OWASP AppSec                                                                                                   The OWASP F...
What is ZAP?•   An easy to use webapp pentest tool•   Completely free and open source•   An OWASP flagship project•   Idea...
ZAP Principles•   Free, Open source•   Involvement actively encouraged•   Cross platform•   Easy to use•   Easy to install...
Statistics• Released September 2010, fork of Paros• V 1.4.0 downloaded 19,000 times• V 1.4.1 released in August• Downloade...
The Main FeaturesAll the essentials for web application testing• Intercepting Proxy• Active and Passive Scanners• Spider• ...
The Additional Features•   Auto tagging•   Port scanner•   Smart card support•   Session comparison•   Invoke external app...
New in Version 1.4• Syntax highlighting• Fuzzdb integration• Parameter analysis• Enhanced XSS scanner• Plugable extensions...
Extending ZAP• Invoking applications directly• REST API• Filters• Active Scan Rules• Passive Scan Rules• Full Extensions  ...
SecurityRegression Testshttp://code.google.com/p/zaproxy/wiki/SecRegTests                                                 ...
Collaborations• Dradis – ZAP upload plugin• OWASP ModSecurity Core Rule Set    script – SpiderLabs• ThreadFix – Denim Grou...
ZAP 2.0
●    New Spider plus Session awareness    Cosmin Stefan
●    New Spider plus Session awareness    Cosmin Stefan
●    New Spider plus Session awareness    Cosmin Stefan●    Ajax Spider via Crawljax    Guifre Ruiz
●    New Spider plus Session awareness    Cosmin Stefan●    Ajax Spider via Crawljax    Guifre Ruiz
●    New Spider plus Session awareness    Cosmin Stefan●    Ajax Spider via Crawljax    Guifre Ruiz●    WebSockets support...
●    New Spider plus Session awareness    Cosmin Stefan●    Ajax Spider via Crawljax    Guifre Ruiz●    WebSockets support...
MORE planned 2.0 features• Session Scope• Modes                            21
MORE planned 2.0 features• Session Scope• Modes• Script Console                            23
MORE planned 2.0 features• Session Scope• Modes• Script Console• Authentication management                              25
MORE planned 2.0 features• Session Scope• Modes• Script Console• Authentication management• New / updated scanner rules• F...
Any Questions?http://www.owasp.org/index.php/ZAP
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Upcoming SlideShare
Loading in...5
×

OWASP 2012 AppSec Dublin ZAP Intro

5,391

Published on

Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation at AppSec Dublin 2012.
For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Published in: Technology

OWASP 2012 AppSec Dublin ZAP Intro

  1. 1. OWASP AppSec The OWASP FoundationDublin 2012 http://www.owasp.org An Introduction to ZAP OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team Copyright © The OWASP Foundation psiinon@gmail.com Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  2. 2. What is ZAP?• An easy to use webapp pentest tool• Completely free and open source• An OWASP flagship project• Ideal for beginners• But also used by professionals• Ideal for devs, esp. for automated security tests• Becoming a framework for advanced testing 2
  3. 3. ZAP Principles• Free, Open source• Involvement actively encouraged• Cross platform• Easy to use• Easy to install• Internationalized• Fully documented• Work well with other tools• Reuse well regarded components 3
  4. 4. Statistics• Released September 2010, fork of Paros• V 1.4.0 downloaded 19,000 times• V 1.4.1 released in August• Downloaded ~ 5,000 times• Translated into 11 languages• Mostly used by Professional Pentesters?• Paros code: ~30% ZAP Code: ~70% 4
  5. 5. The Main FeaturesAll the essentials for web application testing• Intercepting Proxy• Active and Passive Scanners• Spider• Report Generation• Brute Force (using OWASP DirBuster code)• Fuzzing (using fuzzdb & OWASP JBroFuzz)• Extensibility 5
  6. 6. The Additional Features• Auto tagging• Port scanner• Smart card support• Session comparison• Invoke external apps• API + Headless mode• Dynamic SSL Certificates• Anti CSRF token handling 6
  7. 7. New in Version 1.4• Syntax highlighting• Fuzzdb integration• Parameter analysis• Enhanced XSS scanner• Plugable extensions• Reveal hidden fields• Some of the Watcher checks• Lots of bug fixes! 7
  8. 8. Extending ZAP• Invoking applications directly• REST API• Filters• Active Scan Rules• Passive Scan Rules• Full Extensions https://code.google.com/p/zap-extensions/ 8
  9. 9. SecurityRegression Testshttp://code.google.com/p/zaproxy/wiki/SecRegTests 9
  10. 10. Collaborations• Dradis – ZAP upload plugin• OWASP ModSecurity Core Rule Set script – SpiderLabs• ThreadFix – Denim Group• Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young• Grey-box plugin – BCC Risk Advisory 10
  11. 11. ZAP 2.0
  12. 12. ● New Spider plus Session awareness Cosmin Stefan
  13. 13. ● New Spider plus Session awareness Cosmin Stefan
  14. 14. ● New Spider plus Session awareness Cosmin Stefan● Ajax Spider via Crawljax Guifre Ruiz
  15. 15. ● New Spider plus Session awareness Cosmin Stefan● Ajax Spider via Crawljax Guifre Ruiz
  16. 16. ● New Spider plus Session awareness Cosmin Stefan● Ajax Spider via Crawljax Guifre Ruiz● WebSockets support Robert Kock
  17. 17. ● New Spider plus Session awareness Cosmin Stefan● Ajax Spider via Crawljax Guifre Ruiz● WebSockets support Robert Kock
  18. 18. MORE planned 2.0 features• Session Scope• Modes 21
  19. 19. MORE planned 2.0 features• Session Scope• Modes• Script Console 23
  20. 20. MORE planned 2.0 features• Session Scope• Modes• Script Console• Authentication management 25
  21. 21. MORE planned 2.0 features• Session Scope• Modes• Script Console• Authentication management• New / updated scanner rules• Fine grain rule controls?• Extension Marketplace?• Full Scripting support? 27
  22. 22. Any Questions?http://www.owasp.org/index.php/ZAP
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×