websecurity@lists.webappsec.org

The Web Security Mailing List

Tools to Reproduce Vulnerabilities?

Jason Drury
Wed, Oct 15, 2014 5:12 PM

All,

Do you use any tool(s) to easily reproduce vulnerabilities for developers? I am only aware of Selenium (http://www.seleniumhq.org/). I guess you could also use wget or curl, but I think a GUI would be best.

Thanks,
Jason

Will Jefferies
Wed, Oct 15, 2014 8:22 PM

I use an interception proxy when I need to demo vulns for dev. Fiddler v2 and/or Burp Suite Pro gets the job done nicely.

Confidentiality Notice: This message is for the sole use of the intended recipient(s).  It may contain confidential or proprietary information and may be subject to the attorney-client privilege or other confidentiality protections. If this message was misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries waive any confidentiality, privilege, or trade secrets. If you are not a designated recipient, you may not review, print, copy, retransmit, disseminate, or otherwise use this message. If you have received this message in error, please notify the sender by reply e-mail and delete this message.

psiinon
Wed, Oct 15, 2014 8:53 PM

That's one of the use cases for Zest:
https://blog.mozilla.org/security/2014/01/20/reporting-web-vulnerabilities-to-mozilla-using-zest/
https://developer.mozilla.org/en-US/docs/zest

Zest is an open source graphical scripting language, and essentially the macro language for ZAP (which is also completely free and open source).
You can very quickly record Zest scripts using ZAP, and graphically edit them to include constructs like conditionals and loops.
Since the Mozilla blog post, Zest also supports client-side scripting (using Selenium).
At AppSec EU I demoed a client-side Zest script which automates registration of Mozilla Persona via Mailinator: https://www.youtube.com/watch?v=Ofmp-haNI7s
Other tools such as OWTF have also adopted Zest, and we'd love other tools, both open source and commercial, to adopt it.

Simon

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
OWASP ZAP https://www.owasp.org/index.php/ZAP Project leader

Will Jefferies
Wed, Oct 15, 2014 9:01 PM

Ah yes, Zest.  I haven’t taken a look at that project in a while.  Perhaps it’s time to revisit.

Jason Drury
Sun, Oct 19, 2014 11:16 AM

This is perfect, thank you!

