ZAP is an easy to use and completely free and open source web application penetration testing tool. It is ideal for beginners and professionals alike due to its user-friendly interface and powerful features. As an OWASP flagship project, ZAP has an active development community, is translated into many languages, and is improving rapidly to detect more vulnerabilities and integrate better with other tools and APIs.

1. The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
FOSSASIA
2015
An Introduction to ZAP
OWASP
Zed Attack Proxy
Sumanth Damarla
Mozilla Winter of Security
Mozilla Rep
damarla.sumanth@gmail.com

2. 2
What is ZAP?
•An easy to use webapp pentest tool
•Completely free and open source
•An OWASP flagship project
•Ideal for beginners
•But also used by professionals
•Ideal for devs, esp. for automated security tests
•Becoming a framework for advanced testing
•Included in all major security distributions
•Not a silver bullet!

3. 3
ZAP Principles
• Free, Open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively
encouraged
• Reuse well regarded components

4. 4
Statistics
•Released September 2010, fork of Paros
•V 2.3.1 released in May 2014
•V 2.3.1 downloaded > 140K times
•Translated into 30 languages
•Over 120 translators
•Mostly used by Professional Pentesters?
•Paros code: ~20% ZAP Code: ~80%

5. 5
Open HUB Statistics
• Very High Activity
•The most active OWASP Project
•60 contributors, 30 active
•340 years of effort
•Source: https://www.openhub.net/p/zaproxy

6. 6

7. 7
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)

8. 8
Developer Features
∙Quick start
∙REST API
∙Java and Python clients
∙Headless mode
∙Anti CSRF token handling
∙Authentication support
∙Session management
∙Auto updating
∙Modes

9. 9
The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling

10. How can you use ZAP?
•Point and shoot – the Quick Start tab
•Proxying via ZAP, and then scanning
•Manual pentesting
•Automated security regression tests
•As a debugger
•As part of a larger security program
10

11. 11
Regression Tests
http://code.google.com/p/zaproxy/wiki/SecRegTests
Security

12. 12
Version 2.4.0
∙UI Changes
∙Scan Dialogs
∙Scan Policies
∙Attack Mode
∙API Changes
∙Lots of minor enhancements and bug fixes!
2.4.0

13. 13
And some new alpha add-ons
∙Access Control Testing
∙Advanced fuzzer
∙Sequence scanning

14. 1
The Future
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization
(all offers gratefully received!)
• Parameter analysis?
• Technology detection?
• What do you want?? ☺

15. Summary and Conclusion 1
• ZAP is:
• Easy to use (for a web app pentest tool;)
• Ideal for appsec newcomers
• Ideal for training courses
• Being used by Professional Pen Testers
• Easy to contribute to (and please do!)
• Improving rapidly
1

16. Summary and Conclusion 2
• ZAP has:
• An active development community
• An international user base
• The potential to reach people new to
OWASP and appsec, especially
developers and functional testers
• ZAP is a key OWASP project
1

17. Any Questions?
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project