Why I Use ZAP

🗡 Army-Knife for AppSec

In application security, pentesting, bug bounty and offensive security work in general, the single most essential tool is a proxy such as Burp or ZAP. Early on these were proxies first and foremost, but these days it is more accurate to think of them as an Army-Knife than as a proxy.

(Which is why WHW lists them under Army-Knife as well.)

The tools in this category are OWASP ZAP, PortSwigger BurpSuite, and one more, hetty. hetty is a project that only started recently, so it is still at a stage where it needs watching for a while.

What they have in common is that they use a MITM proxy to run request/response-based testing against the many protocols that sit on top of sockets (HTTP/HTTPS/WebSocket/etc.), and on top of that they support a huge number of security-testing features such as encoders/decoders and fuzzing.

Because of this, for a researcher or hacker doing AppSec, how well you handle the tool has a big effect on your own capabilities. (A difference in the details changes the result.)

🤔 So, what about you?

~ 2018 - BurpSuite addict

As far as I remember I used BurpSuite from the very beginning, when I first started in security. Its UI/UX was dated compared to today, but I still felt it was the cleanest of the tools in its category. (I used ZAP from time to time, but it was never my main tool.)

~ 2020 - BurpSuite and ZAP side by side

Then, from early 2018, I started rethinking my tooling. At the time I ranked them roughly Burpsuite pro > ZAP > Burpsuite community, and to shake up my analysis style I ran both of them side by side for quite a while. (Running both really eats system resources, so I don't particularly recommend it.. 😁)

2020 ~ ZAP becomes my main analysis tool

As I got to know ZAP's features one by one it turned out to be better than I expected, and I came to feel it was an underrated tool. BurpSuite's strength is its large number of extensions, while ZAP has relatively few. Conversely, though, having just the extensions you actually need, kept clean, felt like more of an advantage to me.

I'll go into the details below! In any case, ZAP is my main tool now.
(The company keeps a BurpSuite license anyway, so I boldly dropped my personal one. / Depending on the exchange rate it is 400,000 to 500,000 KRW a year, which is more than you'd think..)

😎 Why I chose ZAP

To be honest, dark mode support mattered most to me personally, but Burp announced dark mode at Halloween 2018 and ZAP in early 2019, so it turned out not to be a deciding factor.
(Which is why I even went to this trouble.)

REST API

Compared to BurpSuite, ZAP is extremely API-friendly. Being open source is part of that, but either way, exposing nearly every function of the tool through a REST API takes a lot of effort, and it is extremely useful in practice.

A REST API is provided for the vast majority of features.

BurpSuite's Enterprise (EP) edition does support GraphQL, so it is similar in that respect, but EP was built with DevSecOps in mind rather than as a tool for individual analysis, so I don't think it is really the right thing to compare against.
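As an added example (not code from the original post or from the ZAP project), here is a minimal client for the JSON API layout just described: it starts the spider, polls until it finishes and groups the recorded alerts by risk, the way you would drive a headless daemon started with zap.sh -daemon -port 8080 -config api.key=.... Only the URL layout, the X-ZAP-API-Key header and the spider/core endpoints are ZAP's own; the fake transport, its responses, the host and the key value are constructed so the script runs offline.

```python
"""Minimal client for ZAP's REST API (added example, not ZAP project code).

ZAP exposes nearly every function as
    http://<host>:<port>/JSON/<component>/<view|action>/<name>/?<params>
and authenticates with the X-ZAP-API-Key header.  A headless daemon
started with
    zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=changeme
answers these calls without a GUI.  The transport is injectable, so the
same workflow runs against a constructed stand-in when no daemon is up.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

Fetch = Callable[[str, Dict[str, str]], str]  # (url, headers) -> response body


class ZapApi:
    def __init__(self, base_url: str, api_key: str, fetch: Optional[Fetch] = None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.fetch = fetch or self._http_fetch

    @staticmethod
    def _http_fetch(url: str, headers: Dict[str, str]) -> str:
        """Real transport: plain GET; ZAP puts its error JSON in 4xx bodies."""
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8")

    def build_url(self, component: str, kind: str, name: str, **params) -> str:
        url = f"{self.base_url}/JSON/{component}/{kind}/{name}/"
        query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
        return f"{url}?{query}" if query else url

    def _call(self, component: str, kind: str, name: str, **params) -> dict:
        body = self.fetch(self.build_url(component, kind, name, **params),
                          {"X-ZAP-API-Key": self.api_key, "Accept": "application/json"})
        data = json.loads(body)
        if "code" in data and "message" in data:   # ZAP's error shape
            raise RuntimeError(f"ZAP API error {data['code']}: {data['message']}")
        return data

    def view(self, component: str, name: str, **params) -> dict:
        return self._call(component, "view", name, **params)

    def action(self, component: str, name: str, **params) -> dict:
        return self._call(component, "action", name, **params)


def spider_and_collect(api: ZapApi, target: str,
                       poll: Callable[[], None] = lambda: time.sleep(2)) -> Dict[str, list]:
    """Start the spider on ``target``, wait for 100 %, then group the alerts
    ZAP has recorded for that base URL by risk level."""
    scan_id = api.action("spider", "scan", url=target)["scan"]
    while int(api.view("spider", "status", scanId=scan_id)["status"]) < 100:
        poll()
    by_risk: Dict[str, list] = {}
    for alert in api.view("core", "alerts", baseurl=target)["alerts"]:
        by_risk.setdefault(alert["risk"], []).append(alert["alert"])
    return by_risk


def make_fake_zap(api_key: str = "changeme") -> Fetch:
    """Constructed stand-in for a daemon: sample responses, not real ZAP output."""
    status_calls = {"n": 0}

    def fetch(url: str, headers: Dict[str, str]) -> str:
        if headers.get("X-ZAP-API-Key") != api_key:
            return json.dumps({"code": "bad_api_key", "message": "Bad API key"})
        path = urllib.parse.urlsplit(url).path
        if path == "/JSON/core/view/version/":
            return json.dumps({"version": "2.9.0"})
        if path == "/JSON/spider/action/scan/":
            return json.dumps({"scan": "3"})
        if path == "/JSON/spider/view/status/":
            status_calls["n"] += 1           # first poll: still running
            return json.dumps({"status": "100" if status_calls["n"] > 1 else "40"})
        if path == "/JSON/core/view/alerts/":
            return json.dumps({"alerts": [
                {"alert": "X-Content-Type-Options Header Missing", "risk": "Low"},
                {"alert": "Cross-Domain Misconfiguration", "risk": "Medium"},
                {"alert": "Absence of Anti-CSRF Tokens", "risk": "Low"},
            ]})
        return json.dumps({"code": "no_implementor", "message": "No Implementor"})

    return fetch


if __name__ == "__main__":
    # Pass fetch=None instead of make_fake_zap() to talk to a real daemon.
    zap = ZapApi("http://127.0.0.1:8080", "changeme", fetch=make_fake_zap())
    print("ZAP", zap.view("core", "version")["version"])
    print(spider_and_collect(zap, "https://www.hahwul.com/", poll=lambda: None))
```

The injectable transport is the point: the same workflow can be unit-tested against the stand-in and then pointed at a daemon on a remote box, which is exactly the split (analysis machine here, ZAP there) the post comes back to in the HUD section.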

How raw HTTP requests are represented

If you have used ZAP even a little this is the first thing you notice, and for BurpSuite users it is also the most uncomfortable part. A request to my site would look like this.

BurpSuite

GET / HTTP/1.1
Host: www.hahwul.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://www.hahwul.com/resources/
Cookie: _ga=GA1.2.117181321.1593755240; _gid=GA1.2.669019271.1606812260
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 02 Dec 2020 03:03:57 GMT
If-None-Match: W/"5fc7041d-10f73"


ZAP

GET https://www.hahwul.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: _ga=GA1.2.117181321.1593755240; _gid=GA1.2.669019271.1606812260
Upgrade-Insecure-Requests: 1
Host: www.hahwul.com


Yes, it is the URI path part: Burp uses the standard form, GET / HTTP/1.1, while ZAP uses the form GET https://www.hahwul.com/ HTTP/1.1. Burp can do this because it stores the target information separately.

In terms of readability BurpSuite's shorter representation may be nicer, but for pipelining into other tools and for keeping a record of what you analyzed, ZAP's form makes the target unambiguous, which I found far better.
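The pipelining point is concrete enough to show in code. As an added example (not from the original post), this parser accepts a raw request in either layout, recovers the full target from the request line or the Host header, and re-serialises it in the other layout, so a request saved by one tool can be handed to another without losing the host. The two sample requests are constructed (trimmed from the ones above), and the https default for origin-form requests is an assumption the caller has to supply.

```python
"""Normalise raw HTTP requests between the two request-line forms above
(added example, not code from the original post).

ZAP saves the absolute-form request line (GET https://host/ HTTP/1.1);
Burp shows origin-form (GET / HTTP/1.1) and keeps the target elsewhere.
When a saved request is handed to another tool, the target must be
recovered from whichever form it is in, otherwise it is replayed against
the wrong host.  Sample requests are constructed (trimmed from the two above).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed samples in the two layouts shown above.
ZAP_SAMPLE = (
    "GET https://www.hahwul.com/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Host: www.hahwul.com\r\n\r\n"
)
BURP_SAMPLE = (
    "GET /resources/?page=2 HTTP/1.1\r\n"
    "Host: www.hahwul.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: close\r\n\r\n"
)


@dataclass
class ParsedRequest:
    method: str
    scheme: str
    host: str          # authority as written, including :port if any
    path: str          # path plus query
    version: str
    headers: List[Tuple[str, str]] = field(default_factory=list)
    host_header_mismatch: bool = False  # absolute-form whose Host header disagrees

    @property
    def url(self) -> str:
        return f"{self.scheme}://{self.host}{self.path}"


def _header(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def parse_raw_request(raw: str, default_scheme: str = "https") -> ParsedRequest:
    """Parse either form.  For origin-form the authority comes from the Host
    header and the scheme is the caller's assumption, because the raw text
    alone does not record whether TLS was used."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    host_hdr = _header(headers, "Host")
    if "://" in target:
        # Absolute-form: RFC 7230 says the request-target authority wins, so
        # flag (rather than silently trust) a Host header that disagrees.
        parts = urlsplit(target)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        mismatch = host_hdr is not None and host_hdr != parts.netloc
        return ParsedRequest(method, parts.scheme, parts.netloc, path, version, headers, mismatch)
    if host_hdr is None:
        raise ValueError("origin-form request without a Host header")
    return ParsedRequest(method, default_scheme, host_hdr, target, version, headers)


def to_origin_form(req: ParsedRequest) -> str:
    """Burp-style layout: origin-form request line, Host header first."""
    lines = [f"{req.method} {req.path} {req.version}", f"Host: {req.host}"]
    lines += [f"{n}: {v}" for n, v in req.headers if n.lower() != "host"]
    return "\r\n".join(lines) + "\r\n\r\n"


def to_absolute_form(req: ParsedRequest) -> str:
    """ZAP-style layout: absolute-form request line, Host header last."""
    lines = [f"{req.method} {req.url} {req.version}"]
    lines += [f"{n}: {v}" for n, v in req.headers if n.lower() != "host"]
    lines.append(f"Host: {req.host}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for sample in (ZAP_SAMPLE, BURP_SAMPLE):
        req = parse_raw_request(sample)
        print(req.url, "| origin-form line:", to_origin_form(req).split("\r\n")[0])
```

The mismatch flag is the caveat worth keeping: in absolute-form the authority in the request line is what the server is required to use, so a pipeline that reads only the Host header would record a different target than the one actually requested.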

Custom environment

Since both Burp and ZAP are analysis tools, fine-grained settings and a customized environment let you improve and streamline an enormous amount. It is the same principle that lets design experts work incredibly fast in Illustrator or their editing programs: whether you work at a company, do bug bounties or freelance, your time is limited, and being able to analyze quickly within that time is how you get both results and a life of your own.

That calls for fine control over the tool, and here ZAP, being open source with broad feature and REST support, has a clear advantage. (Dig through the option menus and you will see that ZAP's settings are really detailed. Hooray for Simon!)

HUD and WebSwing

This is an important part, essentially ZAP's direction. I posted briefly about it at the end of the year before last; the purpose of the HUD is ultimately to build an environment where you can control ZAP and do your analysis from within the browser. (It is a step up from a car HUD; those lack control features..)

It feels a bit awkward at first, but the more you use it the more positives you find.

I don't use it heavily yet, but you can also run ZAP in daemon mode on a high-spec PC or server and test through the HUD. This greatly reduces the resource load on the machine you analyze from, so it is a useful option. (In my case I run ZAP on my MacBook and a separate ZAP for the HUD on a server 😎)

ZAP also supports WebSwing, so you can control it from a browser as if you were using the desktop application.

💭 Comparing ZAP and Burp

For anyone still deciding, here is a quick summary of the main points to check (🎖 marks the stronger side in that row).

Feature                   | OWASP ZAP            | BurpSuite                     | Comments
--------------------------|----------------------|-------------------------------|------------------------------
Proxy                     | O                    | O                             |
Passive Scan              | O                    | O                             |
Active Scan               | O                    | O 🎖                          | Only Pro/EP version
Scope management          | O (Context)          | O (Scope)                     |
Project management        | O                    | O                             |
OOB Testing               | O (Callback)         | O (Collaborator) 🎖           | ZAP is a bit lacking here
Extensions                | O                    | O 🎖                          |
Scripting                 | O 🎖                 | O (partial support)           |
API                       | O 🎖                 | O                             | Only Pro/EP version
Dark Mode                 | O                    | O                             |
Manual testing            | O (Requester)        | O (Repeater)                  |
Detailed manual testing   | O                    | O 🎖                          |
Fuzzing                   | O (Fuzzing)          | O (Intruder / Turbo intruder) |
Dirsearch                 | O (Forced Browse) 🎖 | O (Intruder / Turbo intruder) |
Dashboard                 | X                    | O                             |
State manage              | O (Statd)            | X                             |
WebSocket                 | O                    | O                             |
Hotkeys                   | O                    | O                             |
Embedded Browser          | O                    | O                             |
New tech                  | O                    | O 🎖                          | Burp supports new tech faster
External tool integration | O 🎖                 | O                             |
Customize                 | O 🎖                 | O                             |
Price                     | OpenSource           | Free/$399/$3999               |

🚀 Another option? Hetty!

This is an open-source project that started in the middle of this year. It is built on go + nextjs; it is a bit early to call it an Army-Knife, so think of it as a proxy tool for now.

Go is fast, but more importantly most testing tools today are written in Go, so if they are pulled in as libraries and integrated, I suspect we might see ZAP / Burp / Hetty become the three main tools.

It still has many gaps, but since the project is in its early days, contributing directly would be both educational and fun, so I recommend it. It feels similar to ZAP's HUD and WebSwing, but because it runs web-based it is also a good fit for deploying on a high-performance machine or a scalable cluster and sharing with others.

🙏🏼 Conclusion

In any case, choosing your main tool is really important, and from what I have felt so far, trying several tools and building your own style is an important part of doing this work. Do try all three, ZAP / Burp / Hetty, and then decide 😎