JoinSEC 2013 London - ZAP Intro

Slides from my 'Introduction to ZAP' talk at JoinSEC London 2013
JoinSEC 2013
The OWASP Foundation
http://www.owasp.org

An Introduction to ZAP
OWASP Zed Attack Proxy
Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team
psiinon@gmail.com

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, especially for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• Not a silver bullet!

ZAP Principles
• Free, open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components

Statistics
• Released September 2010, a fork of Paros
• V 2.2.2 released in September 2013
• V 2.1.0 downloaded > 25K times
• Translated into 20+ languages
• Over 50 translators
• Mostly used by professional pentesters?
• Code base: ~20% Paros, ~80% ZAP

Ohloh Statistics
• Very high activity
• The most active OWASP project
• 28 active contributors
• 236 person-years of estimated effort
Source: http://www.ohloh.net/p/zaproxy

The Main Features
All the essentials for web application testing
• Intercepting proxy
• Active and passive scanners
• Traditional spider
• Report generation
• Forced browsing (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Dynamic SSL certificates

Developer Features
• Quick start
• REST API
• Java and Python clients
• Headless mode
• Anti-CSRF token handling
• Authentication support
• Session management
• Auto updating
• Modes

Advanced Features
• Ajax spider
• WebSockets support
• Smart card support
• Plug-n-Hack
• Integrated scripting: JS, Python, Ruby...
• Zest support: a macro language on steroids
• Online add-ons marketplace

How can you use ZAP?
• Point and shoot: the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
• As a debugger
• As part of a larger security program

Security Regression Tests
http://code.google.com/p/zaproxy/wiki/SecRegTests

ZAP – Embedded
• ThreadFix (Denim Group): software vulnerability aggregation and management system
• Minion (Mozilla): security automation platform

Any Questions?
http://www.owasp.org/index.php/ZAP
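The "Developer Features" and "Security Regression Tests" slides describe the headless-mode plus REST API workflow without showing it. The following is an added example (my own code, not part of the talk and not ZAP's own client library) of that workflow: drive a headless ZAP over its JSON API (spider, active scan, fetch alerts), then fail the build only on alerts at or above a chosen risk level that are not already in an accepted baseline. The API paths, the `scan`/`status` response fields and the `risk`/`pluginId`/`url`/`param` alert fields are ZAP's; the host `target.example`, the sample alert values and the baseline are constructed for the demo, and `ZapApi`, `new_failures` and `regression_check` are names chosen here.

```python
"""Gate a build on new ZAP alerts (added example; not ZAP project code)."""
import json
import sys
import time
import urllib.parse
import urllib.request

# Risk levels as ZAP reports them in the "risk" field of core/view/alerts.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def alert_key(alert):
    """Identity used to diff runs: scan rule id, URL and parameter.

    Deliberately excludes fields such as 'evidence' that can vary between runs.
    """
    return (str(alert.get("pluginId", "")), alert.get("url", ""), alert.get("param", ""))


def new_failures(alerts, baseline, min_risk="Medium"):
    """Return alerts at or above min_risk whose key is not in the accepted baseline."""
    threshold = RISK_ORDER[min_risk]
    known = {alert_key(a) for a in baseline}
    return [
        a for a in alerts
        if RISK_ORDER.get(a.get("risk"), 0) >= threshold and alert_key(a) not in known
    ]


class ZapApi:
    """Thin wrapper over ZAP's REST API: /JSON/<component>/<view|action>/<name>/?params."""

    def __init__(self, base="http://localhost:8080", apikey=""):
        self.base = base.rstrip("/")
        # An API key is required by default in ZAP 2.4.1 and later; the 2013 releases accept none.
        self.apikey = apikey

    def call(self, component, kind, name, **params):
        if self.apikey:
            params["apikey"] = self.apikey
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)

    def _wait(self, component, scan_id, poll=2):
        # spider/view/status and ascan/view/status both return percent complete as a string.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)

    def scan(self, target):
        """Headless equivalent of the Quick Start tab: spider the target, then active scan it."""
        self._wait("spider", self.call("spider", "action", "scan", url=target)["scan"])
        self._wait("ascan", self.call("ascan", "action", "scan", url=target)["scan"])
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def regression_check(target, baseline_path=None, min_risk="Medium", zap=None):
    """Scan a live target through a running ZAP daemon and return the new failures."""
    zap = zap or ZapApi()
    baseline = []
    if baseline_path:
        with open(baseline_path) as f:
            baseline = json.load(f)
    return new_failures(zap.scan(target), baseline, min_risk)


# Constructed sample in the shape ZAP returns; the values are made up for this demo.
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://target.example/search", "param": "q"},
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled", "risk": "Low",
     "url": "http://target.example/", "param": ""},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "http://target.example/login", "param": "user"},
]
# Findings accepted from an earlier run: the SQLi on /login is already known and tracked.
BASELINE = [{"pluginId": "40018", "url": "http://target.example/login", "param": "user", "risk": "High"}]


def demo():
    """Offline run of the gate over the constructed data: only the reflected XSS is new."""
    return new_failures(SAMPLE_ALERTS, BASELINE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        failures = regression_check(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        failures = demo()
    for a in failures:
        print(f'{a["risk"]}: {a["alert"]} at {a["url"]} [{a["param"]}]')
    sys.exit(1 if failures else 0)
```

Run it with no arguments to exercise the gate on the constructed alerts; pass a target URL (and optionally a baseline JSON file) to scan for real against a ZAP started headless with `zap.sh -daemon -port 8080`. Keying the diff on rule id, URL and parameter rather than on the full alert keeps the baseline stable across runs, and thresholding on ZAP's own risk level keeps Low and Informational noise from breaking the build.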