
2014 ZAP Workshop 2: Contexts and Fuzzing


The second of a series of workshops on OWASP ZAP delivered remotely to OWASP Canberra.



  1. Title slide: OWASP ZAP Workshop 2: Contexts and Fuzzing. Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team, psiinon@gmail.com. The OWASP Foundation, http://www.owasp.org. OWASP Canberra 2014. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  2. The plan
     - The main bit
       - Demo a feature
       - Let you play with the feature
       - Answer any questions
       - Repeat
     - Plans for the future sessions
  3. Contexts
     - Assign characteristics to groups of URLs
     - Like an application:
       - Per site: http://www.example.com
       - Site subtree: http://www.example.com/app1
       - Multiple sites: http://www.example1.com, http://www.example2.com
  4. Practical 1
     - Create and edit a Context definition
     - Add and remove a context to/from the scope
     - Try using ZAP with different modes and scopes
  5. Contexts
     - Allow you to define:
       - Scope
       - Session handling
       - Authentication
       - Users
       - 'Forced user'
       - Structure
       - with more coming soon
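To make the scope part of a context concrete, here is an added example (not ZAP's own code, which is Java) of the three context shapes on slide 3 expressed as include/exclude URL patterns. ZAP stores context scope as regular expressions matched against the full URL (the UI generates patterns of the form `http://www.example.com.*` when you add a site); the `Context` class, `prefix_pattern` helper, the sample URLs and the logout exclusion are all constructed for this illustration.

```python
import re
from typing import Dict, Iterable


class Context:
    """A ZAP-style context reduced to its scope rules.

    'include' patterns define the scope, 'exclude' patterns carve holes out
    of it. Everything else a real ZAP context carries (session handling,
    authentication, users, forced user, structure) is omitted here.
    """

    def __init__(self, name: str, include: Iterable[str], exclude: Iterable[str] = ()):
        self.name = name
        self.include = [re.compile(p) for p in include]
        self.exclude = [re.compile(p) for p in exclude]

    def in_scope(self, url: str) -> bool:
        # Exclusions win: a URL matching any exclude pattern is out of scope
        # even if it also matches an include pattern.
        if any(p.fullmatch(url) for p in self.exclude):
            return False
        return any(p.fullmatch(url) for p in self.include)


def prefix_pattern(prefix: str) -> str:
    """Regex for 'this URL and everything beneath it'.

    The prefix is escaped so dots in the host stay literal (a bare
    'http://www.example.com.*' would also match www.example.com.evil.test),
    and the tail must start with '/', '?' or '#' so that a subtree pattern
    for /app1 does not quietly pull /app1-admin into scope.
    """
    return re.escape(prefix) + r"([/?#].*)?"


# The three context shapes from the slide: a whole site, a subtree of one
# site, and several sites treated as one application.
SITE = Context("example site", [prefix_pattern("http://www.example.com")])
SUBTREE = Context("app1 only", [prefix_pattern("http://www.example.com/app1")])
MULTI = Context(
    "two-site app",
    [prefix_pattern("http://www.example1.com"), prefix_pattern("http://www.example2.com")],
    # Constructed exclusion: keep the spider and scanner off the logout URL so
    # an authenticated session is not terminated part-way through a scan.
    exclude=[prefix_pattern("http://www.example1.com/logout")],
)


def scope_report(ctx: Context, urls: Iterable[str]) -> Dict[str, bool]:
    """Map each URL to whether the context puts it in scope."""
    return {u: ctx.in_scope(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs covering each boundary case.
    sample = [
        "http://www.example.com/",
        "http://www.example.com/app1/login",
        "http://www.example.com/app1-admin/",
        "http://www.example.com.evil.test/",
        "http://www.example2.com/api?x=1",
        "http://www.example1.com/logout",
    ]
    for ctx in (SITE, SUBTREE, MULTI):
        print(ctx.name)
        for url, ok in scope_report(ctx, sample).items():
            print(f"  {'IN ' if ok else 'OUT'} {url}")
```

The exclusion on the logout URL is the usual reason to carve a hole in a context: with authentication and a "logged out" indicator configured (slide 5 and Practical 2), letting the spider follow the logout link would end the session that the Forced User mode is trying to keep alive.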
  6. Practical 2
     - Define a context for an app with authentication
     - Configure the authentication method, the logged in/out indicators and one or more users
     - Spider / scan using the Forced User mode
  7. Basic Fuzzing
     - Current 'basic' fuzzing:
       - Sends attack vectors at one selected target
       - Only supports files of attack vectors
       - JBroFuzz files included by default
       - FuzzDB and SVN Digger files on the Marketplace
       - You can add your own files
       - Handles anti-CSRF tokens
       - Results can be searched
  8. Practical 3
     - Fuzz input fields
     - Fuzz input fields in forms with an anti-CSRF token
     - Search fuzzing results
     - Download and use FuzzDB and SVN Digger files
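Slide 7 says the basic fuzzer "handles anti-CSRF tokens", and Practical 3 asks you to fuzz a form that carries one. The added example below (illustrative Python, not ZAP's fuzzer) shows why that handling matters: a `TokenProtectedForm` class stands in for a web app that issues a fresh single-use token on every form render and rejects anything else, and `fuzz_field` runs a file of attack vectors through it with and without re-fetching the token before each submission. The app, the token format, the payload file contents and the response strings are all constructed for this example.

```python
import io
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List


class TokenProtectedForm:
    """Constructed stand-in for an app with a per-render anti-CSRF token.

    Not a real server: get_form() plays the GET that renders the form and
    post_form() plays the POST that submits it.
    """

    def __init__(self) -> None:
        self._valid = set()

    def get_form(self) -> str:
        token = secrets.token_hex(8)
        self._valid.add(token)
        return (
            '<form method="post" action="/comment">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="text" name="comment"></form>'
        )

    def post_form(self, fields: Dict[str, str]) -> str:
        token = fields.get("csrf_token")
        if token not in self._valid:
            return "403 invalid or reused anti-CSRF token"
        self._valid.discard(token)  # tokens are single use
        comment = fields.get("comment", "")
        if len(comment) > 64:  # constructed fault so one vector stands out
            return "500 internal server error"
        return f"200 stored comment of {len(comment)} characters"


TOKEN_RE = re.compile(r'name="csrf_token"\s+value="([0-9a-f]+)"')


@dataclass
class FuzzResult:
    payload: str
    response: str


def load_vectors(text_file) -> List[str]:
    """Read a JBroFuzz-style attack vector file: one vector per line."""
    return [line.rstrip("\n") for line in text_file if line.strip()]


def fuzz_field(app: TokenProtectedForm, field_name: str, payloads: List[str],
               refresh_token: bool = True) -> List[FuzzResult]:
    """Submit each payload in the named field.

    With refresh_token=True the form is re-fetched before every request so a
    fresh token is sent, which is what ZAP's anti-CSRF handling does for you.
    With refresh_token=False the first token is replayed, as a naive fuzzer
    would, and every request after the first is rejected before the payload
    ever reaches the application code.
    """
    results: List[FuzzResult] = []
    token = None
    for payload in payloads:
        if refresh_token or token is None:
            token = TOKEN_RE.search(app.get_form()).group(1)
        response = app.post_form({"csrf_token": token, field_name: payload})
        results.append(FuzzResult(payload, response))
    return results


def search_results(results: List[FuzzResult], pattern: str) -> List[FuzzResult]:
    """The 'results can be searched' step: filter responses by regex."""
    rx = re.compile(pattern)
    return [r for r in results if rx.search(r.response)]


# Constructed attack vector file: empty, ordinary, over-long, non-ASCII, NUL.
VECTOR_FILE = "\nhello\n" + "A" * 100 + "\nünïcödé\n\x00\n"


def run_demo() -> Dict[str, int]:
    """Fuzz the same field both ways and count responses by status code."""
    vectors = load_vectors(io.StringIO(VECTOR_FILE))
    naive = fuzz_field(TokenProtectedForm(), "comment", vectors, refresh_token=False)
    aware = fuzz_field(TokenProtectedForm(), "comment", vectors, refresh_token=True)
    return {
        "naive_403": len(search_results(naive, r"^403")),
        "naive_500": len(search_results(naive, r"^500")),
        "aware_403": len(search_results(aware, r"^403")),
        "aware_500": len(search_results(aware, r"^500")),
    }


if __name__ == "__main__":
    for key, count in run_demo().items():
        print(f"{key}: {count}")
```

The naive run's results are all 403 apart from the very first request, so the one vector that actually breaks the constructed handler is never seen; only the token-aware run surfaces it, and a search on `^500` finds it immediately. That is the difference between a fuzzing session whose results mean something and one that only measured the anti-CSRF protection.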
  9. Advanced Fuzzing
     - 'MultiFuzz' on the Marketplace:
       - Sends attack vectors at multiple selected targets
       - Range of attack vectors, not just files
       - Supports graphing of results
       - Google Summer of Code project
       - Alpha quality
  10. Practical 4
     - Download MultiFuzz
     - Try out all of its features
     - Provide feedback :)
  11. Advanced Scanning
     - Accessed from:
       - Right-click Attack menu
       - Tools menu
       - Keyboard shortcut (default Ctrl-Alt-A)
     - Gives you fine-grained control over:
       - Scope
       - Input Vectors
       - Custom Vectors
       - Policy
  12. Practical 5
     - Scan one URL with one scan rule
     - Play with the thresholds and strengths
     - Scan custom input vectors
     - Create, save and load Policies
  13. Future Sessions?
     - Scripts
     - Zest
     - The API
     - WebSockets
     - Marketplace add-ons
     - Intro to the source code?
     - What do you want?
  14. Any Questions? http://www.owasp.org/index.php/ZAP
