Using the Zed Attack Proxy as a Web App testing tool

•

2 likes•993 views

The document discusses configuring the Firefox web browser to work with the OWASP Zed Attack Proxy (ZAP) tool in order to conduct quasi-man-in-the-middle attacks against web applications for security testing purposes. It provides instructions for setting ZAP as the proxy in Firefox's network settings and enabling the ZAP plug-in to allow manual testing of vulnerabilities like SQL injection. The results of such security tests run with ZAP are then compiled.

Technology

Dave Sweigert, CISSP, CISA, PMP, Security+
OWASP (Zed Attack Proxy)
Securing Web Apps with a
quasi-man-in-the-middle (MitM) attack tool
11/25/2014 OWASP Zed Attack Proxy (ZAP) 1

Firefox configured to use proxy
11/25/2014 OWASP Zed Attack Proxy (ZAP) 2

FireFox Menu -- Tools – Options – Network -- Settings
Set the host to localhost and the port to 8080, these are the
default ZAP proxy ports. Use these settings for all protocols.
11/25/2014 OWASP Zed Attack Proxy (ZAP) 3

To enable
FireFox
Plug-in click
Plug-n-Hack
within the
Quick Start
Tab.
11/25/2014 OWASP Zed Attack Proxy (ZAP) 4

Configure automatic plug-in within FireFox
11/25/2014 OWASP Zed Attack Proxy (ZAP) 5

MANUAL intervention (using a Plug-N-Hack web page in
the FireFox browser) allows manual testing of web
services (e.g. SQL injection, etc.).
These are manual tests typically run by a “human”
penetration tester or software quality assurance (SQA)
tester.
11/25/2014 OWASP Zed Attack Proxy (ZAP) 6

Test Results Compiled
11/25/2014 OWASP Zed Attack Proxy (ZAP) 7

References:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
11/25/2014 OWASP Zed Attack Proxy (ZAP) 8

Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/ The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode. This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.

https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges. This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.

Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP

Michael Coates

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...

gmaran23

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...

gmaran23

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oct 15 2017 http://cybersecurity.withthebest.com In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.

BlackHat 2014 OWASP ZAP Turbo Talk

Simon Bennetts

BSides Manchester 2014 ZAP Advanced Features

Simon Bennetts

OWASP 2012 AppSec Dublin ZAP Intro

Simon Bennetts

2014 ZAP Workshop 2: Contexts and Fuzzing

Simon Bennetts

2017 Codemotion OWASP ZAP in CI/CD

Simon Bennetts

2020 ADDO Spring Break OWASP ZAP Automation

Simon Bennetts

OWASP 2013 APPSEC USA Talk - OWASP ZAP

Simon Bennetts

OWASP 2014 AppSec EU ZAP Advanced Features

Simon Bennetts

2017 DevSecCon ZAP Scripting Workshop

Simon Bennetts

OWASP 2013 Limerick - ZAP: Whats even newer

Simon Bennetts

AllDayDevOps ZAP automation in CI

Simon Bennetts

2021 ZAP Automation in CI/CD

Simon Bennetts

OWASP 2013 EU Tour Amsterdam ZAP Intro

Simon Bennetts

Zap vs burp

Tomasz Fajks

Scripts that automate OWASP ZAP as part of a continuous delivery pipeline

Sherif Mansour

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

gmaran23

Web Application Security Testing: Kali Linux Is the Way to Go

Coveros, Inc.

Many free security testing tools are available, but finding ones that meet your needs and work in your environment can involve substantial time and effort. Especially when you are just starting out with security testing, finding reputable tools that do what you need is not easy. And installing them correctly just to evaluate them can be prohibitively time consuming. Kali Linux is a free Linux distribution with hundreds of security testing and auditing tools installed. Gene Gotimer gives an overview of Kali Linux, ways to effectively use it, and a survey of the tools available. Although Kali Linux is primarily intended for professional penetration testers, it provides great convenience and value to developers and software testers who may be getting started in security testing. Gene demonstrates some of the simplest tools to help jumpstart your web application security testing practices.

