OWASP Zed Attack Proxy

The Zed Attack Proxy (ZAP) is a free tool, written in Java, that comes from the OWASP project and is intended, first and foremost, for penetration testing of web applications, although developers can also use it in their day-to-day work. As of today it is at version 2.1.0 and requires Java 7 to run, though I use it on Debian GNU/Linux under OpenJDK 7. For those of us just starting out in the world of web application security, it is an excellent tool for polishing our skills.

Some features of the ZAP proxy (Active Scan, for example) must not be used against sites that are not ours or for which we have no prior authorization, because doing so can be considered illegal activity.

Among ZAP's many features, I will comment on the following:

  • Intercepting proxy: Ideal for those of us who are newcomers to the security field. Once it is configured correctly, it lets us see all the traffic between the browser and the web application in real time, showing the headers and body of each HTTP message in a simple way regardless of the method used (HEAD, GET, POST, etc.). In addition, we can modify the HTTP traffic at will in both directions of the conversation (between the web application and the browser).
  • Spider: A useful feature for discovering new URLs on the site under analysis. One of the ways it does this is by parsing the HTML code of each page to find link tags and following their href attributes.
  • Forced Browse: Tries to find non-indexed files and directories on the site, such as login pages. To do this it ships with a series of default word lists, which it uses to make requests to the server while waiting for a response with status code 200.
  • Active Scan: Automatically generates various web attacks against the site, such as CSRF, XSS and SQL injection, among others.
  • And many more: There really are many other features, such as WebSocket support since version 2.0.0, the AJAX Spider, the Fuzzer, and a few others.
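To make the Spider description concrete, here is an added example (my own code, not part of ZAP or of the original post) of the link-discovery step: it parses the `href` attribute of every `<a>` tag, resolves relative links against the page URL, and keeps the crawl inside the scope of the site being tested. The site map, host name `example.test` and page contents are constructed for the example.

```python
"""Link-discovery step of a web spider (added example, not ZAP's own code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag


class LinkExtractor(HTMLParser):
    """Collect the href value of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def discover_links(page_url, html):
    """Return (in_scope, out_of_scope) sets of absolute URLs found on one page."""
    parser = LinkExtractor()
    parser.feed(html)
    scope_host = urlparse(page_url).netloc
    in_scope, out_of_scope = set(), set()
    for href in parser.hrefs:
        # Resolve relative links and drop fragments so /x#a and /x are one URL.
        absolute, _fragment = urldefrag(urljoin(page_url, href))
        parts = urlparse(absolute)
        if parts.scheme not in ("http", "https"):  # skip mailto:, javascript:, ...
            continue
        if parts.netloc == scope_host:
            in_scope.add(absolute)
        else:
            out_of_scope.add(absolute)
    return in_scope, out_of_scope


def crawl(start_url, pages):
    """Breadth-first crawl over an offline page map {url: html}, staying in scope.

    Returns (visited_urls, external_urls_seen_but_not_followed).
    """
    seen, queue, external = set(), [start_url], set()
    while queue:
        url = queue.pop(0)
        if url in seen or url not in pages:
            continue
        seen.add(url)
        found, ext = discover_links(url, pages[url])
        external |= ext
        queue.extend(sorted(found - seen))
    return seen, external


# Constructed sample site (hypothetical host and content, not from the post).
SAMPLE_PAGES = {
    "http://example.test/": """<html><body>
        <a href="/about.html">About</a>
        <a href="login.html#top">Login</a>
        <a href="mailto:admin@example.test">Mail</a>
        <a href="https://www.facebook.com/example">Follow us on Facebook</a>
        </body></html>""",
    "http://example.test/about.html": '<a href="/">Home</a><a href="/admin/">Admin</a>',
    "http://example.test/login.html": '<a href="/">Home</a>',
    "http://example.test/admin/": '<a href="../about.html">Back</a>',
}

if __name__ == "__main__":
    visited, third_party = crawl("http://example.test/", SAMPLE_PAGES)
    print("in scope:", sorted(visited))
    print("out of scope (not followed):", sorted(third_party))
```

Keeping the crawl to the configured host is the same scoping discipline the post's warning asks for: the spider records links to third-party hosts but never requests them.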

Configuration with Firefox

We can configure the socket ZAP listens on by going to Tools -> Options -> Local Proxy. In my case it listens on port 8018:

Configuring the "Local Proxy"

Then we open the Firefox preferences and go to Advanced -> Network -> Settings -> Manual proxy configuration. There we enter the socket we configured earlier in ZAP.

Configuring the proxy in Firefox

If everything went well, all our HTTP traffic is now being sent to ZAP, which is in charge of forwarding it just as any proxy would. For example, I open this blog from the browser and see what happens in ZAP:

ZAP analysis

We can see that more than a hundred HTTP requests were generated (most of them using the GET method) to load the page completely. As the Sites tab shows, traffic was sent not only to this blog but also to other sites. One of them is Facebook, generated by the social plugin at the bottom of the page ("Follow us on Facebook"). Google Analytics also appears, which reveals that the site administrators use that tool to analyse and monitor the blog's traffic.

We can also inspect each exchanged HTTP message in detail. Let us look at the response the blog's web server returned when I entered the address http://desdelinux.net, by selecting the corresponding HTTP GET request:

HTTP message detail

We see that it returns a status code 301, indicating a redirect to https://blog.desdelinux.net/.
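The two observations above, the Sites tab grouping requests by host (which exposes third-party calls such as the Facebook plugin and Google Analytics) and the 301 response with its Location header, can be reproduced over a captured log. The following is an added example of my own, not ZAP code or code from the post; the request list and the raw response are constructed samples shaped after what the post describes (the exact Facebook and Google Analytics paths are made up).

```python
"""Summarising traffic recorded by an intercepting proxy (added example, not ZAP code)."""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of the requests a proxy might log while loading one page.
CAPTURED_REQUESTS = [
    ("GET", "http://desdelinux.net/"),
    ("GET", "https://blog.desdelinux.net/"),
    ("GET", "https://blog.desdelinux.net/wp-content/style.css"),
    ("GET", "https://blog.desdelinux.net/wp-content/logo.png"),
    ("POST", "https://blog.desdelinux.net/wp-admin/admin-ajax.php"),
    ("GET", "https://www.facebook.com/plugins/likebox.php"),
    ("GET", "https://www.google-analytics.com/analytics.js"),
    ("GET", "https://www.google-analytics.com/collect?v=1"),
]

# Constructed raw response in the form the proxy displays it:
# status line, headers, blank line, (empty) body.
RAW_301_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://blog.desdelinux.net/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def group_by_host(requests):
    """Return {host: Counter(method -> count)}, the view the Sites tab gives."""
    by_host = {}
    for method, url in requests:
        host = urlparse(url).netloc
        by_host.setdefault(host, Counter())[method] += 1
    return by_host


def third_party_hosts(requests, site_domain):
    """Hosts contacted that are neither the site nor one of its subdomains."""
    hosts = {urlparse(url).netloc for _, url in requests}
    return sorted(
        h for h in hosts if h != site_domain and not h.endswith("." + site_domain)
    )


def parse_response(raw):
    """Parse a raw HTTP/1.x response into (status_code, reason, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(code), reason, headers, body


def redirect_target(raw):
    """Return the Location of a 3xx response, or None if it is not a redirect."""
    code, _reason, headers, _body = parse_response(raw)
    if 300 <= code < 400:
        return headers.get("location")
    return None


if __name__ == "__main__":
    for host, methods in group_by_host(CAPTURED_REQUESTS).items():
        print(host, dict(methods))
    print("third parties:", third_party_hosts(CAPTURED_REQUESTS, "desdelinux.net"))
    print("redirects to:", redirect_target(RAW_301_RESPONSE))
```

Listing the third-party hosts a page pulls in is a quick way to audit what a site leaks to outside services, which is exactly what the Sites tab let the post's author notice.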

ZAP is a very good free alternative to Burp Suite. For those of us starting out in this fascinating world of web security, we will surely spend hours and hours in front of this tool learning web hacking techniques; I already have a few under my belt. 😛

  1.   nano said

    That's just what I need, above all to show what I do.

    Very interesting.

  2.   eliotime3000 said

    This tool looks more complete than Microsoft Network Monitor. A valuable contribution.

  3.   muvezi said

    Well, thank you very much for the information and the explanation.
    Thanks.

  4.   xavip said

    IMHO, I think these tools should be kept within security circles and not published on a Linux blog. There are people who could use them irresponsibly or out of ignorance.

    1.    pablox said

      These tools will always be double-edged tools, since they are used by the good and the bad alike; unfortunately that cannot be avoided. OWASP ZAP is a tool recognised by the EH community in the web security field and is used for web audits. Remember, "With great power comes great responsibility."

      I published this article because I am teaching myself in order to offer EH services in the future, and I thought it might interest other readers. The aim is not for people to use it illegally, far from it, hence the warning at the beginning of the article.

      Regards!

      PS1 -> Which makes me wonder: troll spotted? I have my doubts….
      PS2 -> Hahaha, please don't translate this into a foreign language from here down, as has happened in other articles.