[Owasp-leaders] Bring balance: force verification in scanning tools

psiinon psiinon at gmail.com
Mon May 23 08:50:42 UTC 2016


OK, so I now have no idea if you are for your original proposal or against
it ;)

I think it's a bad idea.

As I mentioned before, I did worry before I released ZAP that I might be
adding to the problem rather than reducing it.
I don't believe that's the case now, but if I ever do come to the conclusion
that ZAP is making the internet less secure then I'll stop working on it.
I'm pretty sure that the vast majority of people who use ZAP use it for the
right reasons, and they more than make up for the minority who use it for
the wrong reasons.

FYI the licences used for some of the code included in ZAP preclude the
sale of any software that uses it.
We can not legally charge money for the ZAP software. Even if we could, I
always wanted ZAP to be a completely free tool that anyone can use and get
involved in developing.
I've always stated that there will be no 'pro' version of ZAP and I'm not
going to go back on that.

And as a side note, I don't think that the checks put in place by SaaS
products are there to protect end users.
They are to protect the SaaS service from being misused and therefore
reducing their liability.
Nothing wrong with that, and it's already a feature I planned to add to ZaaS.
I'm not aware of any desktop tool implementing such a feature _except_ as a
way to protect revenues.
If anyone has any counter examples please shout.

So, the reasons why I'm against adding verification checks to desktop ZAP:

ZAP will not be usable against many legitimate sites, such as deliberately
vulnerable test sites and sites taking part in bounty programs.
Such checks would significantly reduce the number of people using ZAP. If
I'm right in my above assumption then many more people who currently use it
for good will stop using it than the ones who use it for bad things.
Most users will just stop using ZAP and will either use nothing or
alternative tools.
Some people will fork ZAP and remove those checks. These forks will either
get out of date or will be updated independently of the 'official' repos,
completely fragmenting ZAP development.
Some people will offer 'cracked' versions of ZAP, many of which will
probably be infected by malware.

I think it would probably be the end of ZAP as a popular security tool and
that would actually make the internet a little bit less secure.
Anyone can of course fork ZAP and put verification steps in, but I would
be extremely surprised if such a fork would take off.
I'd be interested in other people's views on this, but don't expect to see
verification in _desktop_ ZAP any time soon ;)

