1 of 30

Out-of-band Application Security Testing (OAST) with ZAP

Akshath Kothari

Presented By

2 of 30

What does “Out-of-band” mean, anyway?

3 of 30

Traditional Security Testing

4 of 30

Where This Model Falls Short

It misses

  • vulnerabilities involving stored data (e.g. Stored XSS)
  • vulnerabilities involving interaction with external systems (e.g. SSRF, Log4Shell, etc.)
  • “super-blind” vulnerabilities

5 of 30

Out-of-band Security Testing

6 of 30

The ZAP OAST Add-on

7 of 30

Getting the Add-on

Install it from the marketplace.

8 of 30

The OAST Tab (1/2)

9 of 30

The OAST Tab (2/2)

10 of 30

Configuring OAST

  • Go to Tools ➡ Options, click the gear icon in the toolbar, or use the shortcut cmd/ctrl+alt+O.

11 of 30

OAST Services

The OAST add-on currently supports interacting with the following services:

  • ZAP Callbacks
  • BOAST
  • Interactsh

12 of 30

Callback Service

A service hosted locally by ZAP on a port different from the proxy port.

13 of 30

Callback Service Options

14 of 30

Interactsh

15 of 30

Interactsh Options

16 of 30

BOAST

  • Open-source, self-hosted OAST Service.
  • GitHub: https://github.com/marcoagner/boast

17 of 30

BOAST Options

18 of 30

Demo: Finding Discordbot’s address

19 of 30

OAST + Active Scan Rules

Currently used by:

  • Log4Shell (docs, code)
  • XML External Entity Attack (docs, code)
  • Out-of-band XSS Scan Rule (docs, code)

20 of 30

“Active Scan Service”

21 of 30

Using OAST Payloads in Active Scan Rules

XML External Entity Scan Rule Code Walkthrough

25 of 30

Demo: Attacking ZAP with ZAP - Log4Shell in ZAP 2.11.0

26 of 30

Scripting with OAST (1/2)

  • Some standalone scripts and script templates are bundled with the add-on.
  • Active Scan Scripts are very similar to the active scan rules in Java.

// Look up the OAST extension in the running ZAP instance
var Control = Java.type("org.parosproxy.paros.control.Control")
var extOast = Control.getSingleton().getExtensionLoader().getExtension("ExtensionOast")
var interactsh = extOast.getInteractshService()

// Register with the Interactsh server once; set an auth token only if the server requires one
if (!interactsh.isRegistered()) {
  interactsh.getParam().setServerUrl("https://interact.sh")
  // interactsh.getParam().setAuthToken("auth token value")
  interactsh.register()
}

// Each call returns a fresh, unique payload to embed in a request
print(interactsh.getNewPayload())

Getting an Interactsh payload in a ZAP Script

27 of 30

Scripting with OAST (2/2)

// Look up the OAST extension in the running ZAP instance
var Control = Java.type("org.parosproxy.paros.control.Control")
var extOast = Control.getSingleton().getExtensionLoader().getExtension("ExtensionOast")
var interactsh = extOast.getInteractshService()

// Called by the add-on for every out-of-band interaction the service receives
function requestHandler(request) {
  print("Source: ", request.getSource())
  print("Referer: ", request.getReferer())
  print("Handler: ", request.getHandler())
  // The interaction is stored in the history, so the raw HTTP message is available
  var msg = request.getHistoryReference().getHttpMessage()
  print("Request Header:\n", msg.getRequestHeader())
  print("Request Body:\n", msg.getRequestBody())
  print()
}

interactsh.addOastRequestHandler(requestHandler)
print("OAST Request handler registered.")

Registering an OAST Request Handler

28 of 30

Demo: Sending messages to Discord on OOB Interaction

29 of 30

Future OAST Add-on Plans

  • More Scan Rules
  • API / Automation Framework Configuration Support
  • Permanent Database

30 of 30

Thank you!

You should now be able to:

  • Understand the ZAP GUI elements added by the OAST add-on.
  • Configure OAST services in ZAP.
  • Write active scan rules that use OAST payloads.
  • Write scripts that make use of OAST features.

Find these slides, demo code, and additional resources at:

https://ricekot.com/zapcon2022