-
Add-ons
- Access Control Testing
-
Active Scan Rules
-
Active Scan Rules - Alpha
-
Active Scan Rules - Beta
-
Advanced SQLInjection Add-on
- AJAX Spider
- Alert Filters
- All In One Notes
-
AMF Support
-
Authentication Helper
- Authentication Report - JSON
- Authentication Request Identification
- Authentication Tester Dialog
- Auto-Detect Authentication
- Auto-Detect Session Management
- Browser Based Authentication
- Client Script Authentication
- Report Templates
- Header Based Session Management
- Session Management Identification
- Verification Request Identification
-
Authentication Statistics
-
Automation Framework
- Automation Framework - About
- Automation Framework - authentication
- Automation Framework - Environment
- Automation Framework - GUI
- Automation Framework - addOns Job
- Automation Framework - activeScan Job
- Automation Framework - activeScan-config Job
- Automation Framework - activeScan-policy Job
- Automation Framework - delay Job
- Automation Framework - exitStatus Job
- Automation Framework - passiveScan-config Job
- Automation Framework - passiveScan-wait Job
- Automation Framework - requestor Job
- Automation Framework - spider Job
- Automation Framework - Options
- Automation Framework - Alert Job Test
- Automation Framework - Monitor Job Test
- Automation Framework - Statistics Job Test
- Automation Framework - URL Presence Job Tests
- Automation Framework - Job Tests
-
Bean Shell Console
-
BIRT Reports
-
Browser View
-
Bug Tracker
-
Call Graph
-
Call Home
-
Client Side Integration
- Client Side Integration - AJAX Spider Enhancement
- Client Side Integration - Automation Framework Support
- Client Side Integration - Firefox Profile
- Client Side Integration - Internals
- Client Side Integration - Passive Scan Rules
- Client Side Integration
- Client Side Integration - Client Spider API
- Client Side Integration - Client Spider
-
Code Dx
-
Collection: Pentester Pack
-
Collection: Scan Rules Pack
- Common Library
-
Community Scripts
- Custom Payloads
-
Custom Report
-
Database Add-on
-
Dev Add-On
-
Diff
-
Directory List v1.0
-
Directory List v2.3
-
Directory List v2.3 LC
- DOM XSS Active Scan Rule
- Encode / Decode / Hash dialog
-
Eval Villain
-
Export Report
- Forced Browse
-
Form Handler
-
Fuzz AI Files
-
FuzzDB Files
-
FuzzDB Offensive
-
FuzzDB Web Backdoors
- Fuzzing
-
Getting Started Guide
-
GraalVM JavaScript
- GraphQL Support
- Groovy Support
- gRPC Support
-
Highlighter
-
HTTPS Info
- The HUD
- Import/Export
-
Import URLs
- Invoke Applications
-
JSON View
-
Kotlin Support
-
Linux WebDrivers
-
Log File Importer
-
MacOS WebDrivers
-
Neonmarker
- Network Add-on
- Out-of-band Application Security Testing Support
-
Online Menu
- OpenAPI Support
- Parameter Digger
-
Passive Scan Rules
-
Passive Scan Rules - Alpha
-
Passive Scan Rules - Beta
- Passive Scanner Add-on
- Plug-n-Hack
- Port Scan
- Postman Support
- Python Scripting
- Quick Start
-
Regular Expression Tester
- Replacer
-
Report Alert Generator
-
Report Generation
- Report Generation - About
- Report Generation API
- Report Generation Automation Framework Support
- Creating Reports
- High Level Report Sample
- Modern HTML Report with themes and options
- Risk and Confidence HTML
- SARIF JSON Report
- Traditional HTML with Requests and Responses
- Traditional HTML
- Traditional JSON Report with Requests and Responses
- Traditional JSON Report
- Traditional Markdown Report
- Traditional PDF
- Traditional XML Report with Requests and Responses
- Traditional XML Report
- Report Templates
- Requester Add-on
- Retest
-
Retire.js
-
Reveal
-
Revisit
-
Ruby Scripting
-
SAML Support
-
Save Raw Message
-
Save XML Message
- Scan Policies
- Script Console
- Selenium
- Sequence Scanner
- Server-Sent Events
- SOAP Support
- Spider
-
SVN Digger Files
- Technology Detection
-
Tips and Tricks
-
TLS Debug
- Token Generation and Analysis
-
TreeTools
-
Value Generator
-
ViewState
- WebSockets
-
Windows WebDrivers
-
Zest
-
Releases
- Release 1.0.0
- Release 1.1.0
- Release 1.2.0
- Release 1.3.0
- Release 1.3.1
- Release 1.3.2
- Release 1.3.3
- Release 1.3.4
- Release 1.4.0
- Release 1.4.1
- Release 2.0.0
- Release 2.1.0
- Release 2.10.0
- Release 2.11.0
- Release 2.11.1
- Release 2.12.0
- Release 2.13.0
- Release 2.14.0
- Release 2.15.0
- Release 2.16.0
- Release 2.16.1
- Release 2.2.0
- Release 2.2.1
- Release 2.2.2
- Release 2.3.0
- Release 2.3.1
- Release 2.4.0
- Release 2.4.1
- Release 2.4.2
- Release 2.4.3
- Release 2.5.0
- Release 2.6.0
- Release 2.7.0
- Release 2.8.0
- Release 2.9.0
-
Getting Started
- Scanner Rules
-
Features
- Add-ons
- Alerts
- Anti CSRF Handling
- API
