This document provides an overview of some hidden features of the OWASP Zed Attack Proxy (ZAP). It discusses using the ZAP API to automate security scans. The ZAP API allows accessing ZAP programmatically. The document demonstrates authenticating scans through the API and using API clients like the Python client. It describes how to write scripts for ZAP, including passive and active scan rules. It shows a demo of finding AWS secret keys and detecting JWT vulnerabilities through active scan rules.

1. An overview of some of the hidden gems of the world’s favorite open source
security platform
OWASP ZAP - WHAT’S UNDER THE HOOD

2. Agenda
● Brief Overview of ZAP(Zed Attack Proxy)
● The ZAP API
○ Automating security scans with ZAP API
○ ZAP API Clients
○ Accessing ZAP via the API Client
● Scripting with ZAP
○ Why Scripting With ZAP?
○ Types of Scripts
○ Useful modules
○ Writing Passive Scan rules
■ Looking for AWS Secrets
○ Writing Active Scan rules
■ Looking for JWT Vulnerability

3. The Zed Attack Proxy
• Free and Open Source Web Application Scanner
• ZAP is a OWASP Flagship Project
• Community Support - Scripts, Plugins, Add-ons
• Extensive API and Highly Scriptable

4. Running ZAP
Daemon Mode User Interface

5. The ZAP API
• Well Defined and Documented REST API
• https://github.com/zaproxy/zaproxy/wiki/ApiDet
ails
• API can be accessed at:
• http://zap
• http://localhost:<proxy port>
• API can also be accessed through the client
implementations.

6. Authenticated Scan Through API
ZAP API
User Interface
or
Daemon Mode
Get context
Info
Perform
Authenticated
Actions
Saved Context
Authentication
information
List of URL
List of Users
admin
Low Priv
User
ZAP UI
Session

7. Authenticated Scan Through API - Demo
https://drive.google.com/open?id=16sUFIHcwxXDWKT2YW-Jdnkf7JdRsWPFv

8. DEMO - ZAP UI

9. ZAP API Clients

10. ZAP API Client
ZAP API Client Python - DEMO
https://pypi.org/project/python-owasp-zap-v2.4/
pip install python-owasp-zap-v2.4

11. ZAP Scripting
● Changes to the way ZAP works
● Develop Scripts Inside ZAP
● Access to all internal aspects

12. Types of scripts
● Stand alone
○ Independent scripts to run manually
● Targetted
○ Independent script that can be run on a specific target
● Proxy
○ Changing Request and Response at proxy
● HTTP sender
○ Running on all requests and response.

13. Types of scripts
● Passive Scan Rule
○ Rules tested as part of Passive scan
● Active Scan Rule
○ Rules tested as part of Active scan
● Authentication
○ To perform authentication for context

14. Useful Modules - ZAP Scripting with Python(Jython)
msg
#the message object that is acted upon to parse/manipulate
msg.getRequestHeader()
#Request Header Object
msg.getRequestHeader().getURI()
#fetches the URI from the request header
msg.getRequestBody()
#Fetches the request body from the request
msg.getResponseBody()
#Fetches the request body from the request
msg.setRequestBody()
#Sets a different request body from the one in the original request

15. Passive Scan Rule - Demo
Find AWS Secret Keys Exposed!
https://drive.google.com/open?id=15HroJFEYxOqZ6E1cLQK-bjBE3yatjzKN

16. Active Scan Rule - JWT Vulnerability
• Application allowing “none” algorithm in JWT tokens
• Attacker can create own token with any payload

17. Active Scan Rule - Demo
https://drive.google.com/open?id=1pqimonfm7Ue35QAvGpsFX-vEZY4VJs4C

18. Useful Links
Download ZAP : https://github.com/zaproxy/zaproxy/wiki/Downloads
ZAP Help : https://github.com/zaproxy/zap-core-help/wiki
Community Scripts: https://github.com/zaproxy/community-scripts

19. @praveen756
praveen.kumar@we45.com
www.we45.com/blog
Don’t be shy, get in touch!

20. Q & A