Need to test out-of-band on ZAP? Use OAST!

Hi hackers and geeks! Today, ZAP OAST was released as an alpha version. (As I mentioned on https://twitter.com/hahwul/status/1415710990608461827, OAST is a tool for identifying out-of-band interactions, similar to a callback server, which is very useful for SSRF, RCE, etc.)

As I expected, there is a pre-configured BOAST instance on the ‘odiss.eu’ domain, and building and using a custom BOAST server seems to be the best way to use it.

ZAP OAST

ZAP OAST is a tool that notifies you of the DNS queries, HTTP requests, etc. that occur during out-of-band testing, much like Burp Suite's Collaborator and ProjectDiscovery's interactsh.

Out of the box it uses the public BOAST server hosted at odiss.eu, and you can also point it at your own callback server by deploying the open-source BOAST project separately, much as you would run a private Burp Collaborator.

It handles most of the protocols required for OOB testing, such as DNS, HTTP and HTTPS.

Setup OAST

Install the OAST Support add-on from the ZAP Marketplace, and you will find an OAST menu in Options.

From here, you can get an ID and a Canary value from odiss.eu by pressing the Register button. The ID becomes part of your callback address; the Canary is the value the BOAST server returns when it receives a request, so you can confirm that a callback actually reached the server.

Use Interaction

Take the ID value obtained from Register in ZAP OAST earlier and combine it with odiss.eu to get an individual address for your own use. If a request such as HTTP or DNS arrives at this address, you can check it in the OAST Callbacks tab in ZAP, just like with Burp Collaborator. The ID can be placed either in the URI path or in a subdomain.

URI-Path case

curl -i -k https://odiss.eu/c7uahecqkjjzee5gymjq6rhuui

Subdomain case

curl -i -k https://c7uahecqkjjzee5gymjq6rhuui.odiss.eu

Personally, I think it's much better to also catch the DNS lookup (which is recorded even when the HTTP connection never arrives), so I recommend the subdomain form.
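Here is an added example (my code, not part of the original post and not code from ZAP or BOAST) that scripts the same interaction check outside the ZAP UI: it builds both payload forms for a test ID, parses a BOAST /events reply, and tells you whether the target only resolved the name (a DNS-only hit) or also completed an HTTP request. The API shape it assumes comes from the BOAST README and ZAP's BOAST client and should be verified against your server: GET /events with an 'Authorization: Secret <client secret>' header, a JSON reply with id, canary and events, each event carrying id, time, testID, receiver, remoteAddress, dump and queryType, and the canary echoed in BOAST's reply to a callback. The API URL, the canary and the sample response are constructed placeholders.

```python
"""BOAST interaction helpers: payload addresses, /events parsing, verdict.

Added example, not code from ZAP or BOAST. The API shape (header name,
JSON fields) is assumed from the BOAST README; verify against your server.
"""
import base64
import json
import os
import ssl
import urllib.request

BASE_DOMAIN = "odiss.eu"
# Assumed placeholder for your own BOAST API (port 1337 as in the config below).
API_URL = "https://boast.example.com:1337/events"

TEST_ID = "c7uahecqkjjzee5gymjq6rhuui"   # the ID used in the curl examples above
CANARY = "dqmrmrteaanmdykiqtlbq2mq5i"    # constructed value

# Constructed sample of an /events reply (not captured traffic): the target
# first resolved the subdomain (DNS event) and then fetched it (HTTP event).
SAMPLE_RESPONSE = json.dumps({
    "id": TEST_ID,
    "canary": CANARY,
    "events": [
        {"id": "evt1", "time": "2021-08-07T00:10:01Z", "testID": TEST_ID,
         "receiver": "DNS", "remoteAddress": "203.0.113.9:41223",
         "dump": f";; QUESTION SECTION:\n{TEST_ID}.{BASE_DOMAIN}. IN A",
         "queryType": "A"},
        {"id": "evt2", "time": "2021-08-07T00:10:02Z", "testID": TEST_ID,
         "receiver": "HTTP", "remoteAddress": "203.0.113.9:44148",
         "dump": f"GET / HTTP/1.1\r\nHost: {TEST_ID}.{BASE_DOMAIN}\r\n\r\n",
         "queryType": ""},
    ],
})


def new_secret() -> str:
    """Client-chosen secret for 'Authorization: Secret ...'; BOAST derives the
    test ID from it, so keep it private."""
    return base64.b64encode(os.urandom(32)).decode()


def callback_targets(test_id: str, base_domain: str) -> dict:
    """Both payload forms shown above; the subdomain form also yields a DNS hit."""
    return {
        "subdomain": f"https://{test_id}.{base_domain}",
        "path": f"https://{base_domain}/{test_id}",
    }


def parse_events(body: str, test_id=None):
    """Return (id, canary, events); optionally keep only events for our testID."""
    data = json.loads(body)
    events = data.get("events", [])
    if test_id is not None:
        events = [e for e in events if e.get("testID") == test_id]
    return data["id"], data["canary"], events


def classify_interaction(events) -> str:
    """Judge what the target did from which receivers fired."""
    receivers = {e.get("receiver", "").upper() for e in events}
    has_dns = "DNS" in receivers
    has_http = bool(receivers & {"HTTP", "HTTPS"})
    if has_dns and has_http:
        return "dns+http"    # full out-of-band connection
    if has_dns:
        return "dns-only"    # name resolved, but egress blocked or no fetch
    if has_http:
        return "http-only"   # e.g. path form, or a cached resolver answer
    return "none" if not receivers else "other"


def summarize(events):
    """One log-style line per event for quick eyeballing."""
    return [f"{e['time']} {e['receiver']:<5} {e.get('queryType') or '-':<4} "
            f"from {e['remoteAddress']}" for e in events]


def canary_confirms(reply_body: str, canary: str) -> bool:
    """BOAST echoes the canary in its reply to a callback; seeing it proves the
    request reached your server and not a look-alike."""
    return canary in reply_body


def fetch_events(api_url: str, secret: str, insecure: bool = False) -> str:
    """Live poll of the API (not exercised offline). insecure=True is only for
    the self-signed OpenSSL test certificate described below."""
    req = urllib.request.Request(api_url, headers={"Authorization": f"Secret {secret}"})
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print("poll with: curl -H 'Authorization: Secret %s' %s" % (new_secret(), API_URL))
    for kind, url in callback_targets(TEST_ID, BASE_DOMAIN).items():
        print(f"{kind:<9} {url}")
    tid, canary, events = parse_events(SAMPLE_RESPONSE, TEST_ID)
    print("\n".join(summarize(events)))
    print("verdict:", classify_interaction(events), "| canary:", canary)
```

A DNS-only verdict is still a finding: the target resolved your hostname, so the injection point is live even if outbound HTTP is filtered; the path form would have shown nothing at all in that case.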

https://www.youtube.com/watch?v=GK46fsCL7kk

For Custom BOAST

Using odiss.eu is convenient, but all of your callback traffic ends up on a third-party server.

So sometimes you have to run the callback server yourself, which you can do with an open-source project called BOAST.

https://github.com/marcoagner/boast

BOAST is a Go application that, like odiss.eu, acts as a callback server for identifying out-of-band interactions; you simply deploy it on a server and point a domain at it.

Build BOAST

clone

git clone https://github.com/marcoagner/boast
cd boast

make

make

When make completes, the binary has been built.

./boast -h   
BOAST v0.1.0 (by Marco Pereira 'AGNER')

Usage:
./boast [OPTION...]

  -config string
    	TOML configuration file (default "boast.toml")
  -dns_only
    	Run only the DNS receiver and its dependencies
  -dns_txt string
    	DNS receiver's TXT record
  -log_file string
    	Path to log file
  -log_level int
    	Set the logging level (0=DEBUG|1=INFO) (default 1)
  -v	Print program version and quit

DNS Configuration

To use all of BOAST's features properly you need control of a domain's DNS. When running, BOAST starts an embedded DNS server that collects and stores the queries it receives for its domain and reports them to you; for that to work, the domain (or a subdomain of it) must be delegated to the BOAST host with an NS record, plus a glue A record pointing the nameserver name at the host's public IP.

TLS Certificate

BOAST uses certificates for HTTPS on the API (port 1337) and for TLS on the HTTPS callback receiver. If you only want to monitor plain HTTP callbacks you can leave the HTTPS receiver out of the config, but the API always needs a certificate because it is served over HTTPS only.

Make Certificate Using Let’s Encrypt

Create a certificate with Let’s Encrypt and move it to the ~/go/src/agner.io/boast/tls path (or wherever the tls_cert and tls_key entries in your config point).

Make Certificate Using OpenSSL (for Testing)

Make the CA key and a self-signed CA certificate (-days is added so the CA does not expire after the 30-day default).

openssl genrsa -out servercakey.pem 2048
openssl req -new -x509 -days 3650 -key servercakey.pem -out serverca.crt

Make the server private key and a CSR, then sign the CSR with the CA.

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server_reqout.txt
openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out server.crt

Both files are already PEM-encoded, so this step only copies them to the names referenced in the config (the -text variant prepends a human-readable dump that PEM parsers skip, but -out is cleaner).

openssl rsa -in server.key -out private.pem
openssl x509 -in server.crt -out public.pem

Note that curl (and ZAP itself) will reject this self-signed chain unless you pass -k or trust serverca.crt, so use it only for local testing and switch to Let’s Encrypt for a real deployment.

Set config file

BOAST uses TOML for its config. The main sections and their keys are:

Section          Keys
storage          max_events, max_events_by_test, max_dump_size, hmac_key
storage.expire   ttl, check_interval, max_restarts
api              domain, host, tls_port, tls_cert, tls_key
api.status       url_path
dns_receiver     domain, public_ip
http_receiver    host, ports

For more information, see https://github.com/marcoagner/boast/blob/master/docs/boast-configuration.md. The config I wrote for this test is as follows.

[storage]
  max_events = 1_000_000
  max_events_by_test = 100
  max_dump_size = "80KB"
  hmac_key = "TJkhXnMqSqOaYDiTw7HsfQ=="

  [storage.expire]
    ttl = "24h"
    check_interval = "1h"
    max_restarts = 100

[api]
  domain = "frozen.hahwul.com"
  host = "0.0.0.0"
  tls_port = 1337
  tls_cert = "./public.pem"
  tls_key = "./private.pem"

  [api.status]
    url_path = "rzaedgmqloivvw7v3lamu3tzvi"

[http_receiver]
  host = "0.0.0.0"
  ports = [8090]

I set up only HTTP logging. FYI, change ‘storage.hmac_key’ and ‘api.status.url_path’ to values other than the ones in the example: the HMAC key is used to derive test IDs and canaries from client secrets, and the URL path is the only thing protecting the status page, so treat both as secrets (openssl rand -base64 32 is a fine source).
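As an added example (not the author's config above and not a file from the BOAST repository), here is a fuller boast.toml that also turns on the DNS and HTTPS receivers, so subdomain payloads produce DNS events and https:// callbacks are captured. The storage, api and http_receiver keys are the ones used on this page, and dns_receiver.domain and public_ip are from the table above; dns_receiver.host and port and the whole https_receiver section are assumed by analogy with http_receiver and must be checked against docs/boast-configuration.md before use. The domain, IP and secrets are placeholders.

```toml
[storage]
  max_events = 1_000_000
  max_events_by_test = 100
  max_dump_size = "80KB"
  # Replace with your own: openssl rand -base64 32
  hmac_key = "CHANGE-ME-output-of-openssl-rand-base64-32"

  [storage.expire]
    ttl = "24h"
    check_interval = "1h"
    max_restarts = 100

[api]
  domain = "oast.example.com"
  host = "0.0.0.0"
  tls_port = 1337
  # Let's Encrypt output, or ./public.pem and ./private.pem from the OpenSSL steps
  tls_cert = "./tls/fullchain.pem"
  tls_key = "./tls/privkey.pem"

  [api.status]
    # Unguessable path; it is the only access control on the status page
    url_path = "CHANGE-ME-random-status-path"

# Needs this delegation in the parent zone so *.oast.example.com lookups
# reach this host on port 53:
#   oast.example.com.      NS   ns1.oast.example.com.
#   ns1.oast.example.com.  A    203.0.113.10      (glue record)
[dns_receiver]
  domain = "oast.example.com"
  public_ip = "203.0.113.10"
  host = "0.0.0.0"     # assumed key, check the docs
  port = 53            # assumed key; binding 53 needs root or CAP_NET_BIND_SERVICE

[http_receiver]
  host = "0.0.0.0"
  ports = [80, 8090]

# Assumed section, mirroring http_receiver plus the TLS pair; check the docs
[https_receiver]
  host = "0.0.0.0"
  ports = [443]
  tls_cert = "./tls/fullchain.pem"
  tls_key = "./tls/privkey.pem"
```

Verify the delegation before trusting the DNS receiver: `dig +trace id.oast.example.com` should end at ns1.oast.example.com, and the query should then appear as a DNS event in the API.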

Run

Run it! You can also specify the config file directly with the -config flag.

./boast
2021-08-07T00:07:08.288Z 3922139 main.go:65: [INFO] Starting BOAST v0.1.0
2021-08-07T00:07:08.288Z 3922139 httprcv.go:56: [INFO] HTTP receiver: Listening on http://0.0.0.0:8099
2021-08-07T00:07:08.288Z 3922143 server.go:65: [INFO] Web API Server: status URL is https://0.0.0.0:1337/rzaedgmqloivvw7v3lamu3tzvi
2021-08-07T00:07:08.288Z 3922143 server.go:67: [INFO] Web API Server: Listening on https://0.0.0.0:1337

Conclusion

OOB testing helps identify many vulnerabilities and is a very important part of testing, so there was a strong need for an OOB tool built into ZAP. It’s great that it was developed and added so quickly 😍
