Scripting OWASP ZAP
By Simon Bennetts
Join the conversation
#DevSecCon
The Plan
● Session 1 : 2pm
  – Introduction
  – Standard Scripts (JavaScript, Python, Ruby)
  – Proxy and Http Sender Scripts
  – Passive and Active Scan rule Scripts
● Session 2 : 3pm
  – Zest Scripts
  – Standalone and Targeted Scripts
● Session 3 : 4pm
  – How to use scripts in automation
  – How to add scripting support in add-ons (overview)
  – Authentication Scripts
  – More chance to write any or all of the above types
● Session 4 : 5pm
  – Optional – keep writing scripts, ask more questions...

Competition Time!
● We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
● Can be anything useful – eg copies of existing scripts in different languages :)
● Anything useful will earn a ZAP Contributor sticker (max one per person)
● Lots of useful scripts will earn a ZAP T-shirt!
● Only valid for this workshop
Introduction – why do we need scripts?
● Advantages:
  – Quick to write and test
  – Full access to ZAP classes and data structures
  – No need for separate development environment
● Disadvantages:
  – Documentation could be (much) better
  – No auto complete
  – No sandbox – only run scripts you trust!

Introduction – What languages are supported?
● JavaScript – built in
● Python – optional add-on
● Ruby – optional add-on
● Zest – built in, macro language on steroids
● JSR 223 languages relatively easy to add
● Beanshell – optional, no longer really maintained
Script types (built in)
● Stand Alone
  – Run manually
● Targeted
  – Run manually against a specified request
● Proxy
  – Change proxied browser requests on the fly
● HTTP Sender
  – Change any request on the fly (proxy, spider, active scanner ...)
● Passive Scan Rule
  – Detect potential issues just by looking
● Active Scan Rule
  – Detect potential issues by attacking
● Authentication
  – Automatically login to sites
● Script Input Vector
  – Define exactly what ZAP will attack

Script types (add-ons)
● Fuzzer HTTP Processor
  – Called before and after HTTP messages are fuzzed
● Fuzzer Websocket Processor
  – Called before and after Websocket messages are fuzzed
● Payload Generator
  – Generate attacks to be used in the fuzzer
● Payload Processor
  – Change fuzzer payloads before they are used
● Sequence
  – Define sequences of requests to be attacked (alpha)
‘Standard’ Script languages
● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
  – Java 7 – Rhino
  – Java 8 – Nashorn
  – Can write to local filestore via Java classes
  – Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
● JavaScript Nashorn – supports loading scripts from files
  – https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
● Python – supports modules path

Useful links
● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Getting started
● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: “Hello world”

The tabs
● Scripts tab
  – Shows all of the scripts and templates
  – Allows you to select, add, remove, duplicate, enable, disable and save scripts
  – Icons show state – enabled / disabled, error and not saved
● Script Console tab
  – Top pane – edit scripts
  – Bottom pane – output and error messages
  – Run and Stop buttons – enabled when appropriate
  – Output pane buttons – control that pane
  – Right click for lots more options!

Proxy and HTTP Sender scripts
● Proxy Scripts
  – Only affect requests and responses proxied via a browser
● HTTP Sender Scripts
  – Affect all requests and responses (proxy, active scan, spider …)
  – Initiator param gives the component that initiated the request
  – Provides helper to make new requests
● Both
  – Must enable scripts before they will take effect
  – Will be disabled on error
Script parameter: HttpMessage - msg
● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
● Provides methods like
  – getRequestBody()
  – getRequestHeader()
  – getResponseBody()
  – getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy

Proxy and HTTP Sender scripts - examples
● Proxy Scripts
  – Replace in request or response body.js
  – Drop requests not in scope.js
  – Return fake response.js
● HTTP Sender Scripts
  – Alert in HTTP Response Code Errors.js
  – Alert on Unexpected Content Types.js
  – Capture and Replace Anti CSRF Token.js

Exercise – write Proxy &/ HTTP Sender scripts
Suggestions:
● Replace headers
● Auto redirect from one page to another
● Do different things based on content, eg:
  – Replace different content
  – Redirect to different pages
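As an added example for this exercise (written for this page, not one of the community-scripts files listed above), here is a Proxy script that covers the first suggestion: it replaces a request header on the way out and rewrites part of the HTML on the way back. The `proxyRequest`/`proxyResponse` hooks and the `HttpMessage` calls (`getRequestHeader().setHeader`, `getResponseBody().setBody`, `getResponseHeader().setContentLength`) are ZAP's own; everything below the "Constructed stand-in" comment is a fake `HttpMessage` built here so the file can also be run in Node, and the BodgeIt strings are made-up sample values. The Content-Length fix-up after editing a body is the step most often forgotten.

```javascript
// Added example (not from the slides or community-scripts): a ZAP Proxy
// script in the style of "Replace in request or response body.js".  ZAP calls
// proxyRequest / proxyResponse for every proxied message; returning false
// drops the message.  The helpers are plain functions so they can be run
// outside ZAP against the constructed HttpMessage stand-in at the bottom.
// ES5 syntax only, so the same file loads under Rhino (Java 7) and Nashorn.

// Forced on every outgoing request so responses arrive uncompressed and the
// body rewrite below sees plain text instead of gzip.
var FORCED_REQUEST_HEADERS = { "Accept-Encoding": "identity" };

// Body rewrite for HTML responses (constructed sample values).
var BODY_FIND = "Welcome to BodgeIt";
var BODY_REPLACE = "Welcome to BodgeIt (via ZAP)";

// Sets a header on an HttpRequestHeader/HttpResponseHeader and returns the
// previous value, or null if the header was absent.
function replaceHeader(header, name, value) {
  var previous = header.getHeader(name);
  header.setHeader(name, value);
  return previous;
}

// Plain-text replace-all (no regex metacharacter surprises).
function replaceAll(text, find, replacement) {
  return text.split(find).join(replacement);
}

// ZAP entry point: every request the browser sends through the proxy.
function proxyRequest(msg) {
  for (var name in FORCED_REQUEST_HEADERS) {
    replaceHeader(msg.getRequestHeader(), name, FORCED_REQUEST_HEADERS[name]);
  }
  return true; // false would drop the request
}

// ZAP entry point: every response before it is returned to the browser.
function proxyResponse(msg) {
  var contentType = msg.getResponseHeader().getHeader("Content-Type");
  // Only rewrite HTML; blindly editing JSON or binaries breaks the app under test.
  if (contentType === null || contentType.indexOf("text/html") === -1) {
    return true;
  }
  var body = msg.getResponseBody().toString();
  var rewritten = replaceAll(body, BODY_FIND, BODY_REPLACE);
  if (rewritten !== body) {
    msg.getResponseBody().setBody(rewritten);
    // Content-Length must match the new body or the browser truncates/hangs.
    msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
  }
  return true;
}

// --- Constructed stand-in for org.parosproxy.paros.network.HttpMessage ---
// Models only the methods used above; inside ZAP the real object is passed in.
function FakeHeader(fields) { this.fields = fields; }
FakeHeader.prototype.getHeader = function (name) {
  return this.fields.hasOwnProperty(name) ? this.fields[name] : null;
};
FakeHeader.prototype.setHeader = function (name, value) { this.fields[name] = value; };
FakeHeader.prototype.setContentLength = function (n) { this.fields["Content-Length"] = String(n); };

function FakeBody(text) { this.text = text; }
FakeBody.prototype.toString = function () { return this.text; };
FakeBody.prototype.setBody = function (text) { this.text = text; };
FakeBody.prototype.length = function () { return this.text.length; };

function FakeMessage(reqFields, respFields, respBody) {
  this.req = new FakeHeader(reqFields);
  this.resp = new FakeHeader(respFields);
  this.body = new FakeBody(respBody);
}
FakeMessage.prototype.getRequestHeader = function () { return this.req; };
FakeMessage.prototype.getResponseHeader = function () { return this.resp; };
FakeMessage.prototype.getResponseBody = function () { return this.body; };

// Runs both hooks over one constructed exchange and returns what the browser would see.
function demo() {
  var msg = new FakeMessage(
    { "Accept-Encoding": "gzip, deflate" },
    { "Content-Type": "text/html; charset=utf-8", "Content-Length": "27" },
    "<h1>Welcome to BodgeIt</h1>"
  );
  proxyRequest(msg);
  proxyResponse(msg);
  return {
    acceptEncoding: msg.getRequestHeader().getHeader("Accept-Encoding"),
    body: msg.getResponseBody().toString(),
    contentLength: msg.getResponseHeader().getHeader("Content-Length")
  };
}
```

Inside ZAP, paste this into a new Proxy script and enable it; the stand-in classes are never used there because ZAP passes the real `msg`. The same body works as an HTTP Sender script if the hooks are renamed to `sendingRequest(msg, initiator, helper)` and `responseReceived(msg, initiator, helper)`, at which point the `initiator` argument lets you restrict the rewrite to, say, spidered traffic only.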
Passive and Active Rule scripts
● Passive Rule Scripts
  – Can only view requests and responses (should not change anything)
● Active Rule Scripts
  – Attack nodes or specific parameters
  – Can do pretty much anything you like :)
  – Must Enable Script Input Vectors
● Both
  – Can raise alerts
  – Must enable scripts before they will take effect
  – Will be disabled on error

Passive and Active Rule scripts - examples
● Passive Rule Scripts
  – Server Header Disclosure.js
  – Find emails.js
● Active Rule Scripts
  – User defined attacks.js
  – gof_lite.js
● Demo: testing passive and active rule scripts

Passive and Active Rule links
● Hacking ZAP Blog posts
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
● Java code
  – https://github.com/zaproxy/zap-extensions
  – master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
  – beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
  – alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha

Variables (all script types)
● Global Variables
  – Variables can be shared between all scripts
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
● Script Variables
  – Variables can be shared between separate invocations of the same script
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")

Exercise – write Passive &/ Active Rule scripts
Suggestions:
● Rewrite existing java rules (see previous links)
● Alert on anything that ZAP doesn’t currently find :)
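An added example for this exercise (not on the slides and not one of the community-scripts files): a passive rule in the spirit of "Server Header Disclosure.js" that also exercises the script variables from the Variables slide. ZAP calls `scan()` separately for every message, so the "already reported this host" memory is kept in `ScriptVars` rather than in a loose JavaScript variable, which is exactly what the slide's `setScriptVar`/`getScriptVar` calls are for. The `scan(ps, msg, src)` hook and the 13-argument `ps.raiseAlert(...)` are the 2.6-era passive-rule API; the in-memory `ScriptVars` substitute and the `fakeMessage` objects are constructed here so the rule can run outside ZAP, and the host names are made up.

```javascript
// Added example (not from the slides or community-scripts): a ZAP Passive
// Scan Rule script that alerts when the Server header discloses a product
// version, once per host.  The once-per-host memory uses the ScriptVars
// script variables from the "Variables" slide, so it survives between the
// separate scan() invocations ZAP makes for each message.  ES5 only.

// Inside ZAP the real ScriptVars class is used; outside ZAP (running this
// file in Node) a constructed in-memory stand-in offering the same two calls.
var ScriptVars = (typeof org !== "undefined")
  ? org.zaproxy.zap.extension.script.ScriptVars
  : (function () {
      var store = {};
      return {
        getScriptVar: function (ctx, key) { return store.hasOwnProperty(key) ? store[key] : null; },
        setScriptVar: function (ctx, key, value) { store[key] = value; }
      };
    })();
// ZAP binds the script's ScriptContext as the global "context"; absent outside ZAP.
var scriptContext = (typeof context !== "undefined") ? context : null;

// Pure check: returns {product, version} when the header names a version, else null.
function checkServerHeader(serverHeader) {
  if (serverHeader === null || serverHeader === undefined) { return null; }
  var m = /^([A-Za-z][\w.-]*)\/(\d[\w.-]*)/.exec(String(serverHeader));
  return m === null ? null : { product: m[1], version: m[2] };
}

// ZAP entry point, called once per message; src is the parsed HTML (unused here).
function scan(ps, msg, src) {
  var server = msg.getResponseHeader().getHeader("Server");
  var finding = checkServerHeader(server);
  if (finding === null) { return; }

  var key = "server-disclosure." + msg.getRequestHeader().getHostName();
  if (ScriptVars.getScriptVar(scriptContext, key) !== null) { return; } // already reported
  ScriptVars.setScriptVar(scriptContext, key, finding.version);         // values must be strings

  ps.raiseAlert(
    1, // risk: Alert.RISK_LOW
    2, // confidence: Alert.CONFIDENCE_MEDIUM
    "Server header discloses version",
    "The Server response header reveals " + finding.product + " " + finding.version + ".",
    msg.getRequestHeader().getURI().toString(),
    "",             // param
    "",             // attack
    "",             // other info
    "Configure the server to omit the version (e.g. a generic Server header).",
    String(server), // evidence
    200,            // CWE-200 Information Exposure
    13,             // WASC-13 Information Leakage
    msg);
}

// --- Constructed stand-ins so the rule can be exercised outside ZAP ---
function fakeMessage(host, path, serverHeader) {
  return {
    getRequestHeader: function () {
      return {
        getHostName: function () { return host; },
        getURI: function () { return { toString: function () { return "http://" + host + path; } }; }
      };
    },
    getResponseHeader: function () {
      return { getHeader: function (name) { return name === "Server" ? serverHeader : null; } };
    }
  };
}

// Feeds three constructed responses through scan() and returns the alerts raised.
function demo() {
  var alerts = [];
  var ps = { raiseAlert: function () { alerts.push({ name: arguments[2], url: arguments[4], evidence: arguments[9] }); } };
  scan(ps, fakeMessage("shop.example", "/", "Apache/2.4.29 (Ubuntu)"), null);
  scan(ps, fakeMessage("shop.example", "/login", "Apache/2.4.29 (Ubuntu)"), null); // same host: suppressed
  scan(ps, fakeMessage("cdn.example", "/a.js", "cloudflare"), null);              // no version: no alert
  return alerts;
}
```

Remember the "Both" bullet above: the script must be enabled in the Scripts tab before any message reaches `scan()`, and a thrown exception disables it again, so a header value that is not a string (the `String(...)` wrappers) is worth guarding against.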
Zest Scripts
● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format – JSON :O
● Intended to be ‘written’ graphically
● It's tool independent (no access to ZAP internals)
● Demo: “Hello world”

Zest Scripts - creating
● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt

Zest Scripts - editing
● Double click to edit nodes
● Right click:
  – Add and delete nodes
  – Delete nodes
  – Surround with loops, conditionals
  – Cut, copy and paste
  – Comment
  – Move up / down
● Drag and drop
● Selecting and adding requests

Zest Scripts – statement types
● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next

Zest Scripts – hidden extras
● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert

Zest Scripts – client side
● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video …

Exercise – write Zest scripts
Suggestions:
● Passive script – alert on the presence of 2 strings
● Rewrite a script you’ve just written in another language
● Rewrite one of the existing a/pscan rules
● Record a script and start changing it

Standalone and Targeted scripts
● Both run ‘on-demand’ only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, eg:
  – Sites tree
  – History
  – Other extensions

Standalone and Targeted scripts - examples
● Standalone Scripts
  – loop through history table.js
  – traverse sites tree.js
  – domainFinder.js
  – window_creation_template.js
● Targeted Scripts
  – Resend as a GET request.zst
  – Find HTML comments.js

Exercise – Standalone and Targeted scripts
Suggestions:
● Count number of static vs dynamic pages
● Detect authentication, registration and password changing? (1, 2 and 3 password fields)
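An added example for this exercise (not from the slides or community-scripts): a targeted script along the lines of "Find HTML comments.js", plus the classification a standalone script would apply to History entries for the static-vs-dynamic suggestion. `invokeWith(msg)` is the hook ZAP calls for a Targeted script and `print` is the Script Console output; the `demo()` message and history entries are constructed here, and the static/dynamic rule is this example's own simple heuristic (GET, no query string, an asset or .html extension), not anything ZAP defines.

```javascript
// Added example (not from the slides or community-scripts): a ZAP Targeted
// script in the spirit of "Find HTML comments.js".  ZAP calls invokeWith(msg)
// with the request you right-clicked; the same file also holds the
// static/dynamic classifier a Standalone script would run over the History
// table for the counting exercise.  ES5 only.

// print() is the Script Console output in ZAP; fall back to console.log elsewhere.
var log = (typeof print === "function") ? print : function (s) { console.log(s); };

// Extracts HTML comments, whitespace-normalised, skipping empty ones.
function findHtmlComments(html) {
  var re = /<!--([\s\S]*?)-->/g;
  var out = [];
  var m;
  while ((m = re.exec(html)) !== null) {
    var text = m[1].replace(/\s+/g, " ").trim();
    if (text.length > 0) { out.push(text); }
  }
  return out;
}

// Comments a reviewer wants to see first: leftovers that hint at internals.
var INTERESTING = /\b(todo|fixme|hack|debug|password|passwd|internal|admin|test)\b/i;
function isInteresting(comment) { return INTERESTING.test(comment); }

// ZAP entry point for Targeted scripts; returns the comments for callers outside ZAP.
function invokeWith(msg) {
  var url = msg.getRequestHeader().getURI().toString();
  var comments = findHtmlComments(msg.getResponseBody().toString());
  log(url + ": " + comments.length + " HTML comment(s)");
  for (var i = 0; i < comments.length; i++) {
    log((isInteresting(comments[i]) ? "  [!] " : "      ") + comments[i]);
  }
  return comments;
}

// Heuristic for the counting exercise: a GET with no query string for a
// fixed asset or plain .html page is "static", everything else "dynamic".
var STATIC_EXT = /\.(html?|css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|map)$/i;
function classifyRequest(method, uri) {
  var path = uri.split("?")[0];
  var hasQuery = uri.indexOf("?") !== -1;
  if (method !== "GET" || hasQuery) { return "dynamic"; }
  return STATIC_EXT.test(path) ? "static" : "dynamic";
}

// entries: [{method, uri}] as a Standalone script would read them from the History table.
function countPageTypes(entries) {
  var counts = { "static": 0, "dynamic": 0 };
  for (var i = 0; i < entries.length; i++) {
    counts[classifyRequest(entries[i].method, entries[i].uri)] += 1;
  }
  return counts;
}

// Constructed message and history entries so the file runs outside ZAP.
function demo() {
  var html = "<html><!-- TODO: remove debug panel before release --><body>" +
             "<!-- layout --><!--   --><p>hi</p></body></html>";
  var msg = {
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return "http://shop.example/"; } }; } };
    },
    getResponseBody: function () { return { toString: function () { return html; } }; }
  };
  var comments = invokeWith(msg);
  var counts = countPageTypes([
    { method: "GET",  uri: "http://shop.example/" },
    { method: "GET",  uri: "http://shop.example/css/site.css" },
    { method: "GET",  uri: "http://shop.example/product.jsp?prodid=1" },
    { method: "POST", uri: "http://shop.example/login.jsp" },
    { method: "GET",  uri: "http://shop.example/about.html" }
  ]);
  return { comments: comments, counts: counts };
}
```

In ZAP a Standalone script would feed `countPageTypes` from the History table (see `loop through history table.js` above) rather than from a literal list; the classifier itself does not change.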
Scripts in Automation – set via cmd line
-config script.scripts(0).name="Remove STS"
-config script.scripts(0).engine="Mozilla Zest"
-config script.scripts(0).type=proxy
-config script.scripts(0).enabled=true
-config script.scripts(0).file="/scripts/Remove STS.zst"
-config script.scripts(1).name="Another one..."

Scripts in Automation – set via API
zap.script.load("Remove STS", "proxy", "Mozilla Zest", "/scripts/Remove STS.zst")
zap.script.enable("Remove STS")
● Pro Tip: Configure in the UI, look at what's set in config.xml ;)

Adding script support in add-ons
● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:
ExtensionScript extensionScript = Control.getSingleton().
    getExtensionLoader().getExtension(ExtensionScript.class);
extensionScript.registerScriptType(new ScriptType(
    "newname", "i18nKey", icon, true, true));
● Use the enabled scripts:
ExtensionScript extensionScript = Control.getSingleton().
    getExtensionLoader().getExtension(ExtensionScript.class);
List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
for (ScriptWrapper script : scripts) {
    try {
        if (script.isEnabled()) {
            MyScript s = extensionScript.getInterface(script, MyScript.class);
            // Do something with it...
        }
    } catch (Exception e) {
        // Reports the error in the Script Console and disables the script,
        // the same behaviour the built-in script types show on error
        extensionScript.handleScriptException(script, e);
    }
}
Authentication Scripts
● For when simple form based auth isn't enough
● Need to configure context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ

Exercise – Authentication scripts
Suggestions:
● Authenticate against any vulnerable app you have installed
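An added example for this exercise (not from the slides or the BodgeIt demo): the skeleton of a script-based authentication for a login form, using the hooks ZAP's Authentication script template defines (`getRequiredParamsNames`, `getOptionalParamsNames`, `getCredentialsParamsNames`, `authenticate(helper, paramsValues, credentials)`) and the `AuthenticationHelper`/`HttpMessage` calls from that template. The parameter names are this example's own choices, and `fakeHelper`/`fakeMap` are constructed stand-ins so it runs outside ZAP. The form-encoding helper is the part worth copying: a password containing `&` or `=` silently breaks a login body built by string concatenation.

```javascript
// Added example (not from the slides or community-scripts): skeleton of a
// ZAP Authentication script for a form login.  ZAP calls the get*ParamsNames
// hooks to build the Context > Authentication UI and authenticate() whenever
// it decides a user's session needs (re)establishing.  ES5 only.

// Parameter names shown in the context's Authentication panel (this example's own).
function getRequiredParamsNames() { return ["Login URL", "Username field", "Password field"]; }
function getOptionalParamsNames() { return ["Extra POST data"]; }
// Per-user fields shown under Context > Users.
function getCredentialsParamsNames() { return ["Username", "Password"]; }

// Builds an application/x-www-form-urlencoded body from [name, value] pairs.
// Each part is encoded so a password containing & or = cannot split the form.
function buildLoginBody(fields, extra) {
  var parts = [];
  for (var i = 0; i < fields.length; i++) {
    parts.push(encodeURIComponent(fields[i][0]) + "=" + encodeURIComponent(fields[i][1]));
  }
  if (extra) { parts.push(extra); } // already-encoded extra data, e.g. "remember=1"
  return parts.join("&");
}

// HttpRequestHeader.setURI expects org.apache.commons.httpclient.URI inside
// ZAP (Rhino or Nashorn); outside ZAP the stand-in below accepts the string.
function toUri(url) {
  if (typeof org !== "undefined") {
    return new org.apache.commons.httpclient.URI(url, false);
  }
  return url;
}

// ZAP entry point.  paramsValues is a Map of the context parameters and
// credentials a GenericAuthenticationCredentials.  The returned message is
// what ZAP checks against the context's logged-in / logged-out indicators.
function authenticate(helper, paramsValues, credentials) {
  var body = buildLoginBody([
    [paramsValues.get("Username field"), credentials.getParam("Username")],
    [paramsValues.get("Password field"), credentials.getParam("Password")]
  ], paramsValues.get("Extra POST data"));

  var msg = helper.prepareMessage();
  msg.getRequestHeader().setURI(toUri(paramsValues.get("Login URL")));
  msg.getRequestHeader().setMethod("POST");
  msg.getRequestHeader().setHeader("Content-Type", "application/x-www-form-urlencoded");
  msg.setRequestBody(body);
  msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
  helper.sendAndReceive(msg);
  return msg;
}

// --- Constructed stand-ins so authenticate() can be exercised outside ZAP ---
function fakeHelper(sentLog) {
  return {
    prepareMessage: function () {
      var hdr = { uri: null, method: "GET", fields: {}, contentLength: 0 };
      var body = "";
      return {
        header: hdr,
        getRequestHeader: function () {
          return {
            setURI: function (u) { hdr.uri = u; },
            setMethod: function (m) { hdr.method = m; },
            setHeader: function (n, v) { hdr.fields[n] = v; },
            setContentLength: function (n) { hdr.contentLength = n; },
            getMethod: function () { return hdr.method; },
            getURI: function () { return hdr.uri; }
          };
        },
        setRequestBody: function (b) { body = b; },
        getRequestBody: function () {
          return { length: function () { return body.length; }, toString: function () { return body; } };
        }
      };
    },
    sendAndReceive: function (msg) { sentLog.push(msg); }
  };
}
function fakeMap(obj) { return { get: function (k) { return obj.hasOwnProperty(k) ? obj[k] : null; } }; }

// Drives authenticate() with constructed parameters and reports what would be sent.
function demo() {
  var sent = [];
  var params = fakeMap({ "Login URL": "http://shop.example/login.jsp",
                         "Username field": "username", "Password field": "password",
                         "Extra POST data": "remember=1" });
  var creds = { getParam: function (k) { return k === "Username" ? "alice" : "p&ss=w0rd"; } };
  var msg = authenticate(fakeHelper(sent), params, creds);
  return { sent: sent.length, method: msg.getRequestHeader().getMethod(),
           uri: msg.getRequestHeader().getURI(), body: msg.getRequestBody().toString(),
           contentLength: msg.header.contentLength };
}
```

As the slide says, the context still has to be configured: select this script as the context's authentication method, fill in the three parameters, add a user with its credentials, and define a logged-in or logged-out indicator regex, otherwise ZAP has no way to tell whether the message `authenticate()` returns represents a successful login.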
Join the conversation
#DevSecCon
Many thanks
PRs always appreciated ;)

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 

2017 DevSecCon ZAP Scripting Workshop

1. Scripting OWASP ZAP
By Simon Bennetts
Join the conversation #DevSecCon
9. Script types (add-ons)
● Fuzzer HTTP Processor
  – Called before and after HTTP messages are fuzzed
● Fuzzer Websocket Processor
  – Called before and after Websocket messages are fuzzed
● Payload Generator
  – Generate attacks to be used in the fuzzer
● Payload Processor
  – Change fuzzer payloads before they are used
● Sequence
  – Define sequences of requests to be attacked (alpha)

10. 'Standard' Script languages
● All roughly equivalent
● All have good Java integration
● JavaScript (ECMAScript)
  – Java 7 – Rhino
  – Java 8 – Nashorn
  – Can write to local filestore via Java classes
  – Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
● JavaScript Nashorn – supports loading scripts from files
  – https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
● Python – supports modules path

11. Useful links
● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0

12. Getting started
● Fire up ZAP
● Check for Updates (Help / Check for Updates...)
● Update everything
● Install Community Scripts
● Optionally install Python / Ruby Scripting
● Demo: "Hello world"

13. The tabs
● Scripts tab
  – Shows all of the scripts and templates
  – Allows you to select, add, remove, duplicate, enable, disable and save scripts
  – Icons show state – enabled / disabled, error and not saved
● Script Console tab
  – Top pane – edit scripts
  – Bottom pane – output and error messages
  – Run and Stop buttons – enabled when appropriate
  – Output pane buttons – control that pane
  – Right click for lots more options!

14. Proxy and HTTP Sender scripts
● Proxy Scripts
  – Only affect requests and responses proxied via a browser
● HTTP Sender Scripts
  – Affect all requests and responses (proxy, active scan, spider ...)
  – Initiator param gives the component that initiated the request
  – Provides helper to make new requests
● Both
  – Must enable scripts before they will take effect
  – Will be disabled on error

15. Script parameter: HttpMessage - msg
● Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
● Provides methods like
  – getRequestBody()
  – getRequestHeader()
  – getResponseBody()
  – getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy

16. Proxy and HTTP Sender scripts - examples
● Proxy Scripts
  – Replace in request or response body.js
  – Drop requests not in scope.js
  – Return fake response.js
● HTTP Sender Scripts
  – Alert in HTTP Response Code Errors.js
  – Alert on Unexpected Content Types.js
  – Capture and Replace Anti CSRF Token.js

17. Exercise – write Proxy &/ HTTP Sender scripts
Suggestions:
● Replace headers
● Auto redirect from one page to another
● Do different things based on content, eg:
  – Replace different content
  – Redirect to different pages
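The exercise above, as an added example written for this page (it is not one of the ZAP templates or community scripts): a Proxy script that replaces a request header, drops logout requests so that browsing through ZAP never kills the session you are testing, and rewrites a string in text responses while keeping Content-Length consistent. The entry points proxyRequest / proxyResponse and the HttpMessage calls are ZAP's; the dropped paths, the header value and the replaced strings are assumed for illustration, and the stand-in message object at the bottom is constructed only so the script also runs outside ZAP. Written in ES5 so it loads under ZAP's Nashorn engine.

```javascript
// Added example (not from the ZAP project): a Proxy script in ES5 JavaScript so it
// runs under ZAP's Nashorn engine. ZAP calls proxyRequest(msg) and proxyResponse(msg)
// with a real org.parosproxy.paros.network.HttpMessage; the fake message at the
// bottom is a constructed stand-in used only to run this file outside ZAP.

// Requests whose path matches this are dropped (assumed paths): returning false
// from proxyRequest stops the request, so browsing never logs the session out.
var DROP_PATH = /\/(logout|signout)(\?|$)/i;

// Header replaced on every forwarded request (assumed value).
var FAKE_UA = "Mozilla/5.0 (compatible; zap-workshop-proxy-script)";

// Substitution applied to text responses (assumed strings).
var BODY_FROM = "Welcome, guest";
var BODY_TO = "Welcome, tester";

// Return true to forward the request to the server, false to drop it.
function proxyRequest(msg) {
  var uri = msg.getRequestHeader().getURI().toString();
  if (DROP_PATH.test(uri)) {
    return false;
  }
  msg.getRequestHeader().setHeader("User-Agent", FAKE_UA);
  return true;
}

// Return true to pass the response on to the browser, false to drop it.
function proxyResponse(msg) {
  if (!msg.getResponseHeader().isText()) {
    return true; // leave images, archives and other binary responses alone
  }
  var body = msg.getResponseBody().toString();
  if (body.indexOf(BODY_FROM) >= 0) {
    msg.getResponseBody().setBody(body.split(BODY_FROM).join(BODY_TO));
    // The body length changed, so Content-Length must be updated with it.
    msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
  }
  return true;
}

// ---- constructed stand-in for HttpMessage (testing only, not ZAP's class) ----
function fakeHeader(headers, isText) {
  return {
    getHeader: function (name) { return headers.hasOwnProperty(name) ? headers[name] : null; },
    setHeader: function (name, value) { headers[name] = value; },
    setContentLength: function (len) { headers["Content-Length"] = String(len); },
    isText: function () { return isText; }
  };
}

function fakeBody(text) {
  return {
    toString: function () { return text; },
    setBody: function (newText) { text = newText; },
    length: function () { return text.length; }
  };
}

function fakeMessage(url, reqHeaders, respHeaders, respBody, isText) {
  var req = fakeHeader(reqHeaders, true);
  var resp = fakeHeader(respHeaders, isText);
  var body = fakeBody(respBody);
  req.getURI = function () { return { toString: function () { return url; } }; };
  return {
    getRequestHeader: function () { return req; },
    getResponseHeader: function () { return resp; },
    getResponseBody: function () { return body; }
  };
}
```

To use the same logic from an HTTP Sender script (so it also applies to the spider and active scanner), move the bodies into ZAP's sendingRequest(msg, initiator, helper) and responseReceived(msg, initiator, helper) entry points; an HTTP Sender script cannot drop a request by returning false, so the logout check then has to be done another way, for example by excluding the URL from the context.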
18. Passive and Active Rule scripts
● Passive Rule Scripts
  – Can only view requests and responses (should not change anything)
● Active Rule Scripts
  – Attack nodes or specific parameters
  – Can do pretty much anything you like :)
  – Must Enable Script Input Vectors
● Both
  – Can raise alerts
  – Must enable scripts before they will take effect
  – Will be disabled on error
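A Passive Rule script of the kind described above, as an added example written for this page (not one of the ZAP templates or community scripts): it looks, without sending anything, for RFC 1918 addresses leaking in response headers and bodies and raises an alert with the addresses as evidence. The scan(ps, msg, src) entry point and the thirteen-argument ps.raiseAlert order are taken from the ZAP 2.6 era Passive Rules template and are an assumption to check against the template in your Scripts tab; the alert text, the CWE/WASC ids and the fake helper and message at the bottom are mine, the latter constructed only so the rule runs outside ZAP.

```javascript
// Added example (not from the ZAP project): a Passive Scan Rule script in ES5
// JavaScript that flags RFC 1918 addresses leaking in response headers or bodies.
// ZAP calls scan(ps, msg, src) for every message it sees; ps is ZAP's passive
// script helper and its 13-argument raiseAlert is the order used by the ZAP 2.6
// template (assumed here; compare with the Passive Rules template in the Scripts tab).
// The fake helper and message at the bottom are constructed for running outside ZAP.

// Capture group 2 is the address; the prefix and lookahead refuse to match inside a
// longer dotted string such as a version number like 2.10.1.2.3.
var PRIVATE_IP = /(^|[^\d.])((?:10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?:172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})|(?:192\.168\.\d{1,3}\.\d{1,3}))(?![\d.])/g;

// Returns the distinct private addresses found in text, in order of appearance.
function findPrivateIps(text) {
  var found = [], seen = {}, m;
  PRIVATE_IP.lastIndex = 0; // a global regex keeps state between calls
  while ((m = PRIVATE_IP.exec(text)) !== null) {
    if (!seen[m[2]]) {
      seen[m[2]] = true;
      found.push(m[2]);
    }
  }
  return found;
}

function scan(ps, msg, src) {
  var header = msg.getResponseHeader();
  if (!header.isText()) {
    return; // do not regex-scan images, fonts or archives
  }
  var hits = findPrivateIps(header.toString() + "\n" + msg.getResponseBody().toString());
  if (hits.length === 0) {
    return;
  }
  ps.raiseAlert(
    1,   // risk: 0 info, 1 low, 2 medium, 3 high
    2,   // confidence: 1 low, 2 medium, 3 high
    "Private IP address disclosed (script)",
    "The response contains an RFC 1918 address, which reveals internal network layout.",
    msg.getRequestHeader().getURI().toString(),
    "",                 // param
    "",                 // attack: none, this is a passive rule
    hits.join(", "),    // evidence
    "Remove internal addresses from responses or replace them with public hostnames.",
    "https://datatracker.ietf.org/doc/html/rfc1918",
    200,                // CWE-200: Exposure of Sensitive Information
    13,                 // WASC-13: Information Leakage
    msg);
}

// ---- constructed stand-ins (testing only, not ZAP's classes) ----
function fakePassiveHelper() {
  var alerts = [];
  return {
    alerts: alerts,
    raiseAlert: function () {
      alerts.push({ name: arguments[2], uri: arguments[4], evidence: arguments[7] });
    }
  };
}

function fakeMessage(uri, headerText, bodyText, isText) {
  return {
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return uri; } }; } };
    },
    getResponseHeader: function () {
      return { isText: function () { return isText; }, toString: function () { return headerText; } };
    },
    getResponseBody: function () {
      return { toString: function () { return bodyText; } };
    }
  };
}
```

The isText() gate matters more than it looks: passive rules run on every message ZAP sees, so a regex over megabytes of binary content is the quickest way to make the passive scanner the bottleneck of a scan.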
19. Passive and Active Rule scripts - examples
● Passive Rule Scripts
  – Server Header Disclosure.js
  – Find emails.js
● Active Rule Scripts
  – User defined attacks.js
  – gof_lite.js
● Demo: testing passive and active rule scripts

20. Passive and Active Rule links
● Hacking ZAP Blog posts
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
  – https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
● Java code
  – https://github.com/zaproxy/zap-extensions
  – master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
  – beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
  – alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha
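An Active Rule script to go with the passive one, as an added example written for this page (it is not the User defined attacks.js or gof_lite.js scripts listed above): it appends a canary containing HTML metacharacters to every parameter ZAP hands it and reports parameters whose value comes back unencoded, which is the reflection a cross-site scripting payload would need. The scanNode / scan entry points, the as.setParam, as.sendAndReceive and as.isStop calls and the thirteen-argument as.raiseAlert order follow the ZAP 2.6 era Active Rules template and are an assumption to check against the template in your Scripts tab; the alert text, the CWE/WASC ids, and the fake helper, message and "servers" at the bottom are mine, constructed only so the rule runs outside ZAP.

```javascript
// Added example (not from the ZAP project): an Active Scan Rule script in ES5
// JavaScript that appends a canary containing HTML metacharacters to every
// parameter and reports parameters whose value comes back unencoded.
// ZAP calls scanNode(as, msg) per node and scan(as, msg, param, value) per
// parameter; as is ZAP's active script helper. The setParam/sendAndReceive/isStop
// calls and the 13-argument raiseAlert order follow the ZAP 2.6 Active Rules
// template (assumed here; compare with the template in the Scripts tab). The fake
// helper, message and "servers" at the bottom are constructed for running outside ZAP.

var CANARY = "<zApWk\"'>"; // only an unencoded echo still contains this literal

function isReflectedUnencoded(body) {
  return body.indexOf(CANARY) >= 0;
}

function scanNode(as, msg) {
  // Nothing to do at node level for this rule; the work is per parameter in scan().
}

function scan(as, msg, param, value) {
  if (as.isStop()) {
    return; // the user pressed stop
  }
  var attack = value + CANARY;
  msg = msg.cloneRequest(); // never modify the message ZAP handed in
  as.setParam(msg, param, attack);
  as.sendAndReceive(msg, false, false); // no redirects, no anti-CSRF handling
  if (!isReflectedUnencoded(msg.getResponseBody().toString())) {
    return;
  }
  as.raiseAlert(
    2,   // risk: medium
    2,   // confidence: medium
    "Parameter reflected without encoding (script)",
    "The parameter value is echoed into the response without HTML encoding.",
    msg.getRequestHeader().getURI().toString(),
    param,
    attack,
    "Only the reflection is shown; confirm the injection context before reporting XSS.", // otherInfo
    "HTML-encode untrusted data at the point where it is written into the page.",
    CANARY, // evidence
    79,     // CWE-79: Cross-site Scripting
    8,      // WASC-8: Cross Site Scripting
    msg);
}

// ---- constructed stand-ins (testing only, not ZAP's classes) ----
function fakeMessage(uri, params) {
  var responseBody = "";
  return {
    params: params,
    cloneRequest: function () {
      var copy = {};
      for (var k in params) { if (params.hasOwnProperty(k)) { copy[k] = params[k]; } }
      return fakeMessage(uri, copy);
    },
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return uri; } }; } };
    },
    getResponseBody: function () { return { toString: function () { return responseBody; } }; },
    setFakeResponse: function (body) { responseBody = body; }
  };
}

// The "server" is a function from request parameters to a response body.
function fakeActiveHelper(server) {
  var alerts = [];
  return {
    alerts: alerts,
    isStop: function () { return false; },
    setParam: function (msg, name, val) { msg.params[name] = val; },
    sendAndReceive: function (msg) { msg.setFakeResponse(server(msg.params)); },
    raiseAlert: function () { alerts.push({ param: arguments[5], evidence: arguments[9] }); }
  };
}

function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Constructed targets: one echoes the parameter raw, the other encodes it.
function rawEchoServer(p) { return "<p>Hello " + p.name + "</p>"; }
function encodedEchoServer(p) { return "<p>Hello " + htmlEncode(p.name) + "</p>"; }
```

Two points from the slide show up in the code: the request is cloned before as.setParam changes it, because ZAP reuses the original message for the other parameters, and as.isStop() is checked so a long scan honours the Stop button. Remember that nothing here runs until the script is enabled and the Script input vector is enabled in the active scan options.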
21. Variables (all script types)
● Global Variables
  – Variables can be shared between all scripts
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
● Script Variables
  – Variables can be shared between separate invocations of the same script
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")

22. Exercise – write Passive &/ Active Rule scripts
Suggestions:
● Rewrite existing java rules (see previous links)
● Alert on anything that ZAP doesn't currently find :)

23. Zest Scripts
● Domain Specific Language (DSL)
● Its domain is security and automation
● Closer to a macro language .. on steroids :)
● Format – JSON :O
● Intended to be 'written' graphically
● It's tool independent (no access to ZAP internals)
● Demo: "Hello world"

24. Zest Scripts - creating
● Creating from templates
● Duplicating existing script
● Recording
● Selecting and adding requests
● Manually
● Demo: playing with BodgeIt

25. Zest Scripts - editing
● Double click to edit nodes
● Right click:
  – Add and delete nodes
  – Surround with loops, conditionals
  – Cut, copy and paste
  – Comment
  – Move up / down
● Drag and drop
● Selecting and adding requests

26. Zest Scripts – statement types
● Request – make requests (and make assertions)
● Action – scan, script, print, fail, sleep
● Assignment – assign things to variables
● Client – launch and control browsers
● Conditions – and, or, equals, length, etc ...
● Loop – through strings, files, integers, regexes, client elements
● Comment – comment :)
● Controls – return, break, next

27. Zest Scripts – hidden extras
● Paste Zest variables (right click in Zest text boxes)
● Parameterize strings (right click in requests)
● Redact strings (right click in requests)
● Drag and drop
● Change prefix – applies to all requests
● Anti CSRF tokens – automatically handled
● Generate Zest script from alert

28. Zest Scripts – client side
● You have to start by launching a browser in Zest
● No record option at the moment :(
● Browser - View source / Inspect is your friend
● Demo: Persona video ...

29. (no text on slide)

30. Exercise – write Zest scripts
Suggestions:
● Passive script – alert on the presence of 2 strings
● Rewrite a script you've just written in another language
● Rewrite one of the existing active / passive scan rules
● Record a script and start changing it

31. Standalone and Targeted scripts
● Both run 'on-demand' only
● Standalone – run from the console
● Targeted – right click on requests
● Standard scripts (not Zest) – can access ZAP internals, eg:
  – Sites tree
  – History
  – Other extensions

32. Standalone and Targeted scripts - examples
● Standalone Scripts
  – loop through history table.js
  – traverse sites tree.js
  – domainFinder.js
  – window_creation_template.js
● Targeted Scripts
  – Resend as a GET request.zst
  – Find HTML comments.js

33. Exercise – Standalone and Targeted scripts
Suggestions:
● Count number of static vs dynamic pages
● Detect authentication, registration and password changing forms (1, 2 and 3 password fields)
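The second exercise suggestion above, as an added example written for this page (it is not Find HTML comments.js or any other community script): a Targeted script whose invokeWith(msg) entry point is ZAP's, which classifies every form in the selected response by the number of password inputs it carries, one for authentication, two for registration and three for a password change. The parsing lives in classifyForms() so it can be checked on the constructed sample page at the bottom; the stand-in message object is likewise constructed only so the script runs outside ZAP, where the real HttpMessage is passed in.

```javascript
// Added example (not from the ZAP project): a Targeted script in ES5 JavaScript for
// the "1, 2 and 3 password fields" exercise. ZAP calls invokeWith(msg) with the
// message you right-clicked; classifyForms() does the parsing so it can run on
// constructed HTML outside ZAP. In the Script Console output goes through ZAP's
// print(); console.log is the fallback when the file is run elsewhere.

var FORM_RE = /<form\b[^>]*>([\s\S]*?)<\/form>/gi;
var PASSWORD_INPUT_RE = /<input\b[^>]*\btype\s*=\s*["']?password["']?[^>]*>/gi;
var ACTION_RE = /\baction\s*=\s*["']([^"']*)["']/i;

// Maps the number of password fields in a form to what the exercise calls it:
// 1 login, 2 registration, 3 password change (current, new, confirm).
function kindFor(passwordFields) {
  switch (passwordFields) {
    case 1: return "authentication";
    case 2: return "registration";
    case 3: return "password-change";
    default: return "none";
  }
}

// Returns one record per <form> in the HTML, in document order.
function classifyForms(html) {
  var results = [], f;
  FORM_RE.lastIndex = 0; // a global regex keeps state between calls
  while ((f = FORM_RE.exec(html)) !== null) {
    var openTag = f[0].slice(0, f[0].indexOf(">") + 1);
    var action = ACTION_RE.exec(openTag);
    var count = (f[1].match(PASSWORD_INPUT_RE) || []).length;
    results.push({
      action: action ? action[1] : "",
      passwordFields: count,
      kind: kindFor(count)
    });
  }
  return results;
}

function invokeWith(msg) {
  var out = (typeof print === "function") ? print : function (s) { console.log(s); };
  if (!msg.getResponseHeader().isText()) {
    out("Not a text response, nothing to parse");
    return [];
  }
  var forms = classifyForms(msg.getResponseBody().toString());
  out(msg.getRequestHeader().getURI().toString() + ": " + forms.length + " form(s)");
  for (var i = 0; i < forms.length; i++) {
    out("  action=" + forms[i].action + "  password fields=" + forms[i].passwordFields +
        "  -> " + forms[i].kind);
  }
  return forms;
}

// ---- constructed stand-in for HttpMessage (testing only, not ZAP's class) ----
function fakeMessage(uri, bodyText, isText) {
  return {
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return uri; } }; } };
    },
    getResponseHeader: function () { return { isText: function () { return isText; } }; },
    getResponseBody: function () { return { toString: function () { return bodyText; } }; }
  };
}

// Constructed page with four forms: search, login, registration, password change.
var SAMPLE_HTML =
  '<form action="/search"><input name="q"></form>' +
  '<form method="post" action="/login">' +
  '<input type="text" name="user"><input type="password" name="pass"></form>' +
  '<FORM ACTION="/register" METHOD="POST">' +
  '<input type="email" name="email"><input TYPE="PASSWORD" name="pw1">' +
  '<input type=password name="pw2"></FORM>' +
  "<form action='/account/password'>" +
  "<input type='password' name='current'><input type='password' name='new'>" +
  "<input type='password' name='confirm'></form>";
```

Turning this into the Standalone variant from the first suggestion means replacing the single msg with a loop over the history table (see loop through history table.js) and feeding each response body to classifyForms(); the regexes are deliberately tolerant of case and unquoted attributes because real login pages are rarely tidy HTML, but a form built entirely by JavaScript will not be seen this way.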
34. Scripts in Automation – set via cmd line
-config script.scripts(0).name="Remove STS"
-config script.scripts(0).engine="Mozilla Zest"
-config script.scripts(0).type=proxy
-config script.scripts(0).enabled=true
-config script.scripts(0).file="/scripts/Remove STS.zst"
-config script.scripts(1).name="Another one..."

35. Scripts in Automation – set via API
zap.script.load("Remove STS", "proxy", "Mozilla Zest", "/scripts/Remove STS.zst")
zap.script.enable("Remove STS")
● Pro Tip: Configure in the UI, look at what's set in config.xml ;)

36. Adding script support in add-ons
● Implement a script interface
● Implement one or more templates / examples which implement the interface
● Register a new script type:
    ExtensionScript extensionScript = Control.getSingleton()
            .getExtensionLoader().getExtension(ExtensionScript.class);
    extensionScript.registerScriptType(new ScriptType(
            "newname", "i18nKey", icon, true, true));

37. Adding script support in add-ons
● Use the enabled scripts:
    ExtensionScript extensionScript = Control.getSingleton()
            .getExtensionLoader().getExtension(ExtensionScript.class);
    List<ScriptWrapper> scripts = extensionScript.getScripts("newname");
    for (ScriptWrapper script : scripts) {
        try {
            if (script.isEnabled()) {
                MyScript s = extensionScript.getInterface(script, MyScript.class);
                // Do something with it...
            }
        } catch (Exception e) {
            // Record the error against the script; ZAP disables it, as for built-in types
            extensionScript.handleScriptException(script, e);
        }
    }

38. Authentication Scripts
● For when simple form based auth isn't enough
● Need to configure context
● Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ

39. Exercise – Authentication scripts
Suggestions:
● Authenticate against any vulnerable app you have installed

40. Join the conversation #DevSecCon
Many thanks
PRs always appreciated ;)
