
An Introduction to ZAP The OWASP Zed Attack Proxy

OWASP AppSec Asia-Pacific 2012. Simon Bennetts, OWASP ZAP Project Lead, psiinon@gmail.com.


Presentation Transcript


  1. OWASP AppSec Asia-Pacific 2012 An Introduction to ZAP, The OWASP Zed Attack Proxy • Simon Bennetts • OWASP ZAP Project Lead • psiinon@gmail.com

  2. What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • An OWASP flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing

  3. ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components

  4. Statistics • Released September 2010, fork of Paros • V 1.3.4 downloaded 15,000 times • V 1.4 alpha just released • Fully internationalized • Translated into 11 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Persian, Polish, Spanish • Mostly used by Professional Pentesters? • Paros code: ~40% Zap Code: ~60%

  5. The Main Features • All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Spider • Report Generation • Brute Force (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Extensibility

  6. The Additional Features • Auto tagging • Port scanner • Smart card support • Session comparison • Invoke external apps • BeanShell integration • API + Headless mode • Dynamic SSL Certificates • Anti CSRF token handling

  9. New in Version 1.4 • Syntax highlighting • Fuzzdb integration • Parameter analysis • Enhanced XSS scanner • Pluggable extensions • Reveal hidden fields • Some of the Watcher checks • Lots of bug fixes!

  10. Extending ZAP • Invoking applications directly • REST API • Filters • Active Scan Rules • Passive Scan Rules • Full Extensions https://code.google.com/p/zap-extensions/

  11. Security Regression Tests • http://code.google.com/p/bodgeit/wiki/RegTests

  12. Collaborations • Dradis – ZAP upload plugin • OWASP AJAX Crawling Tool • OWASP ModSecurity Core Rule Set script – SpiderLabs • ThreadFix – Denim Group • Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young • Grey-box plugin – BCC Risk Advisory

  13. Work In Progress • Enhance scanners to detect more vulnerabilities • Extend API, Ant and Maven integration • Easier to use, better help • Improved stability • Session analysis

  15. The Future • Closer integration with OWASP AJAX Tool • Support for SPDY and WebSockets • Extensions marketplace • Full scripting support • Configurable Actions • Fuzzing analysis • What do you want??

  16. Any Questions? http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