What's hot

Zed Attack Proxy (ZAP)

JAINAM KAPADIYA

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...

gmaran23

Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP

Michael Coates

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...

gmaran23

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...

gmaran23

BlackHat 2014 OWASP ZAP Turbo Talk

Simon Bennetts

BSides Manchester 2014 ZAP Advanced Features

Simon Bennetts

OWASP 2012 AppSec Dublin ZAP Intro

Simon Bennetts

2014 ZAP Workshop 2: Contexts and Fuzzing

Simon Bennetts

2017 Codemotion OWASP ZAP in CI/CD

Simon Bennetts

2020 ADDO Spring Break OWASP ZAP Automation

Simon Bennetts

OWASP 2013 APPSEC USA Talk - OWASP ZAP

Simon Bennetts

OWASP 2014 AppSec EU ZAP Advanced Features

Simon Bennetts

2017 DevSecCon ZAP Scripting Workshop

Simon Bennetts

OWASP 2013 Limerick - ZAP: Whats even newer

Simon Bennetts

AllDayDevOps ZAP automation in CI

Simon Bennetts

2021 ZAP Automation in CI/CD

Simon Bennetts

OWASP 2013 EU Tour Amsterdam ZAP Intro

Simon Bennetts

Zap vs burp

Tomasz Fajks

Scripts that automate OWASP ZAP as part of a continuous delivery pipeline

Sherif Mansour

What's hot (20)

Zed Attack Proxy (ZAP)

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...

Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...

BlackHat 2014 OWASP ZAP Turbo Talk

BSides Manchester 2014 ZAP Advanced Features

OWASP 2012 AppSec Dublin ZAP Intro

2014 ZAP Workshop 2: Contexts and Fuzzing

2017 Codemotion OWASP ZAP in CI/CD

2020 ADDO Spring Break OWASP ZAP Automation

OWASP 2013 APPSEC USA Talk - OWASP ZAP

OWASP 2014 AppSec EU ZAP Advanced Features

2017 DevSecCon ZAP Scripting Workshop

OWASP 2013 Limerick - ZAP: Whats even newer

AllDayDevOps ZAP automation in CI

2021 ZAP Automation in CI/CD

OWASP 2013 EU Tour Amsterdam ZAP Intro

Zap vs burp

Scripts that automate OWASP ZAP as part of a continuous delivery pipeline

Similar to Using the Zed Attack Proxy as a Web App testing tool

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

gmaran23

Web Application Security Testing: Kali Linux Is the Way to Go

Coveros, Inc.

Web Application Security Testing: Kali Linux Is the Way to Go

Gene Gotimer

SolarWinds Federal Webinar: Technical Update & Demo of New Features

SolarWinds

SolarWinds has released new versions of our products in the last few months, with more to come. Watch this Federal webinar to see the latest SolarWinds products and features of most interest to our Federal customers demonstrated by our Federal Sales Engineer team. During this webinar you will learn about: Log & Event Manager (LEM) 6.0, including the new File Integrity Monitor Track and alert on changes to Files and/or the Windows Registry Network Performance Monitor (NPM) 11.0 Featuring the brand new Deep Packet Inspection (DPI) technology New Free Tool: Response Time Viewer for Wireshark® To help understand the fundamental value of the NPM 11 DPI technology Engineer’s Toolset (ETS) 11.0 - New Orion Web Tools interface. That’s right, a web interface to 6 of the most popular tools is now included with ETS Network Configuration Manager (NCM) 7.3 Including the recently updated DISA STIG V8R16 and NIST FISMA templates on thwack DameWare 11.0 Featuring the new “central license management” server SNEAK PEEK of IP Address Manager v4.2 (IPAM) with new IPv6 features IPv6 Discovery, automated IPv6 assignment to defined IPv6 subnets, and IPv6 status with ICMPv6

OSCP Preparation Guide @ Infosectrain

InfosecTrain

"><h1>muthu</h1>

muthu muthu

Creating Complete Test Environments in the Cloud

Erika Barron

Web application penetration testing lab setup guide

Sudhanshu Chauhan

Intelligent adware blocker symantec

Pednekar Prajakta

Bug Bounty for - Beginners

Himanshu Kumar Das

Kali linux useful tools

milad mahdavi

Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...

Maksim Shudrak

Your Inner Sysadmin - MidwestPHP 2015

Chris Tankersley

One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like Puppet for server management, OSSEC for log management, different command line tools, and Nagios/Monit for system monitoring.

