ZAP may not be featured in movies as much as nmap, but is a real hacker tool! If you are a tester in a DevOps organization you know that security is everybody's job, so you MUST add this tool to your toolbox! Attend this talk to see ZAP in action and learn how to use ZAP to test your web applications and web services for OWASP Top 10 vulnerabilities.

1. Learn to Pen-test with ZAP
A quick introduction to
Web Application Pen-
testing using OWASP’s ZED
Attack Proxy

2. About Me

3. 3
About ZAP
• ZAP is the official Web Application Security testing
tool endorsed by OWASP (Flagship project)
• ZAP is free to use and modify, under an Apache 2
license (so customizations are possible)
• Link to download + docs:
https://www.owasp.org/index.php/OWASP_Zed_At
tack_Proxy_Project

4. 4
What does it do?
• ZAP can spider through a website and then list HTTP requests it
discovers.
– It may miss requests that require user interaction or logged-in state.
• ZAP can also intercept HTTP requests while a user interacts with a site.
This is done by configuring the browser to use ZAP as a proxy.
• ZAP can identify vulnerabilities on the HTTP requests that it spiders or
intercepts.
– Active mode: ZAP will act like a hacker and replace parameter values with attacks like
SQLi and XSS
– Passive mode: ZAP will observe issues in the responses from the site: certain headers
are missing or are misconfigured, information disclosure, cross domain issues.

5. 5
Quick Attack
• Simply put in the starting URL of a website you have
permission to test and hit Attack.
• This is point and shoot mode, is unauthenticated, will miss
pages

6. 6
Reviewing the Issues
• If security issues are
detected they will be
listed under the Alerts
tab.
• You can see the
vulnerable URL and the
HTTP request that was
sent and the validation
that was used.

7. 7
Intercepting Requests
• You can configure the default ZAP proxy port to be something other
than 8080 (e.g. 8888 so it doesn’t conflict with tomcat)
• Configure a FoxyProxy definition for ZAP so you can easily switch ZAP on
and off

8. 8
Intercepting Requests Cont.
• Once you have setup Firefox you can now see HTTP requests
flowing through ZAP

9. 9
SSL Configuration
• Browsing SSL sites through an
intercepting proxy can be
troublesome especially when
the site includes resources
stored on other domains.
• ZAP can dynamically generate
SSL Certs based on the host of
the request. The certs are
signed with ZAPs own CA
• You can import the ZAP CA as a
trusted CA in Firefox and all ZAP
traffic will be trusted.

10. 10
Session Management
• ZAP keeps track of session variables and can automatically detect or
allow you to configure them
• To enable session tracking go to Edit > Enable Session Tracking (Cookie)
• This will cause ZAP to update Cookies used in attack requests when you
record a new login.

11. 11
Manual Tests
• Sometimes you will want to take
a ZAP finding and modify it.
• For example you may want to
modify an XSS payload to
develop an exploit or fix a
JavaScript error.
• You can right click on any entry
under Alert or History and
choose “Resend”

12. 12
Setting Breakpoints
• During manual testing some requests will require repeating an action in a
browser.
– A request that is part of a sequence that cannot be broken.
– A response to a an application that is using ZAP as a proxy
• For those cases you can setup breakpoints by pressing the green record button.
• Turn on the breakpoints and browse the site to observe what happens.

13. 13
Request Replacements
• You may want to automate replacing strings
so you don’t have to keep using
breakpoints.
• The example setting replaces the word
“billybob” with a XSS payload: <img src=bla
onerror=alert(1)>
• Apply this setting and then search for
billybob on the Altoro site. What happens?
• Request replacements work great for
updating session transients like ANTI-CSRF
Headers

14. 14
Response Replacements
• Same concept applies to response body
• A great tool to detect Stored DOM Based XSS in
Rich Internet Applications
• Sometimes it won’t be easy to make a certain
string appear in a response, either because the
scenario is complex or unknown to the tester
• DOM Based XSS occurs when strings coming
from a JSON response are inserted into unsafe
HTML attributes such as innerHTML
• In order to avoid false positives you should
make sure that you only replace the string in
JSON contexts.

15. 15
ATTACK Mode
• ATTACK Mode will execute testing
while you’re browsing the site.
• The site must be added to a context
such as the Default Context or a
different in scope context
• There are limitations. If too many
requests are explored it will have
problems catching up
• Works great for small sequences of
requests.

16. 16
Fuzzing
• Fuzzing involves sending
many, sometimes random,
parameter values and
observing if the application
behavior changes.
• Applications of fuzzing
include:
– Password guessing
– Checking boundaries
– Buffer overflow testing
– Identifier guessing
– Forceful browsing

17. 17
Brute Forcing Passwords with ZAP
• The Fuzz feature allows you to try
brute force attacks using known
dictionaries of passwords.

18. 18
Custom Attacks with Fuzzing
• Other fuzz lists can be added simply by
pointing to a file containing the n
separated values.
• The Fuzz DB github project contains
numerous fuzz lists for various attack
types including XSS and SQL Injection
• Message processors allow you to tag
responses that contain a certain regex.
– You could create a regex that detects the
string root:* and call it /etc/passwd

19. Meetup
• Downtown Ottawa (Shopify, Elgin Street)
– Monthly
– 3rd Thursday (or Wednesday)
• Kanata
– Every couple of Months
– Lunchtime
– ThinkWrap (or Trend), March Road
https://www.meetup.com/OWASP-Ottawa/

20. Socialize
• Twitter @OWASP_Ottawa
• Slack (self-invite)
– https://owaspottawa.herokuapp.com/
• YouTube
– https://www.youtube.com/channel/UCxSU-
KvNmYusZEq6v4YK5Lw or
– https://bit.ly/2P8aakr

21. Q&A

22. THANK YOU!