Welcome to the Patchstack Weekly Security Update, Episode 41! This update is for week 39 of 2022.
This week I will be introducing you to OWASP ZAP – an open-source web application security tool written by developers, for developers. It’s a great tool for those who want to get their hands dirty testing their web applications. Of course, it also works great for security researchers and anyone interested in learning about web application security.
I will then cover three vulnerabilities, of which only two have public patches available at this time.
If you are interested in learning a little more about web development, security research, or bug bounty hunting, or are just the type of person who likes learning by getting hands-on with technology, then OWASP ZAP is a tool you should look into.
Today I will share what you need to know to get up and running with OWASP ZAP, and in future Patchstack weekly episodes I will get more in-depth into ZAP’s features.
Introduction to OWASP ZAP
OWASP ZAP – or ZAP for short – stands for Zed Attack Proxy, and is an open-source web application security tool available for free at [zaproxy.org].
ZAP runs on any modern operating system with a Java Runtime Environment (JRE), including Windows, OS X, Linux, and BSD. You may need to install a JRE first, but in most cases you can get started simply by downloading and running the ZAP executable.
While you’re waiting for ZAP to download, I should mention that there are some knowledge requirements too. ZAP is not a tool that will spit out reports right out of the box. ZAP was written for web application developers looking to get hands-on with testing, debugging, and checking the security of their web applications. It is very helpful if you are already familiar with how HTTP requests and responses look and work.
Here is a quick test to confirm whether you have the knowledge needed to make use of OWASP ZAP: if you have used, and are able to make sense of, your browser’s existing “developer tools” panel, then you know enough to use ZAP.
Once you have downloaded ZAP and gotten it up and running for the first time, what should you do first?
While ZAP supports automated scans, I do not recommend them for anyone just getting started. Instead, I recommend you use ZAP in a more hands-on way, by using the Manual Explore option and getting familiar with the HUD (Heads Up Display) feature.
The HUD is an overlay that you will see in your browser when your browser is proxied through ZAP (remember, the P in ZAP stands for Proxy). OWASP ZAP sits between your browser and your web application and displays a layer on top of your web application which allows you to inspect and manipulate the application right in your browser.
You can set up the proxy manually in your browser to route requests through localhost on port 8080, but it is much faster nowadays to just click on “Manual Explore” in the Quick Start window, put in the URL you want to explore, and make sure the HUD is enabled before clicking “Launch Browser”.
A quick side note: if you receive an SSL certificate mismatch error, this is expected, because ZAP intercepts HTTPS traffic using its own certificate authority. You can fix it by installing the ZAP CA certificate; the steps to follow are here.
Once ZAP opens your browser, and your page loads, the HUD welcome screen will pop up and you have two choices: Either take the HUD Tutorial or Continue to Target.
I recommend walking through the HUD tutorial if it is your first time. It will show you everything you need to know to interact with ZAP’s HUD interface.
Take some time in the next week or so to get set up with ZAP. Once you have completed the tutorial, you will be prepared for the knowledge shares coming up in future episodes of the Patchstack Weekly, where I will go more in-depth with more ZAP features.
Vulnerability roundup
searchwp-live-ajax-search – Unauthenticated Local File Inclusion (LFI)
Users of SearchWP Live Ajax Search should update as soon as possible. A local file inclusion security bug was recently patched, and it required no authentication to exploit, so this vulnerability may be weaponized by attackers sooner rather than later.
Passster (slug name: content-protector) – Insecure Storage of Password
The Passster plugin released an update to secure its method of storing passwords. Reports are that the old way relied on base64 to obfuscate the stored password. Base64 is a reversible encoding, not a one-way hash, so anyone who can read the stored value can recover the original password. Users should update their installations of Passster on their websites soon.
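To make the base64-versus-hash distinction concrete, here is an added example (my own illustration, not Passster’s code) that stores a constructed sample password both ways: the obfuscated value decodes straight back to the password, while the salted PBKDF2-HMAC-SHA256 value can only be verified, never reversed. The iteration count is an assumption you should tune for your own hardware.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not taken from the page).
SAMPLE_PASSWORD = "correct horse battery staple"

# PBKDF2 work factor; an assumption for this example, tune it for your hardware.
ITERATIONS = 100_000


def store_obfuscated(password: str) -> str:
    """The weak scheme described above: base64 is an encoding, not a hash."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_obfuscated(stored: str) -> str:
    """Anyone who can read the stored value gets the password back in one step."""
    return base64.b64decode(stored).decode("utf-8")


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: a random salt plus an iterated one-way hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time; there is no decode."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = store_obfuscated(SAMPLE_PASSWORD)
    print("obfuscated:", weak, "-> recovered:", recover_obfuscated(weak))
    strong = store_hashed(SAMPLE_PASSWORD)
    print("hashed:", strong)
    print("verify correct password:", verify_hashed(SAMPLE_PASSWORD, strong))
    print("verify wrong password:", verify_hashed("wrong", strong))
```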
memberpress-downloads (premium) – Authenticated Arbitrary File Upload
If you use the premium plugin Memberpress Downloads, then you need to know about this issue. The developers have not yet patched a security bug reported in the plugin which would allow authenticated users to upload arbitrary files. If you trust your users (including subscriber users), then you may be able to wait for the patch, but if your website allows users to register new accounts, then you may want to disable the plugin or look for a service that can apply a vPatch to protect your website(s) ASAP.
Thanks and appreciation
This week’s thanks goes out to the developers of the SearchWP Live Ajax Search and Passster plugins. Thank you for supplying the patches needed to secure your users’ websites.
A special thank you goes out to the OWASP (Open Web Application Security Project) foundation and to the developers of OWASP ZAP. Thank you for building a great and open resource for those interested in improving web application security, and thank you for providing security tools for developers for free.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!