A 50 min talk at OWASP AppSec USA including demos of Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8
2. The Plan
• Overview of how to extend ZAP
• Describe the topics I could talk about
• Find out what you really want to know ;)
• Agree topics to cover
• For each topic:
  – Talk for a bit, hack for a bit
• But it's all up for grabs, so we can change anything
• And feel free to do your own thing!
• I'll help out during the hacking sections
3. How you can extend ZAP
• Without a dev environment:
– 3rd party tools
– Scripts
– Translations
– Documentation
• With a development environment
– Active & passive scan rules
– 'Full' extensions
4. What can you plug in?
• Scripts
• Script types
• Active and Passive rules
• UI elements – tabs, popups, toolbar buttons, menus, right click options...
• API calls
• Request / Response views
• Breaking, Fuzzing, Searching
5. Topics I could talk about
• The ZAP project structure
• Setting up a ZAP development environment
• ZAP documentation and internationalization
• Implementing 'standard' scripts
• Implementing Zest scripts
• Implementing active and passive scan rules
• Implementing Add-ons and extensions
• Features and fixes to work on
6. More topics I could talk about
• Key classes
• Accessing core functionality and extensions
• Internal events
• The user interface
• The API
• The database
• Request / Response views
• Breaking, fuzzing, searching
7. Project Structure
• zaproxy
– http://code.google.com/p/zaproxy/
– The 'core' plus a lot more
• zap-test
– http://code.google.com/p/zaproxy-test/
– Unit tests
• zap-extensions
– http://code.google.com/p/zap-extensions/
– The add-ons
– Trunk, alpha and beta branches!
8. Project Structure
• zaproxy
  – src: all the 'core' source code
    • org/parosproxy: the 'old' Paros code
    • org/zaproxy: the 'new' ZAP code
    • help: help files
    • lang: property files (UI)
  – build: build directory
  – lib: jar files
  – scripts: default script templates
9. Development Environment
• Java 7
• Eclipse (or your favorite Java IDE)
• Subversive SVN (or equivalent)
• Import ZAP projects via SVN
  – https://zaproxy.googlecode.com/svn/trunk/
  – https://zaproxy-test.googlecode.com/svn/trunk/
  – https://zap-extensions.googlecode.com/svn/trunk/
  – https://zap-extensions.googlecode.com/svn/branches/alpha/
  – https://zap-extensions.googlecode.com/svn/branches/beta/
• Add 'lib' jars to build path
• Run org.zaproxy.zap.ZAP.java
10. Creating the Projects
• File / New / Other...
• SVN / Project from SVN
• Create a new repository location
• URL, e.g. https://zaproxy.googlecode.com/svn/
• Select Resource, e.g. trunk
• Check out .. using the New Project Wizard
• Select a wizard: Java / Java Project
• Add all lib/*.jar files to the build path
11. Dev Rules and Guidelines
• http://code.google.com/p/zaproxy/wiki/DevGuidelines
• Ease of use and consistency are key
• All UI strings must be internationalized
• Comment all changes to org.parosproxy.paros
• All functionality should have help pages
• Keep a clean split between functionality and UI
• Check in code cleaner than you checked out
• Write unit tests
• Extensions should expose functionality, not UI elements (older ones still do)
12. Documentation and i18n
• ZAP Help file
– src/help
– {addon}/resource/help
– http://code.google.com/p/zaproxy/wiki/HelpIntro
• Home pages
– https://www.owasp.org/index.php/ZAP
• 'Official' home page, 'outward' facing?
– http://code.google.com/p/zaproxy/
• More details, 'internal' facing?
• http://crowdin.net/project/owasp-zap
14. 'Standard' Scripts
• No IDE required :)
• JavaScript (and Zest) built in
• Python and Ruby download from Marketplace
• All other JSR 223 scripts supported with no templates
• Templates give basic structure
• But you still need some idea of ZAP internals
  – http://code.google.com/p/zaproxy/wiki/InternalDetails
  – http://code.google.com/p/zaproxy/wiki/JavaDocs
15. Zest Scripts
• Built in, same script types
• But they are graphical
• Implement JSR 223
• And very new
• Effectively ZAP's macro language
• Right click everywhere!
• https://developer.mozilla.org/en-US/docs/zest
16. Add-ons
• Available from the ZAP Marketplace
• Name format: id-status-version.zap
• Status: alpha, beta, release
• Standard ZIP file, containing:
  – ZapAddOn.xml
  – Active scan rules
  – Passive scan rules
  – Extensions
  – Files
17. ZapAddOn.xml
  <zapaddon>
    <name>Short text name (no HTML)</name>
    <version></version>
    <description>Longer description</description>
    <author>Author (no HTML)</author>
    <url/>
    <changes/>
    <dependson>
      <zapaddonid/>
    </dependson>
    <extensions>
      <extension/>
    </extensions>
  </zapaddon>
19. Add-on file structure
• Package: org.zaproxy.zap.extension.name
  – files: will be included as files
  – resource
    • help: help files
    • icons: images
  – lib: jars (will be expanded)
  – Classes and sub packages
  – Message.properties
  – Message_locale.properties
  – ZapAddOn.xml
21. Passive Scan Rules
• Extend org.zaproxy.zap.extension.pscan.PluginPassiveScanner
• Called for every request and response
• Run in background thread
• Can't change anything – look but don't touch ;)
• Receive HttpMessage and DOM Source
• Use PassiveScanThread.raiseAlert(..)
• Lots of examples (trunk, beta, alpha?)
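An added example of the passive scan rule pattern this slide describes (my code, not from the slides or the ZAP project): a rule that extends PluginPassiveScanner, inspects each text response without modifying it, and raises an alert through PassiveScanThread when the X-Content-Type-Options header is missing or not "nosniff". It assumes the PluginPassiveScanner, PassiveScanThread and Alert signatures of the 2013 SVN-trunk ZAP the slides target; the plugin id 90099 and the class name are made-up placeholders.

```java
// Added example, not ZAP project code. Assumes the 2013 (SVN trunk) ZAP API:
// PassiveScanner.scanHttpResponseReceive(HttpMessage, int, Source),
// PassiveScanThread.raiseAlert(int, Alert) and the 8-argument Alert.setDetail.
package org.zaproxy.zap.extension.pscanrulesExample;

import net.htmlparser.jericho.Source;

import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.pscan.PassiveScanThread;
import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;

public class ContentTypeOptionsScanner extends PluginPassiveScanner {

    // Placeholder id (assumption): real rules pick an unused id in the ZAP id ranges.
    private static final int PLUGIN_ID = 90099;
    private static final String HEADER = "X-Content-Type-Options";

    // The thread that runs this rule is also the only place alerts can be raised from.
    private PassiveScanThread parent;

    @Override
    public void setParent(PassiveScanThread parent) {
        this.parent = parent;
    }

    @Override
    public void scanHttpRequestSend(HttpMessage msg, int id) {
        // Nothing to check on the request side for this rule.
    }

    @Override
    public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
        // Passive rules only observe: never send new requests or modify msg.
        // Skip empty and non-text responses, where sniffing is not a concern here.
        if (!msg.getResponseHeader().isText() || msg.getResponseBody().length() == 0) {
            return;
        }
        String value = msg.getResponseHeader().getHeader(HEADER);
        if (value == null || !"nosniff".equalsIgnoreCase(value.trim())) {
            raise(msg, id, value);
        }
    }

    private void raise(HttpMessage msg, int id, String observed) {
        // Alert(pluginId, risk, reliability, name) as in the 2013 API (assumption).
        Alert alert = new Alert(getPluginId(), Alert.RISK_LOW, Alert.WARNING, getName());
        alert.setDetail(
            "The response does not set X-Content-Type-Options: nosniff, "
                + "so browsers may MIME-sniff the body to a different content type.",
            msg.getRequestHeader().getURI().toString(),
            HEADER,                                    // param: the header inspected
            "",                                        // attack: none, passive rule
            observed == null ? "Header absent" : "Observed value: " + observed,
            "Set X-Content-Type-Options: nosniff on every response.",
            "https://www.owasp.org/index.php/ZAP",     // reference placeholder
            msg);
        parent.raiseAlert(id, alert);
    }

    @Override
    public String getName() {
        // Slide 11 asks for UI strings in Message.properties; hardcoded to keep this short.
        return "X-Content-Type-Options header missing";
    }

    @Override
    public int getPluginId() {
        return PLUGIN_ID;
    }
}
```

To try it, register the class in the add-on's ZapAddOn.xml as a passive scan rule and watch the Alerts tab while browsing through the proxy.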
22. Active Scan Rules
• Extend org.parosproxy.paros.core.scanner.AbstractPlugin
  – AbstractAppPlugin: runs against every node
    • AbstractAppParamPlugin: runs against every param
  – AbstractHostPlugin: runs against hosts / the 1st node
• Can change anything – make new request etc
• AbstractPlugin – lots of utility methods
• Lots of examples (trunk, beta, alpha?)
24. Features and Fixes
• Scripts, in Javascript, Python, Ruby, Zest
• New script templates – Groovy, Scala ...
• Active and passive scan rules
• http://code.google.com/p/zaproxy/wiki/Projects
• http://code.google.com/p/zaproxy/issues/list
• 'IdealFirstBug' tag
• Wrap / port another tool (retire.js, ..)
• Whatever you want to do!
27. Accessing Extensions
• Core Extensions (ie included by default)
  // getExtension(String) returns the base Extension type, so cast to the concrete class
  ExtensionXXX extXXX = (ExtensionXXX) Control.getSingleton()
      .getExtensionLoader().getExtension(ExtensionXXX.NAME);
  if (extXXX != null) {
      // Now you can use it...
      extXXX.someFunction();
  }
• For Extensions not included by default you must use a String name and access functions via reflection
28. API
• org.zaproxy.zap.extension.api.API – singleton
• api.registerApiImplementor(ApiImplementor impl)
• ApiElement
  – ApiView – return structured info (ApiResponse)
  – ApiAction – make changes (return structured info)
  – ApiOther – return raw data
• API generators
  – JavaAPIGenerator
  – PythonAPIGenerator
  – WikiAPIGenerator
29. Database
• http://code.google.com/p/zaproxy/wiki/InternalDatabase
• HSQLDB – can access directly via SQL tools
• Package: org.parosproxy.paros.db
• Shouldn't typically access the db directly – use the extension that 'owns' the data
• Add-ons can create new tables – see websockets
• The schema must be backwards compatible between releases