HTTP inference for OWASP ZAP: Improve penetration testing via HTTP automated analysis

The increasingly large number of vulnerabilities that affect web-based applications has severe consequences. Attackers rely on these flaws to routinely compromise millions of web sites, steal personal and financial data, and penetrate private infrastructures. To mitigate the Web’s security problems many techniques and tools have been developed over the years. The three major approaches to identify vulnerabilities are SAST (static application security testing), DAST (dynamic application security testing) and IAST (Interactive application security testing). SAST requires the source code of the application while DAST and IAST require the application to be up-and-running and ready for passive/active testing. All the three approaches feature pros and cons. In general, SAST is subject to false positives (report attacks that are not real attacks) while DAST to false negatives (miss real attacks). IAST features almost zero false positives, but it requires complete ownership of the testing landscape in which IAST agents must be deployed to monitor the execution of the application and the coverage of the analysis depends on the available functional tests as well as on the available techniques to amplify this coverage. We at SAP Security Research have been working on DAST techniques to detect vulnerabilities such as logic flaws and Cross-site Request Forgery (CSRF/XSRF). These techniques have been further developed and experimented internally at SAP to reach a more mature status. The aim of this work is to further progress SAP's techniques and to integrate them within best-suited penetration test frameworks (e.g., OWASP ZAP) to enable broader adoption.