ZAP 2.10 Released 🎉 Quick review

With the end of 2020 not far off, ZAP 2.10.0 has finally been released today. I had been using the weekly builds for things like dark mode, but now it seems fine to move over to the official release.

์˜ค๋Š˜์€ ๊ฐ€๋ณ๊ฒŒ 2.10.0 ์˜ ๋ฆด๋ฆฌ์ฆˆ ๋…ธํŠธ๋ฅผ ์‚ดํŽด๋ณด๊ณ , ๋ช‡๊ฐ€์ง€ ๊นจ์•Œ๊ฐ™์€ ๊ธฐ๋Šฅ์„ ์†Œ๊ฐœํ• ๊นŒ ํ•ฉ๋‹ˆ๋‹ค.


  • Lots of features have been added. See the release notes for details.
  • Some features aren't in the release notes. I've roughly written them up in this post, so take a look.
  • This update is another generous one, so go update quickly.


ZAP 2.10.0 Release Notes

Escape Java 8 version, Go 11!

ZAP์€ ๊ตฌํ˜• ์ž๋ฐ” ๋ฒ„์ „์„ ์œ ์ง€ํ•ด์•ผํ•˜๋Š” ์ด์Šˆ๊ฐ€ ์žˆ์—ˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” ZAP์ชฝ์—์„œ๋„ ์•ฝ 10๋…„๋งŒ์— ์ˆ˜์ •๋˜๋Š” ์ด์Šˆ์ด๊ณ  ์ด ๋ฌธ์ œ๋กœ ZAP์€ ์‹œ์Šคํ…œ์˜ ์ž๋ฐ”๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ด ์•„๋‹Œ ZAP ๋‚ด๋ถ€์— Java SDK๋ฅผ ๊ฐ€์ง€๊ณ  ์‹คํ–‰ํ•˜๋Š” ํ˜•ํƒœ๋กœ ๋™์ž‘ํ–ˆ์—ˆ์Šต๋‹ˆ๋‹ค. ๋ฌผ๋ก  ์ด๋กœ์ธํ•ด์„œ ์‹œ์Šคํ…œ ์ž๋ฐ”๊ฐ€ ๋ฌธ์ œ๊ฐ€ ์ƒ๊ธด ๊ฒฝ์šฐ์—๋„ ์ง€์žฅ๋ฐ›์ง€ ์•Š๊ณ  ์‹คํ–‰ํ•  ์ˆœ ์žˆ์—ˆ์Šต๋‹ˆ๋‹ค. ๋‹ค๋งŒ ์ด์ œ๋Š” ์ž๋ฐ” 8 ๋ฒ„์ „์˜ ์˜์กด์„ฑ์„ ๋ฒ—์–ด๋‚œ ๊ฒƒ์ด๊ธฐ ๋•Œ๋ฌธ์— ๋ ˆ๊ฑฐ์‹œ ์ž๋ฐ”์˜ ๋ฌธ์ œ๋ฅผ ํ”ผํ•ด๊ฐˆ ์ˆ˜ ์žˆ๋Š” ๊ธฐํšŒ๊ฐ€ ๋˜์—ˆ๋„ค์š” :D

Custom pages

Custom Pages can be defined on a per context basis - these allow ZAP to identify various non-standard error handling conditions such as custom error pages and handle them more effectively.

From now on, Custom Pages can be defined and used per Context (what Burp calls Scope).


์ด๊ฒƒ๋„ ํ™œ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๋ถ€๋ถ„์ด ๋งŽ์€ ๊ธฐ๋Šฅ์ธ๋ฐ์š”, ์„œ๋น„์Šค ๋ณ„๋กœ 200 OK ๋‚˜์˜ค๋Š” Custom Error ํŽ˜์ด์ง€๊ฐ€ ์กด์žฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ํŽ˜์ด์ง€๋“ค์„ ๋ฏธ๋ฆฌ ์ •์˜ํ•ด์„œ Fuzzing์ด๋‚˜ ํ…Œ์ŠคํŒ… ๋‹จ๊ณ„์—์„œ ๊ฑธ๋Ÿฌ๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Authentication Polling

The concept of Authentication Verification Strategies has been introduced which allows ZAP to handle a wider range of authentication mechanisms including the option to poll a specified page for the authentication status of a user.

The concept of Authentication Verification Strategies has been introduced. It is a way of checking a user's authentication status by polling a specified page.


Site Tree Control

Scripts and add-ons now have full access to how nodes are represented in the Sites Tree. Both Input Vector Scripts and add-ons which include implementations of the Variant class can change both the tree structure and names used for new nodes.

This is one of the important updates: from 2.10 on, add-ons and scripts can control the Sites tree. It seems intended to let extensions be developed more flexibly. In any case, controlling the Sites tree can also be used to read, add or modify the endpoint URLs that have already been collected, which is something I personally like.

Dynamic Look and Feel (Dark mode)

The Desktop UI includes a new set of open source Look and Feel's c/o FlatLaf including 2 Dark Mode options. You can also dynamically switch the Look and Feel via a button on the Top Level Toolbar.

This is the feature that forced me onto the weekly builds of ZAP. Initially there was only dark mode support, but the ability to switch the LaF dynamically was added later.


Authentication headers via env vars

A new set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated by the ZAP tools, including the spiders and active scanner. These are documented on the Authentication page.

๊ธฐ์กด์—๋Š” Custom ํ—ค๋” ๋“ฑ์„ ์ถ”๊ฐ€ํ•˜๊ธฐ ์œ„ํ•ด์„  replacer์™€ ๊ฐ™์€ ํ™•์žฅ์„ ์ด์šฉํ•ด์„œ ๋ณ€๊ฒฝํ–ˆ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ๊ณผ์ •์ด Env Vars๋ผ๋Š” ํŒŒ๋ผ๋ฏธํ„ฐ์— ์ •์˜ํ•˜์—ฌ ๋ชจ๋“  ์š”์ฒญ์— ์˜๋„ํ•œ ํ—ค๋”๋ฅผ ๋ถ™์—ฌ์ฃผ๋Š” ๋“ฑ์˜ ์•ก์…˜์ด ๊ฐ€๋Šฅํ•ด์ง‘๋‹ˆ๋‹ค.

SOCKS Proxy Config

It is now possible to dynamically configure the outgoing SOCKS proxy in the Options' Connection screen. By default the SOCKS proxy configuration applies to all connections made by ZAP.

The SOCKS proxy can now be controlled from within ZAP.


Cached scripts

The following script types are now cached between invocations reducing the time it takes to reuse them:

Some types of scripts are now cached between invocations, which is said to cut the time needed to reuse them. There's nothing for us to touch here; things will just feel a bit faster.

New/Updated Add-Ons and APIs

Some add-ons that were in alpha/beta have moved to release. There also seem to be some new APIs. See the release notes for details.

Updates that weren't announced

Content-Length can be manually overridden (for HTTP Request Smuggling)

You can now control the Content-Length in Manual Request. Previously ZAP didn't support this, which made testing HTTP Request Smuggling a bit inconvenient. (For the TL:CE case there was no option but to test in Burp.)


However, the button doesn't seem to show up in extensions such as Requester, so it looks like those extensions will need an update of their own.
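As an added example that is not part of the original post, here is a small Python checker for the request framing that the new Content-Length control lets a tester tamper with, written from the proxy's side: it flags a Content-Length that disagrees with the body, conflicting or non-numeric values, and a request that carries both Content-Length and Transfer-Encoding, which RFC 7230 section 3.3.3 says must be treated as ambiguous rather than forwarded as-is. The sample requests are constructed for the example.

```python
"""Framing checks a front-end proxy should apply before forwarding a request."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def framing_findings(raw: bytes):
    """Return a list of findings; an empty list means the framing is unambiguous."""
    _, headers, body = parse_request(raw)
    findings = []
    cl_values = [v for n, v in headers if n == b"content-length"]
    has_te = any(n == b"transfer-encoding" for n, _ in headers)
    if cl_values and has_te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        findings.append("conflicting Content-Length values")
    for value in cl_values:
        if not value.isdigit():
            findings.append("non-numeric Content-Length: %r" % value)
    # Only compare against the body when a single numeric Content-Length
    # governs the framing (no Transfer-Encoding, no conflicting values).
    if cl_values and not has_te and len(set(cl_values)) == 1 and cl_values[0].isdigit():
        declared = int(cl_values[0])
        if declared != len(body):
            findings.append("Content-Length %d does not match body length %d"
                            % (declared, len(body)))
    return findings


# Constructed samples: a normally framed request, one whose declared length
# is wrong for its 9-byte body, and one that declares both framing headers.
NORMAL_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
                  b"Content-Length: 9\r\n\r\nuser=test")
WRONG_LENGTH_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
                        b"Content-Length: 4\r\n\r\nuser=test")
CL_AND_TE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
                     b"Content-Length: 9\r\nTransfer-Encoding: chunked\r\n\r\n"
                     b"9\r\nuser=test\r\n0\r\n\r\n")
```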

Full screen now works on Mac

์ด์ œ ๋ฉ๋‹ˆ๋‹ค. (2.9๋•Œ๋Š” ์•ˆ๋˜์„œ ๊ณ ์ƒ..)