[WEB SECURITY] Tools to Reproduce Vulnerabilities?

psiinon psiinon at gmail.com
Wed Oct 15 16:53:14 EDT 2014


That's one of the use cases for Zest:
https://blog.mozilla.org/security/2014/01/20/reporting-web-vulnerabilities-to-mozilla-using-zest/
https://developer.mozilla.org/en-US/docs/zest

Zest is an open source graphical scripting language, and essentially the
macro language for ZAP (which is also completely free and open source).
You can very quickly record Zest scripts using ZAP, and graphically edit
them to include constructs like conditionals and loops.
Since the Mozilla blog post, Zest also supports client-side scripting (using
Selenium).
At AppSec EU I demoed a client-side Zest script which automates
registration of Mozilla Persona via Mailinator:
https://www.youtube.com/watch?v=Ofmp-haNI7s
Other tools such as OWTF have also adopted Zest, and we'd love other tools,
both open source and commercial, to adopt it.

Simon


On Wed, Oct 15, 2014 at 9:22 PM, Will Jefferies <wjefferies at fncinc.com>
wrote:

> I use an interception proxy when I need to demo vulns for dev. Fiddler
> v2 and/or Burpsuite Pro gets the job done nicely.
>
> *From:* websecurity [mailto:websecurity-bounces at lists.webappsec.org] *On
> Behalf Of *Jason Drury
> *Sent:* Wednesday, October 15, 2014 12:15 PM
> *To:* websecurity
> *Subject:* [WEB SECURITY] Tools to Reproduce Vulnerabilities?
>
> All,
>
> Do you use any tool(s) to easily reproduce vulnerabilities for developers? I
> am only aware of Selenium (http://www.seleniumhq.org/). I guess you could
> also use wget or curl, but I think a GUI would be best.
>
> Thanks,
>
> Jason
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
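Added example, not part of the thread and not Zest's own format or ZAP code: a small Python harness in the spirit of the record-and-replay workflow Simon describes, where a reproduction is a data file of requests, assertions and a conditional that is replayed against the application so a developer can re-run it until the fix makes it pass. The statement schema, the `MockApp` target (which echoes a `name` parameter into HTML unescaped on `/greet` and escapes it on `/greet_fixed`), the `<b>marker</b>` probe and every function name are constructed for this example.

```python
import threading
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

class MockApp(BaseHTTPRequestHandler):
    """Constructed app under test: /greet echoes ?name= into HTML unescaped,
    /greet_fixed is the corrected version, anything else is a 404."""

    def do_GET(self):
        url = urlparse(self.path)
        name = parse_qs(url.query).get("name", [""])[0]
        if url.path == "/greet":
            body = f"<p>Hello {name}</p>"
        elif url.path == "/greet_fixed":
            body = f"<p>Hello {escape(name)}</p>"
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the console quiet
        pass

def start_mock():
    """Serve MockApp on a random localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def send(method, url):
    """One HTTP request; returns (status, body), for 4xx/5xx responses too."""
    try:
        with urlopen(Request(url, method=method), timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check(assertion, status, body):
    # Evaluate one assertion (constructed schema) against a response.
    kind = assertion["type"]
    if kind == "status":
        return status == assertion["equals"]
    if kind == "body_contains":
        return assertion["value"] in body
    if kind == "body_not_contains":
        return assertion["value"] not in body
    raise ValueError(f"unknown assertion type {kind!r}")

def run_script(script, base_url):
    """Replay a script; returns {"passed": bool, "failures": [str, ...]}.
    Statement types: "request" (send, then check its assertions), "assert"
    (check assertions on the last response), "if" (branch on last status)."""
    failures = []
    last = (None, "")  # (status, body) of the most recent response

    def run(statements):
        nonlocal last
        for st in statements:
            if st["type"] == "request":
                last = send(st.get("method", "GET"), st["url"].format(base=base_url))
            elif st["type"] == "if":
                run(st.get("then" if last[0] == st["status"] else "else", []))
                continue
            elif st["type"] != "assert":
                raise ValueError(f"unknown statement type {st['type']!r}")
            for a in st.get("assertions", []):
                if not check(a, *last):
                    failures.append(f"{st.get('url', '<last response>')}: {a}")

    run(script["statements"])
    return {"passed": not failures, "failures": failures}

MARKER = "%3Cb%3Emarker%3C%2Fb%3E"  # URL-encoded <b>marker</b>, a harmless probe

def repro_script(path):
    """Constructed reproduction of 'input reflected unescaped in {path}'. The
    assertions describe the *fixed* behaviour, so the script fails while the
    bug is present and passes once the developer has corrected it."""
    return {
        "statements": [
            {"type": "request", "method": "GET", "url": "{base}" + path + "?name=" + MARKER,
             "assertions": [{"type": "status", "equals": 200}]},
            {"type": "if", "status": 200, "then": [{"type": "assert", "assertions": [
                {"type": "body_not_contains", "value": "<b>marker</b>"},
                {"type": "body_contains", "value": "&lt;b&gt;marker&lt;/b&gt;"}]}]},
        ],
    }

if __name__ == "__main__":
    server, base = start_mock()
    for endpoint in ("/greet", "/greet_fixed", "/missing"):
        print(endpoint, run_script(repro_script(endpoint), base))
    server.shutdown()
```

Run directly, it replays the same script against the buggy endpoint, the fixed one and a missing one. Because the assertions encode the corrected behaviour, a failing run is the reproduction you hand to the developer and a passing run confirms the fix, which is what makes a replayable script more useful as a regression check than a one-off proxy demo.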