Fix OWASP ZAP configuration
- Add detailed steps to the README
- Add the various contexts
- Fix HTTP_URL and HTTPS_URL to use the ZAP Proxy hostname
- Fix the CSRF token and session ID
nanasess committed Feb 25, 2021
1 parent e9b4923 commit 9a34765
Showing 8 changed files with 368 additions and 40 deletions.
5 changes: 5 additions & 0 deletions docker-compose.owaspzap.yml
@@ -1,6 +1,11 @@
version: "3"

services:
ec-cube:
environment:
# Use Zap Proxy
HTTP_URL: https://ec-cube/
HTTPS_URL: https://ec-cube/
zap:
build:
context: ./zap
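Review bot: HTTP_URL is given an https:// value, so both variables now point at the same TLS origin; if the intent is to force every request through the proxy's TLS endpoint, the one-line comment `# Use Zap Proxy` should say so, and should also note that `ec-cube` is the compose service name, resolvable only from inside the compose network or from a browser proxied through ZAP as the README describes. If that is not the intent, set `HTTP_URL: http://ec-cube/`.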
70 changes: 70 additions & 0 deletions dockerbuild/docker-php-entrypoint
@@ -0,0 +1,70 @@
#!/bin/sh
set -e

BASE="/var/www/app"

rm -f /usr/local/etc/php/conf.d/docker.ini

# php config
if [ -n "${TZ}" ]; then
echo "date.timezone = ${TZ}" >> /usr/local/etc/php/conf.d/docker.ini
fi

if [ -n "${PHP_MEMORY_LIMIT}" ]; then
echo "memory_limit = ${PHP_MEMORY_LIMIT}" >> /usr/local/etc/php/conf.d/docker.ini
fi

PHP_DISPLAY_ERRORS=${PHP_DISPLAY_ERRORS:-Off}
if [ -n "${PHP_DISPLAY_ERRORS}" ]; then
echo "display_errors = ${PHP_DISPLAY_ERRORS}" >> /usr/local/etc/php/conf.d/docker.ini
fi

if [ -n "${PHP_MAX_INPUT_VARS}" ]; then
echo "max_input_vars = ${PHP_MAX_INPUT_VARS}" >> /usr/local/etc/php/conf.d/docker.ini
fi

PHP_EXPOSE_PHP=${PHP_EXPOSE_PHP:-Off}
if [ -n "${PHP_EXPOSE_PHP}" ]; then
echo "expose_php = ${PHP_EXPOSE_PHP}" >> /usr/local/etc/php/conf.d/docker.ini
fi

if [ -n "${PHP_MAX_EXECUTION_TIME}" ]; then
echo "max_execution_time = ${PHP_MAX_EXECUTION_TIME}" >> /usr/local/etc/php/conf.d/docker.ini
fi

if [ -n "${PHP_POST_MAX_SIZE}" ]; then
echo "post_max_size = ${PHP_POST_MAX_SIZE}" >> /usr/local/etc/php/conf.d/docker.ini
fi

if [ -n "${PHP_UPLOAD_MAX_FILESIZE}" ]; then
echo "upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}" >> /usr/local/etc/php/conf.d/docker.ini
fi


# Configure OPcache for Maximum Performance
if [ -n "${PHP_OPCACHE_MEMORY_CONSUMPTION}" ]; then
echo "opcache.memory_consumption = ${PHP_OPCACHE_MEMORY_CONSUMPTION}" >> /usr/local/etc/php/conf.d/docker.ini
fi
if [ -n "${PHP_OPCACHE_MAX_ACCELERATED_FILES}" ]; then
echo "opcache.max_accelerated_files = ${PHP_OPCACHE_MAX_ACCELERATED_FILES}" >> /usr/local/etc/php/conf.d/docker.ini
fi

# Don't Check PHP Files Timestamps
if [ -n "${PHP_OPCACHE_VALIDATE_TIMESTAMPS}" ]; then
echo "opcache.validate_timestamps = ${PHP_OPCACHE_VALIDATE_TIMESTAMPS}" >> /usr/local/etc/php/conf.d/docker.ini
fi

# Configure the PHP realpath Cache
if [ -n "${PHP_REALPATH_CACHE_SIZE}" ]; then
echo "realpath_cache_size = ${PHP_REALPATH_CACHE_SIZE}" >> /usr/local/etc/php/conf.d/docker.ini
fi
if [ -n "${PHP_REALPATH_CACHE_TTL}" ]; then
echo "realpath_cache_ttl = ${PHP_REALPATH_CACHE_TTL}" >> /usr/local/etc/php/conf.d/docker.ini
fi


# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi
exec "$@"
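Review bot: `BASE="/var/www/app"` is assigned and never used; drop it or use it. The `[ -n "${PHP_DISPLAY_ERRORS}" ]` and `[ -n "${PHP_EXPOSE_PHP}" ]` tests are always true because the line above each one defaults the variable to `Off`, so those two `if` wrappers can go and the `echo` lines run unconditionally (the `Off` defaults themselves are the right choice: they keep stack traces and the PHP version from reaching clients). One caveat worth a comment at the top: each value is appended to docker.ini verbatim, so an environment variable containing a newline or `;` becomes extra ini directives; acceptable for the local-only test container the README mandates, but say so.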
5 changes: 5 additions & 0 deletions dockerbuild/php.ini
@@ -0,0 +1,5 @@
; Optimizations for Symfony, as documented on http://symfony.com/doc/current/performance.html
opcache.max_accelerated_files = 20000
opcache.memory_consumption=256
realpath_cache_size = 4096K
realpath_cache_ttl = 600
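Review bot: `opcache.memory_consumption=256` lacks the spaces around `=` that the other three directives use; make the style consistent. More importantly, these same four directives are also emitted into conf.d/docker.ini by the new entrypoint whenever PHP_OPCACHE_MEMORY_CONSUMPTION, PHP_OPCACHE_MAX_ACCELERATED_FILES, PHP_REALPATH_CACHE_SIZE or PHP_REALPATH_CACHE_TTL are set; files in the scan directory are read after php.ini, so the environment values win. A comment here stating that precedence would save the next reader a debugging session. The Symfony link can use https.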
56 changes: 56 additions & 0 deletions zap/README.md
@@ -4,3 +4,59 @@
必ずローカル環境の Docker でのみ使用し、稼動中のサイトには決して使用しないでください。
意図せずデータが更新されたり、削除される場合があります。
テストは自己責任で実施し、株式会社イーシーキューブ及び、関連する開発コミュニティは一切の責任を負いかねますのであらかじめご了承ください。

## Quick Start

**Attention!** 意図しない外部サイトへの攻撃を防ぐため、 OWASP ZAP は必ず **プロテクトモード** で使用してください

1. docker-compose を使用して EC-CUBE をインストールします
```shell
# MySQL を使用する例
docker-compose -f docker-compose.yml -f docker-compose.mysql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml up -d
# PostgreSQL を使用する例
docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml up -d
1. テスト用のデータを生成します ```
```shell
# MySQL を使用する例
## require-dev のパッケージをインストールしておく
docker-compose -f docker-compose.yml -f docker-compose.mysql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec ec-cube composer install
## ダミーデータを生成
docker-compose -f docker-compose.yml -f docker-compose.mysql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec ec-cube php ctests/acceptance/_bootstrap.php
## メールアドレスを [email protected] に変更
docker-compose -f docker-compose.yml -f docker-compose.mysql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec mysql mysql --user=eccube_db_user --password=password eccube_db -e "UPDATE dtb_customer SET email = '[email protected]' WHERE customer_id = (SELECT customer_id FROM (SELECT MAX(customer_id) FROM dtb_customer WHERE status = 2 AND del_flg = 0) AS A);"

# PostgreSQL を使用する例
## require-dev のパッケージをインストールしておく
docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec ec-cube composer install
## ダミーデータを生成
docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec ec-cube php ctests/acceptance/_bootstrap.php
## メールアドレスを [email protected] に変更
docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec postgres psql --user=eccube_db_user eccube_db -c "UPDATE dtb_customer SET email = '[email protected]' WHERE customer_id = (SELECT MAX(customer_id) FROM dtb_customer WHERE status = 2 AND del_flg = 0);"
```
1. OWASP ZAP を起動します。Firefox 以外のブラウザで `http://localhost:8081/zap/` へアクセスすると、OWASP ZAP の管理画面が表示されます
1. Firefox を起動し、設定→ネットワーク設定→接続設定からプロキシーの設定をします
- **手動でプロキシーを設定する** を選択
- HTTPプロキシー: localhost, ポート: 8090
- **このプロキシーを FTP と HTTPS でも使用する** にチェックを入れる
1. Firefox に SSL ルート CA 証明書をインポートします
- ローカルの `path/to/ec-cube/zap/owasp_zap_root_ca.cer` に証明書が生成されています
- 設定→プライバシーとセキュリティ→証明書→証明書を表示から証明書マネージャーを表示
- 認証局証明書→読み込むをクリックし、 `path/to/ec-cube/zap/owasp_zap_root_ca.cer` を選択
- **この認証局によるウェブサイトの識別を信頼する** にチェックを入れ、 OK をクリック、設定を閉じます
1. Firefox で `https://ec-cube/` へアクセスし、プロキシー経由で EC-CUBE にアクセスできるのを確認します。
1. コンテキストをインポートします。
```shell
## 管理画面用
docker-compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec zap zap-cli -p 8090 context import /zap/wrk/admin.context
## フロント(ログイン用)
docker-compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec zap zap-cli -p 8090 context import /zap/wrk/front_login.context
## フロント(ゲスト用)
docker-compose -f docker-compose.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml exec zap zap-cli -p 8090 context import /zap/wrk/front_guest.context
```
**Note:** *複数のコンテキストを同時にインポートすると、セッションが競合してログインできなくなる場合があるため注意*
{: .notice--warning}
1. OWASP ZAP のツールバーにある [Forced User Mode On/Off ボタン](https://www.zaproxy.org/docs/desktop/ui/tltoolbar/#--forced-user-mode-on--off) を ON にすると、OWASP ZAP の自動ログインが有効になり、ユーザーログイン中のテストが有効になります
1. テストを実施します
1. Firefox でページを巡回(手動探索)します
1. 手動探索して検出された URL に対して動的スキャンを実施します
1. アラートの検出を確認します
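Review bot: the first fenced block under Quick Start is never closed on its own line; the closing ``` has landed at the end of the `1. テスト用のデータを生成します` item, so step 1's fence swallows the step 2 heading and everything after it renders wrong. Move that ``` onto its own line directly after the PostgreSQL `up -d` command. Two smaller points: `{: .notice--warning}` is a kramdown attribute that GitHub's renderer prints literally, and the email written by the two UPDATE statements must equal the username stored in zap/front_login.context (the base64 in its `<user>` line decodes to zap_user@example.com); otherwise Forced User Mode will try to log in as an account that does not exist. State that dependency next to the commands.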
79 changes: 79 additions & 0 deletions zap/admin.context
@@ -0,0 +1,79 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<context>
<name>admin</name>
<desc/>
<inscope>true</inscope>
<incregexes>\Qhttps://ec-cube/admin\E.*</incregexes>
<tech>
<include>Db.MySQL</include>
<include>Db.PostgreSQL</include>
<include>Db.SQLite</include>
<include>Language.JavaScript</include>
<include>Language.PHP</include>
<include>OS.Linux</include>
<include>OS.MacOS</include>
<include>SCM.Git</include>
<include>WS.Apache</include>
<exclude>Db</exclude>
<exclude>Db.CouchDB</exclude>
<exclude>Db.Firebird</exclude>
<exclude>Db.HypersonicSQL</exclude>
<exclude>Db.IBM DB2</exclude>
<exclude>Db.Microsoft Access</exclude>
<exclude>Db.Microsoft SQL Server</exclude>
<exclude>Db.MongoDB</exclude>
<exclude>Db.Oracle</exclude>
<exclude>Db.SAP MaxDB</exclude>
<exclude>Db.Sybase</exclude>
<exclude>Language</exclude>
<exclude>Language.ASP</exclude>
<exclude>Language.C</exclude>
<exclude>Language.JSP/Servlet</exclude>
<exclude>Language.Java</exclude>
<exclude>Language.Python</exclude>
<exclude>Language.Ruby</exclude>
<exclude>Language.XML</exclude>
<exclude>OS</exclude>
<exclude>OS.Windows</exclude>
<exclude>SCM</exclude>
<exclude>SCM.SVN</exclude>
<exclude>WS</exclude>
<exclude>WS.IIS</exclude>
<exclude>WS.Tomcat</exclude>
</tech>
<urlparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
</urlparser>
<postparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
</postparser>
<authentication>
<type>2</type>
<loggedout>\Qログイン認証の有効期限切れの可能性があります\E</loggedout>
<form>
<loginurl>https://ec-cube/admin/index.php</loginurl>
<loginbody>login_id={%username%}&amp;password={%password%}&amp;transactionid=xxx&amp;mode=login</loginbody>
<loginpageurl>https://ec-cube/admin/index.php</loginpageurl>
</form>
</authentication>
<users>
<user>55;true;YWRtaW4=;2;YWRtaW4=~cGFzc3dvcmQ=~</user>
</users>
<forceduser>55</forceduser>
<session>
<type>0</type>
</session>
<authorization>
<type>0</type>
<basic>
<header/>
<body/>
<logic>AND</logic>
<code>-1</code>
</basic>
</authorization>
</context>
</configuration>
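Review bot: `loginbody` sends `transactionid=xxx`; as the commit message's CSRF-token item implies, EC-CUBE rejects a POST whose transactionid does not match the session token, so this only works if ZAP replaces the placeholder, which it does only when `transactionid` is registered under Options > Anti CSRF Tokens (it is not in the default list) and `loginpageurl` is set, as it is here. The README should include that option step, otherwise the admin login silently fails and every scan runs unauthenticated. Also, the `<user>` line carries base64 `admin` / `password`; fine for the local-only setup the README mandates, but since `<desc/>` is empty, a description noting that they must match the installed admin account would help.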
71 changes: 71 additions & 0 deletions zap/front_guest.context
@@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<context>
<name>front_guest</name>
<desc/>
<inscope>true</inscope>
<incregexes>\Qhttps://ec-cube\E.*</incregexes>
<excregexes>\Qhttps://ec-cube/admin\E.*</excregexes>
<tech>
<include>Db.MySQL</include>
<include>Db.PostgreSQL</include>
<include>Db.SQLite</include>
<include>Language.JavaScript</include>
<include>Language.PHP</include>
<include>OS.Linux</include>
<include>OS.MacOS</include>
<include>SCM.Git</include>
<include>WS.Apache</include>
<exclude>Db</exclude>
<exclude>Db.CouchDB</exclude>
<exclude>Db.Firebird</exclude>
<exclude>Db.HypersonicSQL</exclude>
<exclude>Db.IBM DB2</exclude>
<exclude>Db.Microsoft Access</exclude>
<exclude>Db.Microsoft SQL Server</exclude>
<exclude>Db.MongoDB</exclude>
<exclude>Db.Oracle</exclude>
<exclude>Db.SAP MaxDB</exclude>
<exclude>Db.Sybase</exclude>
<exclude>Language</exclude>
<exclude>Language.ASP</exclude>
<exclude>Language.C</exclude>
<exclude>Language.JSP/Servlet</exclude>
<exclude>Language.Java</exclude>
<exclude>Language.Python</exclude>
<exclude>Language.Ruby</exclude>
<exclude>Language.XML</exclude>
<exclude>OS</exclude>
<exclude>OS.Windows</exclude>
<exclude>SCM</exclude>
<exclude>SCM.SVN</exclude>
<exclude>WS</exclude>
<exclude>WS.IIS</exclude>
<exclude>WS.Tomcat</exclude>
</tech>
<urlparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
</urlparser>
<postparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
</postparser>
<authentication>
<type>0</type>
</authentication>
<forceduser>-1</forceduser>
<session>
<type>0</type>
</session>
<authorization>
<type>0</type>
<basic>
<header/>
<body/>
<logic>AND</logic>
<code>-1</code>
</basic>
</authorization>
</context>
</configuration>
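Review bot: `<incregexes>\Qhttps://ec-cube\E.*</incregexes>` has no trailing `/`, so it also matches any host whose name merely begins with `ec-cube`, whereas admin.context anchors on `https://ec-cube/admin`. Use `\Qhttps://ec-cube/\E.*` so the scope cannot extend to another host, which matters given the Protected Mode warning in the README. The 40-line `<tech>` block is identical in all three context files; that is how ZAP exports contexts, but filling `<desc/>` with one line saying this is the unauthenticated front with `/admin` excluded would make the three files distinguishable at a glance.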
80 changes: 80 additions & 0 deletions zap/front_login.context
@@ -0,0 +1,80 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<context>
<name>front_login</name>
<desc/>
<inscope>true</inscope>
<incregexes>\Qhttps://ec-cube\E.*</incregexes>
<excregexes>\Qhttps://ec-cube/admin\E.*</excregexes>
<tech>
<include>Db.MySQL</include>
<include>Db.PostgreSQL</include>
<include>Db.SQLite</include>
<include>Language.JavaScript</include>
<include>Language.PHP</include>
<include>OS.Linux</include>
<include>OS.MacOS</include>
<include>SCM.Git</include>
<include>WS.Apache</include>
<exclude>Db</exclude>
<exclude>Db.CouchDB</exclude>
<exclude>Db.Firebird</exclude>
<exclude>Db.HypersonicSQL</exclude>
<exclude>Db.IBM DB2</exclude>
<exclude>Db.Microsoft Access</exclude>
<exclude>Db.Microsoft SQL Server</exclude>
<exclude>Db.MongoDB</exclude>
<exclude>Db.Oracle</exclude>
<exclude>Db.SAP MaxDB</exclude>
<exclude>Db.Sybase</exclude>
<exclude>Language</exclude>
<exclude>Language.ASP</exclude>
<exclude>Language.C</exclude>
<exclude>Language.JSP/Servlet</exclude>
<exclude>Language.Java</exclude>
<exclude>Language.Python</exclude>
<exclude>Language.Ruby</exclude>
<exclude>Language.XML</exclude>
<exclude>OS</exclude>
<exclude>OS.Windows</exclude>
<exclude>SCM</exclude>
<exclude>SCM.SVN</exclude>
<exclude>WS</exclude>
<exclude>WS.IIS</exclude>
<exclude>WS.Tomcat</exclude>
</tech>
<urlparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
</urlparser>
<postparser>
<class>org.zaproxy.zap.model.StandardParameterParser</class>
<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
</postparser>
<authentication>
<type>2</type>
<loggedout>\Qalt="ログイン"\E</loggedout>
<form>
<loginurl>https://ec-cube/frontparts/login_check.php</loginurl>
<loginbody>login_email={%username%}&amp;login_pass={%password%}&amp;transactionid=xxx&amp;mode=login&amp;url=/mypage/login.php</loginbody>
<loginpageurl>https://ec-cube/mypage/</loginpageurl>
</form>
</authentication>
<users>
<user>110;true;emFwX3VzZXI=;2;emFwX3VzZXJAZXhhbXBsZS5jb20=~cGFzc3dvcmQ=~</user>
</users>
<forceduser>110</forceduser>
<session>
<type>0</type>
</session>
<authorization>
<type>0</type>
<basic>
<header/>
<body/>
<logic>AND</logic>
<code>-1</code>
</basic>
</authorization>
</context>
</configuration>
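Review bot: `<loggedout>\Qalt="ログイン"\E</loggedout>` keys the logged-out check to an image's alt text, which breaks as soon as the template changes; a logged-in indicator, such as a regex on the logout link, is the more robust choice. The `loginbody` has the same `transactionid=xxx` placeholder as admin.context and needs the same Anti CSRF Tokens registration, and the `<user>` line's username decodes to zap_user@example.com, which is what the README's UPDATE statement must write to dtb_customer. Both dependencies deserve a sentence in zap/README.md.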