- Active Scan
- Authentication
- Authentication Methods
- Authentication Verification Strategies
- Breakpoints
- Callbacks
- Contexts
- Custom Page
- Data Driven Content
- Globally Excluded URLs
- HTTP Sessions
- Manipulator-in-the-middle Proxy
- Marketplace
- Modes
- Notes
- Passive Scan
- Software Bill of Materials
- Scan Policy
- Scope
- Scripts
- Session Management
- Sites Tree
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
- A Basic Penetration Test
- Configuring Proxies
-
Desktop UI Overview
-
Dialogs
- Add Alert dialog
- Add/Edit Breakpoint dialog
- Add Note dialog
- Active Scan dialog
- Encode / Decode / Hash dialog
- Find dialog
- History Filter dialog
- Manual Request Editor dialog
- Manage Add-ons
- Manage History Tags dialog
-
Options dialog
- Options Alerts screen
- Options Anti CRSF screen
- Options API screen
- Options Active Scan screen
- Options Active Scan Input Vectors screen
- Options Breakpoints screen
- Options Callback Address screen
- Options Client Certificate screen
- Options Check for Updates screen
- Options Connection screen
- Options Database screen
- Dynamic SSL Certificates
- Options Extensions screen
- Options Global Exclude URL screen
- Options HTTP Sessions screen
- Options JVM screen
- Options Keyboard screen
- Options language screen
- Options Local Proxies screen
- Options Passive Scan Tags screen
- Options Passive Scanner Screen
- Options Passive Scan Rules Screen
- Options Rule Configuration screen
- Options Scripts screen
- Options Search screen
- Options Spider screen
- Options Statistics screen
- Options Display screen
- Persist Session dialog
- Scan Policy Dialog
- Scan Policy Manager dialog
- Scan Progress Dialog
- Session Properties dialog
- Spider dialog
- Footer
- The Tabs
- Top Level Menu
- Top Level Toolbar
- Views
-
Dialogs
Image Location and Privacy Scanner
The following passive scan rule is included in this add-on:
Image Location and Privacy Scanner
Passively scans for GPS location and other privacy-related exposures in images during normal security assessments of websites. Image Location and Privacy Scanner (ILS) assists in situations where end users may post profile images and possibly give away their home location, e.g. a dating site or children’s chatroom.
More information on this topic, including a white paper based on a real-world site audit given as a presentation at the New Jersey chapter of the OWASP organization, can be found at https://www.veggiespam.com/ils/.
This software scans images to find the GPS information inside of Exif tags, IPTC codes, and proprietary camera tags. Then, ILS flags the findings in the ZAP Alerts list as an information message. It would be up to the auditor to determine if location exposure is truly a security risk based on context.
Sample Findings
Configure the web browser to proxy through ZAP and then browse to a few sample sites to see Alerts being raised:
- MetaData Extractor’s SampleOutput page contains some good images. (Note: For some URLs, you need a GitHub session cookie)
- iPhone 4 shows GPS data.
- FujiFilm FinePix S1 Pro has embedded IPTC locations and keywords.
- Panasonic DMC-TZ10 shows proprietary Panasonic MakerNote tags including city, state, country along with facial recognition information, like the name and age of the person in the picture. ZAP screenshot is shown below.
- This professional photographer utilizes Exif & IPTC data in many of the full-sized (non-thumbnail) photos: Raia.com
.jpg){kind=link}
Usage Notes
- Before ZAP 2.7.x, you must manually enabled image scanning with: Tools → Options → Display → “Process images in the HTTP requests/responses” for ILS to function at all.
- By default, ZAP hides images in the history, but ILS stills scan these images for findings. If an alert is triggered, then the image and its alerts will appear in the Alerts tab but not in the History tab. To show images in the history, both with alerts and without, enable with “Process images in the HTTP” as above.
- If you have image processing completely disabled via Tools → Options → Network → Global Exclusions → Extension - Image (née Global Exclude URL), then any passive image scanner, like ILS, will be unable to see the images and report on privacy issues - thus disuse this feature with images so ILS can function.
Latest code: ZAP Extension “imagelocationscanner” Source
Project Source Code Origin with more information: Veggiespam’s Image Location Scanner on GitHub
Project Home Page: Veggiespam’s Image Location Scanner
Keywords: Infosec, Audit, Information Exposure, Data Leakage, Vulnerability, GPS, Exif, IPTC, PII, OpSec, Privacy
Alert ID: 10103.