OWASP ZAP

Transcript
  • Using OWASP ZAP to find vulnerabilities in your web apps
    ◦ David Epler, Security Architect, [email protected]
  • About Me
    ◦ Primarily an application developer
    ◦ Contributor to Learn CF In a Week
    ◦ Created Unofficial Updater 2 to patch Adobe ColdFusion 8.0.1 & 9.0.x
    ◦ OWASP Individual Member
    ◦ OWASP ZAP Evangelist
  • What is OWASP Zed Attack Proxy (ZAP)?
    ◦ An easy-to-use web application penetration testing tool
    ◦ Completely free and open source (no paid PRO version)
    ◦ OWASP flagship project
    ◦ Included in major security distributions (Kali, Samurai WTF, etc.)
  • Brief ZAP History
    ◦ Fork of Paros Proxy by Simon Bennetts
    ◦ Code: Paros ~20%, ZAP ~80%
    ◦ 1st release September 2010
    ◦ Adopted by OWASP October 2010
    ◦ Now at 2.3.0, with roadmap to 2.4.0+
    ◦ Best Security Tool of 2013 as voted by ToolsWatch.org readers
  • Why use ZAP?
    ◦ Ideal for beginners and developers; also used by professional pen testers
    ◦ Point and shoot via the Quick Start tab
    ◦ Manual penetration testing
    ◦ As a debugger
    ◦ As part of a larger security program
    ◦ Automated security regression tests
  • Main ZAP Features
    ◦ Intercepting proxy
    ◦ Active and passive scanners
    ◦ Traditional and AJAX spiders
    ◦ Forced browsing using OWASP DirBuster
    ◦ Fuzzing using fuzzdb and OWASP JBroFuzz
    ◦ Cross platform, built on Java (requires 1.7)
  • More ZAP Features
    ◦ WebSockets support
    ◦ Authentication and session support
    ◦ Smart card and client digital certificate support
    ◦ Anti-CSRF token handling
    ◦ Report generation
    ◦ Port scanner
    ◦ Invoke external applications
    ◦ Support for a wide range of scripting: JavaScript, Zest, Python, Groovy
    ◦ Online add-ons marketplace
    ◦ Translated into 20+ languages
  • Intercepting Proxy Website
  • Installing and Configuring ZAP
    ◦ Download and install from https://code.google.com/p/zaproxy/wiki/Downloads
    ◦ Configure the browser to use ZAP as its proxy (FoxyProxy Standard plugin for Firefox)
    ◦ Import the OWASP ZAP Root CA, needed for testing HTTPS sites/apps
  • Installing and Configuring ZAP Demo Time
  • Plug-n-Hack
    ◦ Configuring a browser to work with a security tool can be difficult
    ◦ Proposed standard developed by the Mozilla Security Team
    ◦ Allows browsers and security tools to integrate more easily
    ◦ Allows security tools to expose functionality to the browser
    ◦ Requires Firefox 24+ and a plugin
    ◦ Other tools that support it: Burp Suite, Kali
  • A Few Tips
    ◦ Can use the Linux install on Windows if you don't have rights to install
    ◦ Don't forget to import the certificate
    ◦ If you get "ZAP Error: handshake alert: unrecognized_name" when trying HTTPS, add -Djsse.enableSNIExtension=false to the Java options in zap.sh/zap.bat
  • Testing for vulnerabilities
    ◦ Automated testing: Quick Start, Active Scan
  • Testing for vulnerabilities
    ◦ Directed testing: manually walk through the web app in the browser while ZAP captures the responses, then test further by manipulating the requests
  • Testing for vulnerabilities Demo Time
  • Integrating ZAP with other tools
    ◦ Run external applications: Nikto, sqlmap
  • Integrating ZAP with other tools
    ◦ Generate ModSecurity virtual patching rules from ZAP XML results with zap2modsec.pl
  • Integrating ZAP with other tools Demo Time
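As an added illustration of what a ZAP-to-ModSecurity converter does (my own sketch for this transcript, not zap2modsec.pl and not code from the talk): parse a constructed ZAP-style XML report and emit one path-specific ModSecurity rule per medium/high finding that names a request parameter. The element names follow the layout of ZAP's XML report; the sample report, the whitelist regex and the rule id range are placeholders to be tuned per application.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the shape of a ZAP XML report (not output of a real scan).
SAMPLE_REPORT = """<OWASPZAPReport version="2.3.0">
  <site name="http://example.test" host="example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <uri>http://example.test/search.cfm?q=x</uri>
        <param>q</param>
      </alertitem>
      <alertitem>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <uri>http://example.test/</uri>
        <param></param>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""

def parse_alerts(xml_text):
    """Pull the fields a virtual patch needs out of each <alertitem>."""
    alerts = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        alerts.append({
            "name": item.findtext("alert", ""),
            "risk": int(item.findtext("riskcode", "0")),
            "path": urlparse(item.findtext("uri", "")).path,
            "param": (item.findtext("param") or "").strip(),
        })
    return alerts

def virtual_patch_rules(alerts, start_id=900000, min_risk=2):
    """One chained ModSecurity rule per medium/high alert that names a parameter:
    block requests to that exact path whose parameter strays outside a
    conservative whitelist. Low/informational findings and header issues are
    skipped, since they have no parameter a WAF rule could constrain."""
    rules = []
    for n, a in enumerate(x for x in alerts if x["risk"] >= min_risk and x["param"]):
        name = a["name"].replace("'", "")  # keep the msg action well-formed
        rules.append(
            f'SecRule REQUEST_FILENAME "@streq {a["path"]}" '
            f'"id:{start_id + n},phase:2,t:none,t:urlDecodeUni,t:normalizePath,'
            f"block,msg:'ZAP virtual patch: {name}',chain\"\n"
            f'    SecRule ARGS:{a["param"]} "!@rx ^[A-Za-z0-9 _.-]*$" "t:none"'
        )
    return rules
```

The generated rule is a stop-gap that narrows the attack surface until the application code is fixed; the whitelist must be widened to whatever the real parameter legitimately accepts, or it will block valid traffic.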
  • Please be sure to fill out evaluations
    ◦ Blog: http://www.dcepler.net
    ◦ Email: [email protected]
    ◦ Twitter: @dcepler
    ◦ Q&A - Thanks
  • Resources
    ◦ OWASP Zed Attack Proxy Project
    ◦ Plug-n-Hack
    ◦ Issue 704: ZAP Error: handshake alert: unrecognized_name
    ◦ ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy