This document discusses using the OWASP Zed Attack Proxy (ZAP) tool to find vulnerabilities in web applications. ZAP is a free and open-source web application penetration testing tool that can be used to conduct both automated and manual testing of applications. The document provides an overview of ZAP's features, how to install and configure it, how to test applications for vulnerabilities using both automated and direct methods, and how to integrate ZAP with other tools.

1. Using OWASP ZAP to find
vulnerabilities in your web apps
David Epler
Security Architect
depler@aboutweb.com

2. About Me
• Primarily an Application Developer
• Contributor to Learn CF In a Week
• Created Unofficial Updater 2 to patch
Adobe ColdFusion 8.0.1 & 9.0.x
• OWASP Individual Member
• OWASP ZAP Evangelist

3. What is OWASP
Zed Attack Proxy (ZAP)?
• An easy to use web application
penetration testing tool
• Completely free and Open Source
• no paid PRO version
• OWASP flagship project
• Included in major security distributions
• Kali, Samurai WTF, etc.

4. Brief ZAP History
• Fork of Paros Proxy by Simon Bennetts
• Code: Paros ~20%, ZAP ~80%
• 1st Release September 2010
• Adopted by OWASP October 2010
• Now at 2.3.0, with roadmap to 2.4.0+
• Best Security Tool of 2013 as Voted by
ToolsWatch.org Readers

5. Why use ZAP?
• Ideal for beginners, developers
• also used by professional pen testers
• Point and shoot via Quick Start Tab
• Manual penetration testing
• As a debugger
• As part of larger security program
• Automated security regression tests

6. Main ZAP Features
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and AJAX spiders
• Forced browsing
• using OWASP DirBuster
• Fuzzing
• using fuzzdb and OWASP JBroFuzz
• Cross Platform
• built on Java (requires 1.7)

7. More ZAP Features
• WebSockets support
• Authentication and session support
• Smart card and client digital certificate support
• Anti CSRF token handling
• Report generation
• Port scanner
• Invoke external applications
• Support for wide range of scripting
• JavaScript, Zest, Python, Groovy
• Online Add-ons Marketplace
• Translated into 20+ languages

8. Intercepting Proxy
Website

9. Intercepting Proxy
Website

10. Installing and
Configuring ZAP
• Download and Install
• https://code.google.com/p/zaproxy/
wiki/Downloads
• Configure browser to use ZAP as proxy
• FoxyProxy Standard plugin for Firefox
• Import OWASP ZAP Root CA
• needed for testing HTTPS sites/apps

11. Installing and
Configuring ZAP
Demo Time

12. Plug-n-Hack
• Configuring browser to work with security tool can be
difficult
• Proposed standard developed by Mozilla Security
Team
• Allows browsers and security tools to integrate more
easily
• Allows security tools to expose functionality to
browser
• Requires Firefox 24+ and plugin
• Other tools to support it
• Burp Suite, Kali

13. A Few Tips
• Can use Linux install on Windows, if don’t
have rights to install
• Don’t forget to import certificate
• If you get the following when trying HTTPS
• ZAP Error: handshake alert:
unrecognized_name
• Add to zap.sh/zap.bat
• !Djsse.enableSNIExtension=false

14. Testing for vulnerabilities
• Automated Testing
• Quick Start
• Active Scan

15. Testing for vulnerabilities
• Directed Testing
• Manual, using browser walk through
web app
• ZAP capturing responses then, testing
further by manipulating requests

16. Testing for vulnerabilities
Demo Time

17. Integrating ZAP
with other tools
• Run external applications
• Nikto
• sqlmap

18. Integrating ZAP
with other tools
• Generate ModSecurity virtual patching
rules from ZAP XML results
• zap2modsec.pl

19. Integrating ZAP
with other tools
Demo Time

20. • Please be sure to fill out evaluations
• Blog: http://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
Q&A - Thanks

21. • OWASP Zed Attack Proxy Project
• Plug-n-Hack
• Issue 704: ZAP Error: handshake alert:
unrecognized_name
• ModSecurity Advanced Topic of the
Week: Automated Virtual Patching using
OWASP Zed Attack Proxy
Resources