How to prevent OWASP ZAP scanner hitting external URLs in Standard Mode? - owasp

I am new to OWASP ZAP. I ran an automated scan in Standard Mode on my own website hosted on localhost (http://127.0.0.1:8000) with both the traditional and AJAX spiders.
There are some external public URLs in the localhost website which are not under http://127.0.0.1:8000, like CDNs etc. Yet ZAP's Information Window shows them:
The Spider tab shows the external URLs Flagged as Out of Scope.
The AJAX Spider tab shows some external URLs returned 403 Forbidden.
The Active Scan tab shows content-signature-2.cdn.mozilla.net at the bottom.
Did ZAP actually "scan" those external URLs? If yes, then how do I prevent this from happening? Can this cause some kind of legal issue?
Thanks.

The AJAX Spider is not hitting those URLs - the requests are made from the browsers which ZAP launches and ZAP is returning the 403s.
ZAP will permit requests for JavaScript files (and I think CSS ones too from memory) as blocking these breaks many apps. However these are just standard requests that any browser would make - ZAP does NOT attack URLs that are out of scope.
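To make the scope distinction concrete, here is an added example (not ZAP's own code or API): a small model of how a ZAP context decides whether a URL is in scope, using regex include/exclude lists the way a context does, and what each phase does with an out-of-scope URL according to the answer above. The phase rules (spider only lists out-of-scope links, the AJAX spider's browser gets a 403 from ZAP for out-of-scope requests except JS/CSS, active scan never attacks out of scope) are taken from the answer and should be treated as an assumption about ZAP's behaviour rather than a specification; the context and the spider results are constructed samples, apart from the Mozilla CDN host mentioned in the question.

```javascript
// Added example, not ZAP's own code: model a ZAP context's in-scope decision
// (regex include/exclude) and the per-phase handling described in the answer.
// The phase rules are an assumption drawn from the answer, not a ZAP API.

const CONTEXT = {
  // Constructed sample context: only the app on localhost is in scope,
  // and the logout endpoint is excluded so the crawl does not kill its session.
  include: [/^http:\/\/127\.0\.0\.1:8000(\/.*)?$/],
  exclude: [/^http:\/\/127\.0\.0\.1:8000\/logout.*$/],
};

function inScope(url, context = CONTEXT) {
  const included = context.include.some((re) => re.test(url));
  const excluded = context.exclude.some((re) => re.test(url));
  return included && !excluded;
}

// The answer says ZAP lets the browser fetch JS (and probably CSS) even when
// out of scope, because blocking them breaks many apps.
function isScriptOrStyle(url) {
  const path = new URL(url).pathname.toLowerCase();
  return path.endsWith('.js') || path.endsWith('.css');
}

function classify(url, context = CONTEXT) {
  const scoped = inScope(url, context);
  let ajaxSpider;
  if (scoped) ajaxSpider = 'pass';
  else if (isScriptOrStyle(url)) ajaxSpider = 'pass (script/style allowed)';
  else ajaxSpider = '403 from ZAP';
  return {
    url,
    inScope: scoped,
    // Traditional spider: out-of-scope links are listed, never crawled.
    spider: scoped ? 'crawl' : 'list as out of scope',
    // AJAX spider: requests come from the launched browser, ZAP answers them.
    ajaxSpider,
    // Active scan: attacks are only ever sent to in-scope URLs.
    activeScan: scoped ? 'attack' : 'skip',
  };
}

// Constructed sample of what the spiders reported (the Mozilla host is the
// one named in the question; it is a normal browser background request).
const SPIDER_RESULTS = [
  'http://127.0.0.1:8000/',
  'http://127.0.0.1:8000/static/app.js',
  'http://127.0.0.1:8000/logout?next=/',
  'https://cdn.example.net/lib/jquery.min.js',
  'https://content-signature-2.cdn.mozilla.net/',
];

// The list a tester actually needs to review: what the active scan will hit.
function attackTargets(urls, context = CONTEXT) {
  return urls.filter((u) => classify(u, context).activeScan === 'attack');
}

for (const row of SPIDER_RESULTS.map((u) => classify(u))) console.log(row);
console.log('active scan targets:', attackTargets(SPIDER_RESULTS));
```

Running this prints that only the two localhost URLs are attack targets; the logout URL is excluded from scope, and the CDN hosts are either listed as out of scope or, for the JS file, merely fetched by the browser. The same check is useful before any scan: put your own host in the context's include list and review the attack target list rather than the full history, since the history will always contain passive browser traffic.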

Related

How to apply affiliation cookies through browser extension without redirect?

I'm currently working on a browser extension project for an affiliate marketing business. Affiliate marketing usually works by setting tracking cookies on click to identify the referrer in case an article is bought on the partner's website and rewards the referrer afterwards.
How can some browser extensions "activate cashback" or "activate affiliation" without having the user go through a redirect page? How can they apply all the tracking cookies with no apparent redirection?
Options I considered:
Creating an API endpoint that would store an array of cookies set during the chain of redirection then applying them directly on the browser. Problem: some platforms use client script with URL matching to set cookies on landing on the partner's website.
Maybe it has something to do with form posting hack: https://stackoverflow.com/a/4702110/7576507
Furthermore, how can one know that the tracking cookies have been set properly?
It seems that these browser extensions create a tab using a standard affiliate link without focusing it.
Once it is completely loaded (DOM, external scripts etc...), they close it and display on the main tab that tracking has been activated.

Content hosted by github pages doesn't show up perfectly

I was experimenting with GitHub after building a little web app as a project for freeCodeCamp. After hosting it on GitHub Pages it shows up broken. Most of its content is blocked. This is the link: https://mojojojo77.github.io/
On Mozilla it says that the connection is secure but "Firefox has blocked parts of this page which are not secure." I looked into the console for the problem and the APIs I used seem to be the cause. Is there a way to bypass this? Like asking the user for permissions.
Load your resources using a // protocol instead of http:// or https://. That will cause the browser to request resources using a protocol that matches the page (using SSL if the page does, and not if it doesn't).
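As an added example (not code from the answer above), the following checks which resource references a page served over HTTPS would load as mixed content and applies the protocol-relative rewrite the answer suggests. The page URL and resource list are constructed; in a browser the list would come from the `src`/`href` attributes of the page's elements.

```javascript
// Added example, not from the original answer: detect mixed content and show
// the protocol-relative rewrite. Sample page and resource URLs are constructed.

function isMixedContent(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative ("//host/path") references resolve against
  // the page, so they inherit its scheme and are never mixed content.
  const res = new URL(resourceUrl, page);
  return page.protocol === 'https:' && res.protocol === 'http:';
}

function toProtocolRelative(resourceUrl) {
  // Only absolute http(s) URLs need rewriting; relative ones are already fine.
  return /^https?:\/\//i.test(resourceUrl)
    ? resourceUrl.replace(/^https?:/i, '')
    : resourceUrl;
}

function findMixedContent(pageUrl, resourceUrls) {
  return resourceUrls.filter((r) => isMixedContent(pageUrl, r));
}

// Constructed sample: what a page on GitHub Pages might reference.
const PAGE = 'https://example.github.io/';
const RESOURCES = [
  'http://api.example.com/weather.json',   // absolute http: blocked on an https page
  'https://code.jquery.com/jquery.min.js', // already https
  '//fonts.example.org/font.css',          // protocol-relative: follows the page
  'css/style.css',                         // relative: follows the page
];

console.log('blocked as mixed content:', findMixedContent(PAGE, RESOURCES));
console.log('rewritten:', RESOURCES.map(toProtocolRelative));
console.log('still blocked after rewrite:',
  findMixedContent(PAGE, RESOURCES.map(toProtocolRelative)));
```

Only the absolute `http://` API URL is flagged, and after the rewrite nothing is. Two caveats worth knowing: the rewrite only works if the API host actually serves HTTPS (the browser will request `https://api.example.com/...` and fail if that does not exist), and on a plain `http://` page a protocol-relative reference is downgraded to HTTP along with the page. Where the host supports it, writing `https://` explicitly is the safer choice.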

Facebook canvas iframe and security

I want to open my small platform to developers, so they can build applications that could be inserted in our site as iframes. Similar to what Facebook is doing, but no, I am not trying to build another Facebook :). From what I understand developers can build Facebook applications using iframes.
Question: I am wondering how security works from a Facebook user's perspective. How does Facebook prevent an application developer from putting malware JavaScript code inside the iframe? I haven't noticed any automatic mechanism that prevents including something like that in an iframe.
Thanks
No, this is not a problem at all, I think you are worrying for nothing.
There are no security issues that you need to worry about yourself, the loaded page in the iframe is sandboxed, and is "guarded" by the browser.
The two iframes can't even communicate with one another since they are not sharing the same domain, and modern browsers will block any attempt to execute javascript code in another frame if the two frames have different domain.
The thing that facebook did was to workaround that problem, each iframe app in facebook loads the facebook javascript sdk which then enables the nested iframe to make requests to facebook and be notified (by callbacks) when the data returns.
As for "malware javascript code inside iframe to attack user computer via browser", the iframe has the same exact security policies enforced by the browser as any other browser page, if someone manages to somehow bypass those policies then it has little difference where it's loaded, and facebook are not enforcing any other security measures.
The only thing you need to worry about is that scripts inside the iframe will be able to access your scripts and/or DOM, which should not happen unless you create a mechanism which will let them (somehow bypass the cross-domain policy).
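The answer's last point is where a platform embedding third-party apps usually does need a deliberate mechanism: the parent page and the app frame are different origins, so any communication goes through an explicit channel, and that channel is the place to enforce policy. The following added example (not Facebook's SDK or code from the answer) shows the parent-side handler for `window.postMessage` messages from embedded apps: it accepts only origins registered for the platform, only a fixed set of actions, and validates the payload, so an app script never gets a handle on the host DOM. The app registry, origins and messages are constructed samples; the handler is a pure function so it can be exercised outside a browser.

```javascript
// Added example, not Facebook's SDK or the answer's code: parent-side handler
// for messages from embedded third-party app iframes. Registry, origins and
// messages below are constructed samples.

// Constructed registry of apps the platform has approved, keyed by origin.
const REGISTERED_APPS = new Map([
  ['https://app-one.example', { name: 'App One' }],
  ['https://app-two.example', { name: 'App Two' }],
]);

// Only these actions are honoured; anything else is dropped.
const ALLOWED_ACTIONS = new Set(['ready', 'resize']);
const MAX_FRAME_HEIGHT = 5000;

function handleAppMessage(event, registry = REGISTERED_APPS) {
  // event.origin is filled in by the browser from the sender's origin and
  // cannot be forged by the sending frame, so it is the thing to check.
  const app = registry.get(event.origin);
  if (!app) return { accepted: false, reason: 'unknown origin' };

  const msg = event.data;
  if (!msg || typeof msg !== 'object' || !ALLOWED_ACTIONS.has(msg.action)) {
    return { accepted: false, reason: 'unknown action' };
  }

  if (msg.action === 'resize') {
    // Validate the payload: the parent changes one style property itself;
    // the app never touches the parent's DOM.
    const height = Number(msg.height);
    if (!Number.isInteger(height) || height < 0 || height > MAX_FRAME_HEIGHT) {
      return { accepted: false, reason: 'bad height' };
    }
    return { accepted: true, app: app.name, action: 'resize', height };
  }
  return { accepted: true, app: app.name, action: 'ready' };
}

// Browser wiring (not executed here): the platform page registers the handler
// and embeds each app with a sandboxed iframe. Omitting allow-same-origin keeps
// the frame in an opaque origin even if it were served from the platform's host.
//   window.addEventListener('message', (e) => {
//     const r = handleAppMessage(e);
//     if (r.accepted && r.action === 'resize') frame.style.height = r.height + 'px';
//   });
//   <iframe sandbox="allow-scripts allow-forms" src="https://app-one.example/app"></iframe>

// Constructed sample events.
console.log(handleAppMessage({ origin: 'https://app-one.example', data: { action: 'resize', height: 600 } }));
console.log(handleAppMessage({ origin: 'https://evil.example', data: { action: 'resize', height: 600 } }));
console.log(handleAppMessage({ origin: 'https://app-two.example', data: { action: 'eval', code: '...' } }));
```

When replying to an app, pass its exact origin as the `targetOrigin` argument of `postMessage` rather than `'*'`, so a response cannot be delivered to a frame that has navigated elsewhere.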

Secure Page Tab URL question - running the original version in a iframe inside a secure html file

I noticed a site that offers a free secure adaptor for page tab apps.
Looking at the source code, I saw that the adaptor was basically an iframe running my old insecure url inside a html file hosted on a secure server.
Is such a solution going to last for Facebook?
From what I read about SSL, this doesn't seem entirely legit and I wouldn't want to start using such a service and then discover that in a month or two Facebook will block these practices or that this sort of "secure" page will generate all sorts of browser warnings.
I don't really deal with Facebook data (except for signed_request and app_data), my app requires no permissions and no data from the user, so I won't need to interact with Facebook in my secure version, other than asking for the signed_request and possibly app data
Wouldn't you still have a mixed content warning if the initial content is loaded over HTTPS and your original page is loaded over HTTP in an iframe?
Unless I'm missing something here, this solution is only going to solve the 'Facebook says I need a secure URL' problem, not 'Facebook says I need a secure URL so people can access my app over HTTPS without problems'.

IFrame facebook app with httpS

Is there a way to run an HTTPS application as an IFrame Facebook app? If not, how can I prevent replay attacks and make sure that the content passed between the browser and the server is not captured?
Also, is it possible to have Ajax calls to the server going over secure channel?
Thanks,
Pomponius.
All you need to do is set your canvas URL to an https URL. However, you are going to run into a number of issues, such as the Facebook JavaScript SDK not being hosted on https. Also, you should be aware that Facebook itself is susceptible to relay attacks so you aren't really going to be able to fully mitigate the problem. As far as making AJAX calls to your server, you have complete control over that, so as long as your client-side JavaScript and your server support this then it won't be a problem.