An Introduction to ZAP The OWASP Zed Attack Proxy OWASP AppSec Simon Bennetts
OWASP AppSec The OWASP Foundation http://www.owasp.org Asia-Pacific 2012 An Introduction to ZAP The OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead [email protected] Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • An OWASP flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing 2 ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3 Statistics • Released September 2010, fork of Paros • V 1.3.4 downloaded 15,000 times • V 1.4 alpha just released • Fully internationalized • Translated into 11 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Persian, Polish, Spanish • Mostly used by Professional Pentesters? • Paros code: ~40% Zap Code: ~60% 4 The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Spider • Report Generation • Brute Force (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Extensibility 5 The Additional Features • Auto tagging • Port scanner • Smart card support • Session comparison • Invoke external apps • BeanShell integration • API + Headless mode • Dynamic SSL Certificates • Anti CSRF token handling 6 New in Version 1.4 • Syntax highlighting 7 8 New in Version 1.4 • Syntax highlighting • Fuzzdb integration • Parameter analysis 9 10 New in Version 1.4 • Syntax highlighting • Fuzzdb integration • Parameter analysis • Enhanced XSS scanner • Plugable extensions • Reveal hidden fields • Some of the Watcher checks • Lots of bug fixes! 11 Extending ZAP • • • • • • Invoking applications directly REST API Filters Active Scan Rules Passive Scan Rules Full Extensions https://code.google.com/p/zap-extensions/ 12 Security Regression Tests http://code.google.com/p/bodgeit/wiki/RegTests 13 Collaborations • Dradis – ZAP upload plugin • OWASP AJAX Crawling Tool • OWASP ModSecurity Core Rule Set script – SpiderLabs • ThreadFix – Denim Group • Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young • Grey-box plugin – BCC Risk Advisory 14 Work In Progress • Enhance scanners to detect more vulnerabilities • Extend API, Ant and Maven integration • Easier to use, better help • Improved stability • Session analysis 15 16 Work In Progress • Enhance scanners to detect more vulnerabilities • Extend API, Ant and Maven integration • Easier to use, better help • Improved stability • Session analysis • 17 The Future • Closer integration with OWASP AJAX Tool • Support for SPDY and WebSockets • Extensions marketplace • Full scripting support • Configurable Actions • Fuzzing analysis • What do you want?? 18 Any Questions? http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
© Copyright 2024