Simon Bennetts edited this page Jan 14, 2020 · 6 revisions

Setting up ZAP to Test OWASP Pixi

Note: This FAQ is a work in progress as of 2018-June-11.

The following steps are based on a spider/scan of Pixi at http://localhost:8000/ using ZAP 2.7.0.

Note: This FAQ contains spoilers: <details> tags have been used to make them expandable and not immediately visible (which should work in most modern browsers).
Note: These instructions assume you've created a user: [email protected] with password: testExample (via http://localhost:8000/register).

  1. Access Pixi (http://localhost:8000/) while proxying through ZAP.
  2. Register a user (then logout if you're automatically logged in). Login with that user. Logout.
  3. Create "pixi" context (or edit the "Default Context"):
    3a) "Include in Context": http://localhost:8000.*
    3b) "Exclude from Context": http://localhost:8000/logout
    3c) "Flag as Context" > "pixi: Form-based Auth Login Request" POST:login(pass,user).
    3d) Set "Username Parameter" as user and "Password Parameter" as pass.
  4. Navigate to http://localhost:8000/about (while proxying through ZAP).
    4a) Find GET:about in the Sites tree, in the response find "My Profile". While "My Profile" is highlighted right click and "Flag as Context" > "pixi : Authentication Logged-in Indicator".
  5. Open the "pixi" context and go to the "Users" panel.
    5a) Click "Add..."
    5b) Create a user as follows:
  6. Back in the Sites tree, right click "http://localhost:8000", select "Attack" then "Spider...".
    6a) In the Spider dialog select test from the "User" dropdown menu.
    6b) Click "Start Scan".
  7. In your browser access "My Profile" and note the URL. (It should be something like http://localhost:8000/profile/45.) Find the URL in the Sites tree (ex: GET:45 in the "profile" folder), right click and exclude it from the Context (or just the Scanner). [This is done to prevent the scanner from changing the password of the user account being used to scan.]
  8. Optionally run the Ajax spider (using the context and configured user).
  9. At this point you should login as the admin user. Hopefully you've already figured out the vulnerability to get those details.
    Spoiler: Getting the Admin user details
    Access "http://localhost:8000/service.conf".

  10. As was done earlier make a new 'admin' user, based on the details obtained in the previous step.
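Steps 3 to 7 above are clicked through in the ZAP desktop UI. The script below is an added example (not part of this wiki page and not ZAP project code) that performs the same context, form-based authentication, user and spider setup through the ZAP API, which is how you would repeat the setup in CI. It assumes the python-owasp-zap-v2.4 client (`from zapv2 import ZAPv2`) and its `context`, `authentication`, `users` and `spider` endpoints; `RecordingZap` is a constructed stand-in that records the calls so the logic can be checked without a running ZAP. The registered e-mail address, the `/login` path and the `/profile/45` URL are placeholders you replace with your own values.

```python
"""Scripted equivalent of the wiki's ZAP context/user setup for Pixi (added example)."""
import re
import time
from urllib.parse import quote, urlencode

PIXI = "http://localhost:8000"  # Pixi base URL used throughout the wiki page


def form_auth_params(login_url, user_param="user", pass_param="pass"):
    """Build the authMethodConfigParams string for ZAP's form-based auth.

    ZAP substitutes {%username%} / {%password%} with the context user's
    credentials at login time.  The loginRequestData value is itself
    URL-encoded because ZAP parses the whole string as key=value&key=value;
    an unencoded '&' or '=' inside it would split the parameters wrongly.
    """
    request_data = "{}={{%username%}}&{}={{%password%}}".format(user_param, pass_param)
    return "loginUrl={}&loginRequestData={}".format(login_url, quote(request_data, safe=""))


def credential_params(username, password):
    """authCredentialsConfigParams for a form-based auth user ('@' in e-mails is encoded)."""
    return urlencode({"username": username, "password": password})


def exclusion_regex(url):
    """ZAP context rules are regexes matched against the whole URL, so escape the literal URL."""
    return re.escape(url)


def configure_pixi_context(zap, username, password, profile_url, context="pixi", user_label="test"):
    """Steps 3-5 and 7 of the wiki page via the API; returns (context_id, user_id)."""
    context_id = zap.context.new_context(context)
    zap.context.include_in_context(context, PIXI + ".*")                      # 3a
    zap.context.exclude_from_context(context, exclusion_regex(PIXI + "/logout"))  # 3b
    zap.authentication.set_authentication_method(                              # 3c/3d
        context_id, "formBasedAuthentication", form_auth_params(PIXI + "/login"))
    # 4a: "Flag as Context" on highlighted text yields a \Q...\E literal regex.
    zap.authentication.set_logged_in_indicator(context_id, r"\QMy Profile\E")
    user_id = zap.users.new_user(context_id, user_label)                       # 5a/5b
    zap.users.set_authentication_credentials(context_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(context_id, user_id, True)
    # 7: keep the scanner away from the scanning user's own profile page so it
    # cannot change that account's password mid-scan.
    zap.context.exclude_from_context(context, exclusion_regex(profile_url))
    return context_id, user_id


def spider_as_user(zap, context_id, user_id, url=PIXI, poll_seconds=2):
    """Step 6: spider as the context user and block until the scan reports 100%."""
    scan_id = zap.spider.scan_as_user(context_id, user_id, url)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return scan_id


class _Endpoint:
    """Records every call made on one API endpoint and returns canned ids (constructed)."""
    _canned = {"new_context": "1", "new_user": "0", "scan_as_user": "7", "status": "100"}

    def __init__(self, name, log):
        self._name, self._log = name, log

    def __getattr__(self, method):
        def call(*args):
            self._log.append((self._name + "." + method, args))
            return self._canned.get(method, "OK")
        return call


class RecordingZap:
    """Constructed stand-in for zapv2.ZAPv2; swap in the real client to talk to ZAP."""

    def __init__(self):
        self.calls = []
        for name in ("context", "authentication", "users", "spider"):
            setattr(self, name, _Endpoint(name, self.calls))


if __name__ == "__main__":
    # Real use: zap = ZAPv2(apikey="<your api key>", proxies={"http": "http://localhost:8080"})
    zap = RecordingZap()
    cid, uid = configure_pixi_context(zap, "REPLACE_WITH_REGISTERED_EMAIL", "testExample",
                                      PIXI + "/profile/45")
    spider_as_user(zap, cid, uid)
    for name, args in zap.calls:
        print(name, args)
```

The one value worth checking by hand is the `loginRequestData` encoding: if you paste it into the API UI unencoded, ZAP silently records an empty or truncated login request and the spider runs unauthenticated, which shows up as no "My Profile" indicator ever matching.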