0x00 Background
First the good news - ZAP does not typically log strings that could be used to exploit this vulnerability out of the box, so the exposure to this vulnerability should be limited. If you have not changed the default ZAP Log4j settings and have not exposed the ZAP API to untrusted addresses (which we do not advise) then at this stage we believe that you will not be vulnerable.
0x01 Active counterattack
http://burp/ or http://127.0.0.1:8080/
http://zap/ or http://127.0.0.1:8080/
http://zap/JSON/acsrf/view/optionPartialMatchingEnabled/?apikey=${upper:AAAA}
0x02 Passive counterattack
Search the main program's source code by keyword for controllable input points.
Find log-controllable input points in the plugins bundled with ZAP.
Scan a site that covers all kinds of scenarios, observe what ZAP prints to its log, then test each controllable input point one by one.
Places where the content of the Authorization header is printed to the log.
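An added check from the defender's side, not code from the original post or from the ZAP project: it scans the request line and headers reaching the ZAP API (the apikey query parameter and the Authorization header that the post names as log-controllable inputs) for Log4j lookup syntax of the ${...} form shown above, including URL-encoded and unterminated variants. The sample requests and the function names are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

def find_lookups(value: str) -> list:
    """Return every Log4j-style lookup expression (${...}, braces balanced) in value.
    An unterminated '${' is reported as-is, since it is still suspicious."""
    found, i = [], 0
    while True:
        start = value.find("${", i)
        if start < 0:
            return found
        depth, j = 0, start
        while j < len(value):
            if value.startswith("${", j):
                depth += 1
                j += 2
                continue
            if value[j] == "}":
                depth -= 1
                if depth == 0:
                    found.append(value[start:j + 1])
                    break
            j += 1
        else:                       # ran off the end without closing the brace
            found.append(value[start:])
            return found
        i = j + 1

def scan_request(request_line: str, headers: dict) -> list:
    """Flag (field, expression) pairs for every lookup found in query parameters
    (after URL decoding, which is how ZAP would see them) or header values."""
    findings = []
    target = request_line.split(" ")[1] if " " in request_line else request_line
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for v in values:
            findings += [("query:" + name, expr) for expr in find_lookups(v)]
    for name, v in headers.items():
        findings += [("header:" + name, expr) for expr in find_lookups(v)]
    return findings

# Constructed sample traffic: the API call from the post, an encoded variant with a
# tainted Authorization header, and a clean request.
SAMPLE_REQUESTS = [
    ("GET /JSON/acsrf/view/optionPartialMatchingEnabled/?apikey=${upper:AAAA} HTTP/1.1",
     {"Host": "zap", "Authorization": "Bearer clean-token"}),
    ("GET /JSON/core/view/version/?apikey=%24%7Bupper%3AAAAA%7D HTTP/1.1",
     {"Host": "zap", "Authorization": "Basic ${upper:probe}"}),
    ("GET /JSON/core/view/version/?apikey=change-me HTTP/1.1",
     {"Host": "zap", "Authorization": "Bearer clean-token"}),
]

if __name__ == "__main__":
    for line, hdrs in SAMPLE_REQUESTS:
        print(line, "->", scan_request(line, hdrs))
```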