Application security testing with ZAP in a Docker container

Dynamic Duo

I Spy

Now that you know a bit more about what SQLi might look like, I'm going to make use of ZAP's automated tests to look for them. To begin, open Firefox inside ZAP's container and browse directly to the Mutillidae IP address and its HTTP port (http://172.17.0.2).

To offer ZAP as many of the Mutillidae pages as possible, you need to browse some of the pages beforehand by navigating to any login pages you can find and then registering a new user and logging in. Because the focus is on SQLi, choose the display options from the left sidebar (Figure 11), then register, and log in, moving between other sections of the site once in.

Figure 11: Aim for populating ZAP's knowledge of the SQLi sections of the site in particular.

Having explored for a couple of minutes and proxied the site's pages through ZAP's Firefox, select the Mutillidae IP address from the left sidebar under the Sites pane in ZAP (Figure 12). Now that you've filled up ZAP with some SQLi pages and highlighted http://172.17.0.2 in ZAP's Sites pane, you can right-click and choose Attack | Active Scan | Start Scan.

Figure 12: The Mutillidae container appears in the list in the Sites pane.

The scan takes a little while to complete (perhaps a few minutes), because ZAP is busy checking all sorts of attack types. While the scan is running, you can keep an eye on the bottom left of the ZAP window for red, orange, and yellow alerts, which let you know what findings of significance have been captured and are worthy of further inspection.

Once it's completed, you can take a peek at the Alerts tab in the bottom pane (Figure 13). If you had run an Active Scan without first visiting login pages, registering users, and logging in, you would have had fewer than the four SQL injection alerts shown here.

Figure 13: ZAP has found no fewer than four SQLi attacks to explore. In this case, focus on login.php and not user-info.php.

A Little Fuzzy

An interesting methodology called fuzzing generally involves throwing a bunch of intentionally obscure data at an application to see if it panics or lets you break it in some unceremonious way.

From the four SQLi alerts, pick one of the login.php entries shown in Figure 13: in the Sites pane, choose the login.php entry that mentions the login submit-button (Figure 14). Having highlighted that entry, right-click and select Attack | Fuzz. You can see in Figure 15 that I tried to log in with the username and password max when proxying login pages through ZAP.

Figure 14: Choose the login.php entry with submit-button.
Figure 15: Highlight the username max in the lower pane and click Add at the top right.

The next task is to highlight the username in the lower pane. Once max is selected, you can add some fuzzing tools by clicking Add and then Add again in the Payloads window. On the Type drop-down menu, select File Fuzzers and expand the jbrofuzz list, and then select the Injection and SQL Injection parent checkboxes (Figure 16) from the visible entries (so that all the children are selected automatically underneath; you can check that they are selected, as well, by expanding these lists). You can see in the pane below some of the detail offered by ZAP about individual scans.

Figure 16: ZAP's just showing off, now, mainly about SQLi 101.

After clicking Add in the Add Payload window and OK in the Payloads window, you're ready to hit Start Fuzzer in the Fuzzer window.

While it's running, you can see that some results in the Fuzzer tab have the Reflected status in the State column, which means that the application has returned your original payload back to you in its response – sometimes this can be of interest.

Great, Smashing, Super

A closer look at the bottom pane in ZAP shows how powerful it is. Move the fields around a little and pull the columns to the left so you can view the Payloads column more clearly. Inspecting the Size Resp. Body column shows scans that returned a notable response, perhaps a body noticeably larger or smaller than the other HTML pages being sent back. I will leave you to explore the results yourself and pick a simple example or two to prove that ZAP has done its job properly.

In my hunting, I spotted an HTTP 302 response that reports Found in the Reason column. This caught my eye because the Size Resp. Body column said 0 bytes; additionally, the Round Trip Time column (RTT) is larger in milliseconds than most of the other responses. As a result, I'd guess that something happened when the code was injected into the application, and a bigger page or a new page entirely was served to the browser (ZAP in this case) as a result.
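The triage just described (an odd status code, an empty or oversized body, a slow round trip) is easy to turn into a filter over the Fuzzer tab's columns. The following is an added example, not code from the article or from ZAP: it runs over a constructed set of result rows that mimic the State, Reason, Size Resp. Body and RTT columns, and the field names and thresholds are assumptions.

```python
"""Triage of fuzzer results: flag responses that stand out from the crowd.

Added example, not part of the original article or of ZAP. The row layout
mirrors the columns visible in ZAP's Fuzzer tab; field names, sample
values and thresholds are assumptions.
"""
from statistics import median

# Constructed sample of fuzzer result rows (not captured from a real scan).
# "admin'" stands in for a verbose SQL error page, "admin' or '" for the
# redirect the article describes.
SAMPLE_ROWS = [
    {"payload": "admin",       "status": 200, "reason": "OK",    "size": 4815, "rtt_ms": 42},
    {"payload": "admin'",      "status": 200, "reason": "OK",    "size": 6210, "rtt_ms": 45},
    {"payload": "admin\"",     "status": 200, "reason": "OK",    "size": 4815, "rtt_ms": 40},
    {"payload": "admin' or '", "status": 302, "reason": "Found", "size": 0,    "rtt_ms": 210},
    {"payload": "admin--",     "status": 200, "reason": "OK",    "size": 4815, "rtt_ms": 41},
    {"payload": "admin;",      "status": 200, "reason": "OK",    "size": 4820, "rtt_ms": 44},
]


def triage(rows, size_ratio=0.25, rtt_factor=3.0):
    """Return the payloads whose response deviates from the baseline.

    Baseline = most common HTTP status, median body size and median RTT of
    all rows. A row is flagged when any of the following hold:
      * its HTTP status differs from the most common status,
      * its body size differs from the median by more than size_ratio,
      * its round-trip time exceeds rtt_factor times the median RTT.
    Each hit carries the reasons, so a reviewer sees why it was flagged.
    """
    if not rows:
        return []
    sizes = [r["size"] for r in rows]
    rtts = [r["rtt_ms"] for r in rows]
    statuses = [r["status"] for r in rows]
    base_size = median(sizes)
    base_rtt = median(rtts)
    base_status = max(set(statuses), key=statuses.count)

    flagged = []
    for r in rows:
        reasons = []
        if r["status"] != base_status:
            reasons.append(f"status {r['status']} {r['reason']} (baseline {base_status})")
        if base_size and abs(r["size"] - base_size) / base_size > size_ratio:
            reasons.append(f"body {r['size']} B vs median {base_size:.0f} B")
        if base_rtt and r["rtt_ms"] > rtt_factor * base_rtt:
            reasons.append(f"RTT {r['rtt_ms']} ms vs median {base_rtt:.0f} ms")
        if reasons:
            flagged.append({"payload": r["payload"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS):
        print(hit["payload"], "->", "; ".join(hit["reasons"]))
```

Median rather than mean keeps one huge or empty response from dragging the baseline with it, which matters when most rows are the same "login failed" page and only a handful differ.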

The SQLi Payload I'm looking at states this string was used to generate the response:

admin' or '

You can try this yourself, as in Figure 17, with the familiar trailing single quote or apostrophe to cause confusion between text and SQL. Populating the Username field while leaving the Password field empty, click the Login button.

Figure 17: Leave the Password field empty and click Login.

As surmised, a new web page loads and, lo and behold, on the top right-hand side of the new page, Mutillidae cheerfully states (Figure 18) you have root user access! Game over.

Figure 18: After injecting code into your application, you gain root user access.
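To see why that string gets past the login check, and what the fix looks like, here is an added example in Python that is not code from the article or from Mutillidae. It builds the same kind of login query two ways against an in-memory SQLite table; the schema, the two user accounts and the use of SHA-256 for the stored password are assumptions made only to keep the query visible.

```python
"""A login query built by string concatenation beside its parameterized form.

Added example, not code from the article or from Mutillidae. The accounts
table, the user names and the hashing scheme are constructed for the demo.
"""
import hashlib
import sqlite3


def make_db():
    """Create a constructed accounts table with an admin and a normal user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    for user, pw in [("admin", "s3cret"), ("max", "max")]:
        conn.execute("INSERT INTO accounts VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """WHERE clause glued together from user input, as in the page under test.

    A quote inside `username` ends the string literal early, so the rest of
    the value is parsed as SQL. With "admin' or '" and an empty password the
    clause becomes  username = 'admin' or '' AND password = '<hash>' , and the
    OR returns the admin row regardless of the password. Returns the matched
    username or None.
    """
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM accounts WHERE username = '" + username +
             "' AND password = '" + digest + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the username is data, never SQL."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, digest),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin' or '", ""))  # admin
    print("parameterized:", login_safe(db, "admin' or '", ""))    # None
```

The parameterized version is the one a code review should insist on; it also makes the ZAP fuzz results boring, because every injected quote simply fails to match a username and the response stays the same size.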
