[Owasp-leaders] Bring balance: force verification in scanning tools

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Mon May 23 14:24:10 UTC 2016


+1

On Mon, May 23, 2016 at 3:23 PM, Tony Turner <tony.turner at owasp.org> wrote:

> I personally do not think this is a problem that needs to be solved. This
> seems like a lot of wasted energy to me that would be better spent focused
> on a project that actually improves application security. Hackers use tools
> developed for Security Pros. Security Pros use tools developed for hackers.
> And the wheel goes round and round. Nothing to see here. Move along...
>
> On Mon, May 23, 2016 at 7:30 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Thank you Simon for providing your pov. My observations
>>
>> *>>OK, so I now have no idea if you are for your original proposal or
>> against it ;)*
>> I like to support based on facts. Data. Stats. We don't have any of this
>> to support that ZAP is being more abused and that actually is really
>> helping security. Fact is there are more breaches now and more hacktivists
>> using and promoting ZAP for the bad reasons.
>>
>> *>> I did worry before I released ZAP that I might be adding to the
>> problem rather than reducing it. I don't believe that's the case now*
>> How do you know? Do we have stats to support this is not the case? If you
>> have data, show me.
>>
>> *>>I'm pretty sure that the vast majority of people who use ZAP use it
>> for the right reasons*
>> Again. Do we have stats to support your view? You could be biased because
>> ZAP is an 'attack' tool and the nature of it basically is for breaking into
>> web apps. Do you feel responsible for this part?
>>
>> *>>FYI the licences used for some of the code included in ZAP preclude
>> the sale of any software that uses it.*
>> Blackhats in the onion don't care about these licenses. They will sell a
>> version if it makes a buck.
>>
>> *>>And as a side note, I don't think that the checks put in place by SaaS
>> products are there to protect end users.*
>> *They are to protect the SaaS service from being misused and therefore
>> reducing their liability*
>> Being misused. That is the point. How do you know that ZAP is not being
>> misused by the majority? Actually that counts for all the attack tools in
>> the appsec arena. However, ZAP has many free features that no commercial
>> tool is giving for free.
>>
>> *>>Nothing wrong with that, and it's already a feature I planned to add to
>> ZaaS.*
>> To avoid misuse, I assume. But will the ZaaS be open source too? I mean,
>> anyone can take the code and adapt it too, right? How do you know there won't
>> be a ZaaS in the onion offering that service using ZaaS? Mmm, looks like a
>> business our blackhats could begin with...
>>
>> *>>I think it would probably be the end of ZAP as a popular security tool
>> and that would actually make the internet a little bit less secure.*
>> Popular among whom? You bet fewer people will download it, but since we have
>> no stats on what kind of peeps are using it for, you cannot conclude this
>> easily.
>>
>> Hey Simon, this whole discussion is a psychological confrontation
>> regarding building attack tools that are being misused.
>> So please, forgive me if I'm confronting you with this, but I just wanted
>> to check how the developers of these tools feel about
>>
>> The stats regarding data breaches are on the rise. Why? Now more than ever,
>> there are more data breaches, and what the data and stats tell me is that
>> whatever is happening, we don't do enough or we do the wrong things to
>> help application security.
>>
>> http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
>>
>> regards
>>
>> Johanna
>>
>>
>>
>> On Mon, May 23, 2016 at 4:50 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> OK, so I now have no idea if you are for your original proposal or
>>> against it ;)
>>>
>>> I think it's a bad idea.
>>>
>>> As I mentioned before, I did worry before I released ZAP that I might be
>>> adding to the problem rather than reducing it.
>>> I don't believe that's the case now, but if I ever do come to the
>>> conclusion that ZAP is making the internet less secure then I'll stop
>>> working on it.
>>> I'm pretty sure that the vast majority of people who use ZAP use it for
>>> the right reasons, and they more than make up for the minority who use it
>>> for the wrong reasons.
>>>
>>> FYI the licences used for some of the code included in ZAP preclude the
>>> sale of any software that uses it.
>>> We can not legally charge money for the ZAP software. Even if we could,
>>> I always wanted ZAP to be a completely free tool that anyone can use and
>>> get involved in developing.
>>> I've always stated that there will be no 'pro' version of ZAP and I'm
>>> not going to go back on that.
>>>
>>> And as a side note, I don't think that the checks put in place by SaaS
>>> products are there to protect end users.
>>> They are to protect the SaaS service from being misused and therefore
>>> reducing their liability.
>>> Nothing wrong with that, and it's already a feature I planned to add to
>>> ZaaS.
>>> I'm not aware of any desktop tool implementing such a feature _except_
>>> as a way to protect revenues.
>>> If anyone has any counter examples please shout.
>>>
>>> So, the reasons why I'm against adding verification checks to desktop
>>> ZAP:
>>>
>>> ZAP will not be usable against many legitimate sites, such as
>>> deliberately vulnerable test sites and sites taking part in bounty programs.
>>> Such checks would significantly reduce the number of people using ZAP.
>>> If I'm right in my above assumption then many more people who currently use
>>> it for good will stop using it than the ones who use it for bad things.
>>> Most users will just stop using ZAP and will either use nothing or
>>> alternative tools.
>>> Some people will fork ZAP and remove those checks. These forks will
>>> either get out of date or will be updated independently of the 'official'
>>> repos, completely fragmenting ZAP development.
>>> Some people will offer 'cracked' versions of ZAP, many of which will
>>> probably be infected by malware.
>>>
>>> I think it would probably be the end of ZAP as a popular security tool
>>> and that would actually make the internet a little bit less secure.
>>> Anyone can of course fork ZAP and put verification steps in, but I
>>> would be extremely surprised if such a fork would take off.
>>> I'd be interested in other people's views on this, but don't expect to see
>>> verification in _desktop_ ZAP any time soon ;)
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>>
>>> On Mon, May 23, 2016 at 2:17 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> *On the plus side, most people running nmap scans do not have the
>>>> patience or prerequisite knowledge to use nmap in that manner.*
>>>> >>Exactly, so the most known probe patterns of this type would be
>>>> identified. Only a very select group of hackers know how to play with Nmap
>>>> in this way...
>>>>
>>>> *>>So, you are NOT disagreeing that ZAP would be modified and made
>>>> available, but rather that whether or not it would be made available for
>>>> free???*
>>>>
>>>> Yes. It is a business opportunity. Right? Pay Burp USD 300/year or
>>>> adapt ZAP 😝 and charge for it.
>>>>
>>>> *>>-would in fact cause black hats to PROFIT from modifying and then
>>>> reselling ZAP? So rather than restricting ZAP from the hands of malevolent
>>>> people, you instead--as a likely unintended consequence--cause these same
>>>> people to further profit from ZAP.*
>>>>
>>>> Well, reality is, they already are profiting. We are giving the whole
>>>> ZAP away for free 😁. Now we cause them more trouble, but of course this is
>>>> also a business opportunity for those with resources. I honestly think that
>>>> we make their lives more difficult because now instead of downloading ZAP
>>>> for FREE they have to pay 😝
>>>>
>>>> *>>But let's not do something that will leave the end situation worse
>>>> than what we started. You are a hacker, so when you propose these things,
>>>> think like one and how you would go about getting around those obstacles.*
>>>>
>>>> Well, that's why I asked you: did you get into the ZAP code? You talk like
>>>> it is the easiest thing to do.
>>>> How many pentesters here can get into ZAP development? Not many, I assure
>>>> you.
>>>>
>>>> I think, Kevin, you are thinking way too complex about cyber
>>>> criminals/hacktivists.
>>>>
>>>> Most use the same darn tools *for free* that we make available to them. Some,
>>>> just some, adapt them, write their own scripts, and for this they use the
>>>> same darn OS tools like Nmap and the Kali distro and the powerful NSE engine to
>>>> write their exploits on top or automate their attacks.
>>>>
>>>> I, for example, took NSE and have adapted it to my purposes. I wrote a Joomla
>>>> exploit but I'm not releasing that. I have no need to show what I do, it is
>>>> just for myself. I honestly don't want to help others to hack.
>>>>
>>>> Check Phineas's hacking tutorial:
>>>> "
>>>> There are a lot of hackers in that world who are better than I am, but
>>>> disgracefully fritter away their knowledge working as "defence"
>>>> contractors, for intelligence agencies, protecting banks and corporations
>>>> and defending the established order"
>>>> So Phineas is just another pen tester working for the other side... or,
>>>> God knows, maybe a security specialist during the day, hacker at night.
>>>>
>>>> Did you know that OWASP had a LulzSec hacker just like that? Maybe
>>>> Phineas is just an OWASP volunteer... God knows 😎
>>>>
>>>> http://www.reuters.com/article/us-cyber-arrests-martyn-idUSBRE82807M20120309
>>>>
>>>> "Darren Martyn, who was named in an indictment unsealed in Manhattan
>>>> federal court on Tuesday, was a local chapter leader of the Open Web
>>>> Application Security Project, which develops open-source applications to
>>>> improve security, according to an official at the international group."
>>>>
>>>>
>>>>
>>>> On Sun, May 22, 2016 at 8:03 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>> wrote:
>>>>
>>>>> On Sun, May 22, 2016 at 6:55 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Definitely Bev :-)
>>>>>>
>>>>>> In fact this is the kind of thing we should discuss. Should we start a
>>>>>> formal process to bring this to a panel discussion?
>>>>>>
>>>>>
>>>>> Let's let this thought experiment play out a little bit longer
>>>>> before we do that.
>>>>>
>>>>>
>>>>>> I started developing a tool 'Nmapalyzer':
>>>>>> https://github.com/ossecsoft/nmapalyzer
>>>>>> It is a tool to identify the data packets sent by NMAP probes: reverse
>>>>>> engineering of the TCP packets nmap sends to a target machine.
>>>>>> https://www.gitbook.com/book/marylinh/nmapalyzer/details
>>>>>>
>>>>>> So Bev, there are commercial solutions doing this and some OS, but not
>>>>>> extensively. My plan with the Nmapalyzer is to help detect network
>>>>>> traffic (passive) and present the information with a nice dashboard. It is in
>>>>>> the research phase right now.
>>>>>>
>>>>>
>>>>> A noble example, but one that will not be easy. Fyodor designed
>>>>> nmap with options, when appropriately used, that allow nmap
>>>>> to be evasive and avoid detection. Good luck with that. On
>>>>> the plus side, most people running nmap scans do not have
>>>>> the patience or prerequisite knowledge to use nmap in that
>>>>> manner.
>>>>>
>>>>>> >>But given that it IS open source, a hacker would simply fork it on
>>>>>> GitHub or BitBucket or wherever and just point fellow black hats at the
>>>>>> modified source at some other URL.
>>>>>>
>>>>>> Simply? 😏 Hey, do you have fellow blackhat friends that give you
>>>>>> exploit kits for free?
>>>>>>
>>>>>
>>>>> Okay; you got me on that one--in the general sense. But in the
>>>>> case of ZAP and Phineas, I think he would release the tweaked
>>>>> ZAP for free. Phineas is doing this more as hacktivism rather
>>>>> than profit and hacktivists are generally not motivated by
>>>>> money.
>>>>>
>>>>>> Blackhats don't give anything for free. Which blackhats are developing
>>>>>> 'open source hacking tools' and giving tools for free like we do? No one;
>>>>>> whether you pay 1 dollar or 300 for anything, they need to make a living.
>>>>>>
>>>>>
>>>>> Well, only hacktivists. I suppose whether you view them as
>>>>> "black hats" or "gray hats" or "white hats" depends on
>>>>> your perspective of whether or not they are engaging in
>>>>> activities which you perceive as fair and just. But I think
>>>>> that most in that crowd are 1) in violation of some laws,
>>>>> and 2) freely share their hacktivist tools with their
>>>>> colleagues for the greater cause.
>>>>>
>>>>>
>>>>>> Have you checked the ZAP code? Maybe this part should not be documented
>>>>>> at all. Believe me, he will move to Burp or Tamper Data faster than
>>>>>> go and take the time to change this and give it away for free...
>>>>>>
>>>>>> Now a professional blackhat will invest his time/money and distribute
>>>>>> a version, but he will charge some money for it, just as is done with malware
>>>>>> exploitation kits.
>>>>>>
>>>>>> I bet you 100 USD that the moment ZAP does this, downloads of this new
>>>>>> version will decrease by 50% and a blackhat will make a version for sale
>>>>>> for a very good price on the dark web (charge USD 20 instead of buying Burp
>>>>>> for USD 300/year).
>>>>>> Want to bet?
>>>>>>
>>>>>
>>>>> So, you are NOT disagreeing that ZAP would be modified and
>>>>> made available, but rather that whether or not it would be
>>>>> made available for free???
>>>>>
>>>>> So don't you see the here? What you are proposing--to
>>>>> have ZAP be restrained in some manner (e.g., by looking
>>>>> for some specific file name or a file with some specific
>>>>> contents)--would in fact cause black hats to PROFIT from
>>>>> modifying and then reselling ZAP? So rather than restricting
>>>>> ZAP from the hands of malevolent people, you instead--as
>>>>> a likely unintended consequence--cause these same people to
>>>>> further profit from ZAP.
>>>>>
>>>>> Is that really what you want? I think not. We need to be
>>>>> careful before we jump to conclusions here.  And even if
>>>>> ZAP was not open source, the fact that it compiles into
>>>>> Java byte code makes it trivial to decompile. (And obfuscators
>>>>> can only do so much.)
>>>>>
>>>>> But let's not do something that will leave the end situation
>>>>> worse than what we started. You are a hacker, so when you
>>>>> propose these things, think like one and how you would go
>>>>> about getting around those obstacles.
>>>>>
>>>>> -
>>>>> ​kevin​
>>>>>
>>>>> --
>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>> @KevinWWall
>>>>> NSA: All your crypto bit are belong to us.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>
>
>


-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
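The mechanism argued over above is the one SaaS scanners use and Kevin sketches as "looking for some specific file name or a file with some specific contents": the scanner refuses a target until a token it issued is served from that host. The following is an added example, not code from this thread, from ZAP or from any SaaS product, showing such a check and the failure modes the thread raises (a deliberately vulnerable training site that serves no token fails verification; a redirect to another host must not count). The token path, the hostnames and the in-memory fake fetcher are all assumptions constructed for an offline run.

```python
"""Added example: a SaaS-style target verification check (not ZAP code).
The scanner only proceeds against a host once a token it issued is served
from a fixed path on that host. The fetcher is injectable so the check runs
offline against constructed fake sites; hostnames and tokens are made up."""
import hmac
import secrets
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Fixed path the site owner must serve the token from (assumption: a
# well-known style path, not anything ZAP or any SaaS actually uses).
TOKEN_PATH = "/.well-known/scanner-verification.txt"

# A fetcher returns (status_code, final_url_after_redirects, body)
# or raises on a network error.
Fetcher = Callable[[str], Tuple[int, str, bytes]]


def issue_token() -> str:
    """Create an unguessable token the operator must place on the target."""
    return secrets.token_urlsafe(32)


def verify_target(target: str, expected_token: str, fetch: Fetcher) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the exact token is served from
    TOKEN_PATH on the same host as `target`, with no redirect to another host."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "target must be an absolute http(s) URL"
    url = f"{parts.scheme}://{parts.netloc}{TOKEN_PATH}"
    try:
        status, final_url, body = fetch(url)
    except Exception as exc:  # network failure, timeout, TLS error, ...
        return False, f"fetch failed: {exc}"
    if status != 200:
        return False, f"token file not served (HTTP {status})"
    # A redirect to a different host would let a site the operator does not
    # control be "verified", so the host that finally served the file must match.
    if (urlsplit(final_url).hostname or "").lower() != parts.hostname.lower():
        return False, "token file was served from a different host after redirect"
    served = body.decode("utf-8", errors="replace").strip()
    # The token is a credential; compare it in constant time like one.
    if not hmac.compare_digest(served.encode(), expected_token.encode()):
        return False, "token mismatch"
    return True, "verified"


# ---- constructed fake sites for an offline demonstration ----
def make_fake_fetcher(sites: dict) -> Fetcher:
    """sites maps a full URL to (status, final_url, body); anything else is a 404."""
    def fetch(url: str) -> Tuple[int, str, bytes]:
        if url not in sites:
            return 404, url, b"not found"
        return sites[url]
    return fetch


TOKEN = issue_token()
FAKE_SITES = {
    # owner placed the token correctly (a trailing newline is tolerated)
    "https://owned.example" + TOKEN_PATH:
        (200, "https://owned.example" + TOKEN_PATH, (TOKEN + "\n").encode()),
    # dvwa.example, a deliberately vulnerable training site, serves no token:
    # it is absent from this map, so the fetcher answers 404 (Simon's objection)
    # a site whose token path redirects to a host the operator does control
    "https://victim.example" + TOKEN_PATH:
        (200, "https://attacker.example" + TOKEN_PATH, TOKEN.encode()),
    # a site serving the wrong token
    "https://other.example" + TOKEN_PATH:
        (200, "https://other.example" + TOKEN_PATH, b"not-the-token"),
}
fetch_fake = make_fake_fetcher(FAKE_SITES)


def demo() -> dict:
    """Run the check against each constructed target; returns {host: ok}."""
    targets = ["https://owned.example/app/", "https://dvwa.example/login.php",
               "https://victim.example/", "https://other.example/"]
    return {urlsplit(t).hostname: verify_target(t, TOKEN, fetch_fake)[0] for t in targets}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host}: {'verified' if ok else 'blocked'}")
```

The check is only as good as the redirect and host handling: with a real HTTP client, pass the final URL after redirects into the host comparison, and note that the training-site case blocks a legitimate target exactly as the thread predicts.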

