Alessandro's blog

Web application vulnerabilities assessment with Zap and W3af

Alessandro's photo
Alessandro
·

6 min read

OWASP Community

Open Web Application Security Program (OWASP) is a non-profit online organization focused on spreading information and awareness about enterprise application security problems and creating guidelines and tools for enterprise application security assessment.

In the past several years, it has become one of the reference community for IT security, sharing best practices and free documents on the topic.

One of its most popular document is the "Top 10 Web Application Vulnerabilities", which lists and describes the most critical security risks to web applications and I based on that document my analysis.

Scope of the assessment

With this in mind, I wanted to analyze websites vulnerabilities, with both passive and active attacks.

Passive attacks are used to gather information about websites by checking their page source code, by searching for useful keywords, by analyzing the traffic and the website location. They only generate fake requests with the target website without compromising its functionalities.

Although the passive scan is not intrinsically dangerous, it is recommended to be used with parsimonia since it can result into an extra amount of requests to handle for the target website and into a temporary/permanent block for the attacker. For my studying purpose, the passive attacks I implemented is eligible for none of these two case.

On the other side, active attacks towards websites may do compromise their functionalities. Thus, I builded a my own target website to test it, trying to replicate each of the OWASP 10 vulnerabilities, in order to analyze them and to understand where they usually come from and how to mitigate them.

To do that, among the free/open source tools available on the market, I chose two of the most widespread and complete tools for security assessment: ZAP and W3af.

ZAP

ZAP (Zed Attack Proxy - zaproxy.org ) is one of many OWASP products pertaining to software security.

It works as a proxy between the user browser and the network, so it can both intercept packet traffic exchanged during request/response messages, and make direct attacks towards target application. Other than proxy, it also offers a good amount of functionalities, such as fuzzer, brute force, spider, and so on. Thus, it is a useful tool for my purpose because it can be used to perform penetration test and vulnerabilities assessment of web applications, introducing a powerful and easy to use tool. It is open source and has received various awards by users in the last years.

More details about the usage of ZAP can be found here.

W3af

W3af (Web Application Attach and Audit Framework - w3af.org ), similarly to ZAP, is an open source tool with a rich set of features and an active community behind.

It is based on three main modules:

  • core, the central part of the tool which coordinates the plugins and the processes
  • user interface, that allow users to interact and configure the tool
  • plugins, grouped into lists (discovery, audit, grep, attack, output, mangle, evasion, brute force) that can be enabled and are used to discover vulnerabilities.

W3af is also extensible by the users with the creation of new custom plugins.

More details about W3af can be found here.

Assessment and Findings

Passive Scan

The passive analysis is useful to protect your website by understanding which vulnerabilities are present and which information can be sniffed from your website. Apart from security point of view, it can also be used in troubleshooting performance issues by sending a number of requests to the target website.

In this assessment, the passive analysis has been performed by sending few requests against popular and robust websites with the only purpose to check the tools potentiality and which information they can gather.

The vulnerabilities raised by the tools are all minor or informative.

Just to name a few of those raised:

  • X-Frame-Options header not set. The X-Frame-Options can be used in the HTTP header of the response to indicate whether or not a browser should be allowed to render a page in a frame. This vulnerability can be used for clickjacking attacks, where a user is stimulated to click on buttons that are different from what he perceives from the websites and be forced to do unintended actions.

  • Cookie set without HttpOnly flag. HttpOnly is an additional flag included in a Set-Cookie HTTP response header that prevent cookies to be accessed through client-side scripts and, in case of cross-site scripting (XSS), the browser will hide them to a third party.

  • Password Autocomplete in browser. An attacker with local access could obtain the text password from the browser cache, so the password autocomplete should be disabled, for example, through the option Autocomplete of the Html input tag.

  • X-Content-Type-Options header missing. The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type and if the server does not return it correctly the website could be at risk of a XSS attack.

Active Attacks

The active attacks analysis, on the other side, may be very useful as test cases to understand if your website is robust enough to prevent at least the main vulnerabilities highlighted from OWASP or the vulnerabilities the tools support.

This type of attacks may compromise permanently the website, so it is needed to create a separate clone of the application we want to evaluate as target and use it for security analysis.

For the active analysis, given an initial root URL of a website, the tools internally constructs the graph with links and nodes and send requests to every node found. Nodes of the graph are the list of URL to use as target attack. Every URL receives multiple attacks to check different vulnerabilities. zap_image.png

Finally, the tool returns the list of vulnerabilities found, the details for each vulnerability, the explanation, and the links where to find a possible solution.

Final Thoughts

There are many powerful tools on the market to perform penetration tests, both open-source or with commercial licenses. Some tools are more complete than others but, in general, they cover a finite amount of vulnerabilities and they may approach them in a different way.

Using multiple tools it increases the accuracy and completeness of the assessment. For instance, in the present assessment, ZAP and W3af have similar capabilities but: ZAP is generally more complete and easy to use, while W3af is more accurate to discover XSS vulnerabilities (reflected and stored). Using together they can perform a much stronger analysis.