2014 ZAP Workshop 1: Getting Started

The first of a series of workshops on OWASP ZAP delivered remotely to OWASP Canberra.

  1. The OWASP Foundation, http://www.owasp.org. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP Canberra 2014, OWASP ZAP Workshop 1: Getting started. Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team, psiinon@gmail.com
  2. The plan • Introduction • The main bit • Demo feature • Let you play with feature • Answer any questions • Repeat • Plans for the future sessions
  3. What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing • Included in all major security distributions • ToolsWatch.org Top Security Tool of 2013 • Not a silver bullet!
  4. ZAP Principles • Free, open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components
  5. Statistics • Released September 2010, fork of Paros • V 2.3.1 released in May 2014 • V 2.3.1 downloaded > 35K times • Translated into 20+ languages • Over 90 translators • Mostly used by professional pentesters? • Paros code: ~20%, ZAP code: ~80%
  6. Open HUB Statistics • Very high activity • The most active OWASP project • 31 active contributors • 327 years of effort. Source: https://www.openhub.net/p/zaproxy
  7. Some ZAP use cases • Point and shoot – the Quick Start tab • Proxying via ZAP, and then scanning • Manual pentesting • Automated security regression tests • Debugging • Part of a larger security program
  8. The BodgeIt Store • A simple vulnerable web app • Easy to install, minimal dependencies • In-memory DB • Scoring page – how well can you do?
  9. The ZAP UI • Top level menu • Top level toolbar • Tree window • Workspace window • Information window • Footer
  10. Quick Start – Attack • Specify one URL • ZAP will spider that URL • Then perform an Active Scan • And display the results • Simple and effective • Little control, and can't handle authentication
  11. Proxying via ZAP • Plug-n-Hack is the easiest option, if using Firefox • Otherwise manually configure your browser to proxy via ZAP • And import the ZAP root CA • Requests made via your browser should appear in the Sites & History tabs • IE – don't “Bypass proxy for local addresses”
  12. Practical 1 • Try out the Quick Start – Attack • Configure your browser to proxy via ZAP • Manually explore your target application
  13. The Spiders • Traditional Spider • Fast • Can't handle JavaScript very well • AJAX Spider • Launches a browser • Slower • Can handle JavaScript
  14. Practical 2 • Use the 'traditional' spider on your target application • Use the AJAX spider on your target application • If you're using BodgeIt – can you find the 'hidden' content?
  15. Active and Passive Scanning • Passive Scanning is safe • Active Scanning is NOT safe • Only use it on apps you have permission to test • Launch via the tab or the 'Attack' right-click menu • Effectiveness depends on how well you explored your app
  16. Practical 3 • Review the Passive issues already found • Run the Active Scanner on your target application • If you're using BodgeIt: • Can you login as user1 or admin? • Can you get an “XSS” popup?
  17. Intercepting and changing • Break on all requests • Break on all responses • Submit and step • Submit and continue • Bin the request or response • Add a custom HTTP break point
  18. Practical 4 • Intercept and change requests and responses • Use custom break points just on a specific page • If you're using BodgeIt – can you make some money via the basket?
  19. Some final pointers • Generating reports • Save sessions at the start • Right click everywhere • Play with the UI options • Explore the ZAP Marketplace • F1: The User Guide • Menu: Online / ZAP User Group
  20. Future Sessions? • Fuzzing • Advanced Active Scanning • Contexts • Authentication • Scripts • Zest • The API • Websockets • What do you want??
  21. Any Questions? http://www.owasp.org/index.php/ZAP
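The Quick Start "Attack" flow from slide 10 (spider one URL, active scan it, show the results) driven through ZAP's local JSON API instead of the UI, so it can serve as one of the automated regression tests slide 7 lists. This is an added example, not code from the workshop or the ZAP project; it assumes ZAP is listening on localhost:8080 and that the API key is held in a ZAP_API_KEY environment variable (both assumptions), and it uses only the standard library.

```python
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumption: ZAP's default listen address


def api_url(component, kind, name, params, base=ZAP_BASE, apikey=""):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params)
    if apikey:
        query["apikey"] = apikey
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def http_json(url):
    """GET a ZAP API URL directly (bypassing any system proxy) and decode the JSON body."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for(component, scan_id, fetch, apikey="", poll=2.0):
    """Poll the spider or ascan status view until it reports 100 percent."""
    while True:
        status = fetch(api_url(component, "view", "status",
                               {"scanId": scan_id}, apikey=apikey))
        if int(status["status"]) >= 100:
            return
        time.sleep(poll)


def quick_start_attack(target, fetch=http_json, apikey=None, poll=2.0):
    """Spider target, then active scan it (slide 15: only on apps you may test),
    returning alert names grouped by ZAP risk level (High/Medium/Low/Informational)."""
    if apikey is None:
        apikey = os.environ.get("ZAP_API_KEY", "")  # assumption: key kept in env var
    spider = fetch(api_url("spider", "action", "scan", {"url": target}, apikey=apikey))
    wait_for("spider", spider["scan"], fetch, apikey, poll)
    ascan = fetch(api_url("ascan", "action", "scan", {"url": target}, apikey=apikey))
    wait_for("ascan", ascan["scan"], fetch, apikey, poll)
    alerts = fetch(api_url("core", "view", "alerts", {"baseurl": target}, apikey=apikey))
    summary = {}
    for alert in alerts["alerts"]:
        summary.setdefault(alert["risk"], []).append(alert["alert"])
    return summary
```

The `fetch` callable is injectable so the same flow can be exercised against canned API responses without a running ZAP instance.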