JoinSEC 2013 London - ZAP Intro
Slides from my 'Introduction to ZAP' talk at JoinSEC London 2013
Transcript

  • 1. JoinSEC 2013. The OWASP Foundation, http://www.owasp.org
      An Introduction to ZAP (OWASP Zed Attack Proxy)
      Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team, psiinon@gmail.com
      Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. What is ZAP?
      • An easy to use webapp pentest tool
      • Completely free and open source
      • An OWASP flagship project
      • Ideal for beginners
      • But also used by professionals
      • Ideal for devs, esp. for automated security tests
      • Becoming a framework for advanced testing
      • Included in all major security distributions
      • Not a silver bullet!
  • 3. ZAP Principles
      • Free, open source
      • Involvement actively encouraged
      • Cross platform
      • Easy to use
      • Easy to install
      • Internationalized
      • Fully documented
      • Work well with other tools
      • Reuse well regarded components
  • 4. Statistics
      • Released September 2010, fork of Paros
      • V 2.2.2 released in Sept 2013
      • V 2.1.0 downloaded > 25K times
      • Translated into 20+ languages
      • Over 50 translators
      • Mostly used by professional pentesters?
      • Paros code: ~20%, ZAP code: ~80%
  • 5. Ohloh Statistics
      • Very high activity
      • The most active OWASP project
      • 28 active contributors
      • 236 years of effort
      Source: http://www.ohloh.net/p/zaproxy
  • 6. The Main Features: all the essentials for web application testing
      • Intercepting Proxy
      • Active and Passive Scanners
      • Traditional Spider
      • Report Generation
      • Forced Browsing (using OWASP DirBuster code)
      • Fuzzing (using fuzzdb & OWASP JBroFuzz)
      • Dynamic SSL certificates
  • 7. Developer Features
      • Quick start
      • REST API
      • Java and Python clients
      • Headless mode
      • Anti-CSRF token handling
      • Authentication support
      • Session management
      • Auto updating
      • Modes
  • 8. Advanced Features
      • Ajax Spider
      • WebSockets support
      • Smart card support
      • Plug-n-Hack
      • Integrated scripting: JS, Python, Ruby...
      • Zest support: a macro language on steroids
      • Online add-ons marketplace
  • 9. How can you use ZAP?
      • Point and shoot: the Quick Start tab
      • Proxying via ZAP, and then scanning
      • Manual pentesting
      • Automated security regression tests
      • As a debugger
      • As part of a larger security program
  • 10. Security Regression Tests
      http://code.google.com/p/zaproxy/wiki/SecRegTests
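Slide 10 points at the wiki page on security regression tests, and slide 7 lists the REST API and headless mode that make them possible. The following is an added example, not code from the slides or from the ZAP project: a minimal Python gate that drives a headless ZAP through its JSON API (spider, active scan, then the alerts view) and fails the build when any alert at or above a chosen risk level is not on a reviewed accepted-risk list. Assumptions not on the slides: ZAP listens on 127.0.0.1:8080 with the API enabled, the alert dictionaries carry the `alert`, `risk`, `url` and `param` fields of the JSON alerts view, the `apikey` parameter is only needed on later ZAP releases that enforce one, and the sample alerts at the bottom are constructed, not real scan output.

```python
"""Security regression gate on top of the OWASP ZAP REST (JSON) API.

Added example, not code from the JoinSEC slides or from the ZAP project.
Assumptions (not stated on the slides): ZAP listens on 127.0.0.1:8080 with
the JSON API enabled, and the target is reachable from ZAP. Only the standard
library is used, so no ZAP client package is required.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"          # assumed ZAP address
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(base, component, kind, name, params=None, apikey=None):
    """Build a ZAP API URL: <base>/JSON/<component>/<view|action>/<name>/?<params>
    e.g. /JSON/core/view/alerts/?baseurl=http://target/
    `apikey` is only needed on later ZAP releases that enforce an API key."""
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey
    url = f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/"
    return url + ("?" + urllib.parse.urlencode(query) if query else "")


def call(url, timeout=30):
    """GET a ZAP API URL and decode the JSON reply (needs a live ZAP)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for(component, scan_id, base=ZAP, poll=2.0):
    """Poll /JSON/<spider|ascan>/view/status/ until the scan reports 100%."""
    while True:
        status = call(api_url(base, component, "view", "status", {"scanId": scan_id}))
        if int(status["status"]) >= 100:
            return
        time.sleep(poll)


def failing_alerts(alerts, threshold="Medium", accepted=()):
    """Return the alerts at or above `threshold` that are not in `accepted`.

    `alerts` is the list from /JSON/core/view/alerts/ (dicts with at least
    'alert', 'risk', 'url', 'param'); `accepted` holds (alert name, param)
    pairs for findings the team has reviewed and signed off on."""
    floor = RISK_ORDER[threshold]
    return [a for a in alerts
            if RISK_ORDER.get(a.get("risk"), 0) >= floor
            and (a.get("alert"), a.get("param", "")) not in accepted]


def run_regression(target, threshold="Medium", accepted=(), base=ZAP):
    """Spider and actively scan `target` via ZAP, then gate on the alerts.
    Returns the unaccepted alerts; an empty list means the build passes."""
    sid = call(api_url(base, "spider", "action", "scan", {"url": target}))["scan"]
    wait_for("spider", sid, base)
    aid = call(api_url(base, "ascan", "action", "scan", {"url": target}))["scan"]
    wait_for("ascan", aid, base)
    alerts = call(api_url(base, "core", "view", "alerts", {"baseurl": target}))["alerts"]
    return failing_alerts(alerts, threshold, accepted)


# Constructed sample alerts in the shape of ZAP's alerts view (not real scan output).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://target.example/search?q=x", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://target.example/", "param": ""},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://target.example/login", "param": "session"},
]

if __name__ == "__main__":
    import sys
    # Offline demonstration of the gate on the constructed alerts; against a
    # real target call run_regression("http://target.example/") instead.
    bad = failing_alerts(SAMPLE_ALERTS, "Medium",
                         accepted={("X-Frame-Options Header Not Set", "")})
    for a in bad:
        print(f"{a['risk']:<7} {a['alert']} at {a['url']} [{a['param']}]")
    sys.exit(1 if bad else 0)
```

The gate keys the accepted-risk list on (alert name, parameter) rather than on URL, so a finding that has been signed off once does not reappear on every page that shares the same form field, while a new parameter with the same alert type still fails the build. Tighten the threshold to "Low" once the High and Medium backlog is clear.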
  • 11. ZAP Embedded
      • ThreadFix (Denim Group): software vulnerability aggregation and management system
      • Minion (Mozilla): security automation platform
  • 12. Any Questions? http://www.owasp.org/index.php/ZAP