The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP AppSecAsia-Pacific 2012
An Introduction to ZAP
The OWASP Zed Attack Proxy
Simon Bennetts
OWASP ZAP Project Lead
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components
Statistics
• Released September 2010, fork of Paros
• V 1.3.4 downloaded 15,000 times
• V 1.4 alpha just released
• Fully internationalized
• Translated into 11 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Persian, Polish, Spanish
• Mostly used by Professional Pentesters?
• Paros code: ~40%, ZAP code: ~60%
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Extensibility
The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling
New in Version 1.4
• Syntax highlighting
• Fuzzdb integration
• Parameter analysis
• Enhanced XSS scanner
• Pluggable extensions
• Reveal hidden fields
• Some of the Watcher checks
• Lots of bug fixes!
Extending ZAP
• Invoking applications directly
• REST API
• Filters
• Active Scan Rules
• Passive Scan Rules
• Full Extensions: https://code.google.com/p/zap-extensions/
Security Regression Tests
http://code.google.com/p/bodgeit/wiki/RegTests
Collaborations
• Dradis – ZAP upload plugin
• OWASP AJAX Crawling Tool
• OWASP ModSecurity Core Rule Set script – SpiderLabs
• ThreadFix – Denim Group
• Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young
• Grey-box plugin – BCC Risk Advisory
Work In Progress
• Enhance scanners to detect more vulnerabilities
• Extend API, Ant and Maven integration
• Easier to use, better help
• Improved stability
• Session analysis
The Future
• Closer integration with OWASP AJAX Tool
• Support for SPDY and WebSockets
• Extensions marketplace
• Full scripting support
• Configurable Actions
• Fuzzing analysis
• What do you want??
Any Questions?
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project