The Future of Zed Attack Proxy – Simon Bennetts, Ori Bendet – ASW #302
Full Audio
View Show IndexSegments
1. The Future of Zed Attack Proxy – Simon Bennetts, Ori Bendet – ASW #302
Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project.
Segment Resources:
- https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
- https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/
- https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/
- KICS: https://github.com/Checkmarx/kics
- 2MS: https://github.com/Checkmarx/2ms
Guests
Simon Bennetts is the Zed Attack Proxy (ZAP) Founder and Project Leader.
He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac.
Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
Ori brings more than 18 years of senior-level experience to his role as VP of Product Management at Checkmarx where he oversees the entire AppSec portfolio, serving thousands of customers worldwide. He is an experienced product leader combining his strong technical and go-to-marketing skills. Ori also managed Checkmarx SAST which is a Gartner and Forrester market leading solution used by thousands of customers worldwide and has been instrumental in spearheading the flagship Checkmarx One AST Platform which is gaining ground with hundreds of global customers adopting the cloud-based platform. Prior to Checkmarx, he held leadership and engineering positions at Time To Know, HPE, PicApp, and Bezeq.
Hosts
2. RCE from Iconv + PHP, Fuzzing a Codec, Fuzzing LLMs, Revisiting Recall – ASW #302
The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more!
Hosts
- 1. Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3)
A researcher fuzzing PHP filters found that chaining together code conversion filters caused a crash. That's good! Fuzzers a great for finding code quality issues and many times those issues manifest in ways that can be exploitable.
In this case, the underlying issue was a 24-year old bug in glibc that was exploitable only in rare cases -- one of them being in PHP's filter capability.
Hear about the journey from PHP fuzzing to exploitation to fixing directly from the researcher in their presentation at this year's OffensiveCon24.
There are lots of nice appsec lessons from these articles (check out parts 1 and 2). One of them is how simple the fix was -- basically six lines of an
if
statement in two different places. But even more important was that the fix was accompanied by some code to verify it and, ideally, prevent regressions. - 2. Project Zero: Effective Fuzzing: A Dav1d Case Study
Two very small tweaks to a fuzzer led to discovery of an exploitable flaw in a video codec. Once again, an integer overflow strikes and once again a fix is dead simple -- use an unsigned int.
I love this article because it's about fuzzing. And I love the idea of tweaking existing security tools to improve their quality and coverage to discover code quality issues. That feels like a more useful way to burn CPU cycles than hoping an LLM gets lucky with a random string.
- 3. Improving Fuzzing Payloads for LLMs with FuzzAI
And now an article that combines fuzzing and LLMs, with the use case of using fuzzing techniques against LLM prompts. We cover this in more detail in this week's interview segment!
- 4. Pixel’s Proactive Approach to Security: Addressing Vulnerabilities in Cellular Modems
A short article that mentions some high-level defenses that any code based on C or C++ should follow. It also highlights how the baseband on phones has all sort of overlapping concerns like performance, security, and consistency across devices.
Since we already mentioned an OffensiveCon24 video, check out this video from OffensiveCon23 about baseband hacking.
- 5. Update on Recall security and privacy architecture | Windows Experience Blog
Here's an update from Microsoft on the security model of the new Windows Recall feature. It gives us a chance to remind appsec folks that security and privacy are peer concerns that each require threat models, design models, and controls -- it's just that all too often privacy gets incorrectly lumped under the confidentiality piece of security's CIA triad. As the early reaction to Recall shows, privacy covers more important concepts than just confidentiality, such as consent, control, and reduction.
There doesn't need to be a new "AppPriv" label for this. Let's skip straight to the part where privacy models are part of the SDLC and we see more privacy engineering teams in the vein of security engineering teams or, really, engineering teams.
- 6. VideoLAN Security Bulletin VLC 3.0.21
There's no apparent exploitation here beyond a DoS due to crashing a system.
Instead, I thought this would be another chance to talk about fuzzing -- parsers and codecs are prime targets -- and memory safety in terms of overcoming the inertia of a large, established project that's not only in a memory unsafe language, but that has very visible performance constraints. After all, most projects might insist they need the utmost performance from the binaries their code compiles to. It's just that audio and video codecs have very obvious degradation when performance is poor.
- 7. Broken Hill: A Productionized Greedy Coordinate Gradient Attack Tool for Use Against Large Language Models
We covered an LLM CTF from Bishop Fox back in episode 299. Here's a tool based on research into creating prompts that lead to jailbreaks.