Reporting Web Vulnerabilities to Mozilla using Zest

Simon Bennetts

Overview

We always want to hear about potential vulnerabilities in our software, and have a long-running Bug Bounty program to reward those who find serious security bugs.

However we sometimes receive bug notifications for vulnerabilities in our websites that are difficult to reproduce.

This is one of the reasons why we developed Zest: a security scripting language.

We would like to encourage everyone to submit vulnerability reports for server side web applications using Zest. There are plans for Zest to also handle client side vulnerabilities in the future.

Introducing Zest

Zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the Mozilla security team and is intended to be used in web oriented security tools.

Zest scripts are defined in JSON, but they are designed to be represented visually in security tools.

Zest is completely free, open source and can be included in any tool whether open or closed, free or commercial.

Creating a simple Zest script using ZAP

To demonstrate how to create a Zest script we will use the OWASP Zed Attack Proxy (ZAP) which has built in support for Zest.

ZAP is an intercepting proxy, so you will need to configure your browser to proxy through ZAP. Details of how to do this are included in the ZAP help file. If you are unsure how to do this, you can instead use Plug-n-Hack as described in the next section, which will configure your browser for you.

The latest version of the Zest add-on for ZAP provides a toolbar button for quickly recording Zest scripts:

If this button is not shown then click on the ‘Manage Add-ons’ button on the toolbar (the 3 stacked blocks), click the ‘Check for updates’ button and update the Zest add-on.

Note that while Zest is included with ZAP, there is a known problem whereby Zest support can get removed from ZAP after an update, so if Zest is not included in the list of installed add-ons then select the Marketplace tab, find and select the Zest add-on and install it from there. In either case you should restart ZAP.

Clicking on the “Record a new Zest script…” button will open a dialog for creating a new Zest script. You only need to give the script a title, but if you also select (or type) a prefix from the pull down list of sites you have already accessed then ZAP will only record requests with that prefix. The toolbar button will turn red to indicate you are recording and stay pressed.

Now use your browser to reproduce the server side vulnerability that you wish to report.

When you have finished click the toolbar button again to stop recording. The button will turn black.

If you now look at ZAP you should see a graphical representation of the script you have just recorded in the ‘Scripts’ tab and the JSON representation in the ‘Script Console’ tab:

Creating a simple Zest script using ZAP and PnH

If you are new to ZAP then an alternative approach is to use Plug-n-Hack (PnH), another initiative from the Mozilla Security Team, which is covered in another blog post.

To configure Firefox to use ZAP just click on the ‘Plug-n-Hack’ button on the ZAP ‘Quick Start’ tab:

Install the Plug-n-Hack Firefox Add-on and accept all of the dialogs. Note that we recommend that you use a separate Firefox profile for security testing.

Your browser should now be proxying via ZAP – try visiting some sites and verify that they appear in the ZAP ‘History’ tab.

You can now record a Zest script as above, but you can also control both PnH and ZAP via the Firefox Developer Toolbar.

Use ‘Shift F2’ to access the Developer Toolbar and then type ‘zap’ – you should see a list of commands like:

To record a Zest script in ZAP select (or type) the following command:

zap record on global

Now use your browser to reproduce the server side vulnerability that you wish to report.

When you have finished select (or type) the following command:

zap record off global

The Zest script will now be visible in the ‘Scripts’ tab and the JSON representation in the ‘Script Console’ tab as above.

Reporting the bug

To report the issue please file a bug in bugzilla, clearly describing the problem as you understand it.

Check that your Zest script does not contain any personal data, then save it to disk using the ‘Save Script…’ button in the ‘Scripts’ tab.

This script includes the data that you sent and received in your browser while you were recording, which allows us to see exactly what you did and what the result was. This makes reproducing potential vulnerabilities much easier.

Attach this file, which contains the JSON version of your script, via the Web Bounty Form.

For more details about how to submit security bugs see the ‘Process’ section of the Bug Bounty page.

You can just attach the script as is, but you may also want to edit it before submitting it to us.

Editing Zest scripts in ZAP

You can double click on any Zest node in the tree and edit it. You can also right click on nodes to delete them. This means that you can easily remove requests that are unrelated to the problem you are reporting.

If you select a Zest Request node then the related request and response will be shown in the ZAP ‘Request’ and ‘Response’ tabs.

You can also redact strings in the responses that you don't want to include, for example session cookies and passwords.

To do this select the relevant request and then select the ‘Response’ tab.

Find and highlight the relevant string, right click on it and select ‘Redact Text…’

This will cause a dialog to be shown which allows you to specify the replacement string (default 5 ‘block’ characters) and an option to ‘Apply to all current requests’ which will cause the string to be replaced everywhere it appears in the script.

Running Zest scripts in ZAP

You can run Zest scripts in ZAP via the ‘Run’ button in the ‘Script Console’ tab.

Note that this is only enabled for ‘stand alone’ scripts – ZAP supports many other types of scripts which are integrated with ZAP features like the active scanner and therefore cannot be run independently.

When you run your script you will see the requests and responses shown in the ‘Zest Results’ tab.

You may see that some requests are flagged as failing.

This is because by default ZAP adds 2 assertions to each request – these check that the status code matches and that the response length is the same as before, plus or minus 2%. You can remove or change these assertions and add new ones if you like, all via right click menus.
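The redaction option described under ‘Editing Zest scripts in ZAP’ and the two default assertions described here, modelled as an added Python example that is not Zest or ZAP code. The record layout, URLs, field names and values are a constructed simplification for illustration, not the real Zest JSON schema.

```python
"""Added model of two ZAP behaviours from the post: redacting a string in a
recorded Zest script, and ZAP's two default per-request assertions (status
code must match; response length within +/- 2% of the recording).
The record layout, URLs and values below are constructed, not real Zest JSON."""
import copy

# Constructed recording of two requests (simplified, not the Zest schema).
RECORDED = [
    {"url": "https://example.test/login", "method": "POST",
     "data": "user=alice&password=hunter2",
     "response": {"status": 302, "body": "Set-Cookie: SID=abc123; Path=/"}},
    {"url": "https://example.test/account", "method": "GET",
     "data": "Cookie: SID=abc123",
     "response": {"status": 200, "body": "<html>Welcome alice</html>"}},
]

def redact(script, index, secret, replacement="\u2588" * 5, apply_to_all=False):
    """Replace `secret` in request `index` only, or in every request when
    apply_to_all is set ('Apply to all current requests'). Default replacement
    is five block characters, as in ZAP. The input script is left untouched."""
    out = copy.deepcopy(script)
    for i, req in enumerate(out):
        if apply_to_all or i == index:
            req["data"] = req["data"].replace(secret, replacement)
            req["response"]["body"] = req["response"]["body"].replace(secret, replacement)
    return out

def leaks(script, secret):
    """True if `secret` still appears anywhere in the script's data or bodies."""
    return any(secret in r["data"] or secret in r["response"]["body"] for r in script)

def default_assertions(recorded, replayed, tolerance=0.02):
    """Evaluate the two assertions ZAP attaches to each recorded request."""
    status_ok = recorded["response"]["status"] == replayed["status"]
    ref_len = len(recorded["response"]["body"])
    length_ok = abs(len(replayed["body"]) - ref_len) <= ref_len * tolerance
    return {"status_code": status_ok, "length": length_ok}

def run_script(script, replay):
    """Replay each request against `replay` (url -> fresh response) and
    report which default assertions pass, like the 'Zest Results' tab."""
    return {req["url"]: default_assertions(req, replay[req["url"]]) for req in script}

if __name__ == "__main__":
    clean = redact(RECORDED, 0, "abc123", apply_to_all=True)
    print("session id leaked after redaction:", leaks(clean, "abc123"))
    fresh = {"https://example.test/login": {"status": 302, "body": "Set-Cookie: SID=zzz999; Path=/"},
             "https://example.test/account": {"status": 200, "body": "<html>Welcome bob</html>"}}
    print(run_script(RECORDED, fresh))
```

Running it shows why a re-recorded page of different length is flagged even when the status code still matches, which is the failure you see in the ‘Zest Results’ tab before adjusting the assertions.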

You can compare new results with the previous ones by right clicking the request in the ‘Zest Results’ tab and selecting ‘Zest: Compare with original response’:

Creating Advanced Zest Scripts in ZAP

You can add new requests to a Zest script by right clicking on any request in ZAP and selecting ‘Add to Zest Script’:

Zest supports other types of statements, including:

  • Conditionals
  • Loops
  • Assignments
  • Actions
  • Controls

These can all be added via right clicking on the Zest tree nodes:

These statements allow very powerful scripts to be created quickly and easily.

ZAP also adds useful features, such as automatically adding assign statements to handle any anti-CSRF tokens it detects.

For more information about these statements see the Zest pages on MDN.

Demo

I demoed Zest at AppSec USA in November 2013, and the full video of my talk is available on YouTube. The Zest part of the talk starts at 23:47.

Feedback

Zest is still at an early stage of development and all constructive feedback is very welcome.

Anyone can contribute to the onward development of Zest, and teams or individuals who develop security tools are especially welcome to join and help shape Zest’s future.

The Zest code is on GitHub and there is a Google Group for discussing everything about Zest.