ZAP Scripting Competition Results

In August 2015 we held the first ZAP Scripting Competition.

The plan was to award prizes of $50 for the best script in each category, with additional prizes of $50 for the best Zest script and another $50 for the best overall script, totalling $700 in prizes.

In the end a total of 9 scripts were submitted by 5 individuals - less than we were hoping for, but quality made up for quantity :)

As a result we’ve decided to split the $700 evenly between those 5 people.

We are in the process of updating the prizes. We will update this page with the new details and contact the 5 winners to ensure that they claim them.

Many thanks to our winners!

The scripts submitted were:

active

• gof_lite.js (kingthorin)
• TestInsercureHTTPVerbs.py (PR) (gmaran23)

httpsender

• Capture and Replace Anti CSRF Token.js (dmettem)

passive

• f5_bigip_cookie_internal_ip.js (kingthorin)
• find base64 strings.js (snoopythesecuritydog)

targeted

• curl_command_generator.js (haseebeqx)
• json_csrf_poc_generator (haseebeqx)
• search cvedetails using target server header.js (snoopythesecuritydog)
• request_to_xml.js (PR) (haseebeqx)

The original competition announcement is below:

ZAP Scripting Competition

We will be awarding prizes of $50 for the best OWASP ZAP scripts written during August 2015!

How can you take part?

• Download and install the latest version of ZAP: 2.4.1 (if you havn’t already)
• Write ZAP scripts!
• Submit them via Pull Requests to the community scripts repo during August 2015
• Claim the relevant bounty on Bountysource - note that only one script per script type will be awarded the bounty (see below for more details)
• Prizes will be awarded via Bountysource in September 2015

What script types will we award prizes for?

All of the ones ZAP supports:

• Stand Alone - scripts that are self contained and are only run when you start them manually
• Active Rules - these run as part of the Active Scanner and can be individually enabled
• Passive Rules - these run as part of the Passive Scanner and can be individually enabled
• Proxy - these run 'inline', can change every proxied request and response and can be individually enabled. They can also trigger break points
• HTTP Sender - these run 'inline', can change every request and response (both proxied and those initiated by other ZAP components) and can be individually enabled.
• Targeted - scripts that invoked with a target URL and are only run when your start them manually
• Authentication - scripts that invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
• Input Vectors - scripts for defining exactly what ZAP should attack
• HTTP Fuzzer Processor - scripts that can control the HTTP fuzzer and manage its results
• Payload Generator - scripts that can generate payloads to be used in fuzzer
• Payload Processor - scripts that can change the payloads before being used in the fuzzer.
• Sequence - Zest scripts that define sequences of requests that perform a specific task in an application. These are used by the optional Sequence add-on available on the ZAP Marketplace

We will also be awarding additional $50 prizes for:

• The best Zest script (of any type)
• The best overall script (of any type and scripting language, including Zest)

This means there will be 14 prizes totalling $700. At least one script will win $100, and if its written in Zest it will win $150!

Additional Info

By default ZAP supports JavaScript and Zest scripts ‘out of the box’, but it also supports Jython and JRuby via the ZAP Marketplace.
The ZAP help includes some information about scripting: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts
And theres more info on the ZAP internals on the wiki: https://github.com/zaproxy/zaproxy/wiki/InternalDetails
For active and passive rules you should also see the Hacking ZAP series of blog posts.

We're looking for scripts that will be useful for developers, functional testers and pentesters, but we'll also consider scripts that are just fun.
Scripts that help with specific technologies or target specific deliberately vulnerable applications will also appreciated.

Have a look at the scripts that come with ZAP and those currently in the community scripts repo - they will help you get started and may give you ideas of whats possible.

And if you have any problems or questions then please ask on the ZAP Developer Group.

Good luck and get hacking!

The fine print

• Prizes of $50 will be awarded to the best script of each supported type by ZAP via Bountysource
• Prizes will only be paid via Bountysource - no alternative payment options will be available.
• Scripts must be submitted via Pull Requests to the community scripts repo during August 2015.
• Scripts must have been merged into the community scripts repo - scripts will only be merged once any significant issues have been fixed.
• Scripts must work with the latest released version of ZAP (currently 2.4.1)
• Scripts must be licensed as Apache v2
• Scripts must include a clear description of what they do in English (and optionally other languages)
• Scripts must not be obfuscated
• All supported script languages (currently JavaScript, Zest, Jython and JRuby are eligible for prizes)
• Other script languages will also be eligible if they are supported via an add-on made available in the ZAP Marketplace during August 2015.
• Anyone can take part in this competition, apart from the judges of course.
• If none of the scripts submitted for one type are deemed to be worthy of a prize then that prize may be awarded to an additional script of another type. If we decide not to transfer the prize then the money will be used for prizes in the near future.
• The judges decision is final.

The scripts will be judged by:

• Simon Bennetts (ZAP Project Lead)
• Freakyclown (Senior Penetration Tester at https://www.portcullis-security.com/)
• Thc202 (ZAP Core developer)