OWASP Zed Attack Proxy

The Zed Attack Proxy (ZAP) is a free tool written in Java that comes from the OWASP project. Its primary purpose is penetration testing of web applications, although developers can also use it in their day-to-day work. As of today it is at version 2.1.0 and requires Java 7 to run; I used it on Debian GNU/Linux under OpenJDK 7. For those of us just starting out in the world of web application security, it is a good tool for polishing our skills.

Some ZAP features (for example Active scan) must not be used on sites that are not ours or for which we do not have prior authorization, since that could be considered an illegal activity.

Among the many features of ZAP, I will comment on the following:

  • Intercepting proxy: The most useful one for those of us who are new to this area of security. Correctly configured, it lets us see all the traffic exchanged between the browser and the web server at that moment, showing in a simple way the headers and body of each HTTP message regardless of the method used (HEAD, GET, POST, etc.). Furthermore, we can modify the HTTP traffic at will in both directions (between the web server and the browser).
  • Spider: A feature that helps discover new URLs on the site under analysis. One of the ways it does this is by analyzing the HTML code of each page to find anchor tags and follow their href attributes.
  • Forced browse: Tries to find unlisted files and directories on the site, such as login pages. To do this it ships with default dictionary lists that it uses to make requests to the server, looking for a 200 status code in the response.
  • Active scan: Automatically launches different web attacks against the site, such as CSRF, XSS, SQL injection and others.
  • And many more: There are in fact many other features, such as support for WebSockets since version 2.0.0, AJAX Spider, Fuzzer, and a few others.
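The spider's basic mechanism, written here as an added example that is not ZAP's own code: it extracts the href of every anchor tag in a page, resolves relative links against the page URL, keeps only links on the same host (the crawl scope, so third-party sites such as Facebook are ignored) and walks them breadth-first. The site map is a constructed in-memory dictionary that stands in for HTTP fetches, so the example runs offline; the URLs and page contents in it are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag


class LinkExtractor(HTMLParser):
    """Collects the href attribute of every <a> tag found in an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(base_url, html):
    """Return the absolute, fragment-free, in-scope URLs linked from a page.

    Relative hrefs are resolved against base_url. Only http(s) links whose
    host matches base_url are kept: that is the "scope" a spider uses so it
    does not wander off onto other sites.
    """
    parser = LinkExtractor()
    parser.feed(html)
    scope_host = urlparse(base_url).netloc
    found = []
    for href in parser.hrefs:
        absolute, _fragment = urldefrag(urljoin(base_url, href))
        parsed = urlparse(absolute)
        if parsed.scheme not in ("http", "https"):
            continue  # skip mailto:, javascript:, etc.
        if parsed.netloc != scope_host:
            continue  # out of scope (e.g. a social-network link)
        if absolute not in found:
            found.append(absolute)
    return found


def crawl(pages, start_url):
    """Breadth-first crawl over an in-memory site map {url: html}.

    `pages` replaces real HTTP fetches so the example runs offline; a real
    spider would request each URL (through the proxy) instead of a dict lookup.
    Returns every in-scope URL discovered, in discovery order.
    """
    seen = [start_url]
    queue = [start_url]
    while queue:
        url = queue.pop(0)
        html = pages.get(url)
        if html is None:
            continue  # would be a 404 in the real world: nothing to parse
        for link in extract_links(url, html):
            if link not in seen:
                seen.append(link)
                queue.append(link)
    return seen


# Constructed sample site (hypothetical host, not real content from any site).
SAMPLE_SITE = {
    "http://example.test/": '<a href="/about">About</a> <a href="blog/">Blog</a> '
                            '<a href="https://www.facebook.com/x">Follow us</a> '
                            '<a href="mailto:a@example.test">Mail</a>',
    "http://example.test/about": '<a href="/">Home</a> <a href="/about#team">Team</a>',
    "http://example.test/blog/": '<a href="post-1.html">Post</a>',
    "http://example.test/blog/post-1.html": '<a href="../about">About</a>',
}

if __name__ == "__main__":
    for url in crawl(SAMPLE_SITE, "http://example.test/"):
        print(url)
```

Running it lists the four in-scope pages and nothing else: the Facebook link is dropped by the scope check, the mailto link by the scheme check, and `/about#team` collapses onto `/about` because fragments are stripped before deduplication.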

Configuration with Firefox

We can configure the socket ZAP listens on by going to Tools -> Options -> Local proxy. In my case I have it listening on port 8018:

Local proxy configuration

Then we open the Firefox preferences and go to Advanced -> Network -> Settings -> Manual proxy configuration. There we enter the socket we configured earlier in ZAP:

Configuring the proxy in Firefox

If everything went well, all our HTTP requests will now be sent to ZAP, which takes care of forwarding them just as any proxy would. As an example, I accessed this site from the browser; let's see what happened in ZAP:

ZAP screenshot

We can see that more than 100 HTTP messages were generated (most of them using the GET method) to load the page completely. As the Sites tab shows, traffic was generated not only to this site but also to other sites. One of them is Facebook, caused by the social widget at the bottom of the page ("Follow us on Facebook"). Google Analytics appears as well, which reveals that the site's administrators use that tool to analyze and view the site's statistics.

We can also inspect each of the exchanged HTTP messages in detail. Let's look at the response this site's web server produced when I accessed the address http://desdelinux.net, by selecting the corresponding HTTP GET request:

HTTP message details

We note the 301 status code, which indicates a redirect to https://blog.desdelinux.net/.
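A parser for a raw HTTP response like the one inspected above, written here as an added illustration rather than taken from ZAP or from the blog: it splits the status line, headers and body, extracts the redirect target of a 3xx response (resolving a relative Location against the requested URL), and performs the check a defender would want from this capture, namely that a plain-HTTP request is redirected to HTTPS on the same domain or one of its subdomains (as with desdelinux.net to blog.desdelinux.net). The response bytes are constructed to resemble the 301 described; they are not a real capture and the header set is an assumption.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Only the message framing is parsed; chunked transfer encoding
    and content decompression are out of scope for this illustration.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # e.g. "HTTP/1.1 301 Moved Permanently"
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def redirect_target(status, headers, request_url):
    """Absolute URL a 3xx response sends the client to, or None if not a redirect."""
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    # Location may be relative; resolve it against the URL that was requested.
    return urljoin(request_url, headers["location"])


def check_https_upgrade(request_url, raw):
    """Does a plain-HTTP request get redirected to HTTPS on the same domain?

    "Same domain" also accepts a subdomain of the requested host, which covers
    redirects such as desdelinux.net -> blog.desdelinux.net.
    """
    status, headers, _body = parse_http_response(raw)
    target = redirect_target(status, headers, request_url)
    if target is None:
        return False
    src, dst = urlparse(request_url), urlparse(target)
    if src.hostname is None or dst.hostname is None:
        return False
    same_domain = dst.hostname == src.hostname or dst.hostname.endswith("." + src.hostname)
    return dst.scheme == "https" and same_domain


# Constructed sample modelled on the 301 discussed above; not a real capture
# and the header set is an assumption.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://blog.desdelinux.net/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed plain 200 response: no redirect, so no HTTPS upgrade.
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nhi"

if __name__ == "__main__":
    status, headers, body = parse_http_response(SAMPLE_REDIRECT)
    print(status, headers.get("location"), len(body))
    print(check_https_upgrade("http://desdelinux.net/", SAMPLE_REDIRECT))  # True
    print(check_https_upgrade("http://desdelinux.net/", SAMPLE_OK))        # False
```

The same function can be pointed at a response saved from ZAP's request/response view: a site that answers a plain-HTTP request with 200 instead of redirecting to HTTPS leaves its visitors on an unencrypted connection, which is exactly what the check flags.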

ZAP has become a good, completely free alternative to Burp Suite. For those of us starting out in this exciting world of web security, we will surely spend hours and hours in front of this tool learning web intrusion techniques; I have already put in a few myself.



  1.   Nano said

    This is something I will have to do, mainly to verify what I am doing.

    It is very interesting.

  2.   lokacin3000 said

    This tool is far more complete than Microsoft Network Monitor. The contribution is appreciated.

  3.   Mai kamawa said

    Excellent, thank you very much for the information and the explanation.
    Thank you.

  4.   xavip said

    IMHO, I think these tools should be left to the security authorities and not published on a Linux blog. There are people who could use it unintentionally or unwittingly.

    1.    pablox said

      Tools will always be double-edged, since both good and bad people use them; unfortunately that cannot be avoided. OWASP ZAP is a tool recognized by the EH community in the field of web security and is used for web auditing. Remember: "With great power comes great responsibility."

      I published this post because I am training myself to offer HD services in the future and I thought it would be interesting for other readers. The aim is not for it to be used illegally, hence the warning at the start of the post.

      Greetings!

      PS1 ->: how about this: Troll detected? I have my doubts....
      PS2 -> Hahaha, please don't let this turn into a flame war from here on down, as has happened in other posts.