OWASP 2013 APPSEC USA Talk - OWASP ZAP

  • 2,625 views
Uploaded on

A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). …

A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
2,625
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
34
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. The OWASP Foundation http://www.owasp.org ZAP Innovations OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. What is ZAP? • • • • • • • • • An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing Included in all major security distributions Not a silver bullet! 2
  • 3. ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3
  • 4. Statistics • Released September 2010, fork of Paros • V 2.2.2 released in Sept 2013 • V 2.1.0 downloaded > 25K times • Translated into 20+ languages • Over 50 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80% 4
  • 5. Ohloh Statistics • Very High Activity • The most active OWASP Project • 28 active contributors • 236 years of effort Source: http://www.ohloh.net/p/zaproxy 5
  • 6. User Questionnaire 6
  • 7. The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Traditional and Ajax Spiders • WebSockets support • Forced Browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Online Add-ons Marketplace 7
  • 8. Some Additional Features • Auto tagging • Port scanner • Script Console • Report generation • Smart card support • Contexts and scope • Session management • Invoke external apps • Dynamic SSL Certificates 8
  • 9. How can you use ZAP? • • • • • • Point and shoot – the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests As a debugger As part of a larger security program 9
  • 10. SecurityRegression Tests http://code.google.com/p/zaproxy/wiki/SecRegTests 10
  • 11. ZAP – Embedded ThreadFix – Denim Group Software vulnerability aggregation and management system Minion – Mozilla Security automation platform 11
  • 12.    New Spider plus Session awareness Cosmin Stefan Ajax Spider via Crawljax Guifre Ruiz WebSockets support Robert Kock All included since 2.1.0
  • 13. • Enhanced HTTP Session Handling Cosmin Stefan • SAML 2.0 Pulasthi Mahawithana • Advanced Reporting using BIRT Rauf Butt • CMS Scanner Abdelhadi Azouni • Dynamically Configurable Actions Alessandro Secco
  • 14. Enhanced Sessions • Student: Cosmin Stefan – Studying for MSc at University of Denmark • Mentor: Guifre Ruiz (GSoC student 2012) • Project: Plugable, fully integrated session and authentication, (semi) automation of access control testing, a platform to build on • Status: Committed into the trunk
  • 15. SAML 2.0 • Student: Pulasthi Mahawithana – Studying at University of Moratuwa, Sri Lanka • Mentors: Prasad Shenoy, Kevin Wall • Project: Detect, decode and fuzz SAML messages, simulate XSW attacks • Status: Alpha add-on available now
  • 16. Advanced Reporting • Student: Rauf Butt – Studying at Regent's College, London • Mentors: Johanna Curiel • Project: Flexible, plugable and highly configurable BIRT generated reports • Status: Code committed, add-on available soon?
  • 17. CMS Scanner • Student: Abdelhadi Azouni – Studying at High School of Computer Science, Algiers • Mentors: Mennouchi Islam Azedine • Project: Fingerprint CMS software and versions, enumerate vulnerabilities in core, plugins or templates • Status: Code committed, add-on available soon?
  • 18. Dynamic actions • Student: Alessandro Secco, studying at University Padua, Italy • Mentors: Simon Bennetts • Project: Provide a very simple and flexible way to extend ZAP, replace old Paros Filters • Status: Code committed, add-on included in 2.2.0
  • 19. More new stuff • New add-ons: – Technology detection using Wappalyzer – HTTPS Info • New / updated Scan rules: – Command injection – Code injection – Xpath injection – SQL injection (inc a port of SQLMap core) 19
  • 20. Even more new stuff • New active scan targets and formats – HTTP headers + Cookies – Multipart Forms – XML – JSON – Google Web Toolkit – OData 20
  • 21. Demo Time 21
  • 22. Plug-n-Hack – Phase 1 • Allow browsers and security tools to integrate more easily • Allows security tools to expose functionality to browsers • “Proposed standard” • Developed by Mozilla Security Team • Browser and security tool independent
  • 23. Plug-n-Hack Tools signed up: – Firefox (via an add-on) – ZAP (ditto) – Minion – Burp Suite – OWASP OWTF – Kali
  • 24. Scripting • Previously just supported 'run now' scripts • Scripting is now embedded into ZAP • Different types of scripts – Stand alone As now – Targeted Specify URLs to run against – Active Run in Active scanner – Passive Run in Passive scanner – Proxy Run 'inline'
  • 25. Zest - Overview • • • • An experimental scripting language Developed by Mozilla Security Team Free and open source (of course) Format: JSON – designed to be represented visually in security tools • Tool independent – can be used in open and closed, free or commercial software • Is included by default in ZAP from 2.2.0 • Will replace filters – Alessandro's project
  • 26. Zest – Use cases • Reporting vulnerabilities to companies • Reporting vulnerabilities to developers • Defining tool independent active and passive scan rules • Deep integration with security tools
  • 27. Zest – Passive Scan Rule
  • 28. Zest - Statements • • • • • • • HTTP(S) Requests Assertions Conditionals Assignments Actions Loops More to come …
  • 29. Zest - Runtime • Java runtime: reference implementation, used by ZAP, but ZAP independent • Runtimes also being developed: – Javascript – Python • Want to implement another one? We'll help you :)
  • 30. Plug-n-Hack – Phase 2 • Allows browsers to to expose functionality to security tools • • • • • • • This phase doesn't need browser plugins Work in progress! Inject javascript into 'monitored pages' Heartbeat shows which pages are alive Intercept and change postMessages Fuzz postMessages DOM XSS oracle
  • 31. ZAP Hackathon! • Tomorrow – Thursday 21 9am - 1pm • Learn how to work on ZAP: st – Active/Passive scan rules – Scripts – Add-ons – Localization – Documentation • Will include demos plus plenty of time to work on ZAP
  • 32. Conclusion • ZAP is changing rapidly • New features are being introduced which exceed the capabilities of other tools • We're implementing functionality so that it can be reused in other tools • Its a community based tool – get involved! • We want feedback - fill in the Questionnaire! (linked of ZAP homepage) • Come along to the Hackathon tomorrow :)
  • 33. Questions? http://www.owasp.org/index.php/ZAP