
Week 2 assignment: Using ZAP and demonstrating very simple web vulnerabilities

Warning: If you plan on using the tools on live targets, ensure that you know what web site you are targeting. The tools generate traffic that, even if it shouldn’t do much to a well-tested web site, may be flagged as an intrusion attempt. You need authorisation before using the tools against any third party site. If you plan to do security testing for someone, get the authorisation in writing and in advance.

The goal of this week’s exercise is to start using an intercepting web proxy, as it is one of the major tools of the web security assessment trade. As the target, we are using OWASP Juice Shop, which is a very vulnerable training system for web application security assessment.

The tools we use have a lot of functionality and we can only scratch the very surface.

Obtaining Zaproxy

Intercepting proxies are HTTP proxies that sit between your browser and the target site. They allow you to view and modify the HTTP requests and responses, and with a suitable configuration, can also be used as Man-in-the-Middle attack points in a TLS connection.

Intercepting proxies are the bread-and-butter of web security tools, so it is important to have a feel of what they are capable of. In this weekly exercise, we will set up one of them, and have a look at traffic.

We are using OWASP Zed Attack Proxy, because it is free and open source. In the commercial web application testing domain, Burp Suite Professional is the de facto tool, but OWASP ZAP has recently approached feature parity; also, some people feel ZAP gives them better extensibility. If you happen to have a Burp Suite licence already, you can use Burp Suite for this assignment.

ZAP is an open source project, and available at https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.

Both ZAP and Burp are implemented in Java, so they are run out of JAR files.

On Linux, run Zaproxy with: ./zap.sh (from the directory where you uncompressed the Linux version)

Proxy settings

Ensure that your intercepting proxy listens on localhost (127.0.0.1) interface only; in ZAP, this is Tools | Options | Local proxies. Otherwise, you will open up an open proxy server that anyone in your network could use. You will need to run the browser on the same machine as you run the proxy.

You then need to configure your browser to send all your requests through the proxy. See: https://github.com/zaproxy/zap-core-help/wiki/HelpStartProxies (for Zap)

In order to do HTTPS (TLS) Man-in-the-Middle attacks, you will also have to configure the proxy’s certificate in your browser. We do not require this for this exercise, but you are free to do so if you wish; instructions are available on the tools’ pages. Essentially you need to export the tool’s CA certificate and import it into your browser.

To verify that you have a correct set-up, surf around with your web browser and have a look at what the requests and responses look like in the tool.

Obtaining the target application: OWASP Juice Shop

OWASP Juice Shop can be obtained from https://www.owasp.org/index.php/OWASP_Juice_Shop_Project.

OWASP Juice Shop is a very broken web application, which is actually a pretty nice training ground. We will be demoing a couple of the easy issues there, but if you are interested in web security, it is not a bad option - it uses a fairly modern design so it won’t look like trying to hack my 1990s home page.

The recommended way to install it is to use a Docker image. This way, you do not have to build anything or deal with dependencies. You need to have Docker available; install Docker Community Edition (docker-ce) using instructions from Docker. It is not recommended to use the Docker that comes with your Linux distribution.

Note: Installing Docker on your system has historically been shown to make it easier to conduct privilege elevation attacks on your host.

To obtain and run Juice Shop as a Docker container, you can:

$ docker pull bkimminich/juice-shop
$ docker run --rm -p 3000:3000 bkimminich/juice-shop

You can then connect to the Juice Shop with the browser by surfing to http://localhost:3000.

The exercise

Verify that everything works

In the set-up that you need for this exercise, you should have ZAP as a proxy for your web browser. The browser will connect to the proxy, and the proxy will connect to the Juice Shop.

When you surf around the Juice Shop, you should see the requests being listed in the History window. If you don’t, check that localhost is not on the proxy exclusion list - even the localhost requests need to be sent to the proxy.

Click on a request in the History window. You can then see the contents of the request and response in the Request and Response windows.

Task 1: Demonstrate reflected Cross-Site Scripting (XSS)

Cross-Site Scripting, or XSS, is a vulnerability that allows another party to execute JavaScript in the context of your browsing session.

There is a prominent place in the user interface that has an XSS vulnerability. It takes a piece of HTML and renders it without filtering in your browser. Your task is to demonstrate XSS. One way to do this is to open a pop-up window using the alert() function.

ZAP is not required for this task.
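The difference between the vulnerable rendering described above and the fixed one, as an added example that is not part of the assignment or of Juice Shop’s code. The two render functions are stand-ins for the browser’s innerHTML and textContent sinks so the example runs in Node without a DOM; the input string is constructed for the demonstration.

```javascript
// Vulnerable sink: the user-supplied string becomes markup, so any tags in it
// are parsed and, if executable, run in the user's session. This is what
// element.innerHTML = userInput does in a browser.
function renderUnsafe(userInput) {
  return `<p>Results for ${userInput}</p>`;
}

// Hardened: escape the five HTML-significant characters before the string is
// placed into the markup. In a browser, element.textContent = userInput gives
// the same effect without a hand-written escaper.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(userInput) {
  return `<p>Results for ${escapeHtml(userInput)}</p>`;
}

// Simple check usable in a test suite or a response filter: does the rendered
// markup still contain a script tag that came from the input?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input mirroring the alert() demonstration asked for in task 1.
const constructedInput = '<script>alert(1)</script>';
console.log('unsafe:', renderUnsafe(constructedInput));
console.log('safe:  ', renderSafe(constructedInput));
```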

What to return for task 1

  • A screenshot of your payload having been executed.
  • The URL that triggers the XSS.

Task 2: Buy a negative amount of goods

This type of bug is a business logic bug. Obviously, it should not be possible to buy a negative amount of goods from a store, because the price of such a purchase would be negative - and this means that the store gives you money.

So, we’re going to do just that. Log in to the store, and purchase one item of something (finalise the checkout procedure). You will get a PDF receipt.

Find the POST request in ZAP’s History tab that puts an item into the basket. Open that request in the Request Editor, and submit an edited request to create a basket with a negative amount of goods.

Reload the basket view and checkout, showing a negative price.
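Why editing the request in the proxy works, and what the server-side fix looks like, as an added example that is not Juice Shop’s own code. The handlers are plain functions rather than Express routes so the example runs in Node on its own; the request body shape {ProductId, quantity}, the catalogue and the prices (in cents) are constructed for the illustration.

```javascript
// Constructed catalogue: product id -> unit price in cents.
const constructedPrices = { 1: 199, 2: 450 };

// Vulnerable: trusts whatever quantity the client sent. The shop's own form
// never produces a negative number, but a request edited in the proxy does,
// and nothing on the server notices.
function addToBasketUnsafe(basket, body) {
  basket.items.push({ productId: body.ProductId, quantity: Number(body.quantity) });
  return { status: 200, basket };
}

// Hardened: the quantity is validated on the server, the only place a check
// cannot be bypassed by the client, and only known products are accepted.
function addToBasketSafe(basket, body) {
  const qty = Number(body.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 1000) {
    return { status: 400, error: 'quantity must be an integer between 1 and 1000' };
  }
  if (!(body.ProductId in constructedPrices)) {
    return { status: 404, error: 'unknown product' };
  }
  basket.items.push({ productId: body.ProductId, quantity: qty });
  return { status: 200, basket };
}

// Price is always recomputed from the catalogue, never taken from the request.
function basketTotalCents(basket) {
  return basket.items.reduce(
    (sum, it) => sum + constructedPrices[it.productId] * it.quantity, 0);
}

// Detection: a request-log or WAF rule can flag basket requests whose quantity
// is not a positive number, which a real browser session never sends.
function suspiciousBasketRequest(body) {
  const qty = Number(body.quantity);
  return !Number.isFinite(qty) || qty <= 0;
}

// Constructed edited request, as task 2 asks you to submit from the proxy.
const edited = { ProductId: 1, quantity: '-100' };
const unsafeBasket = { items: [] };
addToBasketUnsafe(unsafeBasket, edited);
console.log('unsafe total (cents):', basketTotalCents(unsafeBasket));
console.log('safe response:', addToBasketSafe({ items: [] }, edited));
console.log('flagged:', suspiciousBasketRequest(edited));
```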

What to return for task 2

  • The PDF receipt that shows a negative sum of money.

Grading notes

To get full points for this exercise, it needs to be completed in its entirety. If you have insurmountable problems with the exercise, there’s an online reference, Pwning OWASP Juice Shop, that explains how to perform both of these attacks - and all of the others, so it’s a great companion book for learning web security with OWASP Juice Shop.
