Need to test out-of-band on ZAP? Use OAST!
Hi hackers and geeks! Today, ZAP OAST was released as an Alpha version. (As I told you on https://twitter.com/hahwul/status/1415710990608461827, OAST is a tool for identifying out-of-band interactions, similar to a callback server, which is very useful for SSRF, RCE, etc.)
As I expected, there is a pre-configured BOAST on the ‘odiss.eu’ domain, and building and using a custom BOAST server seems to be the good way to use it.
ZAP OAST
ZAP OAST is a tool that notifies you of the requests that have occurred (DNS queries, HTTP requests, etc.) during out-of-band testing, like Collaborator in Burp Suite and interactsh from ProjectDiscovery.
By default it supports domain-based callback servers such as Burp Collaborator, and you can also configure your own callback server by deploying the open source tool BOAST separately.
It can handle most of the protocols required for OOB testing, such as DNS, HTTP, HTTPS.
Setup OAST
Install the OAST Support add-on from the ZAP Add-on Marketplace, and you will find the OAST menu in Options.
From here, you can get the ID and Canary values from odiss.eu by pressing the Register button.
Use Interaction
The ID value you obtained from Register in ZAP OAST earlier gives you an individual odiss.eu address for your own use. If a request such as HTTP, SMTP, etc. arrives at this address, you can check it through the OAST Callback tab in ZAP, just like with Burp Collaborator.
URI-Path case
curl -i -k https://odiss.eu/c7uahecqkjjzee5gymjq6rhuui
Subdomain case
curl -i -k https://c7uahecqkjjzee5gymjq6rhuui.odiss.eu
Personally, I find it much better to be able to check the DNS record as well, so I recommend using the subdomain form.
For Custom BOAST
Using odiss.eu is convenient, but the callback requests still go to odiss.eu, a server you do not control.
So sometimes you have to build such a callback server yourself, which you can do with an open source project called BOAST.
https://github.com/marcoagner/boast
BOAST is a Go-based application that, once you place it on a server and point a domain at it, works as a callback server for identifying out-of-band interactions, just like odiss.eu.
Build BOAST
clone
git clone https://github.com/marcoagner/boast
cd boast
make
make
When make completes, the binary has been built.
./boast -h
BOAST v0.1.0 (by Marco Pereira 'AGNER')
Usage:
./boast [OPTION...]
-config string
TOML configuration file (default "boast.toml")
-dns_only
Run only the DNS receiver and its dependencies
-dns_txt string
DNS receiver's TXT record
-log_file string
Path to log file
-log_level int
Set the logging level (0=DEBUG|1=INFO) (default 1)
-v Print program version and quit
DNS Configuration
It is best to have your own DNS server in order to use all of BOAST’s features properly. While running, BOAST runs an embedded DNS server, collects/stores the domain queries it receives, and provides them to users; this requires you to set up a glue record for the NS domain.
TLS Certificate
BOAST uses certificates for HTTPS on the API (port 1337) and for TLS on the callback receiver. Of these, removing HTTPS from the config is not a big deal if you only want to monitor HTTP, but the API requires certificate settings because it is HTTPS-only.
Make Certificate Using Let’s Encrypt
Create a certificate with Let’s Encrypt and move it into the ~/go/src/agner.io/boast/tls path.
Make Certificate Using OpenSSL (for Testing)
Make the CA key and CA certificate.
openssl genrsa -out servercakey.pem
openssl req -new -x509 -key servercakey.pem -out serverca.crt
Make the server private key and certificate.
openssl genrsa -out server.key
openssl req -new -key server.key -out server_reqout.txt
openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out server.crt
And convert them to PEM format.
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
Set config file
BOAST uses the TOML format for its config. The sections and their keys are as follows.
Section | Keys
---|---
storage | max_events, max_events_by_test, max_dump_size, hmac_key
storage.expire | ttl, check_interval, max_restarts
dns_receiver | domain, public_ip
For more information, see https://github.com/marcoagner/boast/blob/master/docs/boast-configuration.md. The config I wrote for this test is as follows.
[storage]
max_events = 1_000_000
max_events_by_test = 100
max_dump_size = "80KB"
hmac_key = "TJkhXnMqSqOaYDiTw7HsfQ=="
[storage.expire]
ttl = "24h"
check_interval = "1h"
max_restarts = 100
[api]
domain = "frozen.hahwul.com"
host = "0.0.0.0"
tls_port = 1337
tls_cert = "./public.pem"
tls_key = "./private.pem"
[api.status]
url_path = "rzaedgmqloivvw7v3lamu3tzvi"
[http_receiver]
host = "0.0.0.0"
ports = [8090]
I set up only HTTP logging. FYI, change ‘storage.hmac_key’ and ‘api.status.url_path’ to values other than the ones in this example. (They are the values that control access to your BOAST instance.)
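As an added example (mine, not code from the post or the BOAST project), a short Python script that parses this flat TOML layout, flags a config that still carries the two published secrets (or ones that are too short), and generates replacements with the same shape; the 16-byte sizes are assumed from the example values, not a BOAST requirement.

```python
import base64
import re
import secrets

# Constructed sample: the post's example config, trimmed to the keys we audit.
SAMPLE_CONFIG = """
[storage]
hmac_key = "TJkhXnMqSqOaYDiTw7HsfQ=="
[api.status]
url_path = "rzaedgmqloivvw7v3lamu3tzvi"
"""
# The two secrets published in the post; anyone who read it knows them.
EXAMPLE_HMAC_KEY = "TJkhXnMqSqOaYDiTw7HsfQ=="
EXAMPLE_URL_PATH = "rzaedgmqloivvw7v3lamu3tzvi"

def parse_flat_toml(text):
    """Minimal parser for BOAST's flat TOML: returns {"section.key": value}."""
    section, out = "", {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding space
        head = re.fullmatch(r"\[([\w.]+)\]", line)
        if head:
            section = head.group(1)
        elif line:
            key, _, value = (part.strip() for part in line.partition("="))
            out[f"{section}.{key}"] = value.strip('"')
    return out

def audit(config_text):
    """Findings for secrets that are still the published values or too short."""
    cfg = parse_flat_toml(config_text)
    key, path = cfg.get("storage.hmac_key", ""), cfg.get("api.status.url_path", "")
    findings = []
    if key == EXAMPLE_HMAC_KEY:
        findings.append("storage.hmac_key is the published example value")
    elif len(key) < 24:  # 24 base64 chars = 16 bytes, the size of the example (assumed)
        findings.append("storage.hmac_key is shorter than 16 bytes")
    if path == EXAMPLE_URL_PATH:
        findings.append("api.status.url_path is the published example value")
    elif len(path) < 26:  # 26 base32 chars = 16 bytes, the size of the example (assumed)
        findings.append("api.status.url_path is shorter than 26 characters")
    return findings

def fresh_secrets():
    """Replacement pair with the same shape as the examples: 16 random bytes as
    base64 (24 chars) for hmac_key, unpadded lowercase base32 (26) for url_path."""
    return (base64.b64encode(secrets.token_bytes(16)).decode(),
            base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=").lower())
```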
Run
Run it! You can also specify the config file directly with the -config flag.
./boast
2021-08-07T00:07:08.288Z 3922139 main.go:65: [INFO] Starting BOAST v0.1.0
2021-08-07T00:07:08.288Z 3922139 httprcv.go:56: [INFO] HTTP receiver: Listening on http://0.0.0.0:8099
2021-08-07T00:07:08.288Z 3922143 server.go:65: [INFO] Web API Server: status URL is https://0.0.0.0:1337/rzaedgmqloivvw7v3lamu3tzvi
2021-08-07T00:07:08.288Z 3922143 server.go:67: [INFO] Web API Server: Listening on https://0.0.0.0:1337
Conclusion
OOB testing itself helps identify many vulnerabilities and is a very important part of testing, so there was a strong need for an OOB tool built into ZAP. It’s great that it was developed and added so quickly this time 😍