SlideShare a Scribd company logo
1 of 31
Download to read offline
The OWASP Foundation
http://www.owasp.org

OWASP
Zed Attack Proxy

Hackathon
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
psiinon@gmail.com

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The Plan
•
•
•
•
•

Overview of how to extend ZAP
Describe the topics I could talk about
Find out what you really want to know ;)
Agree topics to cover
For each topic:
– Talk for a bit, hack for a bit

• But its all up for grabs, so we can change anything
• And feel free to do your own thing!
• I'll help out during the hacking sections
2
How you can extend ZAP
• Without a dev environment:
– 3rd party tools
– Scripts
– Translations
– Documentation

• With a development environment
– Active & passive scan rules
– 'Full' extensions
What can you plug in?
•
•
•
•

Scripts
Script types
Active and Passive rules
UI elements – tabs, popups, toolbar buttons,
menus, right click options...

• API calls
• Request / Response views
• Breaking, Fuzzing, Searching
Topics I could talk about
•
•
•
•
•
•
•
•

The ZAP project structure
Setting up a ZAP development environment
ZAP documentation and internationalization
Implementing 'standard' scripts
Implementing Zest scripts
Implementing active and passive scan rules
Implementing Add-ons and extensions
Features and fixes to work on
More topics I could talk about
•
•
•
•
•
•
•
•

Key classes
Accessing core functionality and extensions
Internal events
The user interface
The API
The database
Request / Response views
Breaking, fuzzing, searching
Project Structure
• zaproxy
– http://code.google.com/p/zaproxy/
– The 'core' plus a lot more

• zap-test
– http://code.google.com/p/zaproxy-test/
– Unit tests

• zap-extensions
– http://code.google.com/p/zap-extensions/
– The add-ons
– Trunk, alpha and beta branches!
Project Structure
• zaproxy
– src

All the 'core' source code

• org/parosprozy

The 'old' Paros code

• org/zaproxy

The 'new' ZAP code

• help

Help files

• lang

Property files (UI)

– build

Build directory

– lib

Jar files

– scripts

Default script templates
Development Environment
•
•
•
•

Java 7
Eclipse (or your favorite Java IDE)
Subversive SVN (or equivalent)
Import ZAP projects via SVN
– https://zaproxy.googlecode.com/svn/trunk/
– https://zaproxy-test.googlecode.com/svn/trunk/
– https://zap-extensions.googlecode.com/svn/trunk/
– https://zap-extensions.googlecode.com/svn/branches/alpha/
– https://zap-extensions.googlecode.com/svn/branches/beta/

• Add 'lib' jars to build path
• Run org.zaproxy.zap.ZAP.java
Creating the Projects
•
•
•
•
•
•
•
•

File / New / Other...
SVN / Project from SVN
Create a new repository location
URL, e.g. https://zaproxy.googlecode.com/svn/
Select Resource, e.g. trunk
Check out .. using the New Project Wizard
Select a wizard: Java / Java Project
Add all lib/*.jar files to the build path
Dev Rules and Guidelines
•

http://code.google.com/p/zaproxy/wiki/DevGuidelines

•
•
•
•
•
•
•
•

Ease of use and consistency are key
All UI string must in internationalized
Comment all changes to orp.parosproxy.paros
All functionality should have help pages
Keep a clean split between functionality and UI
Check in code cleaner that you checked out
Write unit tests
Extensions should expose functionality, not UI
elements (older ones still do)
Documentation and i18n
• ZAP Help file
– src/help
– {addon}/resource/help
– http://code.google.com/p/zaproxy/wiki/HelpIntro

• Home pages
– https://www.owasp.org/index.php/ZAP
• 'Official' home page, 'outward' facing?
– http://code.google.com/p/zaproxy/
• More details, 'internal' facing?

