Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gdgd009xcd/AutoMacroBuilderForZAP
A ZAPROXY Add-on that allows testing of web application vulnerabilities by recording complex multi-step sequences. You can test applications that need to access pages in a specific order, such as shopping carts or registration of member information.
activescan addon authentication csrf multistep multistep-form security security-testing security-tools vulnerability-scanners web-security webcrawler websecurity zap-extension zaproxy
- Host: GitHub
- URL: https://github.com/gdgd009xcd/AutoMacroBuilderForZAP
- Owner: gdgd009xcd
- License: apache-2.0
- Created: 2020-06-30T11:17:30.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-07-27T11:25:48.000Z (5 months ago)
- Last Synced: 2024-08-05T17:36:48.562Z (4 months ago)
- Topics: activescan, addon, authentication, csrf, multistep, multistep-form, security, security-testing, security-tools, vulnerability-scanners, web-security, webcrawler, websecurity, zap-extension, zaproxy
- Language: Java
- Homepage: https://gdgd009xcd.github.io/AutoMacroBuilderForZAP/
- Size: 50.3 MB
- Stars: 21
- Watchers: 3
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - gdgd009xcd/AutoMacroBuilderForZAP - A ZAPROXY Add-on that allows testing of web application vulnerabilities by recording complex multi-step sequences. You can test applications that need to access pages in a specific order, such as sh (Java)
README
## AutoMacroBuilder for ZAPROXY

AutoMacroBuilder is an extension of ZAPROXY. You can test applications that need to access pages in a specific order, such as shopping carts or registration of member information. This extension records the HTTP request sequence of the web application, tracks the anti-CSRF token and session cookies, and can test the sequence with ZAPROXY tools (ActiveScan).

In short, this add-on builds a multi-step request sequence without scripting, and lets you use that sequence with tools such as the scanners or manual requests in ZAPROXY.

![LANG](https://img.shields.io/github/languages/top/gdgd009xcd/AutoMacroBuilderForZAP)
![LICENSE](https://img.shields.io/github/license/gdgd009xcd/AutoMacroBuilderForZAP)

![typical usage](assets/images/typical.gif)
## Prerequisite
* ZAPROXY ver 2.13.0 or later
* java ver 11 or later

## how to use
Manuals:
* English manuals
* Japanese manuals

## a member registration sample web test results.
I tested member registration on my sample page, which has a CSRF token. Below is the result:

Test environment: WEBSAMPSQLINJ Docker image (docker-compose)
Scan target: [Modify User] 3.2.moduser.php (see Sitemap)
ZAPROXY version: 2.10.0-SNAPSHOT
Addon: AutoMacroBuilderForZAP ver0.9.6, ActiveScan rule addons (see below).
ZAPROXY mode: Standard mode

| url | parameter | Advanced SQLInjection Scanner ver13 beta | CustomActiveScan ver0.0.1 alpha |
|---|---|---|---|
| http://localhost:8110/moduser.php | password | DETECTED (time based pg_sleep(5)) | DETECTED (boolean based) |
| http://localhost:8110/moduser.php | age | DETECTED (time based pg_sleep(5)) | DETECTED (boolean based) |
## Download & Building
The add-on is built with [Gradle](https://gradle.org/).
To download & build this add-on, simply run:

```sh
$ git clone https://github.com/gdgd009xcd/AutoMacroBuilderForZAP.git
$ cd AutoMacroBuilderForZAP/
$ ./gradlew addOns:automacrobuilder:jarZapAddOn
```

The add-on will be placed in the directory `AutoMacroBuilderForZAP/addOns/automacrobuilder/build/zapAddOn/bin`:

```sh
$ cd addOns/automacrobuilder/build/zapAddOn/bin
$ ls
automacrobuilder-alpha-0.9.7.zap
```

* Gradle builds may fail due to network connection timeouts while downloading dependencies. If that happens, retry the gradlew command. Alternatively, you can download the add-on file from the [release page](https://github.com/gdgd009xcd/AutoMacroBuilderForZAP/releases).
## FAQ
### FAQ is [here](https://github.com/gdgd009xcd/AutoMacroBuilderForZAP/wiki/9.1.-FAQ)

## Author
### [gdgd009xcd](https://gdgd009xcd.github.io/)