Security/Automation/Winter Of Security 2016/ZAP Form Handling
Our team is comprised of three enthusiastic Information Technology students who attend Arizona State University's Polytechnic Campus. All of us have a focus area in Network Administration and Security, and an interest to learn about all different aspects of the IT industry. As part of our Senior Capstone course we are required to pick a project that spans two semesters, that will demonstrate our collective abilities which we have learned throughout our time in ASU’s program. As a group, we have elected to focus on a security related topic which led us to find Mozilla’s Winter of Security program.
- Ryan Wehe
- Christopher Laguna
- Rian Franey
- Professors: Damien Doheny and Dr. Usha Jagannathan
- Mozilla Advisor: Simon Bennetts
The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.
The project enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.
This project is successful if:
- User able to specify default values for all forms used by the ZAP spiders
- Display all of the forms and fields for an application and allow the user to update the default values to be used
- Full support for defining default values via the API
Timeframe: March 2017.
Biweekly Update Ending 2016-MM-DD
Week One (2016-10-17)
- Set up ZAP environment.
- Successfully made changes to default values used by the ZAP spiders
- Becoming familiar with ZAP's coding
Week Three (2016-10-31)
- Built a simple Spider
- Became familiar with HTML parsing and form handling
- Created a value generator interface
Week Five (2016-11-14)
- Successfully passed form field information into the value generator as a parameter
- Restructuring the form field information into a map "field attributes" for the value generator
- Working on building a map for the form attributes for the form generator
- Addressed errors in the testing files
Week Seven (2016-11-28)
- SpiderHtmlFormParserUnitTest now works with DefaultValueGenerator
- Converted text, password, and file to type string for case insensitive comparison in DefaultValueGenerator
- Removed duplicate, unused code from SpiderHtmlFormParser.java
- Currently working on first squash commit
Updates in 2017
January - March
- First Pull Request accepted and merged into the ZAProxy(2.6)
- Continuing on development of Add-On in the ZAP-extensions project for second pull request