AppSec

Crushing bugs in OWASP ZAProxy

At the latest OWASP meeting in Columbus, we got set up to crush some bugs in ZAProzy, the OWASP attack proxy project. ZAP is written in Java, and the project is run by Simon Bennetts and sponsored by the Mozilla Foundation.

So for the dev crowd, ZAP is an attack proxy. Attack proxies are pentesting tools, used to observe the raw HTTP requests and responses in a web application. It sits between your browser and the web server and allows you to interact with the traffic. It works just like Fiddler, except instead of the value added tools revolving around debugging, they revolve around security.

To get set up, we followed the Building OWASP ZAP using Eclipse IDE for Java document, version 3.0. I strongly recommend you start here, even if you have other Java or Subversion tools installed. I did and I am so happy. One thing if you are on Windows 8 – run Eclipse as Administrator. Just like with Visual Studio, you’ll have trouble if you don’t.

Once I followed that document, I could build ZAP. Awesome.  Now I needed something to do. Off to the bug list I went. Simon has things organized well, so you can do as I did and search for ‘idealfirstbug’ to get some bugs that are good to start with. I picked Issue 1145, which was a simple tooltip. Good for me, because as you probably know, I am not a Java programmer.

image

 

 

Alright, I need to find that text. In Eclipse, I went to Search –> Search and clicked on the File Search tab. Then I entered the faulty text, ‘Show Tab Names and Tab Icons’ and searched. Aaaaand, I got 27 responses. That’s not good at all.

But wait! They are all properties files! And they are different languages. Guess there are only so many ways to say “Tab Names’ or something. Anyway, I figure I can search the property name ‘showNames’ and see about the logic that uses it, right?

Bingo! Searching for that get me to MainToolbarPanel.java, Right there in JToggleButton there are the properties being set, just reverse of how the logic works.

[sourcecode language='java' ]
btnShowTabIconNames = new ZapToggleButton();
btnShowTabIconNames.setIcon(new ImageIcon(MainToolbarPanel.class.getResource("/resource/icon/ui_tab_icon.png")));
btnShowTabIconNames.setToolTipText(Constant.messages.getString("view.toolbar.showIcons"));
btnShowTabIconNames.setSelectedIcon(new ImageIcon(MainToolbarPanel.class.getResource("/resource/icon/ui_tab_text.png")));
btnShowTabIconNames.setSelectedToolTipText(Constant.messages.getString("view.toolbar.showNames"));
setShowTabIconNames(Model.getSingleton().getOptionsParam().getViewParam().getShowTabNames());
[/sourcecode]

 

I switched the two properties names, showIcons and showNames, and bang, bug is squashed.

Now I have to get it in the code base. This is where subclipse really shines – the ability to quickly create patches. If you come from a forking Github world, patches might be foreign, but they are a really simple, straightforward, manageable way to  submit changes to an open source system sing subversion.

First though you have to find the file you are working on in the project explorer, This is where I discovered my new favorite button, the Link With Editor button. It syncs the view in the Package Explorer with the code view. Now the file I am editing is highlighted.

image

 

 

 

 

Seriously, new favorite button.

Anyway, right click on the changed file and select Team –> Create Patch from the context menu. The Create Patch dialog will confirm what files you are building a patch for,

image

 

 

 

 

 

I’d advise saving to a file, and then click Next. Then select Project as the scope (Workspace is just for multiproject workspaces, which is rare) and click Finish. That’s it, you’re done.

At that point, I went back to Google Code and added a comment to the bug, with the patch file attached. I;m not a committer on the project, so that’s what you do – just like a pull request in git. Hopefully, but the time you read this, the bug will be closed, and all will be right with that toggle button, at least.

Comments (1) -

  • Kevin W. Wall
    I had a similar problem with certain versions of Eclipse under Windows 7 so I don't think this is strictly a Windows 8 thing. I think there is a better way to approach Eclipse having to run as administrator. What I did was to give my limited user account that I use 'Full Control' to the folder where Eclipse is installed. The other thing that I vaguely remember doing was to create a permanent egress firewall rule so that Eclipse could connect to the Internet. I don't recall the details without looking, but it probably was only outbound TCP ports 80, 443, 8080, and 8443 for any IP address. Give that a try. Certainly a lot better than running Eclipse as Admin.
Comments are closed
Mastodon