Cheers,

Simon


On Mon, May 23, 2016 at 2:17 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> *On the plus side, most people running nmap scans do not have the patience
> or prerequisite knowledge to use nmap in that manner.*
> >>Exactly so the most known patterns probes of this type would be
> identified. Only a very selected group of hackers know how to play with Nmap
> in this way...
>
> *>>So, you are NOT disagreeing that ZAP would be modified and made
> available, but rather that whether or not it would be made available for
> free???*
>
> Yes. It is a business opportunity. Right? pay Burp USD 300/year or adapt
> ZAP 😝 and charge for it.
>
> *>>-would in fact cause black hats to PROFIT from modifying and then
> reselling ZAP? So rather than restricting ZAP from the hands of malevolent
> people, you instead--as a likely unintended consequence--cause these same
> people to further profit from ZAP.*
>
> Well, reality is, they already are profiting. We are giving the whole Zap
> for free 😁. Now we cause them more trouble but of course this is also a
> business opportunity for those with resources. I honestly think that we
> make their lives more difficult because now instead of downloading Zap for
> FREE they have to pay 😝
>
> *>>But let's not do something that will leave the end situation worse than
> what we started. You are a hacker, so when you propose these things, think
> like one and how you would go about getting around those obstacles.*
>
> Well, that's why I asked you: did you get into ZAP code? You talk like it is
> the easiest thing to do.
> How many pentesters here can get into ZAP development? Not many, I assure
> you.
>
> I think Kevin, you are thinking way too complex about cyber
> criminals/hacktivists.
>
> Most use the same darn tools *for free* we make available to them. Some,
> just some, adapt them, write their own scripts and for this, they use the
> same darn OS tools like Nmap and Kali distro and the powerful NSE engine to
> write on top their exploits or automate their attacks.
>
> I for example took NSE and have adapted it to my purposes. Wrote a Joomla
> exploit but I'm not releasing that. I have no need to show what I do, just
> for myself. I honestly don't want to help others to hack.
>
> Check Phineas' hacking tutorial:
> "
> There are a lot of hackers in that world who are better than I am, but
> disgracefully fritter away their knowledge working as "defence"
> contractors, for intelligence agencies, protecting banks and corporations
> and defending the established order"
> So Phineas is just another pen tester working for the other side...or God
> knows, maybe a Security Specialist during the day, Hacker at night.
>
> Did you know that OWASP had a LulzSec hacker just like that? Maybe Phineas
> is just an OWASP volunteer...God knows 😎
>
> http://www.reuters.com/article/us-cyber-arrests-martyn-idUSBRE82807M20120309
>
> "Darren Martyn, who was named in an indictment unsealed in Manhattan
> federal court on Tuesday, was a local chapter leader of the Open Web
> Application Security Project, which develops open-source applications to
> improve security, according to an official at the international group."
>
>
>
> On Sun, May 22, 2016 at 8:03 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>
>> On Sun, May 22, 2016 at 6:55 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Definitely Bev :-)
>>>
>>> In fact this is the kind of thing we should discuss. Should we start a
>>> formal process to bring this to a panel discussion?
>>>
>>
>> Let's let this thought experiment play out a little bit longer
>> before we do that.
>>
>>> I started developing a tool 'Nmapalyzer':
>>> https://github.com/ossecsoft/nmapalyzer
>>> It is a tool to identify the data packages sent by NMAP probes. Reverse
>>> engineering of nmap TCP sent packages to a target machine
>>> https://www.gitbook.com/book/marylinh/nmapalyzer/details
>>>
>>> So Bev, there are commercial solutions doing this and some OS but not
>>> extensively. My plan with the Nmapalyzer is to help detect network
>>> traffic (passive) and set the information with a nice dashboard. It is in
>>> research phase right now.
>>>
>> A noble example, but one that will not be easy. Fyodor designed nmap
>> with options, when appropriately used, that allows nmap
>> to be evasive and avoid detection. Good luck with that. On
>> the plus side, most people running nmap scans do not have
>> the patience or prerequisite knowledge to use nmap in that
>> manner.
>>
>> >>But given that it IS open source, a hacker would simply fork it on
>>> GitHub or BitBucket or wherever and just point fellow black hats at the
>>> modified source at some other URL.
>>>
>>> Simply? 😏 Hey, do you have fellow blackhat friends that give you exploit
>>> kits for free?
>>>
>>
>> Okay; you got me on that one--in the general sense. But in the
>> case of ZAP and Phineas, I think he would release the tweaked
>> ZAP for free. Phineas is doing this more as hacktivism rather
>> than profit and hacktivists are generally not motivated by
>> money.
>>
>>> blackhats don't give anything for free. Which blackhats are developing
>>> 'open source hacking tools' and giving tools for free like we do? No one,
>>> whether you pay 1 dollar or 300 for anything, they need to make a living.
>>>
>>
>> Well, only hacktivists. I suppose whether you view them as
>> "black hats" or "gray hats" or "white hats" depends on
>> your perspective of whether or not they are engaging in
>> activities which you perceive as fair and just. But I think
>> that most in that crowd are 1) in violation of some laws,
>> and 2) freely share their hacktivist tools with their
>> colleagues for the greater cause.
>>
>>
>>> Have you checked ZAP code? Maybe this part should not be at all
>>> documented. Believe me he will move to BURP or tamper data faster than just
>>> go and take the time to change this. and give it for free...
>>>
>>> Now a professional blackhat will invest his time/money and distribute a
>>> version but it will charge some money for it, just as done with malware
>>> exploitation kits.
>>>
>>> I bet you 100USD that the moment ZAP does this, downloads of this new
>>> version will decrease by 50% and a blackhat will make a version for sale
>>> for a very good price in the dark web (charge USD20 instead of buying BURP
>>> for USD300/year)
>>> Want to bet?
>>>
>>
>> So, you are NOT disagreeing that ZAP would be modified and
>> made available, but rather that whether or not it would be
>> made available for free???
>>
>> So don't you see the here? What you are proposing--to
>> have ZAP be restrained in some manner (e.g., by looking
>> for some specific file name or a file with some specific
>> contents)--would in fact cause black hats to PROFIT from
>> modifying and then reselling ZAP? So rather than restricting
>> ZAP from the hands of malevolent people, you instead--as
>> a likely unintended consequence--cause these same people to
>> further profit from ZAP.
>>
>> Is that really what you want? I think not. We need to be
>> careful before we jump to conclusions here.  And even if
>> ZAP was not open source, the fact that it compiles into
>> Java byte code makes it trivial to decompile. (And obfuscators
>> can only do so much.)
>>
>> But let's not do something that will leave the end situation
>> worse than what we started. You are a hacker, so when you
>> propose these things, think like one and how you would go
>> about getting around those obstacles.
>>
>> -
>> kevin
>>
>> --
>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>> @KevinWWall
>> NSA: All your crypto bit are belong to us.
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader