Custom Addons and CVE Management


This documentation gives the complete steps for using custom addons in PAC. It describes how to set up the Git repository, create a PAC application from the PAC Wizard, create and upload a Git connector file, store the Git secret in Key Vault, and update the PAC configuration file. It also shows the complete YAML configuration for the PAC file and how to run the pentest.

Set up the Git Repository

Store the addon file (here log4j-alpha.zap) and its metadata YAML file together at a fixed location in the Git repository.

metadata.yaml

The metadata file contains the configuration ZAP needs to load the addon, including the addons it depends on.

      Name: log4j
      Type: addon
      Engine: Java
      Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) 
      Charset: UTF-8
      Dependency:
        Addons: 
          - oast
          - network

Save both log4j-alpha.zap and metadata.yaml at a fixed location in the repository. In this example they are stored in the Log4Shell folder.

Git repository
.
└── Log4Shell
    ├── log4j-alpha.zap
    └── metadata.yaml

Create a PAC Application from the PAC Wizard

  • Create a PAC application from the PAC Wizard screen. The generated PAC config file looks like this:
Collection: Prancer_Collection
ConnectionName: prancer_connector
CloudType: azure
ApplicatioName: JuiceShopCustomAttack
RiskLevel: standard
Compliance:
- CIS
- CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: https://prancersampleapp01.eastus2.cloudapp.azure.com:9000/
WebScan:
  AjaxSpider: false
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: farshid-test
              Region: eastus2
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances-rsd-logshell
AuthenticationMethod: noAuthentication
# The IDs of all ZAP addons are listed at https://www.zaproxy.org/addons.
AddOns:
#  - accessControl
#  - ascanrulesAlpha

Create and upload a Git connector file


We need a connector file that PAC uses to connect to the Git repository.

cve_connector.json

{
  "branchName": "openssl",
  "companyName": "prancer",
  "fileType": "structure",
  "gitProvider": "https://github.com/prancer-io/prancer-custom-attack.git",
  "httpsAccessToken": "secret-git-key",
  "private": true,
  "type": "filesystem"
}

Field             Value          Description
branchName        branch name    Git branch in the repository that holds the addon folders.
companyName       company name   Your company name.
fileType          structure      Connector file type; keep the value shown.
gitProvider       clone URL      HTTPS URL used to clone the Git repository.
httpsAccessToken  secret key     Name of the Key Vault entry that holds the Git access token. Put the key name here, never the token itself.
private           true/false     Whether the repository is private; a private repository is cloned with the token looked up in Key Vault.
type              filesystem     Connector type; keep the value shown.
  • Once the connector file is created, drag and drop it over a collection.

../img/pac/attacks/CVE_upload_file.png

Store the secrets in Key Vault

We need to store the authentication token used to connect to and clone the Git repository. Generate an access token from your Git provider's console; GitHub's documentation describes how to create a personal access token.

  • Grant the token the following scopes while generating it:
repo        Full control of private repositories
read:user   Read ALL user profile data

If your Git host offers fine-grained tokens, a read-only Contents permission scoped to this single repository is enough for the clone and is the least-privilege choice.

Create a new entry in Key Vault whose Key Name is the value of httpsAccessToken from the connector file (secret-git-key in the example) and whose Key Value is the generated access token.
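Before uploading the connector it is worth checking that the file carries the expected fields and that httpsAccessToken holds a Key Vault key name rather than a pasted token, since the connector file itself is not secret storage. The script below is an added example, not Prancer code; it assumes the seven fields shown in cve_connector.json are the required ones and uses the public GitHub and GitLab token prefixes (plus a bare 40-hex heuristic) to spot a real token. The two connector documents at the bottom are constructed inputs: the page's own connector and a copy with a GitHub-style token in place of the key name.

```python
"""Pre-flight check for a PAC Git connector file.

Added example, not part of Prancer. It assumes the connector carries the seven
fields shown in cve_connector.json and that httpsAccessToken must hold the name
of a Key Vault entry, never the access token itself.
"""
import json
import re
from urllib.parse import urlparse

REQUIRED_FIELDS = ("branchName", "companyName", "fileType", "gitProvider",
                   "httpsAccessToken", "private", "type")

# Shapes a pasted secret would have. The GitHub/GitLab prefixes are the
# providers' documented formats; the bare 40-hex rule is a heuristic.
SECRET_PATTERNS = (
    re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),    # GitHub classic tokens
    re.compile(r"^github_pat_[A-Za-z0-9_]{20,}$"),  # GitHub fine-grained tokens
    re.compile(r"^glpat-[A-Za-z0-9_-]{20,}$"),      # GitLab personal access tokens
    re.compile(r"^[0-9a-f]{40}$"),                  # bare hex token
)


def looks_like_secret(value):
    """True when the value has the shape of a real access token."""
    return any(p.match(value) for p in SECRET_PATTERNS)


def check_connector(text):
    """Return the problems found in a connector JSON document ([] = acceptable)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        return [f"missing field: {f}" for f in missing]

    problems = []
    url = urlparse(data["gitProvider"])
    if url.scheme != "https":
        problems.append("gitProvider must be an https clone URL")
    if not url.path.endswith(".git"):
        problems.append("gitProvider should be the clone URL ending in .git")
    if data["type"] != "filesystem" or data["fileType"] != "structure":
        problems.append("type/fileType must stay filesystem/structure for a git connector")
    if not isinstance(data["private"], bool):
        problems.append("private must be a JSON boolean")
    if not str(data["branchName"]).strip():
        problems.append("branchName is empty")

    key_name = str(data["httpsAccessToken"])
    if data["private"] is True and not key_name:
        problems.append("a private repository needs an httpsAccessToken key name")
    if looks_like_secret(key_name):
        problems.append("httpsAccessToken looks like a real token; store the token in "
                        "Key Vault and reference it here by key name only")
    return problems


# Constructed inputs: the connector from this page, and one where a GitHub-style
# token was pasted in place of the vault key name.
GOOD_CONNECTOR = json.dumps({
    "branchName": "openssl",
    "companyName": "prancer",
    "fileType": "structure",
    "gitProvider": "https://github.com/prancer-io/prancer-custom-attack.git",
    "httpsAccessToken": "secret-git-key",
    "private": True,
    "type": "filesystem",
})
LEAKY_CONNECTOR = GOOD_CONNECTOR.replace("secret-git-key", "ghp_" + "A" * 36)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_CONNECTOR), ("leaky", LEAKY_CONNECTOR)):
        print(label, check_connector(doc) or "ok")
```

Run it against the connector file before dragging it onto the collection; any line mentioning a real token means the secret has to go into Key Vault and the field has to be changed back to the key name.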

../img/pac/attacks/CVE_vault_upload.png

Update the PAC Config file:

  • Open the PAC Management screen and click the PAC Configuration to which you want to add the addon.

../img/pac/attacks/CVE_PAC_configure.png

Add a CVE field to the PAC configuration file.

CVE:
- Path:
    Include:
    - log4shell
    - opensslCertificate
    Exclude: []
  Connector: cve_connector
  Metadata: ""
  Parameters: {}
  Secrets: {}
Field         Value                Description
Connector     connector name       Name of the Git connector file you uploaded, without the .json extension (cve_connector for cve_connector.json).
Path          Include and Exclude  Lists of include and exclude path patterns.
Path.Include  list of regex        Folder paths (regex) in the repository whose addons are loaded.
Path.Exclude  list of regex        Folder paths (regex) skipped while loading, even if they also match Include.
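The layout rules from the Git repository section and the Path rules above can be checked against a clone before the pentest runs, which avoids a failed scan caused by a missing metadata key or an Include pattern that matches nothing. The script below is an added example, not Prancer code. It assumes each addon lives in its own folder holding one .zap file and a metadata.yaml with the keys shown earlier, and that Path.Include and Path.Exclude are regexes matched case-insensitively against the folder path relative to the repository root (the page only says they are regexes). The repository content is a constructed in-memory mapping so the script runs offline; the small metadata parser handles only the flat shape shown on this page and should be replaced by PyYAML for anything richer.

```python
"""Pre-flight check of a custom-addon repository against a PAC CVE entry.

Added example, not part of Prancer. Assumptions are noted inline.
"""
import re

# Keys a metadata.yaml must carry (from the example on this page).
REQUIRED_KEYS = ("Name", "Type", "Engine", "Description", "Charset")


def parse_metadata(text):
    """Parse the flat metadata.yaml shape used on this page: scalar keys plus a
    Dependency.Addons list. Use PyYAML for anything richer."""
    meta, addons, in_addons = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if in_addons:
                addons.append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Addons":
            in_addons = True
        else:
            in_addons = False
            if key != "Dependency":
                meta[key] = value
    meta["Addons"] = addons
    return meta


def folder_of(path):
    return path.rsplit("/", 1)[0] if "/" in path else ""


def selected_folders(repo_files, include, exclude):
    """Apply Path.Include / Path.Exclude to every folder in the repository.
    Assumption: regexes, case-insensitive, searched against the folder path."""
    folders = sorted({folder_of(p) for p in repo_files if "/" in p})
    inc = [re.compile(r, re.IGNORECASE) for r in include]
    exc = [re.compile(r, re.IGNORECASE) for r in exclude]
    return [f for f in folders
            if any(r.search(f) for r in inc) and not any(r.search(f) for r in exc)]


def check_addon_folder(folder, repo_files):
    """Return the problems with one addon folder; [] means it is loadable."""
    problems = []
    names = [p.split("/")[-1] for p in repo_files if folder_of(p) == folder]
    zaps = [n for n in names if n.endswith(".zap")]
    if len(zaps) != 1:
        problems.append(f"{folder}: expected one .zap file, found {len(zaps)}")
    if "metadata.yaml" not in names:
        problems.append(f"{folder}: metadata.yaml is missing")
        return problems
    meta = parse_metadata(repo_files[f"{folder}/metadata.yaml"])
    for key in REQUIRED_KEYS:
        if not meta.get(key):
            problems.append(f"{folder}: metadata.yaml has no {key}")
    if meta.get("Type") != "addon":
        problems.append(f"{folder}: Type must be 'addon'")
    return problems


def preflight(repo_files, cve_entry):
    """Check one entry of the PAC CVE list.
    Returns (folders selected by Include/Exclude, list of problems)."""
    path = cve_entry["Path"]
    chosen = selected_folders(repo_files, path.get("Include", []), path.get("Exclude", []))
    problems = [] if chosen else ["no repository folder matches Path.Include"]
    for folder in chosen:
        problems.extend(check_addon_folder(folder, repo_files))
    return chosen, problems


# Constructed sample repository (not a real clone): the complete Log4Shell folder
# from this page and a second folder with an incomplete metadata.yaml.
LOG4J_METADATA = """\
Name: log4j
Type: addon
Engine: Java
Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0
Charset: UTF-8
Dependency:
  Addons:
    - oast
    - network
"""
SAMPLE_REPO = {
    "Log4Shell/log4j-alpha.zap": b"<addon bytes>",
    "Log4Shell/metadata.yaml": LOG4J_METADATA,
    "opensslCertificate/metadata.yaml": "Name: openssl\nType: script\n",
    "README.md": "# custom attacks",
}
CVE_ENTRY = {"Path": {"Include": ["log4shell", "opensslCertificate"], "Exclude": []}}

if __name__ == "__main__":
    chosen, problems = preflight(SAMPLE_REPO, CVE_ENTRY)
    print("selected:", chosen)
    for problem in problems:
        print("problem:", problem)
```

With the constructed repository the Log4Shell folder passes, while opensslCertificate is selected by Include but reported for its missing .zap file, missing Engine/Description/Charset and wrong Type; adding "openssl" to Exclude drops that folder from the selection entirely.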

Complete PAC File

Collection: Prancer_Collection
ConnectionName: prancer_connector
CloudType: azure
ApplicatioName: JuiceShopCustomAttack
RiskLevel: standard
Compliance:
- CIS
- CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: https://prancersampleapp01.eastus2.cloudapp.azure.com:9000/
WebScan:
  AjaxSpider: false
CVE:
- Path:
    Include:
    - log4shell
    Exclude: []
  Connector: cve_connector
  Metadata: ""
  Parameters: {}
  Secrets: {}
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: farshid-test
              Region: eastus2
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances-rsd-logshell
AuthenticationMethod: noAuthentication

Run the Pentest:

  • Click the Start button to run the pentest.

../img/pac/attacks/CVE_run_pentest.png

  • Once the pentest completes, click the See Latest Results link to view the results.

../img/pac/attacks/CVE_see_results.png

  • This opens the Application Security Findings page.

../img/pac/attacks/CVE_pentest_result.png