OWASP Zed Attack Proxy

The Zed Attack Proxy (ZAP) is a free tool written in Java that comes from the OWASP project, intended primarily for penetration testing of web applications, although developers can also use it in their day-to-day work. As of today it is at version 2.1.0 and requires Java 7 to run, though I am using it on Debian GNU/Linux under OpenJDK 7. For those of us starting out in the world of web application security, it is a good tool for polishing our skills.

Some features of the ZAP proxy (for example the Active Scan) must not be used against sites that are not ours or for which we have no prior authorization to do so, since that can be considered an illegal act.

Among the many features of ZAP, I will highlight the following:

  • Intercepting proxy: Ideal for us newbies in the security field. Correctly configured, it lets us see all the traffic between the browser and the web server of the moment, showing in a simple way the headers and body of the HTTP messages whatever method is used (HEAD, GET, POST, etc.). In addition, we can modify the HTTP traffic at will in both directions of the communication (between the web server and the browser).
  • Spider: A feature that helps discover new URLs on the audited site. One of the ways it does this is by parsing the HTML code of the page, looking for tags with href attributes and following them.
  • Forced browse: Tries to find directories and files that are not linked from the site, such as login pages. To do this, by default it has a set of dictionaries that it uses to make requests to the server, waiting for a 200 status code in the response.
  • Active scan: Automatically performs web attacks against the site, such as CSRF, XSS and SQL injection, among others.
  • And many more: There really are many other features, such as WebSockets support since version 2.0.0, AJAX Spider, Fuzzer, and a few others.
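As an added example (not code from the post or from ZAP itself), here is one spider step as described in the bullet above: parse a page's HTML for href attributes, resolve them against the page URL, and keep only those inside the audited site's scope. The page URL and the sample HTML are constructed for the example.

```python
# Added example (not ZAP's own code): one "spider" step as described above.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
PAGE_URL = "http://desdelinux.net/"   # assumed URL the sample page was fetched from
SAMPLE_HTML = """<html><body>
<a href="/about">About</a>
<a href="posts/zap.html">ZAP post</a>
<a href="http://desdelinux.net/contact#form">Contact</a>
<a href="https://www.facebook.com/desdelinux">Follow us on Facebook</a>
<a href="mailto:admin@example.com">Mail</a>
<a href="javascript:void(0)">Nothing</a>
<link rel="stylesheet" href="/style.css">
</body></html>"""  # constructed sample page

class HrefCollector(HTMLParser):
    """Collect every href attribute, whatever tag carries it."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

def extract_links(html, base_url):
    """Absolute http(s) URLs found in html, in document order, without duplicates."""
    parser = HrefCollector()
    parser.feed(html)
    seen, out = set(), []
    for href in parser.hrefs:
        parts = urlsplit(urljoin(base_url, href))
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, javascript: and similar never reach the web server
        url = parts._replace(fragment="").geturl()  # the fragment is not sent either
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out

def in_scope(url, base_url):
    """Scope check: only the audited host is crawled; other hosts are just recorded."""
    return urlsplit(url).netloc == urlsplit(base_url).netloc

def spider_step(html, base_url):
    """Split the page's links into in-scope (to be requested next) and out-of-scope."""
    links = extract_links(html, base_url)
    inside = [u for u in links if in_scope(u, base_url)]
    outside = [u for u in links if not in_scope(u, base_url)]
    return inside, outside
```

Note that the scope check is by exact host, so a redirect to a different subdomain (as the post observes later) would be recorded but not followed unless the scope is widened.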

Configuration with Firefox

We can set the socket on which ZAP will listen by going to Tools -> Options -> Local proxy. In my case I have it listening on port 8018:

"Local proxy" configuration

Next we open the Firefox preferences and go to Advanced -> Network -> Settings -> Manual proxy configuration. There we enter the socket we previously configured in ZAP:

Configuring the proxy in Firefox

If everything went well, all our HTTP traffic will now be sent to ZAP, which forwards it on as a proxy. As an example, I open this blog in the browser and look at what happens in ZAP:

ZAP view

We see that more than 100 HTTP messages (most of them using the GET method) were needed to fully load the page. As the Sites tab shows, traffic went not only to this blog but also to other sites. One of them is Facebook, generated by the social plugin at the bottom of the page, "Follow us on Facebook". Requests were also made to Google Analytics, which reveals that the site administrators use that analytics tool to track the blog's visitor numbers.

We can look at each exchanged HTTP message in detail. Let's see the response generated by this blog's web server when I go to the address http://desdelinux.net, by selecting its HTTP GET request:

HTTP message details

We notice a 301 status code, indicating a redirect that points to https://blog.desdelinux.net/.
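An added example, not code from the post or from ZAP, that does what the review above does by hand: walk through a proxy history of request/response pairs, count the methods used, list the third-party hosts contacted, and pick out redirects such as the 301 to https://blog.desdelinux.net/. The history is a constructed sample of four messages, and subdomains of the audited site are assumed to belong to it.

```python
# Added example (not ZAP's own code): reviewing a proxy history like the one shown above.
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of request/response pairs, as an intercepting proxy records them
# (a few messages, not the 100+ the real page load produced).
SAMPLE_HISTORY = [
    ("GET http://desdelinux.net/ HTTP/1.1\r\nHost: desdelinux.net\r\n\r\n",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: https://blog.desdelinux.net/\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("GET https://blog.desdelinux.net/ HTTP/1.1\r\nHost: blog.desdelinux.net\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
    ("GET https://www.facebook.com/plugins/likebox.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("POST https://www.google-analytics.com/collect HTTP/1.1\r\nHost: www.google-analytics.com\r\n"
     "Content-Length: 0\r\n\r\n",
     "HTTP/1.1 204 No Content\r\n\r\n"),
]

def parse_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def same_site(host, site_host):
    """Assumption: the audited site includes its subdomains (blog.desdelinux.net)."""
    return host == site_host or host.endswith("." + site_host)

def summarize(history, site_host):
    """Method counts, third-party hosts contacted, and redirects with their targets."""
    methods, third_party, redirects = Counter(), set(), []
    for raw_req, raw_resp in history:
        req_line, _, _ = parse_message(raw_req)
        method, url, _ = req_line.split(" ", 2)   # proxied requests carry the full URL
        methods[method] += 1
        host = urlsplit(url).netloc
        if not same_site(host, site_host):
            third_party.add(host)
        status_line, resp_headers, _ = parse_message(raw_resp)
        status = int(status_line.split(" ", 2)[1])
        if 300 <= status < 400 and "location" in resp_headers:
            redirects.append((url, status, resp_headers["location"]))
    return dict(methods), sorted(third_party), redirects
```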

ZAP is becoming the perfect, completely free alternative to Burp Suite. For those of us starting out in the fascinating world of web security, we will surely spend hours and hours in front of this tool learning the various web hacking techniques. I'll be covering a few of them. 😛


  1.   nano says

    Something I should have done, mostly to verify what I'm doing.

    Very interesting

  2.   Eliotime3000 says

    This tool looks more complete than Microsoft Network Monitor. The contribution is appreciated.

  3.   Carper says

    Excellent, thank you very much for the information and the explanation.
    Regards

  4.   xavip says

    IMHO, I think these tools should be left to the security people and not published on a linux blog. There are people who could use them carelessly or out of ignorance.

    1.    pablox says

      Tools are always double-edged, since they can be used for good or for bad; unfortunately that cannot be avoided. OWASP ZAP is a tool well known to the EH community in the field of web security and is used for web audits. Remember, "With great power comes great responsibility."

      I published this entry because I am studying on my own to offer EH services in the future, and I thought it might interest other readers. The goal is not for them to use it illegally, far from it, hence the warning at the start of the post.

      Regards!

      PS1 ->: that's dangerous: Troll detected? I don't doubt it...
      PS2 -> Hahaha please don't turn this into a flame war from here on down like in other posts.