owasp 2013 appsec usa zap hackathon

Uploaded by simon-bennetts, 16-Apr-2017

Transcript

OWASP
Zed Attack Proxy
Hackathon

Simon Bennetts

OWASP ZAP Project Lead
Mozilla Security

The Plan

Overview of how to extend ZAP

Describe the topics I could talk about

Find out what you really want to know ;)

Agree topics to cover

For each topic: Talk for a bit, hack for a bit

But it's all up for grabs, so we can change anything

And feel free to do your own thing!

I'll help out during the hacking sections

How you can extend ZAP

Without a dev environment: 3rd party tools

Scripts

Translations

Documentation

With a development environment:

Active & passive scan rules

'Full' extensions

What can you plug in?

Scripts

Script types

Active and Passive rules

UI elements: tabs, popups, toolbar buttons, menus, right click options...

API calls

Request / Response views

Breaking, Fuzzing, Searching

Topics I could talk about

The ZAP project structure

Setting up a ZAP development environment

ZAP documentation and internationalization

Implementing 'standard' scripts

Implementing Zest scripts

Implementing active and passive scan rules

Implementing Add-ons and extensions

Features and fixes to work on

More topics I could talk about

Key classes

Accessing core functionality and extensions

Internal events

The user interface

The API

The database

Request / Response views

Breaking, fuzzing, searching

Project Structure

zaproxy http://code.google.com/p/zaproxy/

The 'core' plus a lot more

zap-test http://code.google.com/p/zaproxy-test/

Unit tests

zap-extensions http://code.google.com/p/zap-extensions/

The add-ons

Trunk, alpha and beta branches!

Project Structure

zaproxy
    src        All the 'core' source code
        org/parosproxy    The 'old' Paros code
        org/zaproxy       The 'new' ZAP code
    help       Help files
    lang       Property files (UI)
    build      Build directory
    lib        Jar files
    scripts    Default script templates

Development Environment

Java 7

Eclipse (or your favorite Java IDE)

Subversive SVN (or equivalent)

Import ZAP projects via SVN:

https://zaproxy.googlecode.com/svn/trunk/

https://zaproxy-test.googlecode.com/svn/trunk/

https://zap-extensions.googlecode.com/svn/trunk/

https://zap-extensions.googlecode.com/svn/branches/alpha/

https://zap-extensions.googlecode.com/svn/branches/beta/

Add 'lib' jars to build path

Run org.zaproxy.zap.ZAP.java

Creating the Projects

File / New / Other...

SVN / Project from SVN

Create a new repository location

URL, e.g. https://zaproxy.googlecode.com/svn/

Select Resource, e.g. trunk

Check out .. using the New Project Wizard

Select a wizard: Java / Java Project

Add all lib/*.jar files to the build path

Dev Rules and Guidelines

http://code.google.com/p/zaproxy/wiki/DevGuidelines

Ease of use and consistency are key

All UI strings must be internationalized

Comment all changes to org.parosproxy.paros

All functionality should have help pages

Keep a clean split between functionality and UI

Check in code cleaner than you checked out

Write unit tests

Extensions should expose functionality, not UI elements (older ones still do)

Documentation and i18n

ZAP help files: src/help and {addon}/resource/help

http://code.google.com/p/zaproxy/wiki/HelpIntro

Home pages:

https://www.owasp.org/index.php/ZAP  'Official' home page, 'outward' facing?

http://code.google.com/p/zaproxy/  More details, 'internal' facing?

Translations (crowdin): http://crowdin.net/project/owasp-zap

Scripting

Script types and where they run:

Passive Rules    Passive scanner

Active Rules     Active scanner

Proxy            Inline

Stand Alone      User controlled

Targeted         Right click invoke

Library          Work in progress ;)

Plugable         Register at runtime

'Standard' Scripts

No IDE required :)

JavaScript (and Zest) built in

Python and Ruby download from Marketplace

All other JSR 223 scripts supported with no templates

Templates give basic structure

But you still need some idea of ZAP internals:

http://code.google.com/p/zaproxy/wiki/InternalDetails

http://code.google.com/p/zaproxy/wiki/JavaDocs

Zest Scripts

Built in, same script types

But they are graphical

Implement JSR 223

And very new

Effectively ZAP's macro language

Right click everywhere!

https://developer.mozilla.org/en-US/docs/zest

Add-ons

Available from the ZAP Marketplace

Name format: id-status-version.zap

Status: alpha, beta, release

Standard ZIP file, containing: ZapAddOn.xml

Active scan rules

Passive scan rules

Extensions

Files

ZapAddOn.xml

Short text name (no HTML) Longer description Author (no HTML)

ZapAddOn.xml

Add-on file structure

Package: org.zaproxy.zap.extension.name
    files            Will be included as files
    resource
        help         Help files
        icons        Images
        lib          Jars (will be expanded)

Classes and sub packages

Message.properties

Message_locale.properties

ZapAddOn.xml
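An example ZapAddOn.xml for a hypothetical add-on, added here to illustrate the manifest described above; it is not a file from the ZAP project. The element names follow the add-ons of this era in zap-extensions, but the package, class names, URL and version are placeholders, so compare against an existing add-on's manifest before relying on any element.

```xml
<zapaddon>
    <!-- Short text name shown in the Marketplace: no HTML -->
    <name>Example Add-on</name>
    <!-- Integer version, bumped for every release of the add-on -->
    <version>1</version>
    <!-- Longer description, shown to the user -->
    <description>Example add-on contributing one extension and two scan rules.</description>
    <!-- Author: plain text, no HTML -->
    <author>Example Author</author>
    <!-- Placeholder URL -->
    <url>http://example.org/zap-example-addon</url>
    <changes>First version.</changes>
    <!-- One element per class the add-on contributes; each class is loaded from the add-on zip -->
    <extensions>
        <extension>org.zaproxy.zap.extension.example.ExtensionExample</extension>
    </extensions>
    <ascanrules>
        <ascanrule>org.zaproxy.zap.extension.example.ExampleActiveScanner</ascanrule>
    </ascanrules>
    <pscanrules>
        <pscanrule>org.zaproxy.zap.extension.example.ExamplePassiveScanner</pscanrule>
    </pscanrules>
    <!-- Oldest ZAP version this add-on is known to work with -->
    <not-before-version>2.2.0</not-before-version>
</zapaddon>
```

The manifest sits at the root of the zip (named id-status-version.zap) next to the compiled classes; the build.xml targets mentioned below package it for you if the layout matches the structure above.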

Building Add-ons

zap-extensions/build/build.xml

zap-extensions/branches/alpha/build/build.xml

zap-extensions/branches/beta/build/build.xml

Typically you just need to add your add-on to the targets:

build-all

deploy-addon-id

deploy-all

Everything will be handled if you stick to the standard file structure

Passive Scan Rules

Extend org.zaproxy.zap.extension.pscan.
PluginPassiveScanner

Called for every request and response

Run in background thread

Can't change anything: look but don't touch ;)

Receive HttpMessage and DOM Source

Use PassiveScanThread.raiseAlert(..)

Lots of examples (trunk, beta, alpha?)
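An added example of a passive scan rule, written for this page rather than taken from the ZAP project: it inspects every response for a Set-Cookie header that lacks the HttpOnly flag and raises a low-risk alert through the PassiveScanThread. The package and plugin id are placeholders (a real rule needs an id that does not collide with existing rules), the Alert constants and the 8-argument setDetail(..) are those of the ZAP of this era, and which methods are abstract on PluginPassiveScanner depends on your ZAP version, so check the version you are building against.

```java
package org.zaproxy.zap.extension.example;  // hypothetical add-on package

import java.util.List;

import net.htmlparser.jericho.Source;

import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.pscan.PassiveScanThread;
import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;

/**
 * Passive rule: flag cookies set without the HttpOnly flag.
 * Illustrative only; ZAP already ships a rule for this check.
 */
public class ExamplePassiveScanner extends PluginPassiveScanner {

    private static final int PLUGIN_ID = 90001;  // placeholder, not an allocated id
    private PassiveScanThread parent;

    @Override
    public void setParent(PassiveScanThread parent) {
        this.parent = parent;  // the thread we raise alerts through
    }

    @Override
    public void scanHttpRequestSend(HttpMessage msg, int id) {
        // Nothing to check on the request side for this rule.
    }

    @Override
    public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
        // 'Look but don't touch': only read msg, never modify it or send anything.
        List<String> cookies = msg.getResponseHeader().getHeaders("Set-Cookie");
        if (cookies == null) {
            return;  // no cookies set by this response
        }
        for (String cookie : cookies) {
            if (!cookie.toLowerCase().contains("httponly")) {
                raiseAlert(msg, id, cookie);
            }
        }
    }

    private void raiseAlert(HttpMessage msg, int id, String cookieHeader) {
        // Alert(pluginId, risk, reliability, name)
        Alert alert = new Alert(PLUGIN_ID, Alert.RISK_LOW, Alert.WARNING, getName());
        alert.setDetail(
                "A cookie was set without the HttpOnly flag, so script running in the page can read it.",
                msg.getRequestHeader().getURI().toString(),
                cookieHeader,  // param: the offending header value
                "",            // attack: none, the rule is passive
                "",            // other info
                "Set the HttpOnly flag on cookies that script does not need to read.",
                "",            // reference
                msg);
        parent.raiseAlert(id, alert);
    }

    @Override
    public String getName() {
        // A real rule takes this from Messages.properties: UI strings must be internationalized
        return "Cookie set without HttpOnly flag (example rule)";
    }
}
```

Because passive rules run on a background thread for every message, keep them cheap: header lookups like this one are fine, while anything that walks the whole DOM Source should bail out early on non-HTML responses.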

Active Scan Rules

Extend org.parosproxy.paros.core.scanner.AbstractPlugin, via one of:

AbstractAppPlugin         Every node

AbstractAppParamPlugin    Every param

AbstractHostPlugin        Hosts / 1st node

Can change anything: make new requests etc.

AbstractPlugin has lots of utility methods

Lots of examples (trunk, beta, alpha?)
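An added example of an active scan rule, written for this page and not taken from the ZAP project: it extends AbstractAppParamPlugin so scan(..) is called once per parameter, uses the AbstractPlugin utilities getNewMsg(), setParameter(..), sendAndReceive(..) and bingo(..) to send a probe and raise an alert when the probe value is reflected in the response. The package and plugin id are placeholders, and the bingo(..) signature is the one from the ZAP of this era, so check it against your version.

```java
package org.zaproxy.zap.extension.example;  // hypothetical add-on package

import java.io.IOException;

import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.network.HttpMessage;

/**
 * Active rule: for every parameter, send a unique marker and report where it
 * comes back in the response body. Illustrative only; ZAP's real XSS rules
 * do far more than this.
 */
public class ExampleActiveScanner extends AbstractAppParamPlugin {

    private static final int PLUGIN_ID = 90002;  // placeholder, not an allocated id
    private static final String MARKER = "zapExampleMarker7f3a";  // unlikely to appear naturally

    @Override
    public void init() {
        // Called once per scan before any scan(..) call; nothing to set up here.
    }

    @Override
    public void scan(HttpMessage msg, String param, String value) {
        if (isStop()) {
            return;  // the user stopped the scan
        }
        try {
            // Active rules may build new requests: clone the original, set the parameter, send it
            HttpMessage testMsg = getNewMsg();
            setParameter(testMsg, param, MARKER);
            sendAndReceive(testMsg);

            if (testMsg.getResponseBody().toString().contains(MARKER)) {
                // bingo(risk, reliability, uri, param, attack, otherInfo, msg) records the alert
                bingo(Alert.RISK_INFO, Alert.WARNING,
                        testMsg.getRequestHeader().getURI().toString(),
                        param, MARKER,
                        "The value of '" + param + "' is reflected in the response body.",
                        testMsg);
            }
        } catch (IOException e) {
            // sendAndReceive declares IOException; a failed request is not a finding
        }
    }

    @Override
    public int getId() {
        return PLUGIN_ID;
    }

    @Override
    public String getName() {
        return "Parameter reflection (example rule)";
    }

    @Override
    public String[] getDependency() {
        return null;  // no other rule needs to run first
    }

    @Override
    public String getDescription() {
        return "A parameter value is reflected in the response, which is the precondition for reflected injection.";
    }

    @Override
    public int getCategory() {
        return Category.INJECTION;
    }

    @Override
    public String getSolution() {
        return "Encode reflected input according to the context it is written into.";
    }

    @Override
    public String getReference() {
        return "";
    }
}
```

The isStop() check matters in real rules too: scan(..) can be called thousands of times, and a rule that keeps sending after the user hits stop is a common review finding.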

Extensions

Extend org.parosproxy.paros.extension.Extension

Can do anything: much of the 'core' is really extensions

Should have their own language files

Lots of examples: pick one that does something vaguely similar?

Features and Fixes

Scripts, in Javascript, Python, Ruby, Zest

New script templates Groovy, Scala ...

Active and passive scan rules

http://code.google.com/p/zaproxy/wiki/Projects

http://code.google.com/p/zaproxy/issues/list

'IdealFirstBug' tag

Wrap / port another tool (retire.js, ..)

Whatever you want to do!

Extension Hooks

OptionsChangedListener

ProxyListener

SessionChangedListener

SiteMapListener

PersistentConnectionListener

AddonFilesChangedListener

CommandLineListener

Key Classes

ZAP                 main class

Model               singleton

View                singleton

Control             singleton

Session             access via Model

SiteMap             access via Session

SiteNode            a SiteMap node

HttpMessage         full request/response

HistoryReference    subset of HttpMessage

Alert               a vulnerability

Accessing Extensions

Core Extensions (ie included by default)

    ExtensionXXX extXXX = (ExtensionXXX)
        Control.getSingleton().
            getExtensionLoader().getExtension(
                ExtensionXXX.NAME);
    if (extXXX != null) {
        // Now you can use it...
        extXXX.someFunction();
    }

For Extensions not included by default you must use a String name and access functions via reflection

API

org.zaproxy.zap.extension.api.API - singleton

api.registerApiImplementor (ApiImplementor impl)

ApiElement subclasses:

ApiView     return structured info (an ApiResponse)

ApiAction   make changes (return structured info)

ApiOther    return raw data

API generators: JavaAPIGenerator, PythonAPIGenerator, WikiAPIGenerator
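An added example tying together the Extensions, Extension Hooks and API sections above; it is written for this page, not code from the ZAP project. The extension extends ExtensionAdaptor, registers itself as a ProxyListener in hook(..) to count proxied requests per host, and registers an ApiImplementor whose ApiView returns the count for a given host. The package, names and the API prefix are placeholders; the ProxyListener and ApiImplementor method names are those of the 2.x ZAP of this era, and the code stays Java 7 compatible as the slides assume.

```java
package org.zaproxy.zap.extension.example;  // hypothetical add-on package

import java.util.HashMap;
import java.util.Map;

import net.sf.json.JSONObject;

import org.parosproxy.paros.core.proxy.ProxyListener;
import org.parosproxy.paros.extension.ExtensionAdaptor;
import org.parosproxy.paros.extension.ExtensionHook;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.api.ApiException;
import org.zaproxy.zap.extension.api.ApiImplementor;
import org.zaproxy.zap.extension.api.ApiResponse;
import org.zaproxy.zap.extension.api.ApiResponseElement;
import org.zaproxy.zap.extension.api.ApiView;

/**
 * Counts proxied requests per host and exposes the totals through the ZAP API.
 * Exposes functionality, not UI elements, per the dev guidelines.
 */
public class ExtensionExample extends ExtensionAdaptor implements ProxyListener {

    public static final String NAME = "ExtensionExample";

    // Guarded by synchronized: proxy threads call onHttpRequestSend concurrently
    private final Map<String, Integer> countsByHost = new HashMap<String, Integer>();

    public ExtensionExample() {
        super(NAME);
    }

    @Override
    public void hook(ExtensionHook extensionHook) {
        super.hook(extensionHook);
        extensionHook.addProxyListener(this);                    // see every proxied message
        extensionHook.addApiImplementor(new ExampleApi());       // registers with the API singleton
    }

    @Override
    public int getArrangeableListenerOrder() {
        return 0;  // position among proxy listeners; a read-only listener does not care
    }

    @Override
    public boolean onHttpRequestSend(HttpMessage msg) {
        String host = msg.getRequestHeader().getHostName();
        synchronized (countsByHost) {
            Integer n = countsByHost.get(host);
            countsByHost.put(host, n == null ? 1 : n + 1);
        }
        return true;  // true = keep forwarding the request; false would drop it
    }

    @Override
    public boolean onHttpResponseReceive(HttpMessage msg) {
        return true;  // responses pass through untouched
    }

    public int getCount(String host) {
        synchronized (countsByHost) {
            Integer n = countsByHost.get(host);
            return n == null ? 0 : n;
        }
    }

    @Override
    public String getAuthor() {
        return "Example Author";
    }

    @Override
    public String getDescription() {
        return "Counts proxied requests per host (example add-on).";
    }

    /** API view reachable as /JSON/example/view/count/?host=... (prefix is a placeholder). */
    private class ExampleApi extends ApiImplementor {
        private static final String PREFIX = "example";
        private static final String VIEW_COUNT = "count";
        private static final String PARAM_HOST = "host";

        ExampleApi() {
            // Declare the view and its mandatory parameter so the API layer validates calls
            addApiView(new ApiView(VIEW_COUNT, new String[] { PARAM_HOST }));
        }

        @Override
        public String getPrefix() {
            return PREFIX;
        }

        @Override
        public ApiResponse handleApiView(String name, JSONObject params) throws ApiException {
            if (VIEW_COUNT.equals(name)) {
                String host = params.getString(PARAM_HOST);
                return new ApiResponseElement(name, String.valueOf(getCount(host)));
            }
            throw new ApiException(ApiException.Type.BAD_VIEW);
        }
    }
}
```

Keeping the count in the extension and only reading it from the ApiImplementor follows the "clean split between functionality and UI/API" guideline: a tab or script that wants the same data calls getCount(..) on the extension instead of going through the API.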

Database

http://code.google.com/p/zaproxy/wiki/InternalDatabase

HSQLDB can access directly via SQL tools

Package: org.parosproxy.paros.db

Shouldn't typically access the db directly: use the extension that 'owns' the data

Add-ons can create new tables: see websockets

The schema must be backwards compatible between releases

Pluggable HttpPanels

org.zaproxy.zap.extension.httppanel

Request and Response display options

Good examples: websockets & plugnhack (?)

httppanel
    component    XxxComponent
    models       extend Abstract*HttpPanelViewModel
    views        extend HttpPanelTextArea...

Feedback?

The OWASP Foundation  http://www.owasp.org

Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.