Web Testing with OWASP ZED Application Proxy (ZAP)
@MikeLandeck
CactusCon 2014
How ZAP Works
1. Tester enters input in the browser
2. Browser directs the input to ZAP
3. ZAP proxies the request to the web server
4. Web server responds
5. Tester views the response in ZAP
6. ZAP proxies the response back to the browser
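The flow above, as an added example that is not part of the original slides or of ZAP itself: a toy intercepting proxy on the loopback interface, an origin server standing in for the web server, and a client that, like a browser configured to proxy through 127.0.0.1:8080, hands the full URL to the proxy. Everything the proxy relays is recorded in CAPTURED, which is what the tester inspects in ZAP.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CAPTURED = []  # every request/response pair the proxy relayed (what ZAP lets the tester view)

class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in for the web server: echoes back the path it received."""
    def do_GET(self):
        body = f"origin saw {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class ProxyHandler(BaseHTTPRequestHandler):
    """Relays each request to the origin, records it, returns the response."""
    def do_GET(self):
        url = urlsplit(self.path)  # a proxied request line carries the full URL
        target = url.path + (f"?{url.query}" if url.query else "")
        conn = http.client.HTTPConnection(url.hostname, url.port, timeout=5)
        conn.request("GET", target)
        resp = conn.getresponse()
        body = resp.read()
        CAPTURED.append({"request": f"GET {self.path}", "status": resp.status,
                         "response": body.decode()})
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(handler):
    """Start a server on a free loopback port; return (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def run_demo():
    """Send one request through the proxy; return (body the client got, captured log)."""
    origin, origin_port = serve(OriginHandler)
    proxy, proxy_port = serve(ProxyHandler)
    client = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    # Like a browser set to proxy via 127.0.0.1:8080, send the whole URL to the proxy.
    client.request("GET", f"http://127.0.0.1:{origin_port}/login?user=alice")
    body = client.getresponse().read().decode()
    origin.shutdown()
    proxy.shutdown()
    return body, list(CAPTURED)
```

Calling run_demo() returns the origin's reply together with one captured entry showing the request line the proxy saw and the response it relayed.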
Launch Iceweasel
Or you can simply type “iceweasel” at the command prompt
ZAP Set-up
1. From Iceweasel, open the Preferences console by clicking Edit > Preferences
2. Click the Network tab
3. Click Settings
Configure the Proxy
1. Select “Manual proxy configuration”
2. HTTP Proxy = 127.0.0.1
3. Port = 8080
Open ZAP
Applications > Kali Linux > Web Applications > Web Application Proxies > owasp-zap
Or you can just type “zap” at the command line
ZAP Demos
1. Options Menu
   1. Active Scan Settings
   2. Authentication
2. Manual Inspection
   1. Sites
   2. Alerts
3. Encode/Decode
4. Active Scan
5. Forced Browse
6. Save
7. Report
ZAP Report
Rule Out False Positives
You may not be able to rule all the false positives yourself.
As a tester, it is completely acceptable to request a developer, architect, system admin or application admin to help you make sense of a finding.