Passive Scan in OWASP ZAP - owasp

I have started learning OWASP ZAP and I am confused about passive scanning in OWASP ZAP.
On right clicking the node in Site tree I do not see any passive scanning option, however under Tools | Options I am able to see Passive Scan Rules.
How can I run Passive Scan in OWASP ZAP?
Is the "URL to attack" in the Quick Start the same as Active Scan after Spidering?
Thanks

They run by default, so you have to actually choose to disable them :)
ZAP will run the (enabled) passive scan rules against all URLs that are either proxied through ZAP or visited by either of the spiders.
https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan
Cheers,
Simon (ZAP Project Lead)

Related

How to execute OWASP ZAP `Spider` for a recorded and exported `Sites` and `Context` through Node

I have recorded a flow and created/Exported a Sites and Context using OWASP ZAP Tool.
Now I need to run ZAP SPIDER on the recorded Sites with Context through NodeJS.
I have done `npm install zaproxy`.
Now I need to know how I can access/import the recorded Context and Sites in my code, execute Spider, and generate reports on it.
Thanks in Advance
I cover using the ZAP API in this vid: https://www.youtube.com/watch?v=3vVnMh6AUkk&list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB&index=14
Do you have to use the NodeJS client? That's not really maintained by the ZAP core team and is currently out of date.

How do I enable Failed Request Tracing in IIS 10.0 on Windows 10 development PC?

How do I enable Failed Request Tracing in IIS 10.0 on my Windows 10 dev PC?
I can find instructions for IIS7 and IIS8.5 (see http://www.iis.net/learn/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis-85) but it doesn't seem to be available in IIS10.
According to above instructions there should be a link to "Failed Request Tracing" under "Configure" in the Actions pane - but see in screen shot it is clearly not there:
[Screenshot of IIS Actions pane]
The instructions should work exactly the same since the UI has not changed. Make sure that you install Failed Request Tracing: to do that, run `OptionalFeatures.exe` and make sure that Tracing is enabled under Internet Information Services -> World Wide Web Services -> Health and Diagnostics.
You can also add this feature by going to Start -> Turn Windows features on or off -> Internet Information Services -> Health and Diagnostics.
You can enable the tracing feature using this PowerShell command (running as Administrator):
`Install-WindowsFeature Web-Http-Tracing`

Right design for SiteMinder

I have to give my recommendations for an architecture for SSO using Site Minder.
We have a few J2EE applications. These J2EE applications are designed to work when HTTP headers have information after authentication by the SSO provider. We have kept our applications SSO provider agnostic. This means we only rely on headers from the SSO provider. This worked well with RSA as the SSO provider.
Now there is another architecture proposed with SiteMinder. The way the request will flow is:
SiteMinder with IIS -> Apache Reverse Proxy -> Tomcat Application -> Backend Applications.
To break down we will have
a) SiteMinder with IIS (public facing site)
b) Apache Reverse Proxy ( For routing)
c) Tomcat Application (For routing and a logic for site access based on time)
d) Backend applications
The reason for bringing the new architecture is that all back end applications have code for site access. The site can be down for some time, which is controlled by a property file.
I find this architecture wrong. I do not understand why the Apache Reverse Proxy is required. I would still go with a simple architecture with the flow as
a) SiteMinder with IIS doing the routing -> Backend Applications(accessing a common service to check whether site can be accessed or not)
Am I missing something?
The Apache reverse proxy would make it easier to load balance between multiple IIS instances. As far as I know to do something similar on IIS you would need to use the ARR (application request routing) module which won't be optimised to work with Tomcat etc.
However, the SiteMinder with IIS does seem an added overhead in your architecture. The Apache reverse proxy also supports SiteMinder agents. Why don't you push for setting up the SiteMinder agent on the Apache proxy and remove IIS completely from the picture? I can think of the following benefits:
Remove one extra layer from the architecture
Remove an extra network hop
Clean up the stack. Apache + Tomcat is very standard in enterprises while IIS + Apache + Tomcat definitely isn't.
Hope this helps
I don't see the rationale behind the second architecture either. The first scenario is a much more common deployment of SiteMinder.
Be aware that this kind of architecture potentially opens vulnerabilities (logon bypass notably). See my answer on this question. Those remarks are true for both architectures.
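
The applications in this question trust identity headers set by the SSO layer, so each back end has to confirm that a request really arrived through that layer before reading them. The following is an added example of that check, not code from the question or its answers; the header name `X-SSO-User` and the hop addresses are hypothetical.

```python
import ipaddress

# Hypothetical header name: the page only says the apps "rely on headers".
IDENTITY_HEADER = "x-sso-user"
# Constructed addresses: the only hops allowed to assert an identity.
TRUSTED_HOPS = [ipaddress.ip_network("10.0.5.10/32"),
                ipaddress.ip_network("10.0.5.11/32")]


def resolve_identity(peer_ip, headers):
    """Return the authenticated user, or None if the header must be ignored.

    peer_ip -- address of the direct TCP peer (never X-Forwarded-For,
               which is set by whoever sent the request).
    headers -- list of (name, value) pairs exactly as received.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    # Only the SSO-protected hop may vouch for a user.
    if not any(peer in net for net in TRUSTED_HOPS):
        return None
    values = [v.strip() for n, v in headers if n.lower() == IDENTITY_HEADER]
    # Require exactly one non-empty value; duplicates mean an upstream hop
    # forwarded a copy it did not set itself.
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


# Constructed sample requests: (direct peer, headers as received).
SAMPLES = [
    ("10.0.5.10", [("X-SSO-User", "alice")]),                          # via SSO hop
    ("192.0.2.77", [("X-SSO-User", "admin")]),                         # direct to back end
    ("10.0.5.11", [("X-SSO-User", "bob"), ("x-sso-user", "admin")]),   # duplicate header
    ("10.0.5.10", [("Host", "app.example")]),                          # no identity at all
]


def run_samples():
    return [resolve_identity(ip, hdrs) for ip, hdrs in SAMPLES]


if __name__ == "__main__":
    for (ip, _), user in zip(SAMPLES, run_samples()):
        print(ip, "->", user)
```

The same rule applies to both architectures discussed above: network rules should also ensure the back ends accept connections only from the SSO-protected hop, so the application check is a second layer rather than the only one.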

Can I set-up Springsource ToolSuite (STS) or Eclipse to pick up my Network ID and password for Internet Access

When using Eclipse (3.6.) or STS (2.6. or 2.8., based on Eclipse 3.6.) you need to set-up proxy entries in order to be able to access the internet.
This can be a pain so I'd like to be able to set-up the entry to automatically detect the userID and password.
I presume that this can be done as we used to have to enter our ID and password for internet access when using IE, or Firefox, but this is now done for us using Kerberos.
I've been told that if Eclipse links to Kerberos or NTLM - Then we can set up the proxy.
So does anyone know if Eclipse will link into Kerberos or NTLM? And if so, how do we do it?
Thanks.
I think you are looking for the preference page Preferences -> General -> Network Connection. You can set your proxy and other network information here.

Windows authentication with Eclipse

I use Eclipse daily for software development and those of you that use it know that you download plugins and updates regularly. The company I work for has Bluecoat installed, which blocks all of the updates. However, the update URLs are not blocked in Internet Explorer. With this said, the problem seems to be that Eclipse is not using Windows authentication when it requests updates from the URLs. Is there a way to set Eclipse up so that it acts like IE?
That could be linked to the proxy and not to Bluecoat:
If IE does authorize access to the update URLs, it must do so through an authenticated proxy connection.
If you do have such a setting (proxyname:port, user/password), you should report that setting in your Eclipse, in order for p2 within that Eclipse to use those same settings.
(Menu Preferences : General / Network Connections)