The OWASP Foundation 
http://www.owasp.org 
OWASP ZAP 
Workshop 2: 
Contexts and Fuzzing 
Simon Bennetts 
OWASP ZAP Project Lead 
Mozilla Security Team 
psiinon@gmail.com 
Copyright © The OWASP Foundation 
OWASP 
Canberra 2014 
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The plan 
• The main bit 
• Demo feature 
• Let you play with feature 
• Answer any questions 
• Repeat 
• Plans for the future sessions 
Contexts 
• Assign characteristics to groups of URLs 
• Like an application: 
– Per site: 
• http://www.example.com 
– Site subtree: 
• http://www.example.com/app1 
– Multiple sites: 
• http://www.example1.com 
• http://www.example2.com
Practical 1 
• Create and edit a Context definition 
• Add a context to the scope and remove it again 
• Try using ZAP with different modes and scopes 
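An added example (not ZAP's own code) of what a Context's scope rules and ZAP's modes actually decide, for the three cases on the Contexts slide and the modes you try in Practical 1. It assumes ZAP's rule that a URL is in a context when it fully matches at least one "include" regex and none of the "exclude" regexes; the regexes, hosts and the `Context`/`may_attack` helpers are constructed for the example. ZAP's own generated include regex for a site is of the looser `host.*` form, which the `LOOSE_SITE` case shows.

```python
import re

# Added example, not ZAP's own code. Assumption: a URL is in a context when it
# fully matches at least one include regex and no exclude regex.
class Context:
    def __init__(self, name, include, exclude=()):
        self.name = name
        self.include = [re.compile(p) for p in include]
        self.exclude = [re.compile(p) for p in exclude]

    def contains(self, url):
        if not any(r.fullmatch(url) for r in self.include):
            return False
        return not any(r.fullmatch(url) for r in self.exclude)


CONTEXTS = [
    # per site: the whole host; the "(/.*)?" tail stops the pattern from
    # also matching look-alike hosts such as www.example.com.evil.example
    Context("per-site", [r"http://www\.example\.com(/.*)?"]),
    # site subtree, with the logout page kept out so that spidering or
    # scanning the subtree does not keep ending the session
    Context("subtree", [r"http://www\.example\.com/app1(/.*)?"],
            exclude=[r"http://www\.example\.com/app1/logout.*"]),
    # multiple sites in one context
    Context("multi-site", [r"http://www\.example1\.com(/.*)?",
                           r"http://www\.example2\.com(/.*)?"]),
]

# The include regex ZAP generates for a site is of the form 'host.*';
# constructed here to show what that also lets in.
LOOSE_SITE = Context("loose", [r"http://www\.example\.com.*"])


def contexts_for(url, contexts=CONTEXTS):
    """Names of every context the URL belongs to, in definition order."""
    return [c.name for c in contexts if c.contains(url)]


def in_scope(url, scope_contexts):
    """A URL is in scope when it belongs to any context currently in scope."""
    return any(c.contains(url) for c in scope_contexts)


def may_attack(url, mode, scope_contexts):
    """ZAP modes: Safe never attacks, Protected attacks only in-scope URLs,
    Standard and ATTACK attack anything (ATTACK also scans in-scope URLs
    automatically, which this model does not represent)."""
    if mode == "safe":
        return False
    if mode == "protected":
        return in_scope(url, scope_contexts)
    if mode in ("standard", "attack"):
        return True
    raise ValueError(f"unknown mode {mode!r}")
```

The look-alike host case is the check worth carrying into real engagements: with the generated `host.*` regex, anything the spider finds on `www.example.com.evil.example` is in scope, and in Protected mode in scope means attackable.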
Contexts 
• Allow you to define: 
– Scope 
– Session handling 
– Authentication 
– Users 
– 'Forced user' 
– Structure 
– with more coming soon
Practical 2 
• Define a context for an app with authentication 
• Configure the authentication method, the logged in/out indicators and one or more users 
• Spider / scan using Forced User mode 
Basic Fuzzing 
• Current 'basic' fuzzing: 
– Sends attack vectors at one selected target 
– Only supports files of attack vectors 
– JBroFuzz files included by default 
– FuzzDB and SVN Digger files on the Marketplace 
– You can add your own files 
– Handles anti-CSRF tokens 
– Results can be searched
Practical 3 
• Fuzz input fields 
• Fuzz input fields in forms with an anti-CSRF token 
• Search fuzzing results 
• Download and use the FuzzDB and SVN Digger files 
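An added example (not ZAP's own code) of why "handles anti-CSRF tokens" matters in Practical 3, and of searching the results afterwards. The target form, its single-use `csrf` token, the payload list and the two fuzzers are all constructed for the example: the naive fuzzer replays the token captured with the first request, the second re-fetches the form before every payload, which is what ZAP's fuzzer does once the token's name is registered under Options > Anti CSRF Tokens.

```python
import re
import secrets

# Added example, not ZAP's own code. Constructed payload list, not the
# JBroFuzz files.
PAYLOADS = [
    "hello",
    "<script>alert(1)</script>",
    "' OR '1'='1",
    "../../../../etc/passwd",
]

TOKEN_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')


class ToyFormApp:
    """Stand-in target: GET issues a fresh token, POST consumes it."""

    def __init__(self):
        self.valid_tokens = set()
        self.comments = []

    def get_form(self):
        token = secrets.token_hex(8)
        self.valid_tokens.add(token)
        return ('<form method="POST" action="/comment">'
                f'<input type="hidden" name="csrf" value="{token}">'
                '<input name="comment"></form>')

    def post_comment(self, fields):
        token = fields.get("csrf")
        if token not in self.valid_tokens:
            return 403, "Invalid or missing anti-CSRF token"
        self.valid_tokens.discard(token)   # single use: a replay gets 403
        comment = fields.get("comment", "")
        self.comments.append(comment)
        # Reflects the input unescaped, so a reflected payload is visible
        # in the response the fuzzer gets back.
        return 200, f"<p>Thanks for: {comment}</p>"


def fuzz_naive(app, payloads):
    """Capture the form once and replay its token with every payload.
    Returns the status code per payload."""
    token = TOKEN_RE.search(app.get_form()).group(1)
    return [app.post_comment({"csrf": token, "comment": p})[0]
            for p in payloads]


def fuzz_csrf_aware(app, payloads):
    """Refresh the token before each payload.
    Returns (payload, status, response body) per payload."""
    results = []
    for p in payloads:
        token = TOKEN_RE.search(app.get_form()).group(1)
        status, body = app.post_comment({"csrf": token, "comment": p})
        results.append((p, status, body))
    return results


def search_results(results, pattern):
    """The Search-tab step: payloads whose response matches the regex."""
    rx = re.compile(pattern)
    return [p for p, _status, body in results if rx.search(body)]
```

Without token handling only the first payload reaches the application and every later result is a 403, which is easy to misread as "the field is not injectable". With the token refreshed per request all four get through, and `search_results(results, r"<script>")` picks out the reflected payload the way a search of the fuzz results would.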
Advanced Fuzzing 
• 'MultiFuzz' on the Marketplace: 
– Sends attack vectors at multiple selected targets 
– A range of attack vector sources, not just files 
– Supports graphing of results 
– Google Summer of Code project 
– Alpha quality
Practical 4 
• Download MultiFuzz 
• Try out all of its features 
• Provide feedback :) 
Advanced Scanning 
• Accessed from: 
– The right-click Attack menu 
– The Tools menu 
– Keyboard shortcut (default Ctrl-Alt-A) 
• Gives you fine-grained control over: 
– Scope 
– Input Vectors 
– Custom Vectors 
– Policy
Practical 5 
• Scan one URL with one scan rule 
• Play with the thresholds and strengths 
• Scan custom input vectors 
• Create, save and load Policies 
Future Sessions? 
• Scripts 
• Zest 
• The API 
• Websockets 
• Marketplace add-ons 
• Intro to the source code? 
• What do you want? 
Any Questions? 
http://www.owasp.org/index.php/ZAP