OWASP Zed Attack Proxy

The Zed Attack Proxy (ZAP) is a free tool written in Java, developed by the OWASP project, intended primarily for penetration testing of web applications, though developers can also use it in their day-to-day work. As of today it is at version 2.1.0 and requires Java 7 to run, although I use it on Debian GNU/Linux under OpenJDK 7. For those of us starting out in the world of web application security, it is an excellent tool for sharpening our skills.

Some features of the ZAP proxy (for example Active Scan, which sends real attack payloads) must not be used against sites that are not ours or for which we lack prior, explicit authorization, since doing so can be considered an illegal act. Even the passive features such as the Spider and Forced Browse generate large volumes of requests that a site owner will notice.

Among ZAP's many features, I will highlight the following:

  • Intercepting proxy: ideal for those of us who are newbies in the security field. Set up properly, it lets us see all the traffic between the browser and the web server in question, showing in a straightforward way the headers and body of each HTTP message regardless of the method used (HEAD, GET, POST, etc.). On top of that, we can modify the HTTP traffic at will in both directions of the communication (between the web server and the browser).
  • Spider: a feature that helps discover new URLs on the site under test. One of the ways it does this is by parsing the HTML code of each page, finding tags with HREF attributes and following those links.
  • Forced Browse: tries to find files and directories that are not linked from anywhere on the site, such as admin login pages. To do this it ships with a number of dictionaries (wordlists) that it uses to make requests to the server, looking for responses with status code 200. In practice 401 and 403 responses are worth a look as well: they reveal that a resource exists even though it is protected.
  • Active Scan: automatically launches a variety of web attacks against the site, such as CSRF, XSS and SQL injection, among others.
  • And many more: there are really lots of other things, such as WebSocket support since version 2.0.0, the AJAX Spider, the Fuzzer, and much more.
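To make the Spider bullet concrete, here is the link-following step written out in Python. This is an added example, not ZAP's own code: it parses one page's HTML, resolves every HREF against the page URL, drops fragments, and keeps only the links that are in scope (same host) and not seen before. The sample page and the host blog.example.org are constructed for the example.

```python
"""Added example (not ZAP's own code): the link-following part of a spider.

Given one page's URL and HTML, collect the HREF attributes of its tags,
resolve them against the page URL, drop fragments, and keep only links
that are in scope (same host) and not seen before. The HTML below is
constructed for the example; blog.example.org is an assumed host."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


class HrefCollector(HTMLParser):
    """Collects every HREF value found on the page (a, link, area, ...), in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def normalize(url):
    """Lower-case scheme and host and drop the fragment: it never reaches the
    server, so two URLs that differ only there are the same request."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def in_scope(url, scope_host):
    """True for http(s) URLs on the host under test; mailto:, javascript:
    and third-party hosts (Facebook, Google, ...) are left alone."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and p.netloc.lower() == scope_host


def spider_page(page_url, html, scope_host, seen):
    """Return the new in-scope URLs found on one page and record them in `seen`."""
    collector = HrefCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        absolute = normalize(urljoin(page_url, href))
        if in_scope(absolute, scope_host) and absolute not in seen:
            seen.add(absolute)
            found.append(absolute)
    return found


# Constructed sample page: a mix of relative, absolute, out-of-scope and non-HTTP links.
SAMPLE_PAGE_URL = "https://blog.example.org/index.html"
SAMPLE_HTML = """
<html><body>
<a href="/about.html">About</a>
<a href="posts/zap.html#comments">ZAP post</a>
<a href="https://blog.example.org/about.html">Same page, absolute form</a>
<a href="https://www.facebook.com/example">Follow us on Facebook</a>
<a href="mailto:admin@example.org">Contact</a>
<a href="javascript:void(0)">Menu</a>
<a href="/admin/">Admin</a>
</body></html>
"""


def run_example():
    """Spider the constructed page once; the page itself counts as already seen."""
    seen = {normalize(SAMPLE_PAGE_URL)}
    return spider_page(SAMPLE_PAGE_URL, SAMPLE_HTML, "blog.example.org", seen)


if __name__ == "__main__":
    for url in run_example():
        print(url)
```

A real spider repeats `spider_page` on each URL it returns until nothing new appears; the scope check is what keeps it from wandering off into Facebook or Google the way a browser does when it loads the page. Forced Browse is the complement of this: instead of following links it requests each wordlist entry and keeps the ones the server answers.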

Configuration with Firefox

We can set the socket ZAP listens on by going to Tools -> Options -> Local Proxy (the default is localhost:8080). Keep the address on localhost: binding to another interface would let other machines on the network route their traffic through your ZAP instance. In my case I am listening on port 8018:

[Screenshot: "Local proxy" configuration]

Then we open Firefox's preferences and go to Advanced -> Network -> Settings -> Manual proxy configuration, where we enter the socket we configured earlier in ZAP. Tick the option to use this proxy for all protocols too, otherwise HTTPS requests bypass ZAP; and note that intercepting HTTPS additionally requires importing ZAP's CA certificate into Firefox, or every TLS site will show a certificate warning:

[Screenshot: proxy configuration in Firefox]

If everything went well, we will now be sending all our HTTP traffic to ZAP, which takes care of forwarding it like any other proxy. As an example I load this blog from the browser and let's see what happens in ZAP:

[Screenshot: ZAP overview]

We see that more than 100 HTTP messages (most of them using the GET method) were generated to fully load the page. As the Sites tab shows, traffic was generated not only to this blog but to other sites as well. One of them is Facebook, caused by the social plugin at the bottom of the page ("Follow us on Facebook"). Another is Google Analytics, which reveals that the site administrators use that tool to collect and view the blog's statistics. This is the kind of information a proxy gives you for free: every third-party host a page pulls in, whether or not anything about it is visible in the browser.

We can also examine each exchanged HTTP message in detail. Let's look at the response this blog's web server sent when I entered http://desdelinux.net, by selecting the corresponding HTTP GET request:

[Screenshot: HTTP message details]

We see a status code 301, indicating a permanent redirect to https://blog.desdelinux.net/. Note that this first request went out over plain HTTP; the browser only switches to HTTPS after following the redirect, and that unencrypted first hop is exactly what an intercepting proxy, ours or an attacker's, can read and rewrite.
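The two observations above, the list of hosts in the Sites tab and the 301 in the message details, can be reproduced outside the GUI on captured data. The following Python script is an added example, not ZAP's own code: it groups a constructed list of proxied requests by host, reports which hosts are third parties relative to the site under test, and splits a constructed raw HTTP response into status line, headers and body to pull out the redirect target. The request list, the response bytes and the Facebook and Google Analytics hostnames are made up for the example.

```python
"""Added example (not ZAP's own code): two things the ZAP overview shows,
reproduced on constructed data.

1. Which hosts a single page load actually talked to, and which of them are
   third parties relative to the site under test.
2. A raw HTTP response split into status line, headers and body, and the
   redirect target pulled out of a 3xx answer like the 301 seen above.

The request list and the response bytes below are made up for the example;
the Facebook and Google Analytics hostnames are assumptions."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed: a handful of the requests a proxy would log while loading the blog.
CAPTURED_REQUESTS = [
    ("GET", "http://desdelinux.net/"),
    ("GET", "https://blog.desdelinux.net/"),
    ("GET", "https://blog.desdelinux.net/wp-content/themes/theme/style.css"),
    ("GET", "https://blog.desdelinux.net/wp-content/uploads/logo.png"),
    ("GET", "https://www.facebook.com/plugins/likebox.php?href=desdelinux"),
    ("GET", "https://www.google-analytics.com/ga.js"),
    ("POST", "https://www.google-analytics.com/collect"),
]


def requests_per_host(requests):
    """Count requests by host, the same grouping as ZAP's Sites tab."""
    return Counter(urlsplit(url).netloc.lower() for _, url in requests)


def third_party_hosts(requests, site):
    """Hosts contacted that are neither `site` nor one of its subdomains."""
    return sorted(
        host for host in requests_per_host(requests)
        if host != site and not host.endswith("." + site)
    )


# Constructed: the shape of the response ZAP displayed for http://desdelinux.net
RAW_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: nginx\r\n"
    b"Location: https://blog.desdelinux.net/\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into its parts.

    Header names are case-insensitive, so they are lower-cased; the body is
    left as bytes because it may not be text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    version, status = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""   # the reason phrase is optional
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": status, "reason": reason,
            "headers": headers, "body": body}


def redirect_target(parsed):
    """Where a 3xx response sends the client, or None if it is not a redirect."""
    if 300 <= parsed["status"] < 400:
        return parsed["headers"].get("location")
    return None


def cleartext_hop_before_https(request_url, parsed):
    """True when a plain-HTTP request is answered with a redirect to HTTPS:
    that first hop travels unencrypted and is exactly what an on-path proxy
    (ours, or an attacker's) can read or rewrite."""
    target = redirect_target(parsed)
    return (urlsplit(request_url).scheme == "http"
            and target is not None
            and urlsplit(target).scheme == "https")


if __name__ == "__main__":
    for host, n in requests_per_host(CAPTURED_REQUESTS).most_common():
        print(f"{n:3d}  {host}")
    print("third parties:", third_party_hosts(CAPTURED_REQUESTS, "desdelinux.net"))
    r = parse_response(RAW_RESPONSE)
    print(r["status"], r["reason"], "->", redirect_target(r))
    print("cleartext hop:", cleartext_hop_before_https("http://desdelinux.net/", r))
```

To feed a script's traffic through ZAP instead of Firefox, point the script at the same socket; with curl, for instance, `curl -x http://127.0.0.1:8018 http://desdelinux.net/` sends the request through the proxy, and it then shows up in the Sites tab like any browser request.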

ZAP is shaping up as a completely free alternative to BurpSuite. For those of us starting out in this exciting world of web security, we will surely spend hours and hours in front of this tool learning different web hacking techniques. I'll bring a few. 😛



  1.   Big Brother says

    That's something I have to do, especially to verify what I'm doing.

    Very interesting

  2.   eliotime3000 says

    This tool looks much more complete than Microsoft Network Monitor. The contribution is appreciated.

  3.   Carper says

    Very good, thanks a lot for the info and the explanation.
    Regards

  4.   XaviP says

    IMHO, I think these tools should be left to security audits and not published on a Linux blog. There are people who could use them carelessly or without knowing what they are doing.

    1.    pablox says

      Tools will always be double-edged, since they are used by good guys and bad guys alike; unfortunately that cannot be avoided. OWASP ZAP is a tool recognized by the EH community in the web security field and is used for web audits. Remember, "With great power comes great responsibility."

      I published this post because I'm studying to be able to offer HD services in the future, and I thought it would interest other readers. The aim is not for people to use it illegally, far from it, hence the warning at the start of the post.

      Regards!

      PS1 ->: that's scary: Troll detected? I have no doubt….
      PS2 -> Hahaha, please don't turn this into a flame war down here like in other spaces.