OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014

Post on 06-Jul-2015


OWASP ZAP demonstration at Null/OWASP/G4H Bangalore meetup on Nov 22, 2014.

Transcript of OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014

The OWASP Foundation

http://www.owasp.org

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Null/OWASP/G4H Bangalore

22 Nov 2014

ZAP Demonstration

The OWASP Zed Attack Proxy

Marudhamaran Gunasekaran, ZAP Contributor

gmaran23@gmail.com


Zed Attack Proxy - Then

• Released September 2010

• Ease of use a priority

• A fork of the well regarded Paros Proxy

• Involvement actively encouraged

• Adopted by OWASP October 2010

Zed Attack Proxy - Now

• An easy to use webapp pentest tool

• Completely free and open source

• Ideal for beginners

• But also used by professionals

• Ideal for devs, esp. for automated security tests

• Becoming a framework for advanced testing

• Included in all major security distributions

• ToolsWatch.org Top Security Tool of 2013

• Not a silver bullet!

ZAP Principles

• Free, Open source (always)

• Involvement actively encouraged

• Cross platform (write once, run anywhere)

• Easy to use (point and shoot)

• Easy to install (unzip & run)

• Internationalized (speaks 20+ languages)

• Fully documented (publish a book)

• Works well with other tools

• Reuse well regarded components (JBroFuzz, fuzzdb, DirBuster, CrawlJax, SQLMap?)

Ohloh Statistics

• Very High Activity

• The most active OWASP Project

• 29 active contributors

• 278 years of effort

• Source: http://www.ohloh.net/p/zaproxy

The Main Features

All the essentials for web application testing

• Intercepting Proxy

• Active and Passive Scanners

• Traditional and Ajax Spiders

• WebSockets support

• Forced Browsing (using OWASP DirBuster code)

• Fuzzing (using fuzzdb & OWASP JBroFuzz)

• Online Add-ons Marketplace

The Additional Features

• Auto tagging

• Port scanner

• Session comparison

• Invoke external apps

• API + Headless mode

• Dynamic SSL Certificates

• Anti CSRF token handling

The Demo

• Quick Start

• Browser configuration

• Intercepting proxy – breakpoints

• Passive scanner

• Auto tagging

• Parameters

The Demo

• New Alert

• Forced browsing

• Spiders

• Fuzzing

• Zap Marketplace

• Https Information

The Demo

• Comparing requests/responses

• Text Wizards

• Manual request editor

• Scan Options

• Safe/Protected/Standard modes

• Active scan

• Reports

Next talk?

Advanced scanning

Contexts

WebSockets

postMessage monitoring

Users

PnH features

Scripts (Zest)

APIs

Automation

ZAP 2.4.0

Splash Screen (http://tiny.cc/Vote4ZAPSplashScreen)

Unused tabs hidden

Scan dialogs with advanced options

Attack modes

Advanced fuzzing

Sequence scanning

Access control testing

Any Questions?

http://www.owasp.org/index.php/ZAP