• http://crowdin.net/project/owasp-zap
Scripting
•
•
•
•
•
•
•

Passive Rules

Passive scanner

Active Rules

Active Scanner

Proxy

Inline

Stand Alone

User controlled

Targeted

Right click invoke

Library

Work in progress ;)

Plugable

Register at runtime
'Standard' Scripts
•
•
•
•

No IDE required :)
JavaScript (and Zest) built in
Python and Ruby download from Marketplace
All other JSR 223 scripts supported with no
templates

• Templates give basic structure
• But you still need some idea of ZAP internals
– http://code.google.com/p/zaproxy/wiki/InternalDetails
– http://code.google.com/p/zaproxy/wiki/JavaDocs
Zest Scripts
•
•
•
•
•
•
•

Built in, same script types
But they are graphical
Implement JSR 223
And very new
Effectively ZAP's macro language
Right click everywhere!
https://developer.mozilla.org/en-US/docs/zest
Add-ons
•
•
•
•

Available from the ZAP Marketplace
Name format: id-status-version.zap
Status: alpha, beta, release
Standard ZIP file, containing:
– ZapAddOn.xml
– Active scan rules
– Passive scan rules
– Extensions
– Files
ZapAddOn.xml
<zapaddon>
<name>Short text name (no HTML)</name>
<version></version>
<description>Longer description</description>
<author>Author (no HTML)</author>
<url/>
<changes/>
<dependson>
<zapaddonid/>
</dependson>
<extensions>
<extension/>
</extensions>
ZapAddOn.xml
<ascanrules>
<ascanrule/>
</ascanrules>
<pscanrules>
<pscanrule/>
</pscanrules>
<filters>
<!-- not currently supported? -->
<filter/>
</filters>
<files>
<file/>
</files>
<not-before-version/>
<not-from-version/>
</zapaddon>
Add-on file structure
• Package: org.zaproxy.zap.extension.name
files
resource
help
icons
lib

•
•
•
•

Will be included as files
Help files
Images
Jars (will be expanded)

Classes and sub packages
Message.properties
Message_locale.properties
ZapAddOn.xml
Building Add-ons
•
•
•
•

zap-entensions/build/build.xml
zap-extensions/branches/alpha/build/build.xml
zap-extensions/branches/beta/build/build.xml
Typically just need to add your add-on to targets:
– build-all
– deploy-addon-id
– deploy-all

• Everything will be handled if you stick to the
standard file structure
Passive Scan Rules
• Extend org.zaproxy.zap.extension.pscan.
PluginPassiveScanner

•
•
•
•
•
•

Called for every request and response
Run in background thread
Cant change anything – look but dont touch ;)
Receive HttpMessage and DOM Source
Use PassiveScanThread.raiseAlert(..)
Lots of examples (trunk, beta, alpha?)
Active Scan Rules
• Extend org.parosproxy.paros.core.scanner.
AbstractPlugin

• AbstractAppPlugin
–AbstractAppParamPlugin
• AbstractHostPlugin

Every node
Every param
Hosts/1 node
st

• Can change anything – make new request etc
• AbstractPlugin – lots of utility methods
• Lots of examples (trunk, beta, alpha?)
Extensions
• Extend org.parosproxy.paros.extension.Extension
• Can do anything – much of the 'core' is really
extensions

• Should have their own language files
• Lots of examples – pick one that does something
vaguely similar?
Features and Fixes
•
•
•
•
•
•
•
•

Scripts, in Javascript, Python, Ruby, Zest
New script templates – Groovy, Scala ...
Active and passive scan rules
http://code.google.com/p/zaproxy/wiki/Projects
http://code.google.com/p/zaproxy/issues/list
'IdealFirstBug' tag
Wrap / port another tool (retire.js, ..)
Whatever you want to do!
Extension Hooks
•
•
•
•
•
•
•
•

OptionsChangedListener
ProxyListener
SessionChangedListener
SiteMapListener
PersistentConnectionListener
AddonFilesChangedListener
CommandLineListener
Key Classes
•
•
•
•
•
•
•
•
•
•

ZAP

main class

Model

singleton

View

singleton

Control

singleton

Session

access via Model

SiteMap

access via Session

SiteNode

a SiteMap node

HttpMessage

full request/response

HistoryReference

subset of HttpMessage

Alert

a vulnerability
Accessing Extensions
• Core Extensions (ie included by default)
ExtensionXXX extXXX =
Control.getSingleton().
GetExtensionLoader().getExtension(
ExtensionXXX.NAME);
if (extXXX != null) {
// Now you can use it...
extXXX.someFunction();
}

