain0r_: is it the same?
13:12 mgm_rain0r_: just wanna be sure that we're talking the same language
13:13 psiinon: isnt it not the 'Enable Session Tracking (Cookie)' menu item?
13:13 psiinon: ugh, "is it not" ;)
13:14 mgm_rain0r_: Yes, we're both talking about Edit => 'Enable Session Tracking (Cookie)'
13:14 psiinon: good :)
13:16 psiinon: so .. is that ok then?
13:18 mgm_rain0r_: Yep, all ok
14:24 mgm_rain0r_: thc202, I will remove the option "enable session tracking" from the edit menu, ok?
14:28 thc202: I was asking because it's useful to have that at hand (isn't it?) but I'm ok with removing it too
14:29 mgm_rain0r_: Might also be confusing ...
14:36 thc202: it might be, but would not be the first option to be in multiple places :)
14:39 thc202: what about the reset of the state, would that be kept in the menu or moved to the options dialogue?
14:40 mgm_rain0r_: thc202, I don't get what you're saying here: https://github.com/zaproxy/zap-api-java/pull/32
14:41 mgm_rain0r_: How is that not enough to produce the expected output?
14:41 thc202: yeah, my fault for not explaining better, let me grab an example
14:42 mgm_rain0r_: Personally, I wouldn't be bothered to use the whole Google Style Format with 2 spaces as 1 tab
14:43 thc202: me neither
14:45 mgm_rain0r_: I think it would actually be better to use the format completely instead of copying and changing it to use 4 spaces
14:52 thc202: example https://pastebin.mozilla.org/9019321
14:55 mgm_rain0r_: hmmm how is that not the same?
14:56 thc202: well, the line wrappings are very different
14:56 mgm_rain0r_: Yeah, but I don't get why
14:57 mgm_rain0r_: both styles are from Google
14:59 thc202: right, but the first uses the Eclipse formatter implementation "Eclipse [built-in]", that's why it ends up being different
15:04 stephend|zzz: psiinon: hello! I'm driving in to work now, but it might be ~45 minutes or so. Could you get a chance to help me with those questions I had in my email? Need to get my Q2 goal drafted. Thanks!
15:10 psiinon: hey stephend|zzz STOP DRIVING AND TYPING ;)
15:11 psiinon: I'll be in meetings from 5pm BST but will reply to your email now...
15:12 stephend|zzz: heh, ty!
16:30 stephend: psiinon: thanks for replying, psiinon - I'm a lot closer to sorting out my goal, I think
16:30 stephend: so, I ran the openapi addon on kinto's swagger-exposed v1 API
16:31 psiinon: cool :)
16:31 stephend: https://gist.github.com/stephendonner/e750129fd7bb3c4243423f3071939f8d is the list of generated URLs
16:31 stephend: https://irccloud.mozilla.com/file/w83u7xNe/Screen%20Shot%202017-04-18%20at%209.29.29%20AM.png
16:31 psiinon: :D
16:31 stephend: what from the above screenshot, though, do I actually want the scanner to start from, in the site tree?
16:32 stephend: everything? having a tough time figuring the scope to give to zap in this case
16:32 stephend: https://zaproxy.blogspot.com/2017/04/exploring-apis-with-zap.html doesn't go into that part, AFAICT
16:32 psiinon: Scan everything :)
16:33 stephend: is it just, as long as those are showing up in the tree, they have been/can be spidered, and then attacked/fuzzed?
16:33 stephend: cool
16:33 psiinon: yep
16:33 stephend: ok, last question for now, hopefully, then
16:33 psiinon: :)
16:33 stephend: once that PR for hooking this up to the command line (thanks for the swift action on that, too!) is in
16:34 stephend: would we be able to get a decent amount of coverage without invoking the API, via that command line?
16:35 stephend: I'd like to start with a more self-contained, CI-ready set of commands, before perhaps branching out into deeper auth/scans, etc. (which might involve the API in Python, etc.)
16:35 stephend: my time for this quarter is limited
16:35 stephend: if I can do most/all of what's in https://github.com/stephendonner/docker-zap/blob/master/run-docker.sh
16:36 stephend: but also including the now-exposed APIs, via Swagger, that'd be a win
16:36 psiinon: you mean just via passive scanning?
16:37 psiinon: I suspect that won't provide us a lot of info for APIs apart from missing security headers
16:37 stephend: no, I'd like to fuzz/active scan, as a goal
16:37 psiinon: ok so can def invoke via the API
16:38 psiinon: and I have a plan for more thorough scanning :)
16:38 stephend: 1) download openapi addon 2) import URL for Swagger definition (once PR is merged) 3) spider 4) active scan
16:38 stephend: can all of that be reasonably done via the command line, or am I going to have to go the API route?
16:38 psiinon: API for now I'm afraid
16:38 psiinon: but I have plans for an out-of-the-box API scanning option
16:39 stephend: ahhh, k - that might limit me. I'd love to learn, but that's a lot more ramping up, I think, than what I've got current time + skills for
16:39 stephend: I mean https://github.com/zaproxy/zaproxy/blob/develop/build/docker/zap-baseline.py is baseline, and it's meaty :-)
16:40 psiinon: my API scanning plans might come to fruition this 1/4 but that depends on my priorities...
16:40 * stephend nods
16:40 psiinon: bah, the baseline is easy :P
16:40 stephend: who else in the community is doing Python work, besides Grunny?
16:40 stephend: heh
16:41 stephend: well, re: baseline, you're right
16:41 stephend: I /am/ looking at just the raw code
16:41 stephend: it's really the callers/usage that's the part I need to learn
16:41 stephend: hrm
16:42 psiinon: I can def help with the calls etc.
16:42 stephend: can that be used with the openapi addon?
16:42 psiinon: yep, openapi addon includes API support
16:42 stephend: get stuff in the site tree via the steps I mentioned above with the command line + your soon-to-be-merged PR
16:42 stephend: and then in Python, key off that?
16:42 stephend: ah
16:44 psiinon: I'd recommend going down the API route :)
16:44 psiinon: once you get used to it then it's v powerful
16:46 stephend: yeah; I love the flexibility and raw power of client + API together
16:47 psiinon: would a 121 session on the API help sometime?
16:48 stephend: absolutely; if I could do something like https://github.com/zaproxy/zap-api-python/blob/master/src/examples/basic-spider-scan.py but get help integrating the openapi spidering, that'd be fantastic
16:48 psiinon: :)
16:48 stephend: somewhat limiting, though, is that for this to be effective, it'd be best in our Jenkins CI
16:48 stephend: and the Docker examples and work was/is great for that
16:49 stephend: but I can't use the zap-cli for this, I don't think -- too limiting; hopefully I'm wrong
16:49 stephend: psiinon: any chance you are more free early (PDT) tomorrow?
16:50 stephend: I might be able to stall with goal setting until a little later, if I can get a chance to go over some more stuff in a high-bandwidth chat
16:50 stephend: I could also set something somewhat vague and flesh it out as I understand more
16:50 psiinon: 5:30 BST tomorrow? ie equiv 20 mins ago?
16:51 stephend: that's 9:30am my time, and works perfectly for me - I'll set it up on our calendars?
16:51 stephend: and thanks!
16:51 psiinon: np :)
16:51 stephend: oh wow, yeah, almost 6pm there
16:52 * psiinon is in meetings for another hour ;)
16:54 stephend: godspeed; I know what it's like, so am gonna stop distracting you :-)
16:54 stephend: cheers!