OWASP ZAP Not receiving Alerts for subsequent active scan - javascript

I have been using ZAP to find any final kinks for a website I'm working on. Everything is working great except for I've noticed that there are no alerts being logged in the ZAP gui when I run an active scan following a passive spider.
The initial passive scan for a new session logs alerts just fine but I'd really like to see the alerts from the active scan. Am I missing something? I tried restarting a new session and going straight to attacking but it's still not logging anything. Does it maybe need to finish before it starts logging the alerts? I have checked the generated html report and it doesn't indicate whether the alert was flagged by a passive or active scan so I really can't tell. I doubt there are so few vulrnabilities in my little web app.
If anyone has an idea as to what setting I'm missing or if I'm doing something wrong I'd appreciate the advice.

Ah, I think I may have found what was going on. I checked the real time scan progress and ZAP skipped many attacks because of low rule limits I set to speed up the scan.

How are you exploring your app?
The number of requests are very low, that suggests to me that you are not exploring your app effectively.
You can either explore the app manually (which proxying your browser through ZAP) or using automation via:
The standard spider (fast, but doesnt handle javascript so well)
The ajax spider (slower, but launches browsers so handled JS well)
Your own unit tests (good but only if you have some)
Have a look at you app in the Sites tree - if it doesnt appear to be showing as many pages as you expect then you need to focus on exploring your app more effectively.
The active scanner doesnt do any exploring, it only attacks the urls you've found by other means.

Related

Blank page and anything more juicy showing "Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist"

I'm using dissenter which is chromium->chrome->brave->dissenter. My current assumption is that this a is an error with chrome but maybe not, but none-the-less its a problem with dissenter and maybe the fork hierarchy.
I've looked up the internet for a solution but they all suggest I am writing some chrome extension or doing anything other than writing a plain old javascript/html/css webpage. So it's quite a webpage involving all kinds of stuff going on from the server and when I seen it behaving like this on chrome-alike I was flabberghasted that the web application takes no account of chrome as some kind of special browser thinking I might have to rewrite the whole application and getting nowhere to start debugging from, I set about building the app from scratch, adding chunks of the app as I went along the debug process.
The first thing I did was write "index.html" with 4 characters "test" and the same error appears. Its as if chrome just doesnt work without error even on the most basic of a "web application" (if you get my meaning).
Am I mistaken in thinking chrome is not strictly industry standards compatible and some kind of IE5.5 like thing. What's going on with this error. I cant log in to the application while this error exists on chrome.

Detect and deflect Javascript injected from Inspector

Short version:
Is it possible to detect that someone added code to run inside a page from the browser inspector?
Long version:
Stock broker companies give their users the real time value of stocks, other free tools give you a delayed version of such values, for example 15 minutes old information.
There are other types of financial companies that have real time API to give you access to stock market at a cost.
What some people do is to keep their browsers open in the broker site and inject some JS code to observe the changes and post them elsewhere using XHR or web sockets. Not only network calls but also notification API and the draft Serial API can be exploited to put data out of the site.
This usually can't be done automatically due to the secure nature of logins requiring captcha or other methods. But once logged in and injected the hack will work until the tab is closed.
Usually this is not done by injecting script tags with outer files source, just pasting the whole code inside inspector and running it.
Now back to the question: Can a site know that code rogue code is running in their site?
I thought of some methods like a HASH of every variable used and if anything new is created it reloads the page or warn the user. But I'm not sure it is possible in nowadays JS, I guess document.all could help.
So yes, kinda, and also no kinda... there isn't a great cross browser solution to this as their implementation of the debug tools are all slightly different. This solution is probably the best I've found so far.

