The Zed Attack Proxy (ZAP) is a free tool written in Java from the OWASP project for performing, primarily, penetration testing of web applications, although it can also be used by developers in their day-to-day work. As of today it is at version 2.1.0 and requires Java 7 to run, though I am using it on Debian GNU/Linux under OpenJDK 7. For those of us starting out in the world of web application security, it is an excellent tool for polishing our skills.
Among ZAP's many features, I will highlight the following:
- Intercepting proxy: Ideal for those of us who are newbies in this security field. Once set up properly, it lets us see all the traffic between the browser and the web server in question, showing in a simple way the headers and body of the HTTP messages regardless of the method used (HEAD, GET, POST, etc.). Moreover, we can modify the HTTP traffic at will in both directions of the communication (between the web server and the browser).
- Spider: A feature that helps discover new URLs on the site being tested. One of the ways it does this is by analysing the HTML code of the page to find the tags and then following their HREF attributes.
- Forced Browse: Tries to find files and directories that are not linked from the site, such as login pages. To achieve this it has a set of dictionaries that it uses to make requests to the server, expecting a response with status code 200.
- Active Scan: Automatically generates various web attacks against the site, such as CSRF, XSS and SQL injection, among others.
- And many more: There are really many other things, such as WebSockets support since version 2.0.0, AJAX Spider, Fuzzer, and many others.
Configuration with Firefox
We can set the socket on which ZAP will listen by going to Tools -> Options -> Local Proxy. In my case I am listening on port 8018:
Then we open the Firefox preferences and go to Advanced -> Network -> Settings -> Manual proxy configuration. We enter the socket we configured earlier in ZAP:
If everything went well, we will now be sending all our HTTP traffic to ZAP, and it will take care of forwarding it like any other proxy. As an example I load this blog from the browser, and let's see what happens in ZAP:
We see that more than 100 HTTP messages (most of them using the GET method) were generated to fully load the page. As we can see in the Sites tab, traffic was generated not only to this blog but also to other sites. One of them is Facebook, caused by the social plugin at the bottom of the page, "Follow us on Facebook". There is also Google Analytics, which shows that this analytics and statistics tool is used on this blog by the site administrators.
We can also look in detail at each of the HTTP messages exchanged. Let's look at the response returned by this blog's web server when I enter the address http://desdelinux.net, selecting its corresponding HTTP GET request:
We see a status code 301, indicating a redirect to https://blog.desdelinux.net/.
ZAP becomes a completely free alternative to BurpSuite. For those of us starting out in this fascinating world of web security, we will surely spend hours and hours in front of this tool learning the various web hacking techniques. I have already put in a few. 😛
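As an added example (not code from the original post or from the ZAP project), the small Python script below parses a raw HTTP request/response pair the way an intercepting proxy's history view presents it, extracting method, URL, status code and the redirect target of a 301. The two HTTP messages are constructed samples modelled on the exchange described above, not captured traffic.

```python
"""Parse raw HTTP messages and summarize an exchange the way an
intercepting proxy's history tab does (method, URL, status, redirect)."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP/1.1 message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return HttpMessage(lines[0], headers, body)


def summarize(request: bytes, response: bytes) -> dict:
    """Return the row a proxy history view would show for one exchange."""
    req = parse_http(request)
    resp = parse_http(response)
    method, target, _ = req.start_line.split(" ", 2)
    host = req.headers.get("host", "")
    # Browsers send an absolute URL to a proxy; fall back to Host for origin-form.
    url = target if target.startswith("http") else f"http://{host}{target}"
    status = int(resp.start_line.split(" ", 2)[1])
    row = {"method": method, "url": url, "status": status,
           "content_type": resp.headers.get("content-type", "")}
    if 300 <= status < 400 and "location" in resp.headers:
        row["redirect_to"] = resp.headers["location"]  # where a 3xx sends the client
    return row


# Constructed sample exchange (not captured traffic): the GET described in the
# post, answered with a 301 that points at the HTTPS address of the blog.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: desdelinux.net\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://blog.desdelinux.net/\r\n"
                   b"Content-Type: text/html; charset=UTF-8\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```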
That is something I have to do, especially to prove what I am doing.
Really interesting
This tool looks much more complete than Microsoft Network Monitor. The contribution is appreciated.
Very good, thank you very much for the information and the explanation.
Greetings
IMHO, I think these tools should be left to security audits, and not be published on a Linux blog. There are people who could use them carelessly or out of ignorance.
Tools will always be double-edged tools, since they are used by both the good and the bad; unfortunately that is unavoidable. OWASP ZAP is a tool recognised by the EH community in the field of web security and is used for web audits. Remember, "With great power comes great responsibility."
I published this post because I am studying in order to offer HD services in the future, and I thought it would attract other readers. The goal is not for people to use it illegally, far from it, hence the warning at the start of the post.
Greetings!
P.S.1 ->: that is scary: Troll detected? I have no doubt....
P.S.2 -> Hahaha, please don't turn this into a flame war from here on down like in other places.