[WEB SECURITY] Tools to Reproduce Vulnerabilities?

Jason Drury druryjason at yahoo.com
Sun Oct 19 07:16:27 EDT 2014


This is perfect, thank you!



________________________________
 From: psiinon <psiinon at gmail.com>
To: Will Jefferies <wjefferies at fncinc.com> 
Cc: Jason Drury <druryjason at yahoo.com>; websecurity <websecurity at lists.webappsec.org> 
Sent: Wednesday, October 15, 2014 3:53 PM
Subject: Re: [WEB SECURITY] Tools to Reproduce Vulnerabilities?
 


Thats one of the use cases for Zest: 
https://blog.mozilla.org/security/2014/01/20/reporting-web-vulnerabilities-to-mozilla-using-zest/
https://developer.mozilla.org/en-US/docs/zest

Zest is a open source graphical scripting language, and essentially the macro language for ZAP (which is also completely free and open source).

You can very quickly record Zest scripts using ZAP, and graphically edit them to include constructs like conditionals and loops.

Since the Mozilla blog post Zest also supports client side scripting (using Selenium).

At AppSec EU I demoed a client side Zest script which automates registration of Mozilla Persona via Mailinator https://www.youtube.com/watch?v=Ofmp-haNI7s
Other tools such as OWTF have also adopted Zest, and we'd love other tools, both open source and commercial, to adopt it.

Simon





On Wed, Oct 15, 2014 at 9:22 PM, Will Jefferies <wjefferies at fncinc.com> wrote:


>
>
>I use an interception proxy when I need to demo vulns for dev.  Fiddler v2 and/or Burpsuite Pro gets the job done nicely. 
> 
> 
>From:websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Jason Drury
>Sent: Wednesday, October 15, 2014 12:15 PM
>To: websecurity
>Subject: [WEB SECURITY] Tools to Reproduce Vulnerabilities?
> 
>All,
> 
>Do you use any tool(s) easily reproduce vulnerabilities for developers? I am only aware of Selenium (http://www.seleniumhq.org/). I guess you could also use wget or curl, but I think a gui would be best.
> 
>Thanks,
>Jason
> 
>
>Confidentiality Notice: This message is for the sole use of the intended recipient(s).  It may contain confidential or proprietary information and may be subject to the attorney-client privilege or other confidentiality protections. If this message was misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries waive any confidentiality, privilege, or trade secrets. If you are not a designated recipient, you may not review, print, copy, retransmit, disseminate, or otherwise use this message. If you have received this message in error, please notify the sender by reply e-mail and delete this message.
>_______________________________________________
>The Web Security Mailing List
>
>WebSecurity RSS Feed
>http://www.webappsec.org/rss/websecurity.rss
>
>Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>WASC on Twitter
>http://twitter.com/wascupdates
>
>websecurity at lists.webappsec.org
>http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>


-- 
OWASP ZAP Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20141019/c538ee8c/attachment-0003.html>


More information about the websecurity mailing list