The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP AppSecAsia-Pacific 2012
An Introduction to ZAP
The OWASP Zed Attack Proxy
Simon Bennetts
OWASP ZAP Project Lead
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
ZAP Principles
• Free, open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components
Statistics
• Released September 2010, fork of Paros
• V 1.3.4 downloaded 15,000 times
• V 1.4 alpha just released
• Fully internationalized
• Translated into 11 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Persian, Polish, Spanish
• Mostly used by Professional Pentesters?
• Paros code: ~40%, ZAP code: ~60%
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Extensibility
The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling
New in Version 1.4
• Syntax highlighting
• Fuzzdb integration
• Parameter analysis
• Enhanced XSS scanner
• Pluggable extensions
• Reveal hidden fields
• Some of the Watcher checks
• Lots of bug fixes!
Extending ZAP
• Invoking applications directly
• REST API
• Filters
• Active Scan Rules
• Passive Scan Rules
• Full Extensions: https://code.google.com/p/zap-extensions/
Security Regression Tests
http://code.google.com/p/bodgeit/wiki/RegTests
Collaborations
• Dradis – ZAP upload plugin
• OWASP AJAX Crawling Tool
• OWASP ModSecurity Core Rule Set script – SpiderLabs
• ThreadFix – Denim Group
• Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young
• Grey-box plugin – BCC Risk Advisory
Work In Progress
• Enhance scanners to detect more vulnerabilities
• Extend API, Ant and Maven integration
• Easier to use, better help
• Improved stability
• Session analysis
The Future
• Closer integration with OWASP AJAX Tool
• Support for SPDY and WebSockets
• Extensions marketplace
• Full scripting support
• Configurable Actions
• Fuzzing analysis
• What do you want??
Any Questions?
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project