ZAP 2.10 Released 🎉 Quick review


2020 λ§ˆμ§€λ§‰μ΄ μ–Όλ§ˆ 남지 μ•Šμ€ 였늘 λ“œλ””μ–΄ ZAP 2.10.0이 릴리즈 λ˜μ—ˆμŠ΅λ‹ˆλ‹€. κ·Έλ™μ•ˆ dark mode 등을 이유둜 weekly 버전을 μ‚¬μš©ν–ˆμ—ˆλŠ”λ°, μ΄μ œλŠ” 곡식 λ²„μ „μœΌλ‘œ λ„˜μ–΄κ°€λ„ 쒋을 것 κ°™λ„€μš”.

μ˜€λŠ˜μ€ κ°€λ³κ²Œ 2.10.0 의 릴리즈 λ…ΈνŠΈλ₯Ό μ‚΄νŽ΄λ³΄κ³ , λͺ‡κ°€μ§€ κΉ¨μ•Œκ°™μ€ κΈ°λŠ₯을 μ†Œκ°œν• κΉŒ ν•©λ‹ˆλ‹€.

TL;DR

  • A lot of features were added. See the release notes for the details.
  • There are features that are not in the release notes. They are roughly written up in this post, so take a look.
  • This update is generous too, so go ahead and update quickly.

ZAP 2.10.0 Release Notes

Escape Java 8 version, Go 11!

ZAP had the issue of having to stay on an old Java version. On the ZAP side this is an issue that is being fixed after roughly 10 years, and because of it ZAP ran with a Java SDK bundled inside ZAP rather than using the system's Java. Of course, thanks to that it could still run unaffected even when the system Java was broken. But now that the dependency on Java 8 has been dropped, this is a chance to get away from the problems of legacy Java :D

Custom pages

Custom Pages can be defined on a per context basis - these allow ZAP to identify various non-standard error handling conditions such as custom error pages and handle them more effectively.

μ΄μ œλΆ€ν„° Custom pageλ₯Ό Context(Burp에선 Scope) λ³„λ‘œ μ •μ˜ν•˜μ—¬ μ‚¬μš©ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

This is another feature with plenty of uses. Each service may have custom error pages that come back as 200 OK. By defining those pages in advance, you can filter them out during fuzzing or testing.
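To make the "200 OK error page" problem concrete, here is an added example (not ZAP's code) of a per-context rule set that tags such pages so a fuzzer can discard them. The contexts, rule patterns and sample responses are all constructed for the example; ZAP's own Custom Pages dialog matches on status code, or on a regex over the response, in a similar spirit.

```python
import re
from dataclasses import dataclass

# Constructed example, not ZAP's own code: per-context rules that mark
# "custom error pages" so they can be dropped even when the server says 200 OK.

@dataclass(frozen=True)
class CustomPageRule:
    context: str   # name of the context (scope) the rule belongs to
    kind: str      # e.g. "error_404", "error_500", "auth_required"
    pattern: str   # regex matched against the response body (example assumption)

@dataclass(frozen=True)
class Response:
    context: str
    url: str
    status: int
    body: str

# Hypothetical rule set for two contexts, "shop" and "api".
RULES = [
    CustomPageRule("shop", "error_404", r"<title>Oops! Page not found</title>"),
    CustomPageRule("shop", "error_500", r"Something went wrong on our side"),
    CustomPageRule("api",  "error_404", r'"error"\s*:\s*"resource not found"'),
]

def classify(resp: Response, rules=RULES) -> str:
    """Return the custom page kind for resp, or 'content' if no rule matches.
    Only the rules of the response's own context are consulted, so a body that
    is an error page for one site is not assumed to be one for another."""
    for rule in rules:
        if rule.context == resp.context and re.search(rule.pattern, resp.body, re.I):
            return rule.kind
    return "content"

def filter_interesting(responses, rules=RULES):
    """Keep only responses a tester should actually look at."""
    return [r for r in responses if classify(r, rules) == "content"]

# Constructed sample responses; every one of them is a 200 OK.
SAMPLE = [
    Response("shop", "https://shop.example/item/1", 200, "<title>Blue Mug</title>"),
    Response("shop", "https://shop.example/admin", 200, "<title>Oops! Page not found</title>"),
    Response("shop", "https://shop.example/cart", 200, "Something went wrong on our side"),
    Response("api", "https://api.example/v1/x", 200, '{"error": "resource not found"}'),
    Response("api", "https://api.example/v1/users", 200, '{"users": []}'),
    # Same body as shop's 404 page, but the api context has no such rule.
    Response("api", "https://api.example/v1/p", 200, "<title>Oops! Page not found</title>"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.context, r.url, "->", classify(r))
    print(len(filter_interesting(SAMPLE)), "responses worth a look")
```

The point of scoping rules by context is the last sample: the same HTML is an error page on the shop site but ordinary content on the API site, so a global rule would hide a real response.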

Authentication Polling

The concept of Authentication Verification Strategies has been introduced which allows ZAP to handle a wider range of authentication mechanisms including the option to poll a specified page for the authentication status of a user.

They have introduced the concept of Authentication Verification Strategies. One of them checks the authentication status by polling a specified page.
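As an added illustration of the polling idea (this is example code, not ZAP's implementation), the class below re-checks a status page every N requests and decides from "logged in" / "logged out" indicators whether the session is still valid. The status URL, the indicator regexes, the poll frequency and the page bodies are all constructed assumptions.

```python
import re

class PollingAuthVerifier:
    """Verify a session by polling a status page every N requests.
    Constructed example modelled on the idea in the release note; the
    indicator regexes, poll frequency and status page are assumptions."""

    def __init__(self, status_url, logged_in_re, logged_out_re, every_n_requests=5):
        self.status_url = status_url
        self.logged_in_re = re.compile(logged_in_re)
        self.logged_out_re = re.compile(logged_out_re)
        self.every = every_n_requests
        self.sent = 0
        self.authenticated = None   # unknown until the first poll

    def should_poll(self) -> bool:
        # Poll before the very first request and then every N requests.
        return self.sent % self.every == 0

    def note_request(self):
        self.sent += 1

    def evaluate(self, status_body: str) -> bool:
        """Decide from the polled page body. The logged-out indicator wins, so a
        page that shows both a 'Logout' link and 'Please log in' is treated as
        unauthenticated, which is the safer default for a scanner."""
        if self.logged_out_re.search(status_body):
            self.authenticated = False
        elif self.logged_in_re.search(status_body):
            self.authenticated = True
        else:
            self.authenticated = False   # neither indicator: do not assume a session
        return self.authenticated

def run_scan(verifier, requests_to_send, fetch_status):
    """Simulate a scan loop: before each request, poll if due.
    Returns (number of polls, number of times re-authentication was needed)."""
    polls = 0
    reauths = 0
    for _ in requests_to_send:
        if verifier.should_poll():
            polls += 1
            if not verifier.evaluate(fetch_status()):
                reauths += 1          # a real scanner would re-run the login here
        verifier.note_request()
    return polls, reauths

# Constructed bodies the status page returns on successive polls.
STATUS_PAGES = [
    '<a href="/logout">Logout</a> Welcome, alice',
    '<a href="/logout">Logout</a> Welcome, alice',
    '<form action="/login">Please log in</form>',   # session expired
    '<a href="/logout">Logout</a> Welcome, alice',  # after re-login
]

def simulate(n_requests=20, every=5):
    v = PollingAuthVerifier("https://app.example/account", r"Logout", r"Please log in", every)
    pages = iter(STATUS_PAGES)
    return run_scan(v, range(n_requests), lambda: next(pages))

if __name__ == "__main__":
    print(simulate())   # 20 requests, polled 4 times, re-authenticated once
```

Polling every N requests rather than inspecting every response is the trade-off ZAP's strategy makes too: fewer extra requests, at the cost of noticing an expired session up to N requests late.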

Site Tree Control

Scripts and add-ons now have full access to how nodes are represented in the Sites Tree. Both Input Vector Scripts and add-ons which include implementations of the Variant class can change both the tree structure and names used for new nodes.

μ€‘μš”ν•œ μ—…λ°μ΄νŠΈ λΆ€λΆ„ 쀑 ν•˜λ‚˜ μΈλ°μš”, 2.10 λΆ€ν„° Add-On κ³Ό Scriptsμ—μ„œ Site treeλ₯Ό μ œμ–΄ν•  수 μžˆμ–΄μ§‘λ‹ˆλ‹€. μ΄λŠ” ν™•μž₯ κΈ°λŠ₯듀이 쑰금 더 μœ μ—°ν•˜κ²Œ 개발될 수 μžˆλ„λ‘ μœ λ„λœ 것 κ°™λ„€μš”. μ–΄μ©„λ˜ Sites treeλ₯Ό μ œμ–΄ν•˜λ©΄ 이미 μˆ˜μ§‘λœ Endpoint URL을 μ–»κ±°λ‚˜ μΆ”κ°€/μˆ˜μ • ν•˜λŠ” λ°©μ‹μœΌλ‘œλ„ μ‚¬μš©ν•  수 μžˆμ–΄μ„œ 개인적으둜 λ§˜μ—λ“œλŠ” λΆ€λΆ„μž…λ‹ˆλ‹€.

Dynamic Look and Feel (Dark mode)

The Desktop UI includes a new set of open source Look and Feel’s c/o FlatLaf including 2 Dark Mode options. You can also dynamically switch the Look and Feel via a button on the Top Level Toolbar.

This is the feature that forced me onto the weekly builds of ZAP. Initially there was only dark mode support, but later the ability to switch the LaF dynamically was added.

Authentication headers via env vars

A new set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated by the ZAP tools, including the spiders and active scanner. These are documented on the Authentication page.

κΈ°μ‘΄μ—λŠ” Custom 헀더 등을 μΆ”κ°€ν•˜κΈ° μœ„ν•΄μ„  replacer와 같은 ν™•μž₯을 μ΄μš©ν•΄μ„œ λ³€κ²½ν–ˆμ–΄μ•Ό ν•©λ‹ˆλ‹€. μ΄λŸ¬ν•œ 과정이 Env VarsλΌλŠ” νŒŒλΌλ―Έν„°μ— μ •μ˜ν•˜μ—¬ λͺ¨λ“  μš”μ²­μ— μ˜λ„ν•œ 헀더λ₯Ό λΆ™μ—¬μ£ΌλŠ” λ“±μ˜ μ•‘μ…˜μ΄ κ°€λŠ₯ν•΄μ§‘λ‹ˆλ‹€.

SOCKS Proxy Config

It is now possible to dynamically configure the outgoing SOCKS proxy in the Options’ Connection screen. By default the SOCKS proxy configuration applies to all connections made by ZAP.

The SOCKS proxy can now be controlled from within ZAP.

Cached scripts

The following script types are now cached between invocations reducing the time it takes to reuse them:

λͺ‡λͺ‡ μœ ν˜•μ˜ μŠ€ν¬λ¦½νŠΈλ“€μ΄ ν˜ΈμΆœκ°„μ— μΊμ‹œλ˜μ–΄μ„œ μž¬μ‚¬μš©μ— κ±Έλ¦¬λŠ” μ‹œκ°„μ„ λ‹¨μΆ•ν•œλ‹€κ³  ν•©λ‹ˆλ‹€. μš°λ¦¬κ°€ λ­”κ°€ 더 μ†λŒˆ 뢀뢄은 μ—†κ³  체감적으둜 속도가 쑰금 더 λΉ¨λΌμ§€κ² λ„€μš”.

and New/Updated Add-Ons, APIs

Some add-ons that were in alpha/beta have moved to Release. There seem to be some added APIs as well. See the release notes for the details.

μ•Œλ €μ§€μ§€ μ•Šμ€ μ—…λ°μ΄νŠΈ λ‚΄μš©

Content-Length can now be forced (for HTTP Request Smuggling)

You can now control Content-Length in Manual Request. Previously ZAP did not support this, which made testing HTTP Request Smuggling somewhat inconvenient. (In the TL:CE case there was no choice but to test in Burp.)

However, the button does not appear in extensions such as Requester, so it looks like those extensions will need an update of their own.

Macμ—μ„œ 전체화면을 지원함

이제 λ©λ‹ˆλ‹€. (2.9λ•ŒλŠ” μ•ˆλ˜μ„œ 고생..)
