OWASP ZAP


  1. Using OWASP ZAP to find vulnerabilities in your web apps • David Epler, Security Architect • depler@aboutweb.com
  2. About Me • Primarily an application developer • Contributor to Learn CF In a Week • Created Unofficial Updater 2 to patch Adobe ColdFusion 8.0.1 & 9.0.x • OWASP Individual Member • OWASP ZAP Evangelist
  3. What is OWASP Zed Attack Proxy (ZAP)? • An easy-to-use web application penetration testing tool • Completely free and open source (no paid PRO version) • OWASP flagship project • Included in major security distributions (Kali, Samurai WTF, etc.)
  4. Brief ZAP History • Fork of Paros Proxy by Simon Bennetts • Code: Paros ~20%, ZAP ~80% • 1st release September 2010 • Adopted by OWASP October 2010 • Now at 2.3.0, with a roadmap to 2.4.0+ • Best Security Tool of 2013 as voted by ToolsWatch.org readers
  5. Why use ZAP? • Ideal for beginners and developers, also used by professional pen testers • Point and shoot via the Quick Start tab • Manual penetration testing • As a debugger • As part of a larger security program: automated security regression tests
  6. Main ZAP Features • Intercepting proxy • Active and passive scanners • Traditional and AJAX spiders • Forced browsing (using OWASP DirBuster) • Fuzzing (using fuzzdb and OWASP JBroFuzz) • Cross platform: built on Java (requires 1.7)
  7. More ZAP Features • WebSockets support • Authentication and session support • Smart card and client digital certificate support • Anti-CSRF token handling • Report generation • Port scanner • Invoke external applications • Support for a wide range of scripting: JavaScript, Zest, Python, Groovy • Online add-ons marketplace • Translated into 20+ languages
  8. Intercepting Proxy Website (diagram slide)
  9. Intercepting Proxy Website (diagram slide)
  10. Installing and Configuring ZAP • Download and install from https://code.google.com/p/zaproxy/wiki/Downloads • Configure the browser to use ZAP as its proxy (FoxyProxy Standard plugin for Firefox) • Import the OWASP ZAP Root CA: needed for testing HTTPS sites/apps (import it only into the browser or profile you test with, since ZAP uses that CA to mint a certificate for every HTTPS host you visit through it)
  11. Installing and Configuring ZAP: Demo Time
  12. Plug-n-Hack • Configuring a browser to work with a security tool can be difficult • Proposed standard developed by the Mozilla Security Team • Allows browsers and security tools to integrate more easily • Allows security tools to expose functionality to the browser • Requires Firefox 24+ and a plugin • Other tools that support it: Burp Suite, Kali
  13. A Few Tips • Can use the Linux install on Windows if you don't have rights to install (the Linux package is an archive that only needs unpacking) • Don't forget to import the certificate • If you get "ZAP Error: handshake alert: unrecognized_name" when trying HTTPS, add -Djsse.enableSNIExtension=false to the Java options in zap.sh/zap.bat (this turns off SNI for all of ZAP's outbound TLS connections, so a server that relies on SNI to choose its certificate may present a different one than the browser would normally see)
  14. Testing for vulnerabilities • Automated testing • Quick Start • Active Scan
  15. Testing for vulnerabilities • Directed testing • Manual: walk through the web app using the browser • ZAP captures the responses; then test further by manipulating the requests
  16. Testing for vulnerabilities: Demo Time
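The "automated security regression tests" use case from slide 5 and the Quick Start / Active Scan flow from slide 14 can be driven without the GUI through ZAP's JSON API. The script below is an added example, not code from the talk or from the ZAP project. It assumes ZAP is already running on 127.0.0.1:8080 with its API enabled (an empty API key is assumed; set API_KEY if your instance requires one), that the target is plain HTTP or that the ZAP Root CA is trusted by Python, and it uses the standard spider/ascan/core endpoints (spider/action/scan, ascan/action/scan, */view/status, core/view/alerts). The gate logic that decides pass/fail is what a CI job would actually assert on, so it is kept separate from the network calls and exercised on a constructed sample of alerts.

```python
"""Drive ZAP's spider and active scan through its JSON API, then fail the
build on findings at or above a chosen risk level (added illustration)."""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"   # assumed ZAP listen address (also its proxy port)
API_KEY = ""                        # assumed: no API key configured

# Risk strings exactly as ZAP reports them in core/view/alerts.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape of ZAP's core/view/alerts output (not real scan data).
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://testapp.local/login.php", "param": "username"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://testapp.local/", "param": ""},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://testapp.local/", "param": "PHPSESSID"},
]


def zap_call(component, kind, name, **params):
    """Call one ZAP JSON API endpoint, e.g. /JSON/spider/action/scan/?url=..."""
    if API_KEY:
        params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def open_through_zap(target):
    """Fetch the target once through ZAP so it appears in the Sites tree (what the
    Quick Start tab does first). HTTPS targets need the ZAP Root CA trusted here."""
    proxy = urllib.request.ProxyHandler({"http": ZAP_API, "https": ZAP_API})
    urllib.request.build_opener(proxy).open(target, timeout=30).read()


def wait_for_scan(component, scan_id, poll_seconds=2):
    """Poll spider/ascan view/status until it reports 100 (percent complete)."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def scan(target):
    """Quick Start equivalent: open the URL, spider it, active scan it, return alerts."""
    open_through_zap(target)
    wait_for_scan("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for_scan("ascan", zap_call("ascan", "action", "scan", url=target)["scan"])
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


def gate_alerts(alerts, fail_at="High", accepted=()):
    """Return the alerts that should fail the build: risk >= fail_at and not on the
    accepted list. accepted holds (alert name, url, param) triples for findings that
    were reviewed and explicitly accepted, so a known issue does not block every run."""
    threshold = RISK_ORDER[fail_at]
    accepted = set(accepted)
    return [a for a in alerts
            if RISK_ORDER.get(a.get("risk"), 0) >= threshold
            and (a.get("alert"), a.get("url"), a.get("param")) not in accepted]


if __name__ == "__main__":
    # With a target URL on the command line the script scans for real;
    # without one it gates the constructed sample so it can run offline.
    alerts = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    failing = gate_alerts(alerts, fail_at="Medium")
    for a in failing:
        print(f"{a['risk']:<8} {a['alert']} at {a['url']} param={a['param']!r}")
    sys.exit(1 if failing else 0)
```

Run it as `python zap_gate.py http://testapp.local` from a job that starts ZAP in daemon mode beforehand; the accepted list should live in version control next to the tests so that suppressing a finding is a reviewed change rather than a silent one.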
  17. Integrating ZAP with other tools • Run external applications • Nikto • sqlmap
  18. Integrating ZAP with other tools • Generate ModSecurity virtual patching rules from ZAP XML results • zap2modsec.pl
  19. Integrating ZAP with other tools: Demo Time
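Slide 18 mentions turning ZAP's XML report into ModSecurity virtual patches with zap2modsec.pl. The Python below is an added illustration of that technique, not the zap2modsec.pl script itself and not ZAP project code. It parses a constructed report laid out like ZAP 2.x's XML export (one alertitem per finding with uri, param, riskcode and pluginid) and, for every High finding that names a request parameter, emits a chained ModSecurity rule: match the vulnerable path, then deny unless the parameter matches an allowlist regex. The allowlist pattern DEFAULT_ALLOWED, the rule ID range and the 403 status are assumptions to be tuned per application; header-type findings with no parameter are skipped because a positive-security rule has nothing to constrain there.

```python
"""Generate ModSecurity virtual-patch rules from a ZAP XML report (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed allowlist for parameter values; tighten or widen per parameter before deploying.
DEFAULT_ALLOWED = r"^[a-zA-Z0-9_@.\-]{1,64}$"

# Constructed sample modeled on ZAP's XML report format (not a real scan result).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.3.0" generated="Thu, 1 May 2014 10:00:00">
  <site name="http://testapp.local" host="testapp.local" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40018</pluginid>
        <alert>SQL Injection</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <uri>http://testapp.local/login.php</uri>
        <param>username</param>
        <attack>ZAP' OR '1'='1' -- </attack>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <uri>http://testapp.local/search.php?q=test</uri>
        <param>q</param>
        <attack>&lt;script&gt;alert(1);&lt;/script&gt;</attack>
      </alertitem>
      <alertitem>
        <pluginid>10020</pluginid>
        <alert>X-Frame-Options Header Not Set</alert>
        <riskcode>2</riskcode>
        <confidence>2</confidence>
        <riskdesc>Medium (Medium)</riskdesc>
        <uri>http://testapp.local/</uri>
        <param></param>
        <attack></attack>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_zap_report(xml_text):
    """Yield one dict per alertitem: alert name, plugin id, numeric risk, path, parameter."""
    root = ET.fromstring(xml_text)
    for item in root.iter("alertitem"):
        uri = item.findtext("uri", "")
        yield {
            "alert": item.findtext("alert", ""),
            "pluginid": item.findtext("pluginid", ""),
            "risk": int(item.findtext("riskcode", "0")),
            "path": urlparse(uri).path or "/",
            "param": (item.findtext("param") or "").strip(),
        }


def virtual_patches(xml_text, min_risk=3, allowed=DEFAULT_ALLOWED, start_id=9000001):
    """Return one chained SecRule pair per (path, parameter) at or above min_risk.
    ZAP risk codes: 0 info, 1 low, 2 medium, 3 high."""
    rules, seen = [], set()
    for f in parse_zap_report(xml_text):
        if f["risk"] < min_risk or not f["param"]:
            continue  # nothing to constrain (e.g. missing-header findings)
        key = (f["path"], f["param"])
        if key in seen:
            continue  # several alerts on the same parameter need only one patch
        seen.add(key)
        rule_id = start_id + len(rules)
        msg = f"Virtual patch: {f['alert']} in {f['param']} (ZAP plugin {f['pluginid']})"
        rules.append(
            f'SecRule REQUEST_FILENAME "@streq {f["path"]}" '
            f'"id:{rule_id},phase:2,t:none,log,deny,status:403,msg:\'{msg}\',chain"\n'
            f'    SecRule ARGS:{f["param"]} "!@rx {allowed}" "t:none"'
        )
    return rules


if __name__ == "__main__":
    import sys
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("\n\n".join(virtual_patches(report)))
```

The generated rules are a stop-gap while the application is fixed: review each allowlist against real traffic (ideally run the rule in DetectionOnly first), because a regex that is too tight blocks legitimate users and one that is too loose blocks nothing.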
  20. Q&A - Thanks • Please be sure to fill out evaluations • Blog: http://www.dcepler.net • Email: depler@aboutweb.com • Twitter: @dcepler
  21. Resources • OWASP Zed Attack Proxy Project • Plug-n-Hack • Issue 704: ZAP Error: handshake alert: unrecognized_name • ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy
