BSides Manchester 2014 ZAP Advanced Features
Slides from my BSides Manchester talk on June 27 2014 about ZAP Advanced Features

Presentation Transcript

  • The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP ZAP Advanced Features Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com BSides Manchester 2014
  • What is ZAP? • An easy-to-use webapp pentest tool • Completely free and open source • Ideal for beginners • But also used by a lot of professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing • Included in all major security distributions • ToolsWatch.org Top Security Tool of 2013 • Not a silver bullet!
  • ZAP Principles • Free, open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Works well with other tools • Reuses well regarded components
  • Statistics • Released September 2010, fork of Paros • V 2.3.1 released in May 2014 • V 2.3.1 downloaded > 20K times • Translated into 20+ languages • Over 90 translators • Mostly used by professional pentesters? • Paros code: ~20% ZAP code: ~80%
  • Ohloh Statistics • Very high activity • The most active OWASP project • 29 active contributors • 278 years of effort Source: http://www.ohloh.net/p/zaproxy
  • The Main Features All the essentials for web application testing • Intercepting proxy • Active and passive scanners • Traditional and Ajax spiders • WebSockets support • Forced browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Online add-ons marketplace
  • Some Additional Features • Auto tagging • Port scanner • Script console • Report generation • Smart card support • Contexts and scope • Session management • Invoke external apps • Dynamic SSL certificates
  • The Advanced Stuff :) • Contexts • Advanced Scanning • Scripts • Zest • Plug-n-Hack
  • Contexts • Assign characteristics to groups of URLs • Like an application: – Per site: • http://www.example.com – Site subtree: • http://www.example.com/app1 – Multiple sites: • http://www.example1.com • http://www.example2.com
  • Contexts • Allows you to define: – Scope – Session handling – Authentication – Users – 'Forced user' – Structure – with more coming soon
  • Advanced Scanning • Accessed from: – Right-click Attack menu – Tools menu – Keyboard shortcut (default Ctrl-Alt-A) • Gives you fine-grained control over: – Scope – Input vectors – Custom vectors – Policy
  • Scripting • Change ZAP on the fly • Full access to ZAP internals • Supports all JSR 223 languages, including – JavaScript – Jython – JRuby – Zest :)
  • Scripting • Different types of scripts – Stand alone: run when you say – Targeted: specify URLs to run against – Active: run in the active scanner – Passive: run in the passive scanner – Proxy: run 'inline' – Authentication: complex logins – Input vector: define what to attack
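As an added example of the "Passive" script type above (my own code, not from the talk or the ZAP project): a passive rule that flags responses leaking RFC 1918 private IPv4 addresses. The `scan(ps, msg, src)` entry point and the `ps.raiseAlert()` argument order follow the passive script template that ships with ZAP 2.3; confirm them against the template in your own ZAP version. The `ps`/`msg` stand-ins at the bottom are constructed so the rule can be exercised outside ZAP.

```javascript
// Added example of a ZAP passive scan script (not ZAP project code).
// Flags responses that contain RFC 1918 private IPv4 addresses.

var PRIVATE_RANGES = [
  // [network as unsigned 32-bit int, prefix length]
  [ipToInt("10.0.0.0"), 8],
  [ipToInt("172.16.0.0"), 12],
  [ipToInt("192.168.0.0"), 16]
];

function ipToInt(ip) {
  var p = ip.split(".");
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] | 0)) >>> 0;
}

function inPrivateRange(ip) {
  var n = ipToInt(ip);
  for (var i = 0; i < PRIVATE_RANGES.length; i++) {
    var net = PRIVATE_RANGES[i][0], bits = PRIVATE_RANGES[i][1];
    var mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    if (((n & mask) >>> 0) === net) return true;
  }
  return false;
}

// Returns the distinct private addresses found in a response body, in order.
function findPrivateAddresses(body) {
  var re = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
  var seen = {}, out = [], m;
  while ((m = re.exec(body)) !== null) {
    var ip = m[0];
    var octetsOk = ip.split(".").every(function (o) { return Number(o) <= 255; });
    if (octetsOk && inPrivateRange(ip) && !seen[ip]) {
      seen[ip] = true;
      out.push(ip);
    }
  }
  return out;
}

// ZAP passive script entry point: called once per in-scope response.
// Argument order of ps.raiseAlert() as in ZAP 2.3's passive template
// (assumption: verify against your version).
function scan(ps, msg, src) {
  var hits = findPrivateAddresses(msg.getResponseBody().toString());
  if (hits.length === 0) return;
  ps.raiseAlert(
    1,                                   // risk: 0 info, 1 low, 2 medium, 3 high
    2,                                   // confidence: 1 low, 2 medium, 3 high
    "Private IP address disclosure",
    "The response body contains an RFC 1918 address, which can reveal internal network layout.",
    msg.getRequestHeader().getURI().toString(),
    "",                                  // param
    "",                                  // attack
    "",                                  // other info
    "Remove internal addresses from responses sent to clients.",
    hits.join(", "),                     // evidence
    200,                                 // CWE-200: Information Exposure
    13,                                  // WASC-13: Information Leakage
    msg
  );
}

// Constructed stand-ins for ZAP's ps/msg objects so the script can be run
// outside ZAP; these are not ZAP's API. Returns the alerts the rule raised.
function runAgainstSample(sampleBody) {
  var alerts = [];
  var ps = { raiseAlert: function () { alerts.push(Array.prototype.slice.call(arguments)); } };
  var msg = {
    getResponseBody: function () { return { toString: function () { return sampleBody; } }; },
    getRequestHeader: function () {
      return { getURI: function () { return "http://www.example.com/app1/status"; } };
    }
  };
  scan(ps, msg, null);
  return alerts;
}
```

Inside ZAP, save the first part (everything above `runAgainstSample`) as a Passive script in the Scripts tab and enable it; the rule then runs against every response in scope alongside the built-in passive scanners.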
  • Zest - Overview • An experimental scripting language • Developed by Mozilla Security Team • Free and open source (of course) • Format: JSON – designed to be represented visually in security tools • Tool independent – can be used in open and closed, free or commercial software • Is included by default in ZAP from 2.2.0 • Replaces filters
  • Zest – Use cases • Reporting vulnerabilities to companies • Reporting vulnerabilities to developers • Defining tool independent active and passive scan rules • Deep integration with security tools
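To make the "tool independent" point concrete, here is an added example (my own, not from the talk or the Zest project): a constructed Zest script reporting a reflected-parameter finding, plus a minimal runner for the two statement types it uses. The field names (`elementType` discriminators, `statements`, `assertions`, `rootExpression`) follow the Zest JSON format as I recall it; treat them as an assumption and check the Zest repository for the authoritative schema. The transport is a constructed stub so the whole thing runs offline.

```javascript
// Added example: a constructed Zest script and a minimal interpreter for it.
// Field names are assumed from the Zest JSON format; verify against the spec.

var zestScript = {
  "about": "Constructed example script: reflected parameter in /search",
  "zestVersion": "0.3",
  "title": "Reflected value in /search",
  "statements": [
    {
      "elementType": "ZestRequest",
      "index": 1,
      "method": "GET",
      "url": "http://www.example.com/search?q=zaptest",
      "assertions": [
        { "elementType": "ZestAssertion",
          "rootExpression": { "elementType": "ZestExpressionStatusCode", "code": 200, "not": false } },
        { "elementType": "ZestAssertion",
          "rootExpression": { "elementType": "ZestExpressionRegex",
                              "variableName": "response.body", "regex": "zaptest", "not": false } }
      ]
    }
  ]
};

// Evaluates one assertion expression against a response {status, headers, body}.
function evaluateExpression(expr, response) {
  var result;
  switch (expr.elementType) {
    case "ZestExpressionStatusCode":
      result = response.status === expr.code;
      break;
    case "ZestExpressionRegex":
      var subject = expr.variableName === "response.body" ? response.body : (response.headers || "");
      result = new RegExp(expr.regex).test(subject);
      break;
    default:
      throw new Error("Unsupported expression: " + expr.elementType);
  }
  return expr.not ? !result : result;
}

// Runs each ZestRequest statement through `transport` (a function taking
// {method, url} and returning {status, headers, body}) and collects failures.
function runZest(script, transport) {
  var failures = [];
  script.statements.forEach(function (stmt) {
    if (stmt.elementType !== "ZestRequest") {
      throw new Error("Unsupported statement: " + stmt.elementType);
    }
    var response = transport({ method: stmt.method, url: stmt.url });
    (stmt.assertions || []).forEach(function (a, i) {
      if (!evaluateExpression(a.rootExpression, response)) {
        failures.push("statement " + stmt.index + " assertion " + (i + 1) +
                      ": " + a.rootExpression.elementType + " failed");
      }
    });
  });
  return { passed: failures.length === 0, failures: failures };
}

// Constructed transport standing in for a real HTTP client: reflects q=.
function reflectingTransport(req) {
  if (req.url.indexOf("/search?q=") !== -1) {
    var q = decodeURIComponent(req.url.split("q=")[1]);
    return { status: 200, headers: "Content-Type: text/html", body: "<p>Results for " + q + "</p>" };
  }
  return { status: 404, headers: "", body: "not found" };
}

// Constructed transport for a server that has fixed the reflection.
function fixedTransport(req) {
  var r = reflectingTransport(req);
  if (r.status === 200) r.body = "<p>Results for [filtered]</p>";
  return r;
}
```

The value of the format is that the same JSON can be replayed by ZAP, by another tool, or by a developer's script such as this one: if `runZest(zestScript, …)` passes against the developer's build, the vulnerability is still reproducible.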
  • Plug-n-Hack – Phase 1 • Allow browsers and security tools to integrate more easily • Allows security tools to expose functionality to browsers • “Proposed standard” • Developed by Mozilla Security Team • Browser and security tool independent
  • Plug-n-Hack – Phase 2 • Allows browsers to expose functionality to security tools • This phase doesn't need a browser plugin • Inject JavaScript into 'monitored pages' • Heartbeat shows which pages are alive • Intercept and change postMessages • Fuzz postMessages • DOM XSS oracle
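An added example of the kind of JavaScript a tool would inject into a monitored page for the postMessage work described above (my own code, not Plug-n-Hack's): a hook that sees and can rewrite outgoing `postMessage` calls, a mutator that derives one fuzz variant per string field with a canary in it, and a trivial oracle that checks whether the canary landed in rendered markup unescaped. `win` is whatever window object the hook is installed on; the `makeFakeWindow` stand-in is constructed so the logic can be run outside a browser.

```javascript
// Added example (not Plug-n-Hack code): postMessage interception, fuzzing
// and a canary oracle, written so it runs in a page or against a stub.

// Wraps win.postMessage so every outgoing message passes through `hook`,
// which may return a replacement payload or undefined to send it unchanged.
// Returns a function that restores the original postMessage.
function installPostMessageHook(win, hook) {
  var original = win.postMessage;
  win.postMessage = function (data, targetOrigin, transfer) {
    var replaced = hook(data, targetOrigin);
    var payload = replaced === undefined ? data : replaced;
    return original.call(win, payload, targetOrigin, transfer);
  };
  return function uninstall() { win.postMessage = original; };
}

// Produces one variant per string leaf of a JSON-like message, with that
// leaf replaced by `canary`; the original message is never modified.
// A bare string message yields a single variant; other primitives yield none.
function fuzzMessage(message, canary) {
  var variants = [];
  function walk(node, rebuild) {
    if (typeof node === "string") {
      variants.push(rebuild(canary));
    } else if (Array.isArray(node)) {
      node.forEach(function (child, i) {
        walk(child, function (v) { var copy = node.slice(); copy[i] = v; return rebuild(copy); });
      });
    } else if (node && typeof node === "object") {
      Object.keys(node).forEach(function (k) {
        walk(node[k], function (v) {
          var copy = {};
          Object.keys(node).forEach(function (kk) { copy[kk] = node[kk]; });
          copy[k] = v;
          return rebuild(copy);
        });
      });
    }
  }
  walk(message, function (v) { return v; });
  return variants;
}

// Oracle: true if the canary appears in the rendered markup as raw HTML.
// A correctly escaped copy would show up as "&lt;zapcanary..." instead.
function canaryLanded(renderedHtml, canary) {
  return renderedHtml.indexOf(canary) !== -1;
}

// Sends every fuzz variant of `message` through `win` and returns them, so
// the caller can pair each variant with what the oracle later observes.
function replayFuzzed(win, message, canary, targetOrigin) {
  return fuzzMessage(message, canary).map(function (v) {
    win.postMessage(v, targetOrigin);
    return v;
  });
}

// Constructed stand-in for a window: records what postMessage was given.
function makeFakeWindow() {
  var sent = [];
  return {
    sent: sent,
    postMessage: function (data, targetOrigin) { sent.push({ data: data, origin: targetOrigin }); }
  };
}
```

In a real page the hook would report each message to the tool over the Plug-n-Hack channel and the oracle would scan `document.body.innerHTML` (or a MutationObserver feed) for the canary after each replayed variant; messages sent with a `targetOrigin` of `"*"` are worth flagging on their own.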
  • Plug-n-Hack – Phase 3 • Support more client side events.. • .. which enables client side Zest recording • Work in progress!
  • Work In Progress • GSoC – Advanced Fuzzing – Sebastian • GSoC – Advanced AC testing – Cosmin • GSoC – SOAP Service Scanning – Alberto • Sequence scanning – Lars and Stefan • Sequence abuse – Avinash • GSoC – OWFT Zest + ZAP integration – Deep • GSoC (Mozilla) – Firefox Zest add-on – Sunny • .. and more behind the scenes ;)
  • The Source Code • Currently on Google Code • Will probably move to GitHub when time allows • Hacking ZAP blog series: https://code.google.com/p/zaproxy/wiki/Development • ZAP Internals: https://code.google.com/p/zaproxy/wiki/InternalDetails • ZAP Dev Group: http://groups.google.com/group/zaproxy-develop
  • Conclusion • ZAP is changing rapidly • It is the most active OWASP project • It is the most active open source web app security project • It's great for people new to AppSec .. • .. and also for security pros • It's a community based tool – get involved!
  • Questions? http://www.owasp.org/index.php/ZAP