Custom Addons and manage on CVE


This documentation provides the complete steps about how to use the custom add-ons in PAC. This documentation explains the steps to use custom addons in PAC. It describes the setup of Git repository, creation of PAC application from the PAC Wizard, creation and uploading of Git connector file, storing secrets in Key Vault, and updating the PAC configuration file. The documentation also provides the complete YAML configuration for PAC file and how to run the pentest.

Setup the Git Repository

We have to store the addon file(i.e. log4j-alpha.zap) and metadata yaml file in the Git repository at particular location.

metadata.yaml

The metadata file will contain the configurations which are required for loading the add-on in ZAP.

Name: log4j
Type: addon
Engine: Java
Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) 
Charset: UTF-8
Dependency:
  Addons: 
    - oast
    - network

Save both log4j-alpha.zap and metadata.yaml files at particular location in git. For example, we saved our files inside the Log4Shell folder.

Git repository
.
|___ Log4Shell
│    │   log4j-alpha.zap
│    │   metadata.yaml

Create a PAC Application from the PAC Wizard

  • Create a PAC application from the PAC Wizard screen, you will see the PAC config file like below.
Collection: Prancer_Collection
ConnectionName: prancer_connector
CloudType: azure
ApplicatioName: JuiceShopCustomAttack
RiskLevel: standard
Compliance:
- CIS
- CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: https://prancersampleapp01.eastus2.cloudapp.azure.com:9000/
WebScan:
  AjaxSpider: false
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: farshid-test
              Region: eastus2
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances-rsd-logshell
AuthenticationMethod: noAuthentication
# All the addons ID listed on link https://www.zaproxy.org/addons.
AddOns:
#  - accessControl
#  - ascanrulesAlpha

Create and upload a Git connector file


We need to create a connector file which will use to connect Git repository.

The name of our file: cve_connector.json

{
  "branchName": "openssl",
  "companyName": "prancer",
  "fileType": "structure",
  "gitProvider": "https://github.com/prancer-io/prancer-custom-attack.git",
  "httpsAccessToken": "secret-git-key",
  "private": true,
  "type": "filesystem"
}

name of the collection defined in git

Field Value Description
branchName branch name The branch name inside the git repository.
companyName company name enter your company name
gitProvider clone URL The URL for clone the git repository.
branchName branch name Git branch name where the zap scripts are available
httpsAccessToken secret key Any secret key which will be used to store the git token in the key vault
private true When doing custom addon or tag based custom addons, it's default behaviour is enabled to True. Read more in "Default Behavior for "private" value
type filesystem Specifying the storage adapter

Default Behavior for "private" value

  • When doing custom add-ons or tag based custom add-ons, it's default behaviour is enabled to 'True'. 
  • However, it will get disabled if the token to clone the "prancer-custom-attack" repository (where all our critical attack code is stored) is empty or not set. 

  • Once the connector file is created, use the Drag and Drop feature or simply click inside of your collection to get it added.

../img/pac/attacks/CVE_upload_file.png

Store the secrets in Key Vault

We require to store the authentication token to connect and clone the Git repository. Generate the git access token from the Git console. Here is the documentation for how to create the personal access token on Github.

  • Be sure to give the following permissions while generating the access token:
repo: Full control of private repositories
read: user Read ALL user profile data

Create the new entry in Key Vault, where Key Name is the value of httpsAccessToken and Key Value is generated access token.

../img/pac/attacks/CVE_vault_upload.png

Update the PAC Config file:

  • Open the PAC Management screen and click on PAC Configuration for which you want to add the script.

../img/pac/attacks/CVE_PAC_configure.png

Add the CVE field in the PAC configuration file.

CVE:
- Path:
    Include:
    - log4shell
    - opensslCertificate
    Exclude: []
  Connector: cve_connector
  Metadata: ""
  Parameters: {}
  Secrets: {}
Field Value Description
Connector connector name the container name which you specified in Git connector.
Path Include and Exclude paths Contains list of include and exclude paths
Path.Include list of path Contains list of script paths ( Regex ) which need to include in processing
Path.Exclude list of path Contains list of paths ( Regex ) which will be excluded while load the scripts.

Complete PAC File:

Collection: Prancer_Collection
ConnectionName: prancer_connector
CloudType: azure
ApplicatioName: JuiceShopCustomAttack
RiskLevel: standard
Compliance:
- CIS
- CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: https://prancersampleapp01.eastus2.cloudapp.azure.com:9000/
WebScan:
  AjaxSpider: false
CVE:
- Path:
    Include:
    - log4shell
    Exclude: []
  Connector: cve_connector
  Metadata: ""
  Parameters: {}
  Secrets: {}
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: farshid-test
              Region: eastus2
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances-rsd-logshell
AuthenticationMethod: noAuthentication

Run the Pentest:

  • Click on start button to run the pentest.

../img/pac/attacks/CVE_run_pentest.png

  • After sometimes when the Pentest will complete then you can see the results by click on See Latest Results link.

../img/pac/attacks/CVE_see_results.png

  • It will open the Application Security Findings page.

../img/pac/attacks/CVE_pentest_result.png