• For Extensions not included by default you must
use a String name and access functions via
reflection
API
• org.zaproxy.zap.extension.api.API - singleton
• api.registerApiImplementor (ApiImplementor impl)
• ApiElement
– ApiView- return structured info - ApiResponse
– ApiAction - make changes (return structured info)
– ApiOther - return raw data

• API generators
– JavaAPIGenerator
– PythonAPIGenerator
– WikiAPIGenerator
Database
•

http://code.google.com/p/zaproxy/wiki/InternalDatabase

• HSQLDB – can access directly via SQL tools
• Package: org.parosproxy.paros.db
• Shouldnt typically access the db directly – use the
extension that 'owns' the data

• Add-ons can create new tables – see websockets
• The schema must be backwards compatible
between releases
Pluggable HttpPanels
•
•
•
•

org.zaproxy.zap.extension.httppanel
Request and Response display options
Good examples – websockets & plugnhack (?)
httppanel
component
XxxComponent
models
extend Abstract*HttpPanelViewModel
views
extend HttpPanelTextArea...
Feedback?

More Related Content

What's hot

JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroSimon Bennetts
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting WorkshopSimon Bennetts
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroSimon Bennetts
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerSimon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23
 
2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP AutomationSimon Bennetts
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineSherif Mansour
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
2020 OWASP Thailand - ZAP intro
2020 OWASP Thailand - ZAP intro2020 OWASP Thailand - ZAP intro
2020 OWASP Thailand - ZAP introSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolDavid Sweigert
 

What's hot (20)

JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP Intro
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
 
2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation2020 ADDO Spring Break OWASP ZAP Automation
2020 ADDO Spring Break OWASP ZAP Automation
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
2020 OWASP Thailand - ZAP intro
2020 OWASP Thailand - ZAP intro2020 OWASP Thailand - ZAP intro
2020 OWASP Thailand - ZAP intro
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
 

Similar to OWASP 2013 APPSEC USA ZAP Hackathon

Spring Roo Add-On Development & Distribution
Spring Roo Add-On Development & DistributionSpring Roo Add-On Development & Distribution
Spring Roo Add-On Development & DistributionStefan Schmidt
 
Artifacts management with DevOps
Artifacts management with DevOpsArtifacts management with DevOps
Artifacts management with DevOpsChen-Tien Tsai
 
Frequently asked questions answered frequently - but now for the last time
Frequently asked questions answered frequently - but now for the last timeFrequently asked questions answered frequently - but now for the last time
Frequently asked questions answered frequently - but now for the last timeAndreas Jung
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP DevSecCon
 
OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...
OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...
OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...NETWAYS
 
Qcon beijing 2010
Qcon beijing 2010Qcon beijing 2010
Qcon beijing 2010Vonbo
 
Gr8conf - Griffon Update
Gr8conf - Griffon UpdateGr8conf - Griffon Update
Gr8conf - Griffon UpdateAndres Almiray
 
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20Michael Lihs
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
Tuenti Release Workflow
Tuenti Release WorkflowTuenti Release Workflow
Tuenti Release WorkflowTuenti
 
DevSecCon London 2017: zap scripting workshop by Simon Bennetts
DevSecCon London 2017: zap scripting workshop by Simon BennettsDevSecCon London 2017: zap scripting workshop by Simon Bennetts
DevSecCon London 2017: zap scripting workshop by Simon BennettsDevSecCon
 
Trend Micro Big Data Platform and Apache Bigtop
Trend Micro Big Data Platform and Apache BigtopTrend Micro Big Data Platform and Apache Bigtop
Trend Micro Big Data Platform and Apache BigtopEvans Ye
 
20120524 english lt2_pythontoolsfortesting
20120524 english lt2_pythontoolsfortesting20120524 english lt2_pythontoolsfortesting
20120524 english lt2_pythontoolsfortestingKazuhiro Oinuma
 
Automated Acceptance Testing from Scratch
Automated Acceptance Testing from ScratchAutomated Acceptance Testing from Scratch
Automated Acceptance Testing from ScratchExcella
 
How and Why you can and should Participate in Open Source Projects (AMIS, Sof...
How and Why you can and should Participate in Open Source Projects (AMIS, Sof...How and Why you can and should Participate in Open Source Projects (AMIS, Sof...
How and Why you can and should Participate in Open Source Projects (AMIS, Sof...Lucas Jellema
 
Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?Bruno Capuano
 
Testing API's: Tools & Tips & Tricks (Oh My!)
Testing API's: Tools & Tips & Tricks (Oh My!)Testing API's: Tools & Tips & Tricks (Oh My!)
Testing API's: Tools & Tips & Tricks (Oh My!)Ford Prior
 

Similar to OWASP 2013 APPSEC USA ZAP Hackathon (20)

Spring Roo Add-On Development & Distribution
Spring Roo Add-On Development & DistributionSpring Roo Add-On Development & Distribution
Spring Roo Add-On Development & Distribution
 
Hacking on WildFly 9
Hacking on WildFly 9Hacking on WildFly 9
Hacking on WildFly 9
 
Artifacts management with DevOps
Artifacts management with DevOpsArtifacts management with DevOps
Artifacts management with DevOps
 
Frequently asked questions answered frequently - but now for the last time
Frequently asked questions answered frequently - but now for the last timeFrequently asked questions answered frequently - but now for the last time
Frequently asked questions answered frequently - but now for the last time
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
 
OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...
OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...
OSMC 2009 | Nagios Plugins: New features and future projects by Thomas Guyot-...
 
Qcon beijing 2010
Qcon beijing 2010Qcon beijing 2010
Qcon beijing 2010
 
Gr8conf - Griffon Update
Gr8conf - Griffon UpdateGr8conf - Griffon Update
Gr8conf - Griffon Update
 
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
Continuous Integration with Open Source Tools - PHPUgFfm 2014-11-20
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Tuenti Release Workflow
Tuenti Release WorkflowTuenti Release Workflow
Tuenti Release Workflow
 
DevSecCon London 2017: zap scripting workshop by Simon Bennetts
DevSecCon London 2017: zap scripting workshop by Simon BennettsDevSecCon London 2017: zap scripting workshop by Simon Bennetts
DevSecCon London 2017: zap scripting workshop by Simon Bennetts
 
Trend Micro Big Data Platform and Apache Bigtop
Trend Micro Big Data Platform and Apache BigtopTrend Micro Big Data Platform and Apache Bigtop
Trend Micro Big Data Platform and Apache Bigtop
 
20120524 english lt2_pythontoolsfortesting
20120524 english lt2_pythontoolsfortesting20120524 english lt2_pythontoolsfortesting
20120524 english lt2_pythontoolsfortesting
 
Automated Acceptance Testing from Scratch
Automated Acceptance Testing from ScratchAutomated Acceptance Testing from Scratch
Automated Acceptance Testing from Scratch
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
 
How and Why you can and should Participate in Open Source Projects (AMIS, Sof...
How and Why you can and should Participate in Open Source Projects (AMIS, Sof...How and Why you can and should Participate in Open Source Projects (AMIS, Sof...
How and Why you can and should Participate in Open Source Projects (AMIS, Sof...
 
Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?
 
Testing API's: Tools & Tips & Tricks (Oh My!)
Testing API's: Tools & Tips & Tricks (Oh My!)Testing API's: Tools & Tips & Tricks (Oh My!)
Testing API's: Tools & Tips & Tricks (Oh My!)
 

Recently uploaded

Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 

Recently uploaded (20)

Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 

OWASP 2013 APPSEC USA ZAP Hackathon

  • 1. The OWASP Foundation http://www.owasp.org OWASP Zed Attack Proxy Hackathon Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. The Plan • • • • • Overview of how to extend ZAP Describe the topics I could talk about Find out what you really want to know ;) Agree topics to cover For each topic: – Talk for a bit, hack for a bit • But its all up for grabs, so we can change anything • And feel free to do your own thing! • I'll help out during the hacking sections 2
  • 3. How you can extend ZAP • Without a dev environment: – 3rd party tools – Scripts – Translations – Documentation • With a development environment – Active & passive scan rules – 'Full' extensions
  • 4. What can you plug in? • • • • Scripts Script types Active and Passive rules UI elements – tabs, popups, toolbar buttons, menus, right click options... • API calls • Request / Response views • Breaking, Fuzzing, Searching
  • 5. Topics I could talk about • • • • • • • • The ZAP project structure Setting up a ZAP development environment ZAP documentation and internationalization Implementing 'standard' scripts Implementing Zest scripts Implementing active and passive scan rules Implementing Add-ons and extensions Features and fixes to work on
  • 6. More topics I could talk about • • • • • • • • Key classes Accessing core functionality and extensions Internal events The user interface The API The database Request / Response views Breaking, fuzzing, searching
  • 7. Project Structure • zaproxy – http://code.google.com/p/zaproxy/ – The 'core' plus a lot more • zap-test – http://code.google.com/p/zaproxy-test/ – Unit tests • zap-extensions – http://code.google.com/p/zap-extensions/ – The add-ons – Trunk, alpha and beta branches!
  • 8. Project Structure • zaproxy – src All the 'core' source code • org/parosprozy The 'old' Paros code • org/zaproxy The 'new' ZAP code • help Help files • lang Property files (UI) – build Build directory – lib Jar files – scripts Default script templates
  • 9. Development Environment • • • • Java 7 Eclipse (or your favorite Java IDE) Subversive SVN (or equivalent) Import ZAP projects via SVN – https://zaproxy.googlecode.com/svn/trunk/ – https://zaproxy-test.googlecode.com/svn/trunk/ – https://zap-extensions.googlecode.com/svn/trunk/ – https://zap-extensions.googlecode.com/svn/branches/alpha/ – https://zap-extensions.googlecode.com/svn/branches/beta/ • Add 'lib' jars to build path • Run org.zaproxy.zap.ZAP.java
  • 10. Creating the Projects • • • • • • • • File / New / Other... SVN / Project from SVN Create a new repository location URL, e.g. https://zaproxy.googlecode.com/svn/ Select Resource, e.g. trunk Check out .. using the New Project Wizard Select a wizard: Java / Java Project Add all lib/*.jar files to the build path
  • 11. Dev Rules and Guidelines • http://code.google.com/p/zaproxy/wiki/DevGuidelines • • • • • • • • Ease of use and consistency are key All UI string must in internationalized Comment all changes to orp.parosproxy.paros All functionality should have help pages Keep a clean split between functionality and UI Check in code cleaner that you checked out Write unit tests Extensions should expose functionality, not UI elements (older ones still do)
  • 12. Documentation and i18n • ZAP Help file – src/help – {addon}/resource/help – http://code.google.com/p/zaproxy/wiki/HelpIntro • Home pages – https://www.owasp.org/index.php/ZAP • 'Official' home page, 'outward' facing? – http://code.google.com/p/zaproxy/ • More details, 'internal' facing? • http://crowdin.net/project/owasp-zap
  • 13. Scripting • • • • • • • Passive Rules Passive scanner Active Rules Active Scanner Proxy Inline Stand Alone User controlled Targeted Right click invoke Library Work in progress ;) Plugable Register at runtime
  • 14. 'Standard' Scripts • • • • No IDE required :) JavaScript (and Zest) built in Python and Ruby download from Marketplace All other JSR 223 scripts supported with no templates • Templates give basic structure • But you still need some idea of ZAP internals – http://code.google.com/p/zaproxy/wiki/InternalDetails – http://code.google.com/p/zaproxy/wiki/JavaDocs
