OWASP 2014 AppSec EU ZAP Advanced Features

Slide from my OWASP AppSec EU on June 26 2014 in Cambridge about ZAP Advanced Features


Slide 1: ZAP Advanced Features
Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team (psiinon@gmail.com)
OWASP AppSec EU, Cambridge 2014
The OWASP Foundation, http://www.owasp.org. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Slide 2: What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2013
• Not a silver bullet!

Slide 3: ZAP Principles
• Free, open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components

Slide 4: Statistics
• Released September 2010, fork of Paros
• V 2.3.1 released in May 2014
• V 2.3.1 downloaded > 20K times
• Translated into 20+ languages
• Over 90 translators
• Mostly used by professional pentesters?
• Paros code: ~20%; ZAP code: ~80%
Slide 5: Ohloh Statistics
• Very high activity
• The most active OWASP project
• 29 active contributors
• 278 years of effort
Source: http://www.ohloh.net/p/zaproxy

Slide 6: The Main Features
All the essentials for web application testing:
• Intercepting proxy
• Active and passive scanners
• Traditional and Ajax spiders
• WebSockets support
• Forced browsing (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Online add-ons marketplace

Slide 7: Some Additional Features
• Auto tagging
• Port scanner
• Script console
• Report generation
• Smart card support
• Contexts and scope
• Session management
• Invoke external apps
• Dynamic SSL certificates

Slide 8: The Advanced Stuff :)
• Contexts
• Advanced scanning
• Scripts
• Zest
• Plug-n-Hack
Slide 9: Contexts
• Assign characteristics to groups of URLs
• Like an application:
  – Per site:
    • http://www.example.com
  – Site subtree:
    • http://www.example.com/app1
  – Multiple sites:
    • http://www.example1.com
    • http://www.example2.com

Slide 10: Contexts
• Allow you to define:
  – Scope
  – Session handling
  – Authentication
  – Users
  – 'Forced user'
  – Structure
  – with more coming soon

Slide 11: Advanced Scanning
• Accessed from:
  – Right-click Attack menu
  – Tools menu
  – Keyboard shortcut (default Ctrl-Alt-A)
• Gives you fine-grained control over:
  – Scope
  – Input vectors
  – Custom vectors
  – Policy

Slide 12: Scripting
• Different types of scripts:
  – Stand-alone: run when you say
  – Targeted: specify URLs to run against
  – Active: run in the active scanner
  – Passive: run in the passive scanner
  – Proxy: run 'inline'
  – Authentication: complex logins
  – Input vector: define what to attack

Slide 13: Scripting
• Full access to ZAP internals
• Supports all JSR 223 languages, including:
  – JavaScript
  – Jython
  – JRuby
  – Zest :)
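As an added example (not code from the slides or from the ZAP project's own script templates), this is the shape of a "Passive" script from slide 12 written in JavaScript, one of the JSR 223 languages listed above: ZAP calls scan(ps, msg, src) for every response and ps.raiseAlert(...) records a finding. The check flags HTML responses that lack a usable X-Frame-Options header; the raiseAlert argument order is assumed from ZAP 2.x's passive script template, and the check itself is kept in a plain function so it can be run outside ZAP on a constructed message.

```javascript
// Added example, not code from the slides: a ZAP "Passive" script in JavaScript (JSR 223).
// ZAP calls scan(ps, msg, src) for every response it proxies: ps is the passive-script
// helper, msg the HttpMessage, src the parsed HTML. The header check lives in a plain
// function so it can be exercised outside ZAP with a constructed message.
var HEADER = "X-Frame-Options";
var ALLOWED = ["DENY", "SAMEORIGIN"];

// Returns a finding string, or null when the response is fine.
function checkFrameOptions(contentType, headerValue) {
  // Only HTML documents can be framed; skip JSON, images and the like.
  if (!contentType || String(contentType).toLowerCase().indexOf("text/html") !== 0) {
    return null;
  }
  if (headerValue === null || headerValue === undefined) {
    return HEADER + " header missing";
  }
  var v = String(headerValue).trim().toUpperCase();
  if (ALLOWED.indexOf(v) === -1 && v.indexOf("ALLOW-FROM ") !== 0) {
    return HEADER + " has unexpected value: " + v;
  }
  return null;
}

// Entry point ZAP invokes for each message passing through the passive scanner.
function scan(ps, msg, src) {
  var resp = msg.getResponseHeader();
  var finding = checkFrameOptions(resp.getHeader("Content-Type"), resp.getHeader(HEADER));
  if (finding === null) {
    return;
  }
  // Argument order assumed from ZAP 2.x's passive script template:
  // raiseAlert(risk, confidence, name, description, uri, param, attack,
  //            otherInfo, solution, evidence, cweId, wascId, msg)
  // risk 1 = Low, confidence 2 = Medium; CWE-1021 (UI layer restriction), WASC-15.
  ps.raiseAlert(1, 2, "Missing or weak " + HEADER, finding,
    msg.getRequestHeader().getURI().toString(), "", "", "",
    "Send " + HEADER + ": DENY or SAMEORIGIN (or a CSP frame-ancestors directive).",
    String(resp.getHeader(HEADER) || ""), 1021, 15, msg);
}
```

Inside ZAP the script is loaded through the Script Console as a Passive script and enabled; ZAP then supplies the real ps and msg objects.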
Slide 14: Zest – Overview
• An experimental scripting language
• Developed by Mozilla Security Team
• Free and open source (of course)
• Format: JSON
  – designed to be represented visually in security tools
• Tool independent
  – can be used in open and closed, free or commercial software
• Included by default in ZAP from 2.2.0
• Replaces filters

Slide 15: Zest – Use cases
• Reporting vulnerabilities to companies
• Reporting vulnerabilities to developers
• Defining tool independent active and passive scan rules
• Deep integration with security tools

Slide 16: Plug-n-Hack – Phase 1
• Allows browsers and security tools to integrate more easily
• Allows security tools to expose functionality to browsers
• "Proposed standard"
• Developed by Mozilla Security Team
• Browser and security tool independent

Slide 17: Plug-n-Hack – Phase 2
• Allows browsers to expose functionality to security tools
• This phase doesn't need a browser plugin
• Inject JavaScript into 'monitored pages'
• Heartbeat shows which pages are alive
• Intercept and change postMessages
• Fuzz postMessages
• DOM XSS oracle

Slide 18: Plug-n-Hack – Phase 3
• Support more client side events..
• .. which enables client side Zest recording
• Work in progress!
Slide 19: Work In Progress
• GSoC – Advanced Fuzzing – Sebastian
• GSoC – Advanced AC testing – Cosmin
• GSoC – SOAP Service Scanning – Alberto
• Sequence scanning – Lars and Stefan
• Sequence abuse – Avinash
• GSoC – OWFT Zest + ZAP integration – Deep
• GSoC (Mozilla) – Firefox Zest add-on – Sunny
• .. and more behind the scenes ;)

Slide 20: The Source Code
• Currently on Google Code
• Will probably move to GitHub when time allows
• Hacking ZAP blog series: https://code.google.com/p/zaproxy/wiki/Development
• ZAP Internals: https://code.google.com/p/zaproxy/wiki/InternalDetails
• ZAP Dev Group: http://groups.google.com/group/zaproxy-develop

Slide 21: Conclusion
• ZAP is changing rapidly
• It is the most active OWASP project
• It is the most active open source web app security project
• It's great for people new to AppSec ..
• .. and also for security pros
• It's a community based tool – get involved!

Slide 22: Questions?
http://www.owasp.org/index.php/ZAP