Zest (Scripting language for security testing)

๐Ÿ” Introduction

Zest is a JSON-based scripting language created by the Mozilla security team. It is currently maintained in ZAP Core. Behaviour is defined using HTTP requests/responses, a headless browser and the assertions used in tests, and the steps are executed in sequence to run the test.

{
  "about": "Zest에 대한 설명",
  "zestVersion": "0.8",
  "title": "스크립트 이름",
  "description": "스크립트 설명",
  "prefix": "https://www.hahwul.com",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {},
    "elementType": "ZestVariables"
  },
  "statements": [...],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}

🚀 Interfaces

ZAP GUI

Zest is used as the scripting engine inside ZAP, so scripts can also be written and used through the ZAP GUI.

Zest CLI

Zest normally runs as a library of ZAP, but it also has a CLI interface. It can be built separately, and with the zest-env image it can be used through Docker, GitHub Actions and the like. For details, see the “Zest in CLI” article below.

https://github.com/hahwul/zest-env

docker pull hahwul/zest-env:v1.0.0
docker run hahwul/zest-env:v1.0.0 zest -script <YOUR-ZEST-SCRIPT>

โŒจ๏ธ How to Write

ZAP Script Console

ZAP ๋‚ด๋ถ€์˜ Scripts tab, Scripts Console tab์„ ํ†ตํ•ด GUI, CLI๋กœ ์ฝ”๋“œ๋ฅผ ์ž‘์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

ZAP Zest Record

ZAP ๋‚ด๋ถ€์—๋Š” Zest Record๋ž€ ๊ธฐ๋Šฅ์ด ์žˆ์Šต๋‹ˆ๋‹ค. Record ์‹œ์  ์ดํ›„๋ถ€ํ„ฐ ๋ฐœ์ƒํ•œ ์›น ์š”์ฒญ์„ ๊ธฐ๋กํ•˜๋ฉด์„œ Zest script๋ฅผ ์ผ๋ถ€ ์ž๋™ ์ž‘์„ฑํ•ด์ฃผ๋Š” ๋„๊ตฌ๋กœ ์ž˜ ํ™œ์šฉํ•œ๋‹ค๋ฉด ๋น ๋ฅด๊ฒŒ ์Šคํฌ๋ฆฝํŠธ๋ฅผ ๊ตฌ์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

https://user-images.githubusercontent.com/13212227/148578438-36f6b97d-3ff9-4c15-a4e4-aaa19c92a2a5.jpg

TextEditor & IDE

Because it is JSON-based, you can also write a Zest script by hand. However, JSON is not an easy format to edit, so I think writing the code in the GUI is better.

🧬 Structure

Statements

Zest runs on a value called statements. This value holds the actions to be processed and takes the form of an array. When Zest runs, it executes the array in order: web requests are sent, logic is processed according to the Action, Assertion, Condition and Assignment statements, and the result is shown.

Condition (ifStatements)

Zest ๋‚ด๋ถ€์—์„œ ๋ถ„๊ธฐ(If)๋ฅผ ์œ„ํ•ด์„  Condition์„ ์‚ฌ์šฉํ•˜์—ฌ ๋ถ„๊ธฐ ์ฒ˜๋ฆฌ๋ฅผ ๊ตฌํ˜„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Assertions

Assertion์€ ๊ฒ€์ฆ์„ ์œ„ํ•œ ๊ธฐ๋Šฅ์ž…๋‹ˆ๋‹ค. ์œ ๋‹› ํ…Œ์Šค์™€ ๊ฐ™์€ ํ…Œ์ŠคํŠธ ์ฝ”๋“œ๋“ค์—์„œ Assertion ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒƒ๊ณผ ๋™์ผํ•œ ๊ฐœ๋…์ž…๋‹ˆ๋‹ค. ์šฐ๋ฆฌ๊ฐ€ ์ง€์ •ํ•œ ๋ฃฐ ์ด์™ธ์˜ ๊ฒฐ๊ณผ๊ฐ€ ์žˆ๋‹ค๋ฉด ์ด๋ฅผ ํ‘œํ˜„ํ•ด์ค˜์„œ ์‰ฝ๊ฒŒ ์•Œ ์ˆ˜ ์žˆ๋„๋ก ์ œ๊ณตํ•ด์ค๋‹ˆ๋‹ค.

Action

Action์€ ์‹คํ–‰ํ•  ๋™์ž‘์„ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค. ํ•ด๋‹น ๋ถ€๋ถ„์—๋Š” Sleep, ๋ณ€์ˆ˜ ๊ฐ’ ์„ธํŒ… ๋“ฑ์ด ์žˆ๊ณ  Scan ๊ด€๋ จ ๋ถ€๋ถ„์€ ZAP๊ณผ์˜ ์˜์กด์„ฑ์ด ์žˆ์Šต๋‹ˆ๋‹ค.

Assignment

Assignment์€ ๋ณ€์ˆ˜๋ฅผ ์ปจํŠธ๋กคํ•˜๋Š” ๊ธฐ๋Šฅ์ž…๋‹ˆ๋‹ค. ์ด๋ฅผ ์ด์šฉํ•˜์—ฌ ๋‚œ์ˆ˜๋ฅผ ์ƒ์„ฑ, ํŠน์ • ๊ฐ’์„ ๊ณ„์‚ฐ ๋“ฑ ์ž‘์—…์„ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๊ณ  ์ด๋ฅผ form์ด๋‚˜ attribute ๋“ฑ Zest ๋‚ด๋ถ€์—์„œ ๊ฐ’์„ ๋ถˆ๋Ÿฌ์™€ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Variables are referenced internally as {{ variable_name }}.

Loop

Since Zest is a language that executes sequentially for testing purposes, loops might seem hard to build, but they can be built with Loop. However, for genuinely complex loops you have to combine Loop with the Assignments above, so for that kind of work a general-purpose scripting language such as Ruby or Python is probably a better fit.
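
To make the execution model of the sections above concrete, here is an added example, not code from the original post or from Zest itself: a small Python interpreter for a Zest-style statements array that resolves {{ }} tokens with the delimiters from parameters, then runs an Assignment, a Request with an Assertion, and a Condition whose else branch fails the run (Loop is left out). Apart from ZestScript and ZestVariables, which the page shows, the element type names are assumed from the Zest core classes, and the HTTP client is a constructed offline stub.

```python
import json
import re

# Constructed example, not the post's; element types beyond ZestScript/ZestVariables are assumed.
SCRIPT = json.loads(r'''{"zestVersion": "0.8", "type": "StandAlone",
  "parameters": {"tokenStart": "{{", "tokenEnd": "}}", "tokens": {}, "elementType": "ZestVariables"},
  "statements": [
    {"elementType": "ZestAssignString", "variableName": "path", "string": "/health"},
    {"elementType": "ZestRequest", "method": "GET", "url": "https://example.test{{ path }}",
     "assertions": [{"elementType": "ZestAssertion",
                     "rootExpression": {"elementType": "ZestExpressionStatusCode", "code": 200}}]},
    {"elementType": "ZestConditional", "ifStatements": [],
     "rootExpression": {"elementType": "ZestExpressionRegex", "variableName": "response.body",
                        "regex": "\"status\":\\s*\"ok\""},
     "elseStatements": [{"elementType": "ZestActionFail", "message": "unexpected body for {{ path }}"}]}
  ], "elementType": "ZestScript"}''')

def fake_fetch(method, url):  # constructed offline stand-in for the HTTP client
    return (200, '{"status": "ok"}') if url.endswith("/health") else (404, "not found")

def expand(text, variables, params):
    """Substitute {{ name }} tokens using the delimiters declared in the script's parameters."""
    pattern = re.escape(params["tokenStart"]) + r"\s*(\S+?)\s*" + re.escape(params["tokenEnd"])
    return re.sub(pattern, lambda m: str(variables.get(m.group(1), m.group(0))), text)

EXPRESSIONS = {  # expression handlers: element type -> predicate over the variable map
    "ZestExpressionStatusCode": lambda e, v: v.get("response.status") == e["code"],
    "ZestExpressionRegex": lambda e, v: re.search(e["regex"], v.get(e["variableName"], "")) is not None}

def evaluate(expr, variables):  # the 'not' flag inverts the result, as in Zest
    return EXPRESSIONS[expr["elementType"]](expr, variables) != expr.get("not", False)

def run(script, fetch):  # walk the statements array in order; failures are collected, not raised
    variables, failures, params = {}, [], script["parameters"]
    def step(statements):
        for st in statements:
            if st["elementType"] == "ZestAssignString":
                variables[st["variableName"]] = expand(st["string"], variables, params)
            elif st["elementType"] == "ZestRequest":
                status, body = fetch(st["method"], expand(st["url"], variables, params))
                variables.update({"response.status": status, "response.body": body})
                failures.extend("assertion failed: " + a["rootExpression"]["elementType"] for a in
                                st.get("assertions", []) if not evaluate(a["rootExpression"], variables))
            elif st["elementType"] == "ZestConditional":
                taken = evaluate(st["rootExpression"], variables)
                step(st["ifStatements" if taken else "elseStatements"])
            elif st["elementType"] == "ZestActionFail":
                failures.append(expand(st["message"], variables, params))
    step(script["statements"])
    return variables, failures
```

Calling run(SCRIPT, fake_fetch) returns the final variable map and an empty failure list; swapping in a client that returns a 500 yields both the failed status assertion and the ZestActionFail message.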

🕹 Tools

📚 Articles

📌 References

Licensed under CC BY-NC-SA 4.0