Climbing Mount WebAppSec – ZAP Directory Traversal

Whilst reading the OWASP Testing Guide v4 I came across the section on testing for directory traversal and noted the “tools” listed at the bottom.

Wfuzz and DirBuster (the latter now incorporated into ZAP) I know about and will be dealing with in an upcoming post, “Discovering directories/files”.

This left DotDotPwn and ZAP (Zed Attack Proxy) itself.

Interestingly, DotDotPwn is incorporated into TrustedSec’s Penetration Testers Toolkit (blogged about here) under “vulnerability-analysis”.

So, quick and easy for me to fire up the tool and unleash it – however – I immediately hit a brick wall with URLs not responding. It transpires this tool cannot easily handle HTTPS without a fair amount of hassle.

And of course the good news is that vast swathes of the Internet are moving over to HTTPS.

So, ZAP was left to try. Can it do directory traversal and, if so, am I able to use this function alone?

I know the HTTPS element will be no problem as I configured a ZAP SSL certificate to handle this in setup. There’s plenty of tutorials out there.

After some digging I found some encouraging signs when I met with a ZAP extension on GitHub called TestPathTraversal.java. This file had only been modified 16 hours previously.

The clue to the puzzle was further back in the GitHub path; namely, /ascanrules/.

Inside zaproxy/zap-core-help on GitHub is a VERY useful guide page on setting Active Scan Rules, and fourth from the bottom is “Path Traversal”.

So, without further meandering, here is how I set an Active Scan Rule in the Scan Policy Manager for Path Traversal alone.

Hit this icon in the toolbar:

Click “add” in the Scan Policy Manager.

Name your policy – mine is “Traversal”.

Click for dropdown in the “Threshold” box and select “OFF” for: “Information Gathering”, “Injection” and “Miscellaneous” as I have below:

In the left side pane click “Server Security” and again in the “Threshold” box select “Off” for “Remote Files Inclusion”:

Click “OK” and “Close”.

Back in the main ZAP GUI, find the website you want to target (you would have previously surfed there in your browser whilst proxying through ZAP), right-click and select “Attack” and then “Active Scan”:

The “Active Scan” dialog will pop up. Select the furthest-right tab, “Policy”.

Double-check your policy is selected:

And “Start Scan”.

Only the Path Traversal function is unleashed upon the target.
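The same single-rule policy can be built without the GUI through ZAP’s own API, which is handy when the scan has to run from a script or a CI job. This is an added example, not code from the original post or from the ZAP project: it assumes a local ZAP listening on http://127.0.0.1:8080 with the API key placeholder `changeme`, and it selects the rule by its GUI name (“Path Traversal”) rather than hard-coding a rule id. The `fetch` argument is a hook so the request plan can be checked offline.

```python
"""Recreate the 'Traversal' scan policy from the post via the ZAP JSON API.

Added example (not from the original post). Assumes ZAP on 127.0.0.1:8080
and uses the ascan endpoints addScanPolicy, disableAllScanners,
scanners, enableScanners and scan.
"""
import json
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"   # assumed local ZAP instance
API_KEY = "changeme"            # placeholder; set to your ZAP API key


def zap_call(component, kind, name, params, fetch=None):
    """Build a ZAP JSON API URL and fetch it (fetch is injectable for tests)."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"
    fetch = fetch or (lambda u: json.load(urllib.request.urlopen(u)))
    return fetch(url)


def select_scanner_ids(scanners, wanted_name):
    """Ids of the active scan rules whose name matches the GUI label."""
    return [s["id"] for s in scanners if s["name"] == wanted_name]


def build_single_rule_policy(policy, rule_name, fetch=None):
    """Mirror the Scan Policy Manager steps: new policy, everything Off,
    then re-enable just the one rule. Returns the ids enabled."""
    zap_call("ascan", "action", "addScanPolicy", {"scanPolicyName": policy}, fetch)
    zap_call("ascan", "action", "disableAllScanners", {"scanPolicyName": policy}, fetch)
    listing = zap_call("ascan", "view", "scanners", {"scanPolicyName": policy}, fetch)
    ids = select_scanner_ids(listing["scanners"], rule_name)
    if not ids:
        # Refuse silently scanning with nothing enabled; the name is wrong.
        raise LookupError(f"no active scan rule named {rule_name!r}")
    zap_call("ascan", "action", "enableScanners",
             {"ids": ",".join(ids), "scanPolicyName": policy}, fetch)
    return ids


def start_scan(target, policy, fetch=None):
    """Start an Active Scan restricted to the policy; returns ZAP's scan id."""
    resp = zap_call("ascan", "action", "scan",
                    {"url": target, "recurse": "true", "scanPolicyName": policy}, fetch)
    return resp["scan"]


if __name__ == "__main__":
    build_single_rule_policy("Traversal", "Path Traversal")
    print("scan id", start_scan("https://target.example/", "Traversal"))
```

Progress can then be polled with the `ascan/view/status` view using the returned scan id, and the ZAP Alerts tab (or `core/view/alerts`) shows what the single rule found.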

Wonderful, granular control, I’m sure you’ll agree!