Using OWASP ZAP to find vulnerabilities in your web apps
David Epler, Security Architect
[email protected]
About Me
- Primarily an application developer
- Contributor to Learn CF In a Week
- Created Unofficial Updater 2 to patch Adobe ColdFusion 8.0.1 & 9.0.x
- OWASP individual member
- OWASP ZAP evangelist
What is OWASP Zed Attack Proxy (ZAP)?
- An easy-to-use web application penetration testing tool
- Completely free and open source: no paid PRO version
- OWASP flagship project
- Included in major security distributions: Kali, Samurai WTF, etc.
Brief ZAP History
- Fork of Paros Proxy by Simon Bennetts
- Code: Paros ~20%, ZAP ~80%
- 1st release September 2010
- Adopted by OWASP October 2010
- Now at 2.3.0, with a roadmap to 2.4.0+
- Best Security Tool of 2013 as voted by ToolsWatch.org readers
Why use ZAP?
- Ideal for beginners and developers; also used by professional pen testers
- Point and shoot via the Quick Start tab
- Manual penetration testing
- As a debugger (see exactly what your app sends and receives)
- As part of a larger security program
- Automated security regression tests
Main ZAP Features
- Intercepting proxy
- Active and passive scanners
- Traditional and AJAX spiders
- Forced browsing using OWASP DirBuster
- Fuzzing using fuzzdb and OWASP JBroFuzz
- Cross platform, built on Java (requires Java 1.7)
More ZAP Features
- WebSockets support
- Authentication and session support
- Smart card and client digital certificate support
- Anti-CSRF token handling
- Report generation
- Port scanner
- Invoke external applications
- Support for a wide range of scripting: JavaScript, Zest, Python, Groovy
- Online add-ons marketplace
- Translated into 20+ languages
Intercepting Proxy (diagram: ZAP sits between the browser and the Website)
Installing and Configuring ZAP
- Download and install: https://code.google.com/p/zaproxy/wiki/Downloads
- Configure the browser to use ZAP as its proxy (ZAP listens on 127.0.0.1:8080 by default); the FoxyProxy Standard plugin for Firefox makes switching the proxy on and off easy
- Import the OWASP ZAP Root CA into the browser: needed for testing HTTPS sites/apps, since ZAP re-signs every intercepted HTTPS site with its own CA and the browser will otherwise reject the certificates
Installing and Configuring ZAP: Demo Time
Plug-n-Hack
- Configuring a browser to work with a security tool can be difficult
- Proposed standard developed by the Mozilla Security Team
- Allows browsers and security tools to integrate more easily
- Allows security tools to expose functionality to the browser
- Requires Firefox 24+ and a plugin
- Other tools that support it: Burp Suite, Kali
A Few Tips
- Can use the Linux install on Windows if you don't have rights to install
- Don't forget to import the certificate
- If you get the following when trying HTTPS:
  ZAP Error: handshake alert: unrecognized_name
  add the JVM option -Djsse.enableSNIExtension=false to the java command line in zap.sh/zap.bat (Java 7 sends the SNI extension and treats the server's unrecognized_name warning alert as fatal; the option turns SNI off)
Testing for vulnerabilities: Automated Testing
- Quick Start tab: enter the target URL and Attack; ZAP spiders the site and runs an active scan against everything the spider found
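Driving the same spider-plus-active-scan sequence from a script is what turns ZAP into the automated security regression test mentioned earlier. The block below is an added example, not code from the talk or from the ZAP project: it drives a locally running ZAP through the python-owasp-zap-v2 client (package name zapv2; its method names, the apikey argument and the default listener 127.0.0.1:8080 are assumptions about the client version in use) and fails the build when any de-duplicated alert reaches a chosen risk level. The alert list at the bottom is constructed sample data in the shape the ZAP API returns, so the gating logic runs without ZAP present.

```python
"""Gate a build on ZAP scan results (added example; not from the talk or ZAP).

Assumes: a ZAP instance listening on 127.0.0.1:8080 and the python-owasp-zap-v2
client (package name zapv2).  The alert keys used below ("risk", "alert", "url",
"param") are the ones ZAP's core/view/alerts API returns.
"""
import sys
import time

# ZAP reports risk as one of these strings; map them to an order for thresholds.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def failing_alerts(alerts, fail_at="Medium"):
    """Return the alerts at or above the `fail_at` risk level.

    ZAP raises one alert per successful payload, so the same finding on the
    same URL/parameter is collapsed to a single entry before gating.
    """
    threshold = RISK_ORDER[fail_at]
    seen = set()
    failing = []
    for alert in alerts:
        risk = RISK_ORDER.get(alert.get("risk", "Informational"), 0)
        key = (alert.get("alert"), alert.get("url"), alert.get("param"))
        if risk >= threshold and key not in seen:
            seen.add(key)
            failing.append(alert)
    return failing


def scan_target(target, zap_proxy="http://127.0.0.1:8080", apikey=None, poll_seconds=2):
    """Spider and actively scan `target` through ZAP, then return ZAP's alerts.

    The client is imported lazily so the gating logic above needs no ZAP installed.
    """
    from zapv2 import ZAPv2  # assumption: python-owasp-zap-v2 client

    zap = ZAPv2(apikey=apikey, proxies={"http": zap_proxy, "https": zap_proxy})
    zap.urlopen(target)                      # seed the Sites tree with the target
    scan_id = zap.spider.scan(target)        # traditional spider, as Quick Start does
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    scan_id = zap.ascan.scan(target)         # active scan everything the spider found
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return zap.core.alerts(baseurl=target)


# Constructed sample alerts in the shape the ZAP API returns (not real scan output).
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection",
     "url": "http://app.example/products.cfm?id=1", "param": "id"},
    {"risk": "High", "alert": "SQL Injection",          # second payload, same finding
     "url": "http://app.example/products.cfm?id=1", "param": "id"},
    {"risk": "Medium", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://app.example/search.cfm?q=x", "param": "q"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "http://app.example/", "param": ""},
]


if __name__ == "__main__":
    # Usage: python zap_gate.py http://localhost:8080/   (exit status 1 = findings)
    # With no argument the constructed SAMPLE_ALERTS are gated instead of a live scan.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    alerts = scan_target(target) if target else SAMPLE_ALERTS
    bad = failing_alerts(alerts, fail_at="Medium")
    for alert in bad:
        print("%-6s %s  %s [%s]" % (alert["risk"], alert["alert"], alert["url"], alert["param"]))
    sys.exit(1 if bad else 0)
```

The de-duplication matters in practice: an active scan that finds one injectable parameter typically raises several alerts for it (one per payload that worked), and a gate that counts raw alerts will report the same bug many times.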
Testing for vulnerabilities: Directed Testing
- Manual: walk through the web app in the browser while ZAP captures the requests and responses
- Then test further by manipulating and resending individual requests from ZAP
Testing for vulnerabilities: Demo Time
Integrating ZAP with other tools: Run external applications
- Nikto
- sqlmap
Integrating ZAP with other tools: Generate ModSecurity virtual patching rules from ZAP XML results
- zap2modsec.pl (from the ModSecurity blog post listed under Resources) turns ZAP's XML report into SecRules, so the WAF can block attacks against the flagged parameters while the application itself is being fixed
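What zap2modsec.pl does can be reproduced in a few dozen lines, which also makes clear what such a virtual patch is and is not. The block below is an added example, not the zap2modsec.pl script or any other ModSecurity project code: it parses ZAP's XML report (both the flat alertitem layout with uri/param elements and the later instances layout), keeps only Medium/High alerts that name a parameter, de-duplicates per path/parameter/alert, and emits one chained SecRule pair per finding that denies any value of that parameter not matching an allowlist. The allowlist patterns, the rule id base 9000000 and the sample report at the bottom are assumptions constructed for the example.

```python
"""Turn a ZAP XML report into ModSecurity virtual patches (added example;
not zap2modsec.pl).  Element names follow ZAP's XML report format; the
allowlist patterns and rule id base are assumptions made for this example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Minimum ZAP riskcode to patch: 3 = High, 2 = Medium, 1 = Low, 0 = Informational.
MIN_RISKCODE = 2
RULE_ID_BASE = 9000000

# Illustrative per-alert allowlists (assumption, not zap2modsec.pl's table).
# The patch denies any value of the flagged parameter that does NOT match.
SAFE_VALUE_PATTERNS = {
    "SQL Injection": r"^[A-Za-z0-9_ .@-]{0,64}$",
    "Cross Site Scripting (Reflected)": r"^[^<>&]{0,256}$",
}
DEFAULT_SAFE_PATTERN = r"^[A-Za-z0-9_ .@-]{0,128}$"


def _text(elem, tag, default=""):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def parse_alerts(xml_text):
    """Yield (alert_name, pluginid, riskcode, uri, param) per flagged instance.

    Handles the flat layout (uri/param directly under alertitem) and the later
    layout where each alertitem carries one or more instances/instance elements.
    """
    root = ET.fromstring(xml_text)
    for item in root.iter("alertitem"):
        name = _text(item, "alert")
        pluginid = _text(item, "pluginid")
        try:
            risk = int(_text(item, "riskcode", "0"))
        except ValueError:
            risk = 0
        instances = item.findall("./instances/instance")
        if instances:
            for inst in instances:
                yield name, pluginid, risk, _text(inst, "uri"), _text(inst, "param")
        else:
            yield name, pluginid, risk, _text(item, "uri"), _text(item, "param")


def build_rule(rule_id, alert_name, pluginid, path, param):
    """One chained pair: match the path, then deny a non-allowlisted parameter value."""
    pattern = SAFE_VALUE_PATTERNS.get(alert_name, DEFAULT_SAFE_PATTERN)
    msg = ("Virtual patch: %s in %s (ZAP plugin %s)"
           % (alert_name, param, pluginid)).replace("'", "")
    return (
        'SecRule REQUEST_FILENAME "@streq %s" '
        '"phase:2,id:%d,t:none,log,deny,status:403,msg:\'%s\',chain"\n'
        '    SecRule ARGS:%s "!@rx %s" "t:none,t:urlDecodeUni"'
        % (path, rule_id, msg, param, pattern)
    )


def generate_rules(xml_text, min_riskcode=MIN_RISKCODE, rule_id_base=RULE_ID_BASE):
    """Return the list of SecRule strings for the patchable findings in the report."""
    rules, seen, next_id = [], set(), rule_id_base
    for name, pluginid, risk, uri, param in parse_alerts(xml_text):
        if risk < min_riskcode or not param or not uri:
            continue  # below threshold, or no parameter to patch (e.g. header findings)
        path = urlsplit(uri).path or "/"
        key = (path, param, name)
        if key in seen:
            continue  # several payloads hit the same parameter: one rule is enough
        seen.add(key)
        rules.append(build_rule(next_id, name, pluginid, path, param))
        next_id += 1
    return rules


# Constructed sample report (not real ZAP output), mixing both alertitem layouts.
SAMPLE_REPORT = """<OWASPZAPReport version="2.3.0" generated="Thu, 1 May 2014 10:00:00">
  <site name="http://app.example" host="app.example" port="80" ssl="false">
    <alerts>
      <alertitem><pluginid>40018</pluginid><alert>SQL Injection</alert><riskcode>3</riskcode>
        <uri>http://app.example/products.cfm?id=1%27</uri><param>id</param></alertitem>
      <alertitem><pluginid>40018</pluginid><alert>SQL Injection</alert><riskcode>3</riskcode>
        <uri>http://app.example/products.cfm?id=1%20OR%201=1</uri><param>id</param></alertitem>
      <alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>2</riskcode><instances><instance>
        <uri>http://app.example/search.cfm?q=x</uri><param>q</param></instance></instances></alertitem>
      <alertitem><pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode><uri>http://app.example/</uri><param></param></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_REPORT)))
```

Two caveats the script makes visible: a virtual patch only covers parameters ZAP actually flagged (the header finding produces nothing, and a parameter the scanner never reached stays unprotected), and the allowlist has to be loosened per application, since a regex tight enough to stop the injection will also block legitimate values that contain quotes or angle brackets.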
Integrating ZAP with other tools: Demo Time
Please be sure to fill out evaluations
Blog: http://www.dcepler.net
Email: [email protected]
Twitter: @dcepler
Q&A - Thanks
Resources
- OWASP Zed Attack Proxy Project
- Plug-n-Hack
- Issue 704: ZAP Error: handshake alert: unrecognized_name
- ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy