OWASP 2014 AppSec EU ZAP Advanced Features


Slides from my OWASP AppSec EU talk on June 26 2014 in Cambridge about ZAP Advanced Features


1. The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
ZAP Advanced Features
Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team
psiinon@gmail.com
OWASP AppSec EU, Cambridge 2014

2. What is ZAP?
• An easy-to-use webapp pentest tool
• Completely free and open source
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2013
• Not a silver bullet!

3. ZAP Principles
• Free, open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components

4. Statistics
• Released September 2010, fork of Paros
• V 2.3.1 released in May 2014
• V 2.3.1 downloaded > 20K times
• Translated into 20+ languages
• Over 90 translators
• Mostly used by professional pentesters?
• Paros code: ~20%, ZAP code: ~80%

5. Ohloh Statistics
• Very high activity
• The most active OWASP project
• 29 active contributors
• 278 years of effort
Source: http://www.ohloh.net/p/zaproxy

6. The Main Features
All the essentials for web application testing
• Intercepting proxy
• Active and passive scanners
• Traditional and Ajax spiders
• WebSockets support
• Forced browsing (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Online add-ons marketplace

7. Some Additional Features
• Auto tagging
• Port scanner
• Script console
• Report generation
• Smart card support
• Contexts and scope
• Session management
• Invoke external apps
• Dynamic SSL certificates

8. The Advanced Stuff :)
• Contexts
• Advanced scanning
• Scripts
• Zest
• Plug-n-Hack
9. Contexts
• Assign characteristics to groups of URLs
• Like an application:
  – Per site: http://www.example.com
  – Site subtree: http://www.example.com/app1
  – Multiple sites: http://www.example1.com and http://www.example2.com

10. Contexts
• Allow you to define:
  – Scope
  – Session handling
  – Authentication
  – Users
  – 'Forced user'
  – Structure
  – with more coming soon
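The scope part of a context is a set of "include" and "exclude" regular expressions matched against the whole URL. The following is an added example, not code from the talk or from ZAP itself: it reproduces that rule (a URL is in the context when it matches some include regex and no exclude regex, with the regex required to match the full URL, which is our reading of how ZAP evaluates context regexes) for the three context shapes on slide 9, and shows why the site prefix must be regex-escaped. The URLs are the slide's own; the logout exclusion is a constructed addition.

```javascript
// Added example (not ZAP's own code): how a context decides whether a URL
// is in scope. Assumption: ZAP matches each include/exclude regex against
// the full URL (a whole-string match), which is why the generated patterns
// end in ".*".

// Escape regex metacharacters so "www.example.com" does not also match
// "wwwXexample.com": an unescaped dot is a wildcard.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Include pattern for a site or a site subtree, in the "<prefix>.*" form
// the ZAP UI generates when you add a node to a context.
function contextIncludeRegex(prefix) {
  return escapeRegex(prefix) + '.*';
}

// Evaluate the context rules for one URL: at least one include must match
// and no exclude may match. Anchors emulate a whole-string match.
function inContext(url, includeRegexes, excludeRegexes) {
  const matches = (re) => new RegExp('^' + re + '$').test(url);
  return includeRegexes.some(matches) && !excludeRegexes.some(matches);
}

// Constructed context for slide 9's examples: one subtree plus two extra
// sites, with the logout page excluded so spidering or scanning inside the
// context never ends the session.
const includes = [
  contextIncludeRegex('http://www.example.com/app1'),
  contextIncludeRegex('http://www.example1.com'),
  contextIncludeRegex('http://www.example2.com'),
];
const excludes = [contextIncludeRegex('http://www.example.com/app1/logout')];
```

One caveat the escaping does not fix: a site pattern such as `http://www.example.com.*` also matches `http://www.example.com.evil.net/`, because the `.*` follows the host with no separator. If that matters for the target, add the trailing slash to the prefix (`http://www.example.com/`) so the pattern ends on a path boundary.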
11. Advanced Scanning
• Accessed from:
  – Right-click Attack menu
  – Tools menu
  – Keyboard shortcut (default Ctrl-Alt-A)
• Gives you fine-grained control over:
  – Scope
  – Input vectors
  – Custom vectors
  – Policy

12. Scripting
• Different types of scripts:
  – Stand alone: run when you say
  – Targeted: specify URLs to run against
  – Active: run in the active scanner
  – Passive: run in the passive scanner
  – Proxy: run 'inline'
  – Authentication: complex logins
  – Input vector: define what to attack

13. Scripting
• Full access to ZAP internals
• Supports all JSR 223 languages, including:
  – JavaScript
  – Jython
  – JRuby
  – Zest :)
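As an added example of the passive script type (it is not from the talk and not one of ZAP's bundled scripts), here is a JavaScript passive scan script that flags RFC 1918 addresses leaking in response bodies. The `scan(ps, msg, src)` entry point and the `ps.raiseAlert(...)` argument order are those of the ZAP 2.3-era passive script template; the detection logic, the alert text and the offline harness with its constructed response are ours. The CWE (200) and WASC (13) identifiers are the generic information-leakage ones.

```javascript
// Added example (not from the talk or the ZAP project): a ZAP passive scan
// script. Passive scripts see every request/response passing through ZAP
// and may raise alerts, but must never send traffic of their own.

// RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
var PRIVATE_IP = /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g;

// Pure check, kept apart from the ZAP objects so it can be unit tested.
// Returns each distinct private address found, in order of appearance.
function findPrivateIps(text) {
  var found = [];
  var m;
  PRIVATE_IP.lastIndex = 0; // the regex is global and shared; reset it
  while ((m = PRIVATE_IP.exec(text)) !== null) {
    if (found.indexOf(m[0]) === -1) found.push(m[0]);
  }
  return found;
}

// ZAP calls this for every message. ps = passive script helper,
// msg = HttpMessage, src = Jericho Source of the response (unused here).
function scan(ps, msg, src) {
  var body = msg.getResponseBody().toString();
  var ips = findPrivateIps(body);
  if (ips.length === 0) return;
  // raiseAlert(risk, confidence, name, description, uri, param, attack,
  //            otherInfo, solution, evidence, cweId, wascId, msg)
  // risk: 0 info, 1 low, 2 medium, 3 high; confidence: 1 low .. 3 high
  ps.raiseAlert(1, 2,
    'Private IP address disclosure (script)',
    'The response body contains what looks like an internal (RFC 1918) IP address.',
    msg.getRequestHeader().getURI().toString(),
    '', '',
    'Addresses found: ' + ips.join(', '),
    'Remove internal addresses from error pages and debug output.',
    ips[0], 200, 13, msg);
}

// Offline harness with a constructed response and fake ZAP objects, so the
// script can be exercised outside ZAP (e.g. in node) before it is loaded
// into the Script Console. Returns the argument lists of the raised alerts.
function runOnSample() {
  var raised = [];
  var fakePs = { raiseAlert: function () { raised.push(Array.prototype.slice.call(arguments)); } };
  var sampleBody = '<html>Upstream 10.0.3.17:8080 timed out; retry via 10.0.3.17 ' +
    'or 192.168.1.254. Resolver 8.8.8.8 ok. 172.32.0.1 is not in 172.16/12.</html>';
  var fakeMsg = {
    getResponseBody: function () { return { toString: function () { return sampleBody; } }; },
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return 'http://www.example.com/app1/status'; } }; } };
    }
  };
  scan(fakePs, fakeMsg, null);
  return raised;
}
```

Load the file through ZAP's Scripts tab as a Passive Rules script and enable it; it then runs alongside the built-in passive rules with no extra requests. The split between `findPrivateIps` and `scan` is deliberate: everything touching ZAP's Java objects stays in `scan`, so the matching logic can be tested in plain node.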
14. Zest – Overview
• An experimental scripting language
• Developed by Mozilla Security Team
• Free and open source (of course)
• Format: JSON – designed to be represented visually in security tools
• Tool independent – can be used in open and closed, free or commercial software
• Included by default in ZAP from 2.2.0
• Replaces filters

15. Zest – Use cases
• Reporting vulnerabilities to companies
• Reporting vulnerabilities to developers
• Defining tool independent active and passive scan rules
• Deep integration with security tools
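To make the "JSON, tool independent" point concrete, the following added example (not from the talk or the Zest project) builds a minimal Zest script with one request and two assertions, and then evaluates those assertions against a constructed response with a few lines of code that know nothing about ZAP. The element type and field names (`ZestScript`, `ZestRequest`, `ZestAssertion`, `ZestExpressionStatusCode`, `ZestExpressionRegex`, `variableName: "response.body"`) are as we recall them from the Zest reference, and the `zestVersion` string is assumed; check both against the current Zest schema before relying on them. The target URL and check are constructed.

```javascript
// Added example (not from the talk or the Zest project). Field names follow
// the Zest JSON format as we recall it; zestVersion is an assumption.

// A stand-alone Zest script: request a search page with "<zest>" as the q
// parameter and assert (1) the status is 200 and (2) the raw "<zest>" string
// does NOT appear in the body, i.e. the parameter came back HTML-escaped.
function buildZestScript() {
  return {
    about: 'This is a Zest script. For more details about Zest visit https://developer.mozilla.org/en-US/docs/Zest',
    zestVersion: '0.8',
    title: 'Reflected parameter check for /app1/search',
    description: 'Constructed example: GET a search page and check the q parameter is escaped in the body',
    prefix: 'http://www.example.com',
    type: 'StandAlone',
    elementType: 'ZestScript',
    statements: [
      {
        elementType: 'ZestRequest',
        method: 'GET',
        url: 'http://www.example.com/app1/search?q=%3Czest%3E',
        headers: '',
        data: '',
        followRedirects: true,
        assertions: [
          { elementType: 'ZestAssertion',
            rootExpression: { elementType: 'ZestExpressionStatusCode', code: 200, not: false } },
          { elementType: 'ZestAssertion',
            rootExpression: { elementType: 'ZestExpressionRegex', variableName: 'response.body',
                              regex: '<zest>', caseExact: true, not: true } }
        ]
      }
    ]
  };
}

// Minimal evaluator for the two expression types used above. A response is
// modelled as {status, header, body}. Unknown expression types are an error
// rather than a silent pass, so a tool never reports a check it did not run.
function evaluateExpression(expr, response) {
  var result;
  switch (expr.elementType) {
    case 'ZestExpressionStatusCode':
      result = response.status === expr.code;
      break;
    case 'ZestExpressionRegex': {
      var subject = expr.variableName === 'response.header' ? response.header : response.body;
      result = new RegExp(expr.regex, expr.caseExact ? '' : 'i').test(subject);
      break;
    }
    default:
      throw new Error('Unsupported Zest expression: ' + expr.elementType);
  }
  return expr.not ? !result : result; // every Zest expression can be negated
}

// Evaluate all assertions attached to one ZestRequest; one boolean each.
function checkRequestAssertions(request, response) {
  return request.assertions.map(function (a) { return evaluateExpression(a.rootExpression, response); });
}
```

Because the script is plain JSON, the same file can be attached to a bug report, replayed from ZAP's Zest add-on, or interpreted by any other tool that implements the handful of element types it uses; the evaluator above is all the "tool" needs for these two assertions.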
16. Plug-n-Hack – Phase 1
• Allows browsers and security tools to integrate more easily
• Allows security tools to expose functionality to browsers
• "Proposed standard"
• Developed by Mozilla Security Team
• Browser and security tool independent

17. Plug-n-Hack – Phase 2
• Allows browsers to expose functionality to security tools
• This phase doesn't need a browser plugin
• Injects JavaScript into 'monitored pages'
• Heartbeat shows which pages are alive
• Intercept and change postMessages
• Fuzz postMessages
• DOM XSS oracle

18. Plug-n-Hack – Phase 3
• Support more client-side events..
• .. which enables client-side Zest recording
• Work in progress!
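The postMessage items on slide 17 come down to script injected into the monitored page that hooks the messaging API. The following is an added example, not Plug-n-Hack's own code: it wraps `window.postMessage` to see outgoing messages, hooks incoming `message` events ahead of the page's own handlers, and replays a captured message with attacker payloads and an origin of our choice, which is exactly what exposes a handler that never checks `event.origin`. The `report` callback, the fake window, the weak page handler and the payloads are all constructed for the demo; in a browser you would pass the real `window`.

```javascript
// Added example, not Plug-n-Hack's own code. "report" is a hypothetical
// callback to the security tool; the window is passed in so the same code
// runs against a fake window in node.
function installPostMessageMonitor(win, report) {
  var originalPost = win.postMessage;
  var captured = [];

  // Outgoing messages: record, then forward to the real postMessage.
  win.postMessage = function (data, targetOrigin, transfer) {
    captured.push({ direction: 'out', data: data, origin: targetOrigin });
    report({ type: 'postMessage.out', data: data, targetOrigin: targetOrigin });
    return originalPost.call(win, data, targetOrigin, transfer);
  };

  // Incoming messages: capture phase, so the tool sees them before the page.
  win.addEventListener('message', function (ev) {
    captured.push({ direction: 'in', data: ev.data, origin: ev.origin });
    report({ type: 'postMessage.in', data: ev.data, origin: ev.origin });
  }, true);

  // Replace every string in a captured payload with the fuzz string, keeping
  // the object structure the page's handler expects.
  function mutate(value, payload) {
    if (typeof value === 'string') return payload;
    if (Array.isArray(value)) return value.map(function (v) { return mutate(v, payload); });
    if (value && typeof value === 'object') {
      var out = {};
      Object.keys(value).forEach(function (k) { out[k] = mutate(value[k], payload); });
      return out;
    }
    return value;
  }

  // Deliver mutated copies of a captured message to the page's handlers with
  // a spoofed origin. A handler that ignores ev.origin processes them; a DOM
  // XSS oracle watching the sinks then tells you if a payload landed unescaped.
  function fuzzIncoming(record, payloads, spoofedOrigin) {
    payloads.forEach(function (p) {
      var data = mutate(record.data, p);
      var ev = typeof win.MessageEvent === 'function'
        ? new win.MessageEvent('message', { data: data, origin: spoofedOrigin })
        : { type: 'message', data: data, origin: spoofedOrigin };
      win.dispatchEvent(ev);
    });
  }

  return { captured: captured, fuzzIncoming: fuzzIncoming };
}

// Constructed fake window with just enough of the DOM API for the demo.
function makeFakeWindow() {
  var listeners = [];
  var win = { sent: [] };
  win.addEventListener = function (type, fn) { if (type === 'message') listeners.push(fn); };
  win.dispatchEvent = function (ev) { listeners.forEach(function (fn) { fn(ev); }); return true; };
  win.postMessage = function (data, targetOrigin) { win.sent.push({ data: data, targetOrigin: targetOrigin }); };
  return win;
}

// Demo: a deliberately weak page handler that trusts any origin and writes
// message.html to a sink. Returns what the tool saw and what reached the sink.
function runDemo() {
  var win = makeFakeWindow();
  var reports = [];
  var sinkWrites = []; // what the page would hand to innerHTML
  var monitor = installPostMessageMonitor(win, function (r) { reports.push(r); });
  win.addEventListener('message', function (ev) { sinkWrites.push(ev.data.html); });

  // The page sends a message (captured as outgoing) ...
  win.postMessage({ html: '<b>hello</b>', id: 7 }, 'https://widget.example.com');
  // ... and the tool reuses its structure as the seed for inbound fuzzing
  // from an origin the page never intended to trust.
  monitor.fuzzIncoming(monitor.captured[0],
    ['<img src=x onerror=alert(1)>', '"><svg onload=alert(2)>'],
    'https://attacker.example');

  return { reports: reports, sinkWrites: sinkWrites, forwarded: win.sent };
}
```

The capture-phase listener matters in a real browser: page handlers registered on `window` run after it, so the tool records the message even if a handler calls `stopPropagation()`. The heartbeat from slide 17 would be a timer in the same injected script calling `report` periodically; it is omitted here.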
19. Work In Progress
• GSoC – Advanced Fuzzing – Sebastian
• GSoC – Advanced AC testing – Cosmin
• GSoC – SOAP Service Scanning – Alberto
• Sequence scanning – Lars and Stefan
• Sequence abuse – Avinash
• GSoC – OWTF Zest + ZAP integration – Deep
• GSoC (Mozilla) – Firefox Zest add-on – Sunny
• .. and more behind the scenes ;)

20. The Source Code
• Currently on Google Code
• Will probably move to GitHub when time allows
• Hacking ZAP blog series: https://code.google.com/p/zaproxy/wiki/Development
• ZAP Internals: https://code.google.com/p/zaproxy/wiki/InternalDetails
• ZAP Dev Group: http://groups.google.com/group/zaproxy-develop

21. Conclusion
• ZAP is changing rapidly
• It is the most active OWASP project
• It is the most active open source web app security project
• It's great for people new to AppSec ..
• .. and also for security pros
• It's a community-based tool – get involved!

22. Questions?
http://www.owasp.org/index.php/ZAP