[WEB SECURITY] Tools to Reproduce Vulnerabilities?

Will Jefferies wjefferies at fncinc.com
Wed Oct 15 17:01:55 EDT 2014


Ah yes, Zest.  I haven’t taken a look at that project in a while.  Perhaps it’s time to revisit.

From: psiinon [mailto:psiinon at gmail.com]
Sent: Wednesday, October 15, 2014 3:53 PM
To: Will Jefferies
Cc: Jason Drury; websecurity
Subject: Re: [WEB SECURITY] Tools to Reproduce Vulnerabilities?

Thats one of the use cases for Zest:
https://blog.mozilla.org/security/2014/01/20/reporting-web-vulnerabilities-to-mozilla-using-zest/
https://developer.mozilla.org/en-US/docs/zest

Zest is a open source graphical scripting language, and essentially the macro language for ZAP (which is also completely free and open source).
You can very quickly record Zest scripts using ZAP, and graphically edit them to include constructs like conditionals and loops.
Since the Mozilla blog post Zest also supports client side scripting (using Selenium).
At AppSec EU I demoed a client side Zest script which automates registration of Mozilla Persona via Mailinator https://www.youtube.com/watch?v=Ofmp-haNI7s
Other tools such as OWTF have also adopted Zest, and we'd love other tools, both open source and commercial, to adopt it.
Simon


On Wed, Oct 15, 2014 at 9:22 PM, Will Jefferies <wjefferies at fncinc.com<mailto:wjefferies at fncinc.com>> wrote:
I use an interception proxy when I need to demo vulns for dev.  Fiddler v2 and/or Burpsuite Pro gets the job done nicely.


From: websecurity [mailto:websecurity-bounces at lists.webappsec.org<mailto:websecurity-bounces at lists.webappsec.org>] On Behalf Of Jason Drury
Sent: Wednesday, October 15, 2014 12:15 PM
To: websecurity
Subject: [WEB SECURITY] Tools to Reproduce Vulnerabilities?

All,

Do you use any tool(s) easily reproduce vulnerabilities for developers? I am only aware of Selenium (http://www.seleniumhq.org/). I guess you could also use wget or curl, but I think a gui would be best.

Thanks,
Jason


Confidentiality Notice: This message is for the sole use of the intended recipient(s).  It may contain confidential or proprietary information and may be subject to the attorney-client privilege or other confidentiality protections. If this message was misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries waive any confidentiality, privilege, or trade secrets. If you are not a designated recipient, you may not review, print, copy, retransmit, disseminate, or otherwise use this message. If you have received this message in error, please notify the sender by reply e-mail and delete this message.

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org<mailto:websecurity at lists.webappsec.org>
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



--
OWASP ZAP<https://www.owasp.org/index.php/ZAP> Project leader

Confidentiality Notice: This message is for the sole use of the intended recipient(s).  It may contain confidential or proprietary information and may be subject to the attorney-client privilege or other confidentiality protections. If this message was misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries waive any confidentiality, privilege, or trade secrets. If you are not a designated recipient, you may not review, print, copy, retransmit, disseminate, or otherwise use this message. If you have received this message in error, please notify the sender by reply e-mail and delete this message.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20141015/6e6c37eb/attachment-0003.html>


More information about the websecurity mailing list