The document discusses the advanced features of OWASP ZAP, an open source web application penetration testing tool. It provides an overview of ZAP's main features like its intercepting proxy, scanners, spiders, and add-ons marketplace. It then describes some advanced features in more depth, including contexts for organizing tests, advanced scanning options, scripting with languages like Zest, and the Plug-n-Hack framework for deeper browser integration. The document concludes by noting various work-in-progress projects and encouraging involvement in ZAP's ongoing development.

1. The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
ZAP
Advanced Features
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
psiinon@gmail.com
OWASP AppSec EU
Cambridge 2014

2. 2
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2013
• Not a silver bullet!

3. 3
ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components

4. 4
Statistics
• Released September 2010, fork of Paros
• V 2.3.1 released in May 2014
• V 2.3.1 downloaded > 20K times
• Translated into 20+ languages
• Over 90 translators
• Mostly used by Professional Pentesters?
• Paros code: ~20% ZAP Code: ~80%

5. 5
Ohloh Statistics
• Very High Activity
• The most active OWASP Project
• 29 active contributors
• 278 years of effort
Source: http://www.ohloh.net/p/zaproxy

6. 6
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and Ajax Spiders
• WebSockets support
• Forced Browsing (using OWASP DirBuster
code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Online Add-ons Marketplace

7. 7
Some Additional Features
• Auto tagging
• Port scanner
• Script Console
• Report generation
• Smart card support
• Contexts and scope
• Session management
• Invoke external apps
• Dynamic SSL Certificates

8. The Advanced Stuff :)
• Contexts
• Advanced Scanning
• Scripts
• Zest
• Plug-n-Hack

9. Contexts
• Assign characteristics to groups of URLs
• Like an application:
– Per site:
• http://www.example.com
– Site subtree:
• http://www.example.com/app1
– Multiple sites:
• http://www.example1.com
• http://www.example2.com

10. Contexts
• Allows you to define:
– Scope
– Session handling
– Authentication
– Users
– 'Forced user'
– Structure
– with more coming soon

11. Advanced Scanning
• Accessed from:
– Right click Attack menu
– Tools menu
– Key board shortcut (default Ctrl-Alt-A)
• Gives you fine grained control over:
– Scope
– Input Vectors
– Custom Vectors
– Policy

12. Scripting
• Different types of scripts
– Stand alone Run when you say
– Targeted Specify URLs to run against
– Active Run in Active scanner
– Passive Run in Passive scanner
– Proxy Run 'inline'
– Authentication Complex logins
– Input Vector Define what to attack

13. Scripting
• Full access to ZAP internals
• Support all JSR 223 languages, inc
– JavaScript
– Jython
– JRuby
– Zest :)

14. Zest - Overview
• An experimental scripting language
• Developed by Mozilla Security Team
• Free and open source (of course)
• Format: JSON – designed to be
represented visually in security tools
• Tool independent – can be used in open
and closed, free or commercial software
• Is included by default in ZAP from 2.2.0
• Replaces filters

15. Zest – Use cases
• Reporting vulnerabilities to companies
• Reporting vulnerabilities to developers
• Defining tool independent active and
passive scan rules
• Deep integration with security tools

16. Plug-n-Hack – Phase 1
• Allow browsers and security tools to
integrate more easily
• Allows security tools to expose
functionality to browsers
• “Proposed standard”
• Developed by Mozilla Security Team
• Browser and security tool independent

17. Plug-n-Hack – Phase 2
• Allows browsers to to expose
functionality to security tools
• This phase doesn't need browser plugin
• Inject javascript into 'monitored pages'
• Heartbeat shows which pages are alive
• Intercept and change postMessages
• Fuzz postMessages
• DOM XSS oracle

18. Plug-n-Hack – Phase 3
• Support more client side events..
• .. which enables client side Zest
recording
• Work in progress!

19. Work In Progress
• GSoC – Advanced Fuzzing – Sebastian
• GSoC – Advanced AC testing – Cosmin
• GSoC – SOAP Service Scanning – Alberto
• Sequence scanning – Lars and Stefan
• Sequence abuse – Avinash
• GSoC – OWFT Zest + ZAP integration – Deep
• GSoC (Mozilla) – Firefox Zest add-on – Sunny
• .. and more behind the scenes ;)

20. The Source Code
• Currently on Google Code
• Will probably move to GitHub when time
allows
• Hacking ZAP blog series:
https://code.google.com/p/zaproxy/wiki/Development
• ZAP Internals:
https://code.google.com/p/zaproxy/wiki/InternalDetails
• ZAP Dev Group:
http://groups.google.com/group/zaproxy-develop

21. Conclusion
• ZAP is changing rapidly
• It is the most active OWASP project
• It is the most active open source web app
security project
• Its great for people new to AppSec ..
• .. and also for Security Pros
• Its a community based tool – get involved!

22. Questions?
http://www.owasp.org/index.php/ZAP