Backtrack

n|u - The Open Security Community

Intrusion Techniques

Festival Software Livre

Your Inner Sysadmin - LonestarPHP 2015

Chris Tankersley

One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like puppet for server management, OSSEC for log management, different command line tools, and nagios/monit for system monitoring.

[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Cont...

Rakuten Group, Inc.

Portfolio Project PPT.pptx

AhmedPinger

nullcon 2010 - The evil karmetasploit upgrade

n|u - The Open Security Community

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...

Jeremiah Grossman

Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting Jeremiah Grossman, Founder & Chairman of WhiteHat Security, Inc. Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc. Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits. This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information. These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)? The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely? Are we able to determine? * Supported HTTP Request Methods. * Current Service Pack. * Patch Levels. * Configuarations. * If an Apache Server suffers from a "chunked" vulnerability. Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists. Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques. Prerequisites: General understanding of Web Server technology and HTTP.

Similar to Using the Zed Attack Proxy as a Web App testing tool (20)

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

Web Application Security Testing: Kali Linux Is the Way to Go

SolarWinds Federal Webinar: Technical Update & Demo of New Features

OSCP Preparation Guide @ Infosectrain

"><h1>muthu</h1>

Creating Complete Test Environments in the Cloud

Web application penetration testing lab setup guide

Intelligent adware blocker symantec

Bug Bounty for - Beginners

Kali linux useful tools

Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...

Your Inner Sysadmin - MidwestPHP 2015

Backtrack

Intrusion Techniques

Your Inner Sysadmin - LonestarPHP 2015

[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Cont...

Portfolio Project PPT.pptx

nullcon 2010 - The evil karmetasploit upgrade

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...

Recently uploaded

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

The Future of Platform Engineering

Jemma Hussein Allen

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

Generating a custom Ruby SDK for your web service or Rails API using Smithy

g2nightmarescribd

Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Recently uploaded (20)

Leading Change strategies and insights for effective change management pdf 1.pdf

Elevating Tactical DDD Patterns Through Object Calisthenics

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

DevOps and Testing slides at DASA Connect

Connector Corner: Automate dynamic content and events by pushing a button

Accelerate your Kubernetes clusters with Varnish Caching

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

The Future of Platform Engineering

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

The Art of the Pitch: WordPress Relationships and Sales

Generating a custom Ruby SDK for your web service or Rails API using Smithy

When stars align: studies in data quality, knowledge graphs, and machine lear...

Bits & Pixels using AI for Good.........

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

JMeter webinar - integration with InfluxDB and Grafana

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Using the Zed Attack Proxy as a Web App testing tool

1. Dave Sweigert, CISSP, CISA, PMP, Security+ OWASP (Zed Attack Proxy) Securing Web Apps with a quasi-man-in-the-middle (MitM) attack tool 11/25/2014 OWASP Zed Attack Proxy (ZAP) 1

2. Firefox configured to use proxy 11/25/2014 OWASP Zed Attack Proxy (ZAP) 2

3. FireFox Menu -- Tools – Options – Network -- Settings Set the host to localhost and the port to 8080, these are the default ZAP proxy ports. Use these settings for all protocols. 11/25/2014 OWASP Zed Attack Proxy (ZAP) 3

4. To enable FireFox Plug-in click Plug-n-Hack within the Quick Start Tab. 11/25/2014 OWASP Zed Attack Proxy (ZAP) 4

5. Configure automatic plug-in within FireFox 11/25/2014 OWASP Zed Attack Proxy (ZAP) 5

6. MANUAL intervention (using a Plug-N-Hack web page in the FireFox browser) allows manual testing of web services (e.g. SQL injection, etc.). These are manual tests typically run by a “human” penetration tester or software quality assurance (SQA) tester. 11/25/2014 OWASP Zed Attack Proxy (ZAP) 6

7. Test Results Compiled 11/25/2014 OWASP Zed Attack Proxy (ZAP) 7

8. References: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 11/25/2014 OWASP Zed Attack Proxy (ZAP) 8

Using the Zed Attack Proxy as a Web App testing tool

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Using the Zed Attack Proxy as a Web App testing tool

Similar to Using the Zed Attack Proxy as a Web App testing tool (20)

More from David Sweigert

More from David Sweigert (20)

Recently uploaded

Recently uploaded (20)

Using the Zed Attack Proxy as a Web App testing tool