Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20

Talk by Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
@ Tabara de Testare Cluj Napoca, Romania

1. ZAP Quick Intro
Tabara de Testare 2013
The OWASP Foundation, http://www.owasp.org
OWASP Zed Attack Proxy
Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team, psiinon@gmail.com
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• Not a silver bullet!

3. ZAP Principles
• Free, open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components

4. Statistics
• Released September 2010, fork of Paros
• V 2.2.2 released in Sept 2013
• V 2.1.0 downloaded > 25K times
• Translated into 20+ languages
• Over 50 translators
• Mostly used by professional pentesters?
• Paros code: ~20%, ZAP code: ~80%

5. The Main Features
All the essentials for web application testing:
• Intercepting proxy
• Active and passive scanners
• Traditional and Ajax spiders
• WebSockets support
• Forced browsing (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Online add-ons marketplace

6. Some Additional Features
• Auto tagging
• Port scanner
• Script console
• Report generation
• Smart card support
• Contexts and scope
• Session management
• Invoke external apps
• Dynamic SSL certificates

7. How can you use ZAP?
• Point and shoot: the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
• As a debugger
• As part of a larger security program

8. Security Regression Tests
http://code.google.com/p/zaproxy/wiki/SecRegTests

9. Questions?
http://www.owasp.org/index.php/ZAP
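Slides 7 and 8 list "automated security regression tests" as a use of ZAP but the deck itself only links to the wiki page. The piece such a test needs beyond running the scan is a gate: compare the alerts ZAP reports against a reviewed baseline and fail the build only on new findings at or above a chosen risk level. The script below is an added example written for this page, not code from the deck or the ZAP project. In real use the alert list comes from ZAP's REST API (the core/view/alerts view, for instance via the python-owasp-zap-v2.4 client); here a constructed sample with the same field names (pluginId, alert, risk, confidence, url, param) is embedded so it runs offline. The host app.example, the plugin IDs in the sample and the baseline entry are all illustrative.

```python
"""Gate a build on ZAP alerts: fail when a scan reports a new finding at or
above a chosen risk level that is not in an accepted baseline.

Added example, not ZAP project code.  The alert dicts follow the field names
of ZAP's core/view/alerts API output; the values are constructed for this
example so the script runs without a live ZAP instance.
"""
from urllib.parse import urlparse

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape of ZAP's alert output (made-up target).
SAMPLE_ALERTS = [
    {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set",
     "risk": "Medium", "confidence": "Medium",
     "url": "http://app.example/login", "param": ""},
    {"pluginId": "40018", "alert": "SQL Injection",
     "risk": "High", "confidence": "Medium",
     "url": "http://app.example/search?q=x%27", "param": "q"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium",
     "url": "http://app.example/search?q=%3Cscript%3E", "param": "q"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium",
     "url": "http://app.example/static/app.js", "param": ""},
]

# Findings already reviewed and accepted (e.g. a documented false positive).
# A fingerprint is (pluginId, URL path, parameter).  The query string is
# deliberately left out: it carries the scanner's attack payload and so
# differs from run to run, which would make every scan look "new".
BASELINE = {("10020", "/login", "")}


def fingerprint(alert):
    """Stable identity for an alert across scan runs."""
    path = urlparse(alert["url"]).path
    return (alert["pluginId"], path, alert.get("param", ""))


def new_findings(alerts, baseline, min_risk="Medium"):
    """Alerts at or above min_risk whose fingerprint is not in the baseline.

    Duplicates (same fingerprint reported for several payloads) are collapsed
    to one entry; the result is ordered most severe first.
    """
    threshold = RISK_ORDER[min_risk]
    seen = set()
    result = []
    for a in alerts:
        if RISK_ORDER.get(a["risk"], 0) < threshold:
            continue
        fp = fingerprint(a)
        if fp in baseline or fp in seen:
            continue
        seen.add(fp)
        result.append(a)
    result.sort(key=lambda a: RISK_ORDER[a["risk"]], reverse=True)
    return result


def regression_gate(alerts, baseline, min_risk="Medium"):
    """Exit status for CI: 0 when there are no new findings, 1 otherwise."""
    findings = new_findings(alerts, baseline, min_risk)
    for a in findings:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param={a['param']!r})")
    return 1 if findings else 0


if __name__ == "__main__":
    # With the sample data the two High alerts are new, so the gate fails.
    raise SystemExit(regression_gate(SAMPLE_ALERTS, BASELINE))
```

Two design points worth keeping when adapting this: accept findings by fingerprint rather than by suppressing a whole plugin, so a second instance of the same weakness on a different path still fails the build, and keep the baseline under version control next to the tests so every accepted alert has a reviewable history.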
