OWASP 2013 APPSEC USA Talk - OWASP ZAP


Transcript of OWASP 2013 APPSEC USA Talk - OWASP ZAP

ZAP Innovations
OWASP
Zed Attack Proxy

Simon Bennetts

OWASP ZAP Project Lead
Mozilla Security
[email protected]

What is ZAP?

An easy to use webapp pentest tool

Completely free and open source

An OWASP flagship project

Ideal for beginners

But also used by professionals

Ideal for devs, esp. for automated security tests

Becoming a framework for advanced testing

Included in all major security distributions

Not a silver bullet!

ZAP Principles

Free, Open source

Involvement actively encouraged

Cross platform

Easy to use

Easy to install

Internationalized

Fully documented

Work well with other tools

Reuse well regarded components

Statistics

Released September 2010, fork of Paros

V 2.2.2 released in Sept 2013

V 2.1.0 downloaded > 25K times

Translated into 20+ languages

Over 50 translators

Mostly used by Professional Pentesters?

Paros code: ~20%
ZAP code: ~80%

Ohloh Statistics

Very High Activity

The most active OWASP Project

28 active contributors

236 years of effort

Source: http://www.ohloh.net/p/zaproxy

User Questionnaire

The Main Features

All the essentials for web application testing

Intercepting Proxy

Active and Passive Scanners

Traditional and Ajax Spiders

WebSockets support

Forced Browsing (using OWASP DirBuster code)

Fuzzing (using fuzzdb & OWASP JBroFuzz)

Online Add-ons Marketplace

Some Additional Features

Auto tagging

Port scanner

Script Console

Report generation

Smart card support

Contexts and scope

Session management

Invoke external apps

Dynamic SSL Certificates

How can you use ZAP?

Point and shoot: the Quick Start tab

Proxying via ZAP, and then scanning

Manual pentesting

Automated security regression tests

As a debugger

As part of a larger security program

Security Regression Tests

http://code.google.com/p/zaproxy/wiki/SecRegTests

ZAP Embedded

ThreadFix (Denim Group): software vulnerability aggregation and management system

Minion (Mozilla): security automation platform

Ajax Spider via Crawljax: Guifre Ruiz

WebSockets support: Robert Kock

New Spider plus Session awareness: Cosmin Stefan

All included since 2.1.0

Enhanced HTTP Session Handling: Cosmin Stefan

SAML 2.0: Pulasthi Mahawithana

Advanced Reporting using BIRT: Rauf Butt

CMS Scanner: Abdelhadi Azouni

Dynamically Configurable Actions: Alessandro Secco

Enhanced Sessions

Student: Cosmin Stefan, studying for an MSc at University of Denmark

Mentor: Guifre Ruiz (GSoC student 2012)

Project: Pluggable, fully integrated session and authentication, (semi) automation of access control testing, a platform to build on

Status: Committed into the trunk

SAML 2.0

Student: Pulasthi Mahawithana, studying at University of Moratuwa, Sri Lanka

Mentors: Prasad Shenoy, Kevin Wall

Project: Detect, decode and fuzz SAML messages, simulate XSW attacks

Status: Alpha add-on available now

Advanced Reporting

Student: Rauf Butt, studying at Regent's College, London

Mentor: Johanna Curiel

Project: Flexible, pluggable and highly configurable BIRT generated reports

Status: Code committed, add-on available soon?

CMS Scanner

Student: Abdelhadi Azouni, studying at High School of Computer Science, Algiers

Mentor: Mennouchi Islam Azedine

Project: Fingerprint CMS software and versions, enumerate vulnerabilities in core, plugins or templates

Status: Code committed, add-on available soon?

Dynamic actions

Student: Alessandro Secco, studying at University Padua, Italy

Mentor: Simon Bennetts

Project: Provide a very simple and flexible way to extend ZAP, replace old Paros Filters

Status: Code committed, add-on included in 2.2.0

More new stuff

New add-ons:
Technology detection using Wappalyzer
HTTPS Info

New / updated scan rules:
Command injection
Code injection
XPath injection
SQL injection (inc. a port of SQLMap core)

Even more new stuff

New active scan targets and formats:
HTTP headers + Cookies
Multipart Forms
XML
JSON
Google Web Toolkit
OData

Demo Time

Plug-n-Hack Phase 1

Allow browsers and security tools to integrate more easily

Allows security tools to expose functionality to browsers

Proposed standard

Developed by Mozilla Security Team

Browser and security tool independent

Tools signed up:
Firefox (via an add-on)
ZAP (ditto)
Minion
Burp Suite
OWASP OWTF
Kali

Plug-n-Hack

Scripting

Previously just supported 'run now' scripts

Scripting is now embedded into ZAP

Different types of scripts:
Stand alone: as now
Targeted: specify URLs to run against
Active: run in the Active scanner
Passive: run in the Passive scanner
Proxy: run 'inline'

Zest - Overview

An experimental scripting language

Developed by Mozilla Security Team

Free and open source (of course)

Format: JSON, designed to be represented visually in security tools

Tool independent: can be used in open and closed, free or commercial software

Is included by default in ZAP from 2.2.0

Will replace filters (Alessandro's project)

Zest Use cases

Reporting vulnerabilities to companies

Reporting vulnerabilities to developers

Defining tool independent active and passive scan rules

Deep integration with security tools

Zest Passive Scan Rule

Zest - Statements

HTTP(S) Requests

Assertions

Conditionals

Assignments

Actions

Loops

More to come

Zest - Runtime

Java runtime: reference implementation, used by ZAP, but ZAP independent

Runtimes also being developed:
JavaScript
Python

Want to implement another one?
We'll help you :)
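To make the "tool independent passive scan rule" use case and the statement types above concrete, here is an added example that is not part of the talk and not the project's code: a tiny Python interpreter for a Zest-style rule. The JSON shape (statement names, fields) is my own simplified assumption, not the real Zest schema; the rule flags responses that lack a restrictive X-Frame-Options header.

```python
import json
import re

# Constructed, simplified Zest-style passive scan rule (assumed shape, not
# the real Zest JSON schema): a list of statements evaluated against one
# HTTP response. An assertion gates the rest; a conditional branches on a
# regex match; a "fail" action reports a finding with a message.
RULE = json.dumps({
    "title": "Missing X-Frame-Options (illustrative)",
    "statements": [
        {"type": "assertStatusCode", "code": 200},
        {"type": "conditionalRegex", "component": "headers",
         "regex": r"(?im)^X-Frame-Options:\s*(DENY|SAMEORIGIN)\s*$",
         "then": [],
         "else": [{"type": "actionFail", "message":
                   "Response lacks a restrictive X-Frame-Options header"}]},
    ],
})

def run_rule(rule_json, response):
    """Interpret a rule against a response dict with 'status', 'headers'
    and 'body'. Returns the finding messages (empty means it passed)."""
    rule = json.loads(rule_json)
    findings = []
    run_statements(rule["statements"], response, findings)
    return findings

def run_statements(statements, response, findings):
    for stmt in statements:
        kind = stmt["type"]
        if kind == "assertStatusCode":
            # A failed assertion stops the script: nothing more to check.
            if response["status"] != stmt["code"]:
                return
        elif kind == "conditionalRegex":
            text = response[stmt["component"]]
            branch = "then" if re.search(stmt["regex"], text) else "else"
            run_statements(stmt[branch], response, findings)
        elif kind == "actionFail":
            findings.append(stmt["message"])
        else:
            raise ValueError("unsupported statement: " + kind)

# Constructed sample responses: one hardened, one missing the header.
HARDENED = {"status": 200, "body": "<html></html>",
            "headers": "Content-Type: text/html\r\nX-Frame-Options: DENY\r\n"}
UNPROTECTED = {"status": 200, "body": "<html></html>",
               "headers": "Content-Type: text/html\r\n"}

if __name__ == "__main__":
    print(run_rule(RULE, HARDENED))      # -> []
    print(run_rule(RULE, UNPROTECTED))   # -> one finding about X-Frame-Options
```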

Plug-n-Hack Phase 2

Allows browsers to expose functionality to security tools

This phase doesn't need browser plugins

Work in progress!

Inject javascript into 'monitored pages'

Heartbeat shows which pages are alive

Intercept and change postMessages

Fuzz postMessages

DOM XSS oracle

ZAP Hackathon!

Tomorrow Thursday 21st 9am - 1pm

Learn how to work on ZAP:
Active/Passive scan rules
Scripts
Add-ons
Localization
Documentation

Will include demos plus plenty of time to work on ZAP

Conclusion

ZAP is changing rapidly

New features are being introduced which exceed the capabilities of other tools

We're implementing functionality so that it can be reused in other tools

It's a community based tool, get involved!

We want feedback: fill in the Questionnaire! (linked from the ZAP homepage)

Come along to the Hackathon tomorrow :)

Questions?

http://www.owasp.org/index.php/ZAP

The OWASP Foundation
http://www.owasp.org

Copyright The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.