  • 15. Zest Scripts • • • • • • • Built in, same script types But they are graphical Implement JSR 223 And very new Effectively ZAP's macro language Right click everywhere! https://developer.mozilla.org/en-US/docs/zest
  • 16. Add-ons • • • • Available from the ZAP Marketplace Name format: id-status-version.zap Status: alpha, beta, release Standard ZIP file, containing: – ZapAddOn.xml – Active scan rules – Passive scan rules – Extensions – Files
  • 17. ZapAddOn.xml <zapaddon> <name>Short text name (no HTML)</name> <version></version> <description>Longer description</description> <author>Author (no HTML)</author> <url/> <changes/> <dependson> <zapaddonid/> </dependson> <extensions> <extension/> </extensions>
  • 18. ZapAddOn.xml <ascanrules> <ascanrule/> </ascanrules> <pscanrules> <pscanrule/> </pscanrules> <filters> <!-- not currently supported? --> <filter/> </filters> <files> <file/> </files> <not-before-version/> <not-from-version/> </zapaddon>
  • 19. Add-on file structure • Package: org.zaproxy.zap.extension.name files resource help icons lib • • • • Will be included as files Help files Images Jars (will be expanded) Classes and sub packages Message.properties Message_locale.properties ZapAddOn.xml
  • 20. Building Add-ons • • • • zap-entensions/build/build.xml zap-extensions/branches/alpha/build/build.xml zap-extensions/branches/beta/build/build.xml Typically just need to add your add-on to targets: – build-all – deploy-addon-id – deploy-all • Everything will be handled if you stick to the standard file structure
  • 21. Passive Scan Rules • Extend org.zaproxy.zap.extension.pscan. PluginPassiveScanner • • • • • • Called for every request and response Run in background thread Cant change anything – look but dont touch ;) Receive HttpMessage and DOM Source Use PassiveScanThread.raiseAlert(..) Lots of examples (trunk, beta, alpha?)
  • 22. Active Scan Rules • Extend org.parosproxy.paros.core.scanner. AbstractPlugin • AbstractAppPlugin –AbstractAppParamPlugin • AbstractHostPlugin Every node Every param Hosts/1 node st • Can change anything – make new request etc • AbstractPlugin – lots of utility methods • Lots of examples (trunk, beta, alpha?)
  • 23. Extensions • Extend org.parosproxy.paros.extension.Extension • Can do anything – much of the 'core' is really extensions • Should have their own language files • Lots of examples – pick one that does something vaguely similar?
  • 24. Features and Fixes • • • • • • • • Scripts, in Javascript, Python, Ruby, Zest New script templates – Groovy, Scala ... Active and passive scan rules http://code.google.com/p/zaproxy/wiki/Projects http://code.google.com/p/zaproxy/issues/list 'IdealFirstBug' tag Wrap / port another tool (retire.js, ..) Whatever you want to do!
  • 26. Key Classes • • • • • • • • • • ZAP main class Model singleton View singleton Control singleton Session access via Model SiteMap access via Session SiteNode a SiteMap node HttpMessage full request/response HistoryReference subset of HttpMessage Alert a vulnerability
  • 27. Accessing Extensions • Core Extensions (ie included by default) ExtensionXXX extXXX = Control.getSingleton(). GetExtensionLoader().getExtension( ExtensionXXX.NAME); if (extXXX != null) { // Now you can use it... extXXX.someFunction(); } • For Extensions not included by default you must use a String name and access functions via reflection
  • 28. API • org.zaproxy.zap.extension.api.API - singleton • api.registerApiImplementor (ApiImplementor impl) • ApiElement – ApiView- return structured info - ApiResponse – ApiAction - make changes (return structured info) – ApiOther - return raw data • API generators – JavaAPIGenerator – PythonAPIGenerator – WikiAPIGenerator
  • 29. Database • http://code.google.com/p/zaproxy/wiki/InternalDatabase • HSQLDB – can access directly via SQL tools • Package: org.parosproxy.paros.db • Shouldnt typically access the db directly – use the extension that 'owns' the data • Add-ons can create new tables – see websockets • The schema must be backwards compatible between releases
  • 30. Pluggable HttpPanels • • • • org.zaproxy.zap.extension.httppanel Request and Response display options Good examples – websockets & plugnhack (?) httppanel component XxxComponent models extend Abstract*HttpPanelViewModel views extend HttpPanelTextArea...