Downloading excel files from MS Planner trough a script

So I have to automate a process that downloads an excel file from Microsofts Planner website.
I have tried doing this 3 Different ways and have always hit a dead end. The only solution that seems to work is a script that imitates keypresses but is considered "bad practice" at my workplace.
First was obviously to use Microsoft Graph. It doesn't work because it would have to request for permissions from our companys MS ADMIN every time it makes an request. So thats a no go.
Edit: As #Crowcoder tried to anwser the post, his solution does not work. For it to work we would have to register into Azure Active Directory and we currently don't use it. (We use the MS local AD).
Then I have tried using GnuWin32 (Wget for windows). Doesn't work as it requires you to login 2 times and you can only put in creditentials once (Or maybe you can ? -> Couldn't figure out how).
After that I have tried to use the command for powershell. That comes close but also requires me to login with a popup.
Edit: Here we see the anwser from #lit which does not fit either. I have tried the solution and it promts a Google chrome alert login, and then also the MS Planner login (but you can put your creditentials only once as shown in the code below this).
Export-PlannerUserContent -UserAadIdOrPrincipalName -username -ExportDirectory "C:\pathToExport"
And for the end part the only solution that seems to work is the last one where I imitate keyboard presses to download the file. How the program runs:
Open up chrome(With a shortcut to MS planner website)
imitate keyboard presses to open DEV Console (ctrl+shift+J)
Imitate keyboard so that imputs text(Javascript) to click the login into planner (if it exists, if not the function returns an error and skips this part)
Imitate keyboard so that it inputs JS function that finds the necesary button and opens/presses the download button.
after that it selects the 2nd pland and downloads it aswell (Same imitation of a keyboard textinput).
While this solution is the only one that "Works" I have been told that I should find a different solution as the keyboard simulator is not a viable solution for our company because of strict policies we have. Another reason why it cannot be used is because im trying to make this script run on our server with a service account that has no GUI. So I hit some sort of a dead end there as well.
EDIT: So What i'm trying to do here is implement a "headless" chrome that would do what it does now but can't seem to find a break trough.
So my question is does anybody have any tips, pointers or suggestions for improving the existing solutions or creating alternative ones that would be more appropriate.
Would love to hear your opinions on what I should research or do.
I would also like to note that most API Calls don't work without heavy proxy configuration which I would like to avoid if possible.

Testcafe works when it should not

First thanks to anyone who can help with this it's greatly appreciated.
As you can see by the title this is a very weird occurrence. I do a lot of work with testcafe and can't really explain this.
The scenario is at my company we raise instances in AWS put our product on the instance then run the automation. These instances are automatically torn down in around 3 hours so I can't really post an instance example as it will tear down. When I try to go to the instance I get stuck with a spinner at the login page. I tried firefox, chrome, chromium, safari, incognito, tor, etc... They all get stuck at this spinner, in fact, this happens to everyone in the company.
For some reason when I run some tests via testcafe on my computer using chrome on this instance it gets past this spinner, logs in, then just resumes tests like nothing is wrong. I have tried using localhost as the host, different ports, skip js errors, and other flags. I am updated to the latest version of testcafe. My theory is that it has something to do with the proxy server that testcafe launches (just a guess). I tried online proxy servers and even made a local proxy server but still, none can get past this spinner.
I'm pretty sure more info would be needed to help out on this I'm just not sure what to add. If any tips or logs to add please let me know.
UPDATE:
I tried a few more online proxy site and found one that worked (performed in the same behavior as testcafe). I believe at this point i can prove that its related to the proxy server. Now with that proved, im assuming there is no way to get around this issue right (meaning have testcafe fail)?
I have opened with testcafe and they have reported its a bug: https://github.com/DevExpress/testcafe/issues/6055

Sitecore doing random things

I have a feeling that our Sitecore install is messed up with the configuration but I can't point out where. Things happen at random in the Sitecore client. For example -
Clicks in the Sitecore client do nothing.
If I log out say after opening up Log Viewer and then log back in, I only see the log viewer and no other options.
Clicking on a link would log me out.
If I am logged in and another admin tries to log in with his/her credentials, sometimes they see my credentials.
IE 8 continuously throws 'scWin' related javascript errors.
The first 4 are consistent across firefox, chrome and IE. The last one is totally an IE occurrence.
An IIS reset fixes these issues but then these occurrences start happening again pretty quickly.
I've looked at log files but I don't see anything there. What else can I do here?
This sounds really strange. Are you sure you are not infected with some kind of malware or some virus?
Does it occur on every pc that is working with this solution?
You could try to remove the Sitecore files and copy fresh files from the install zip to see if that resolves the issue.
This does sound rather strange... First thing I would do is make sure you followed the IE setup guide exactly, to make sure it's not your browser causing problem. Javascript is definitely enabled, yes? The fact that it happens in Firefox also though means this probably isn't the real issue. Martijn might be on to something... have you tried using another machine entirely to access the site?
It turned out to be .NET caching - section - was turned on and was causing all sorts of issues. We removed this and it all worked.

Categories