Notes / a wannabe engineer writes whatever he likes

Personally, just to understand how things work, I build setups freely so that they at least run. This is a personal memo, so please understand that I cannot guarantee its contents. * If you find anything odd or incorrect, I would appreciate a comment or correction.

Checking OWASP ZAP scan result reports in Faraday (2): adding a report from the CLI

 

Environment

A virtual machine was created on a VMware ESXi 6.5 host and the software installed there.

・Ubuntu 16.04.3

  - FaradayServer and FaradayClient are assumed to be already running

Configuration

[figure: configuration diagram (screenshot not available)]

Preparation

This post continues from:

Installing and starting Faraday Server and Client from packages - Notes / a wannabe engineer writes whatever he likes

Importing a report

 1. Save the report

Transfer the report file using SCP, a file share, or similar.

The report file name seems to be subject to some naming rule.

 2. Load the report

./faraday.py --cli --workspace <workspace name> --report <path to report>

The workspace name specified here must have been created in advance.

faraday@sv001:~$ cd faraday-dev/
faraday@sv001:~/faraday-dev$ sudo ./faraday.py --cli --workspace zap_rep --report ../.faraday/report/zap_rep/zap_20180212.xml
2018-02-17 19:58:00,527 - faraday.launcher - INFO - Checking dependencies...
2018-02-17 19:58:00,530 - faraday.launcher - INFO - Dependencies met


[*[ Open Source Penetration Test IDE ]*]
Where pwnage goes multiplayer

2018-02-17 19:58:00,533 - faraday.launcher - INFO - Starting Faraday IDE.
2018-02-17 19:58:00,534 - faraday.launcher - INFO - Checking configuration.
2018-02-17 19:58:00,534 - faraday.launcher - INFO - Setting up plugins.
2018-02-17 19:58:00,534 - faraday.launcher - INFO - Removing old plugins folder.
2018-02-17 19:58:00,604 - faraday.launcher - INFO - Setting up ZSH integration.
2018-02-17 19:58:00,606 - faraday.launcher - INFO - Setting up user configuration.
2018-02-17 19:58:00,607 - faraday.launcher - INFO - Using custom user configuration.
2018-02-17 19:58:00,609 - faraday.launcher - INFO - Setting up icons for GTK interface.
2018-02-17 19:58:00,628 - faraday.launcher - INFO - Setting configuration.
2018-02-17 19:58:01,641 - faraday.launcher - INFO - No updates available, enjoy Faraday.
2018-02-17 19:58:01,802 - faraday.launcher - INFO - All done. Opening environment.
2018-02-17 19:58:02,029 - faraday.launcher - INFO - Main application ExceptHook enabled.
2018-02-17 19:58:02,030 - faraday.launcher - INFO - Starting main application.

* faraday ui is ready
Make sure you got couchdb up and running.
If couchdb is up, point your browser to:
http://127.0.0.1:5985/_ui

2018-02-17 19:58:02,039 - faraday - INFO - XMLRPC API server configured on ('localhost', 9876)
2018-02-17 19:58:02,077 - faraday - INFO - REST API server configured on ('localhost', 9977)
2018-02-17 19:58:02,191 - faraday.ReportProcessor - INFO - The file is ../.faraday/report/zap_rep/zap_20180212.xml, Zap
2018-02-17 19:58:02,805 - faraday.ModelController - INFO - Plugin Started: Zap
2018-02-17 19:58:02,950 - faraday - INFO - Closing Faraday...
2018-02-17 19:58:06,539 - faraday.ModelController - INFO - Plugin Ended: Zap

 

 Output log on the faraday-server.py side

2018-02-17 19:58:02,573 - faraday-server.server.database - INFO - New CommandRunInformation (<no-name>) was added in Workspace zap_rep
2018-02-17 19:58:02,940 - faraday-server.server.database - INFO - A CommandRunInformation (<no-name>) was updated in Workspace zap_rep
2018-02-17 19:58:02,988 - faraday-server.server.database - INFO - New Host (192.168.20.161) was added in Workspace zap_rep
2018-02-17 19:58:03,087 - faraday-server.server.database - INFO - New Interface (192.168.20.161) was added in Workspace zap_rep
2018-02-17 19:58:03,182 - faraday-server.server.database - INFO - New Service (http) was added in Workspace zap_rep
2018-02-17 19:58:03,275 - faraday-server.server.database - INFO - New Note (website) was added in Workspace zap_rep
2018-02-17 19:58:03,363 - faraday-server.server.database - INFO - New Note (192.168.20.161) was added in Workspace zap_rep
2018-02-17 19:58:03,468 - faraday-server.server.database - INFO - New VulnerabilityWeb (Base64 Disclosure) was added in Workspace zap_rep
2018-02-17 19:58:03,576 - faraday-server.server.database - INFO - New VulnerabilityWeb (Server Leaks Version Information via "Server" HTTP Response Header Field) was added in Workspace zap_rep
2018-02-17 19:58:03,692 - faraday-server.server.database - INFO - New VulnerabilityWeb (X-Content-Type-Options\u30d8\u30c3\u30c0\u306e\u8a2d\u5b9a\u30df\u30b9) was added in Workspace zap_rep
2018-02-17 19:58:03,789 - faraday-server.server.database - INFO - New VulnerabilityWeb (Insecure Component - PHP 5.4.16) was added in Workspace zap_rep
2018-02-17 19:58:03,894 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30d6\u30e9\u30a6\u30b8\u30f3\u30b0 - Apache 2) was added in Workspace zap_rep
2018-02-17 19:58:03,996 - faraday-server.server.database - INFO - New VulnerabilityWeb (Insecure Component - Apache 2.4.6) was added in Workspace zap_rep

~ omitted ~

2018-02-17 19:58:05,361 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u6587\u5b57\u30bb\u30c3\u30c8\u306e\u4e0d\u4e00\u81f4 ) was added in Workspace zap_rep
2018-02-17 19:58:05,462 - faraday-server.server.database - INFO - New VulnerabilityWeb (HTTP Parameter Override) was added in Workspace zap_rep
2018-02-17 19:58:05,560 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30cf\u30c3\u30b7\u30e5\u306e\u9732\u898b - MD4 / MD5) was added in Workspace zap_rep
2018-02-17 19:58:05,693 - faraday-server.server.database - INFO - New VulnerabilityWeb (Cookie\u306eHttpOnly\u5c5e\u6027\u304c\u672a\u8a2d\u5b9a) was added in Workspace zap_rep
2018-02-17 19:58:05,789 - faraday-server.server.database - INFO - New VulnerabilityWeb (Storable but Non-Cacheable Content) was added in Workspace zap_rep
2018-02-17 19:58:05,891 - faraday-server.server.database - INFO - New VulnerabilityWeb (User Controllable HTML Element Attribute (Potential XSS)) was added in Workspace zap_rep
2018-02-17 19:58:05,991 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306e\u958b\u793a - ActiveVFP) was added in Workspace zap_rep
2018-02-17 19:58:06,111 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30cf\u30c3\u30b7\u30e5\u306e\u9732\u898b - SHA-1) was added in Workspace zap_rep
2018-02-17 19:58:06,218 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306e\u958b\u793a - Java) was added in Workspace zap_rep
2018-02-17 19:58:06,326 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306e\u958b\u793a - SQL) was added in Workspace zap_rep
2018-02-17 19:58:06,438 - faraday-server.server.database - INFO - New VulnerabilityWeb (Information Disclosure - Debug Error Messages) was added in Workspace zap_rep
2018-02-17 19:58:06,535 - faraday-server.server.database - INFO - New VulnerabilityWeb (\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306e\u958b\u793a - PHP) was added in Workspace zap_rep

 I don't really understand the output contents, but this is what is printed during the import.

Checking the Faraday Dashboard (after import)

The ZAP scan results that were not shown before the import are now displayed.

[figure: Faraday dashboard after import (screenshot not available)]

* Note: the Date field of the report at the lower left shows the time the import was performed, not the time the ZAP scan was actually run.
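Because the dashboard's Date reflects the import rather than the scan, it is worth reading the scan timestamp and a risk summary out of the ZAP XML itself before importing, so they can be recorded alongside the workspace. The following is an added example written for this post, not code from the blog author or from Faraday; the element names (OWASPZAPReport, site, alertitem, riskcode, count) are assumed from ZAP's XML report format and the sample report is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like a ZAP XML report (element names assumed
# from ZAP's XML report format; host and alerts are illustrative only).
SAMPLE_ZAP_XML = """
<OWASPZAPReport version="2.7.0" generated="Mon, 12 Feb 2018 10:15:30">
  <site name="http://192.0.2.10" host="192.0.2.10" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10036</pluginid>
        <name>Server Leaks Version Information via "Server" HTTP Response Header Field</name>
        <riskcode>1</riskcode>
        <count>3</count>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <count>1</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# ZAP risk codes: 0 informational, 1 low, 2 medium, 3 high
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def parse_zap_report(xml_text):
    """Return the scan timestamp ZAP wrote into the report and the alerts per site."""
    root = ET.fromstring(xml_text)
    if root.tag != "OWASPZAPReport":
        raise ValueError("not a ZAP XML report, root element is %r" % root.tag)
    sites = []
    for site in root.findall("site"):
        alerts = [{"name": item.findtext("name", ""),
                   "risk": RISK_NAMES.get(item.findtext("riskcode"), "Unknown"),
                   "count": int(item.findtext("count", "0"))}
                  for item in site.findall("alerts/alertitem")]
        sites.append({"host": site.get("host"), "port": site.get("port"), "alerts": alerts})
    # 'generated' is the scan-time stamp that the Faraday dashboard does not carry over
    return {"generated": root.get("generated"), "sites": sites}


def risk_summary(report):
    """Count alert items per risk level across all sites, as a pre-import sanity check."""
    counts = Counter(alert["risk"] for site in report["sites"] for alert in site["alerts"])
    return dict(counts)
```

Run it against the real report file (e.g. the zap_20180212.xml used above) by reading the file into a string and passing it to parse_zap_report; the returned "generated" value is the scan time to note down next to the workspace name.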