OWASP Zed Attack Proxy Enrollment No:-150450116015 2017
Case study on
OWASP Zed Attack Proxy
1. Introduction
The OWASP (Open Web Application Security Project) Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It is also a great tool for experienced pentesters to use for manual security testing.
OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers. It is one of the most active OWASP projects and has been given Flagship status. It is also fully internationalized and is being translated into over 25 languages.
When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including HTTPS traffic. It can also run in a 'daemon' mode, which is then controlled via a REST application programming interface (API). This cross-platform tool is written in Java and is available on all of the popular operating systems, including Microsoft Windows, Linux and Mac OS X. ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring.
• An easy to use webapp pentest tool
• Completely free and open source
• OWASP Flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2015
• Not a silver bullet!
1.1 ZAP Features
• Swing based UI for desktop mode
• Comprehensive REST(ish) API for daemon mode
• Plug in architecture (add-ons)
• Online ‘marketplace’ (all free:)
• Release, beta and alpha quality add-ons
• Traditional and ajax spiders
• Passive and active scanning
• Highly configurable, e.g. scan policies
• Highly scriptable
1.2 ZAP Principles
• Free, Open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively encouraged
• Reuse well regarded components
2. Installation of ZAP
• Download links:
• http://code.google.com/p/zaproxy/downloads/list
• https://github.com/zaproxy/zaproxy/wiki/Downloads
• ZAP works as a proxy. To set up the local proxy in ZAP, go to Tools > Options > Local Proxy.
• Configure the same proxy address and port in the browser too, so that its traffic passes through ZAP.
Downloading and Installing ZAP
Step 1: The first step, of course, is to download ZAP from GitHub (see the download links above). Choose the right installer for your operating system.
Step 2: Once you have started the executable file, the next installation screen will appear. At this point click on the Next button to continue.
Step 3: Accept the License Agreement and click Next to continue.
Step 4: Select the Standard installation option and click Next to continue.
Step 5: To start the installation of ZAP, click Install.
Step 6: After the installation is complete, click Finish.
3. Implementation
Step 1: Enter the URL of the application to test in the "URL to Attack" text box.
Step 2: Now click on the Attack button.
Step 3: ZAP will automatically scan the web application and generate an alert report with a list of possible vulnerabilities for your application.
Step 4: After selecting any of the vulnerabilities in the Alerts tab, ZAP will provide details of that vulnerability and show the affected area of the code by highlighting it, as shown below.
Step 5: It will also provide a detailed description of the vulnerability and a solution for the developer, with reference website(s), to prevent that attack, as shown in the screenshots below.
ZAP offers different functionalities to analyze application vulnerabilities with spider,
passive and active approaches, fuzzer, brute force, and many others.
3.1 Passive Scan
Passive scan can be used to analyze web applications: it assesses vulnerabilities by observing the normal network traffic while acting as a proxy between server and browser. Passive scan does not attack or interfere with client and server but analyzes the requests and responses to and from the server to identify vulnerabilities.
(List of vulnerabilities found by a passive analysis)
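The kind of check a passive scan performs can be seen in the following Python example, which is added here and is not ZAP's own code or one of its scan rules. It takes a recorded HTTP response (constructed for the example), never sends a request of its own, and reports missing security headers, cookies without the HttpOnly/Secure flags, and a version-revealing Server header, using ZAP-style risk levels. The header list and the risk assigned to each finding are the example's own choices.

```python
"""Passive-style checks over a recorded HTTP response (added example, not ZAP code)."""
from dataclasses import dataclass


@dataclass
class Finding:
    risk: str       # ZAP-style risk level: Informational, Low, Medium or High
    name: str
    evidence: str


# Security headers a passive rule expects on an HTML response, with the risk
# assigned when one is missing (the example's own choices, not ZAP's rules).
EXPECTED_HEADERS = {
    "content-security-policy": "Medium",
    "x-content-type-options": "Low",
    "x-frame-options": "Medium",
    "strict-transport-security": "Low",
}


def parse_response(raw):
    """Split a raw HTTP response into status line, [(name, value)] headers and body.
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_headers(headers, is_https):
    present = {name for name, _ in headers}
    findings = []
    for name, risk in EXPECTED_HEADERS.items():
        if name == "strict-transport-security" and not is_https:
            continue  # HSTS is only meaningful on a TLS response
        if name not in present:
            findings.append(Finding(risk, f"Missing {name} header", "header absent"))
    return findings


def check_cookies(headers, is_https):
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attributes:
            findings.append(Finding("Low", "Cookie without HttpOnly flag", cookie_name))
        if is_https and "secure" not in attributes:
            findings.append(Finding("Low", "Cookie without Secure flag", cookie_name))
    return findings


def check_server_header(headers):
    for name, value in headers:
        if name == "server" and any(ch.isdigit() for ch in value):
            return [Finding("Low", "Server header reveals version", value)]
    return []


def passive_scan(raw_response, is_https=True):
    """Analyse one response without sending anything; returns the findings."""
    _status, headers, _body = parse_response(raw_response)
    return (check_headers(headers, is_https)
            + check_cookies(headers, is_https)
            + check_server_header(headers))


def summarize(findings):
    """Count findings per risk level, as an alert report would."""
    counts = {}
    for finding in findings:
        counts[finding.risk] = counts.get(finding.risk, 0) + 1
    return counts


# Constructed sample response: no CSP/X-Frame-Options/HSTS, one cookie without flags.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_RESPONSE):
        print(f"[{finding.risk}] {finding.name}: {finding.evidence}")
```

Because the checks only read the response, they can run over every exchange that passes through the proxy without sending anything to the server, which is exactly why passive scanning is safe to leave on while browsing an application.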
3.2 Spider
The Spider automatically explores a web application and builds its structure as a list of all the URL resources found. For each URL, ZAP creates a request to get the resource and then parses the response, discovering further hyperlinks. To use the Spider it is necessary to specify an initial URL or a subset of URLs.
(Spider analysis)
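An added Python example (not ZAP's Spider) of the crawl the section describes: it starts from a seed URL, extracts hyperlinks, form actions and script sources from each response, resolves them against the page URL, and follows only links in scope (same scheme and host as the seed), recording out-of-scope links without visiting them. The site map, the fetch callable and the URLs are constructed for the example so it runs offline; against a real application `fetch` would perform an HTTP GET.

```python
"""A minimal in-scope spider (added example, not ZAP's own Spider)."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect href/action/src attributes from the tags a spider follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])
        elif tag == "script" and attrs.get("src"):
            self.links.append(attrs["src"])


def extract_links(page_url, html):
    """Absolute, fragment-free URLs referenced by the page."""
    parser = LinkExtractor()
    parser.feed(html)
    resolved = []
    for href in parser.links:
        absolute, _fragment = urldefrag(urljoin(page_url, href))
        resolved.append(absolute)
    return resolved


def in_scope(seed, url):
    """Scope rule: same scheme and host as the seed URL."""
    s, u = urlsplit(seed), urlsplit(url)
    return (s.scheme, s.netloc) == (u.scheme, u.netloc)


def spider(seed, fetch, max_pages=100):
    """Breadth-first crawl from seed; returns (visited in order, out-of-scope links)."""
    seen = {seed}
    queue = deque([seed])
    visited = []
    out_of_scope = set()
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        visited.append(url)
        html = fetch(url)          # None models a non-HTML or missing resource
        if html is None:
            continue
        for link in extract_links(url, html):
            if not in_scope(seed, link):
                out_of_scope.add(link)   # recorded, never requested
            elif link not in seen:
                seen.add(link)
                queue.append(link)
    return visited, sorted(out_of_scope)


# Constructed sample site, kept in memory so the example runs offline.
SITE = {
    "http://app.example/": (
        '<a href="/login">Login</a><a href="about.html">About</a>'
        '<script src="/static/app.js"></script>'
    ),
    "http://app.example/login": (
        '<form action="/login" method="post"></form><a href="/">Home</a>'
        '<a href="https://cdn.example/lib.js">lib</a>'
    ),
    "http://app.example/about.html": '<a href="/login#top">Login</a><a href="/admin">Admin</a>',
    "http://app.example/admin": '<a href="/">back</a>',
}


def fetch_from_site(url):
    """Stand-in for an HTTP GET: returns the page body or None."""
    return SITE.get(url)


if __name__ == "__main__":
    found, external = spider("http://app.example/", fetch_from_site)
    print("in scope:", *found, sep="\n  ")
    print("out of scope (not visited):", *external, sep="\n  ")
```

The scope rule is the part worth getting right: without it a crawler wanders off into third-party hosts, which is both noisy and outside the authorisation you hold for your own application. The `max_pages` cap is the other safeguard, since applications with calendars or search pages can generate an unbounded number of links.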
3.3 Active Scan
Active scanning attempts to find security holes by simulating real, known attacks against the target web application. Active scan should be used only against your own applications.
With ZAP it is possible to select a list of previously visited resources and run active attacks on them in order to find known vulnerabilities. Active scanning provides a wider list of vulnerabilities and, combined with the Spider and the passive scan, can show all the vulnerabilities ZAP can recognize, including high-risk vulnerabilities:
(List of some vulnerabilities found by passive and active analysis)
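The daemon mode and REST API mentioned in the introduction let the spider, the active scan and the alert report described above be driven from a build script, which is what the "automated security tests" use case for developers amounts to. The following Python example is added here and is not ZAP's own client library: it uses only the standard library and the JSON API paths for the spider, the active scanner and the core alerts view as documented in the ZAP API. `ZAP_URL`, `API_KEY`, the target URL and the alerts returned by the fake transport are assumptions constructed for the example; the fake transport stands in for a running daemon so the flow can be followed offline, and the run is failed when any alert reaches the chosen risk level.

```python
"""Driving a ZAP daemon from a build script via its JSON API (added example, not ZAP code)."""
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8080"  # assumed daemon address; 8080 is ZAP's default port
API_KEY = "change-me"              # placeholder: use the key configured on the daemon


def http_transport(path, params):
    """GET one ZAP API endpoint and decode the JSON reply (needs a running daemon)."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    with urllib.request.urlopen(f"{ZAP_URL}{path}?{query}", timeout=30) as resp:
        return json.load(resp)


class ZapClient:
    """Thin wrapper over the spider, active scan and alerts endpoints."""

    def __init__(self, transport=http_transport, poll_interval=2.0):
        self.call = transport
        self.poll_interval = poll_interval

    def _wait(self, status_path, scan_id):
        # ZAP reports scan progress as a percentage string; "100" means finished.
        while int(self.call(status_path, {"scanId": scan_id})["status"]) < 100:
            time.sleep(self.poll_interval)

    def spider(self, target):
        scan_id = self.call("/JSON/spider/action/scan/", {"url": target})["scan"]
        self._wait("/JSON/spider/view/status/", scan_id)
        return scan_id

    def active_scan(self, target):
        scan_id = self.call("/JSON/ascan/action/scan/", {"url": target})["scan"]
        self._wait("/JSON/ascan/view/status/", scan_id)
        return scan_id

    def alerts(self, target):
        return self.call("/JSON/core/view/alerts/", {"baseurl": target})["alerts"]


RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def run_scan(target, client, fail_at="High"):
    """Spider, actively scan, then gate on alerts at or above the fail_at risk."""
    client.spider(target)
    client.active_scan(target)
    alerts = client.alerts(target)
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    blocking = [a for a in alerts if RISK_ORDER[a["risk"]] >= RISK_ORDER[fail_at]]
    return {"counts": counts, "blocking": blocking, "passed": not blocking}


# ---- constructed stand-in for a running daemon, so the flow runs offline ----
FAKE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.example/search",
     "param": "q", "solution": "Use parameterised queries."},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://app.example/", "param": "", "solution": "Send X-Frame-Options: DENY."},
    {"risk": "Low", "alert": "Cookie Without HttpOnly Flag",
     "url": "http://app.example/login", "param": "JSESSIONID", "solution": "Set the HttpOnly flag."},
]


def make_fake_transport(alerts):
    """Answers like the daemon would: a scan id, progress reaching 100 on the second poll, alerts."""
    polls = {"spider": 0, "ascan": 0}

    def transport(path, params):
        if path.endswith("/action/scan/"):
            return {"scan": "1"}
        if path == "/JSON/spider/view/status/":
            polls["spider"] += 1
            return {"status": "100" if polls["spider"] > 1 else "40"}
        if path == "/JSON/ascan/view/status/":
            polls["ascan"] += 1
            return {"status": "100" if polls["ascan"] > 1 else "75"}
        if path == "/JSON/core/view/alerts/":
            return {"alerts": alerts}
        raise ValueError(f"unexpected API path: {path}")

    return transport


if __name__ == "__main__":
    # Against a real daemon use ZapClient() with the default http_transport.
    client = ZapClient(make_fake_transport(FAKE_ALERTS), poll_interval=0)
    result = run_scan("http://app.example/", client)
    print(result["counts"], "passed" if result["passed"] else "FAILED")
    for alert in result["blocking"]:
        print(f'  {alert["risk"]}: {alert["alert"]} at {alert["url"]} (param {alert["param"]!r})')
```

The same caveat the section gives for the GUI applies here: the active scan sends attack traffic, so the target must be an application you own, typically a test instance started by the same pipeline. Gating on risk level rather than on the raw alert count keeps the build green on informational findings while still stopping on anything rated High.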
3.4 Fuzzer
The Fuzzer is a feature that allows you to send a range of invalid, unexpected and random strings in order to discover security holes in the target application. ZAP allows fuzzing any request using strings from a text file containing the inputs. Users can add files manually or via the application to extend the range of strings available.
(Fuzz testing)
3.5 Brute Force
The Brute Force feature is not used for brute-force attacks on authentication fields; it helps find files or directories of the target application. ZAP contains large files with lists of file and directory names and uses these names to try to access resources directly, rather than relying on finding links to them. A brute-force run only requires knowledge of the target web application and the associated file with the list of names.
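From the defender's side, the Fuzzer and the Brute Force (forced browse) features described in 3.4 and 3.5 leave a recognisable trace in the web server's access log: one client producing many 404 responses on distinct paths, or many requests to one path with many distinct values for the same parameter. The following Python example, added here and not part of ZAP, parses constructed access log lines in Combined Log Format and flags clients matching either pattern; the IP addresses, paths and thresholds are the example's own assumptions.

```python
"""Spotting forced-browse and fuzzing traffic in a web server access log (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size referer agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, method, path, query params and status, or None if unparsable."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def analyse(lines, forced_browse_404s=10, fuzz_values=10):
    """Flag clients whose requests look like forced browsing or parameter fuzzing."""
    not_found_paths = defaultdict(set)                    # ip -> distinct paths answered 404
    param_values = defaultdict(lambda: defaultdict(set))  # ip -> (path, param) -> values seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found_paths[rec["ip"]].add(rec["path"])
        for name, value in rec["params"]:
            param_values[rec["ip"]][(rec["path"], name)].add(value)

    findings = []
    for ip, paths in not_found_paths.items():
        if len(paths) >= forced_browse_404s:
            findings.append({"ip": ip, "type": "forced-browse",
                             "detail": f"{len(paths)} distinct paths answered 404"})
    for ip, keyed in param_values.items():
        for (path, name), values in keyed.items():
            if len(values) >= fuzz_values:
                findings.append({"ip": ip, "type": "fuzzing",
                                 "detail": f"{len(values)} distinct values of '{name}' on {path}"})
    return findings


def _line(ip, method, target, status):
    # Constructed log line in Combined Log Format (timestamp, size and agent are arbitrary)
    return (f'{ip} - - [10/Oct/2017:13:55:36 +0000] "{method} {target} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one ordinary visitor, one forced-browse run, one fuzzing run.
SAMPLE_LOG = (
    [_line("198.51.100.2", "GET", "/", 200),
     _line("198.51.100.2", "GET", "/about.html", 200),
     _line("198.51.100.2", "GET", "/favicon.ico", 404)]
    + [_line("203.0.113.5", "GET", f"/guess-{i}", 404) for i in range(12)]
    + [_line("203.0.113.9", "GET", f"/search?q=probe{i}", 200) for i in range(15)]
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f'{finding["ip"]}: {finding["type"]} ({finding["detail"]})')
```

In a real deployment the counters would be kept per time window rather than over the whole file, and the thresholds tuned against normal traffic, since a single missing favicon or a legitimate search page with many queries should not trip the detector. A burst that does trip it during your own scheduled ZAP run is also a useful sanity check that the scan actually reached the server.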
Other functionalities, not explored in this brief introduction, are HttpSession, Param,
WebSockets, and many others.
4. Advantages & Disadvantages
Advantages
• List out all possible vulnerabilities from your application.
• Provide a solution to the developer for preventing vulnerabilities within an application, with reference website(s).
• Scan all the pages and highlight the area of the code affected by a vulnerability.
• Provide a facility to generate a report of vulnerabilities in various formats.
• ZAP security tool is very time consuming.
Disadvantages
• lack of proper authentication with backend systems
• lack of access control over connections to backend systems
• lack of proper validation and encoding of data sent to and received from backend systems
• lack of proper error handling surrounding backend connections
• lack of centralization in security mechanisms
5. Applications
Software testing tool
• The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
• It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Automated Security Testing of web applications using OWASP Zed Attack
Proxy
• Penetration testing web applications is not an easy task, no matter if you are a Java, PHP, Ruby or C# developer. Often development teams use web frameworks to develop their application and rely on built-in security features without understanding possible attack scenarios. Other times developers rely on the operations team when it comes to securing the web application.
• Recently I came across a tool that solves this problem, the Zed Attack Proxy (ZAP). This open-source tool was developed at the Open Web Application Security Project (OWASP). Its main goal is to allow easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts.
ZAP Penetration Testing: to Detect Vulnerabilities
• Penetration testing (otherwise known as pen testing, or the more general security testing) is the process of testing your applications for vulnerabilities, and answering a simple question: "What could a hacker do to harm my application, or organization, out in the real world?"
• Recently I came across a tool, Zed Attack Proxy (ZAP). Its main goal is to allow easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts. Let's check out how ZAP penetration testing works.
Conclusion
• ZAP is a free, open-source community developed tool aimed at making the online
world more secure
• Some of the ideals that have driven ZAP are listed below
• Help users develop and apply application security skills
• Build a competitive, open source, and community oriented platform
• Provide an extensible platform for testing
• Designed to be easy to use
• Raise the bar for other security tools
Future of ZAP:
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 

Zed Attack Proxy (ZAP)

Case study on OWASP Zed Attack Proxy

1. Introduction

The OWASP (Open Web Application Security Project) Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.

OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers. It is one of the most active OWASP projects and has been given Flagship status. It is also fully internationalized and is being translated into over 25 languages.

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using HTTPS. It can also run in a 'daemon' mode which is then controlled via a REST application programming interface. This cross-platform tool is written in Java and is available on all of the popular operating systems including Microsoft Windows, Linux and Mac OS X. ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring.

• An easy to use webapp pentest tool
• Completely free and open source
• OWASP Flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2015
• Not a silver bullet!

1.1 ZAP Features
• Swing based UI for desktop mode
• Comprehensive REST(ish) API for daemon mode
• Plug-in architecture (add-ons)
• Online 'marketplace' (all free)
• Release, beta and alpha quality add-ons
• Traditional and AJAX spiders
• Passive and active scanning
• Highly configurable, e.g. scan policies
• Highly scriptable

1.2 ZAP Principles
• Free, open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively encouraged
• Reuse well regarded components

2. Installation of ZAP
• Download links:
  • http://code.google.com/p/zaproxy/downloads/list
  • https://github.com/zaproxy/zaproxy/wiki/Downloads
• ZAP works as an intercepting proxy. To set up the proxy in ZAP, go to TOOLS > OPTIONS > LOCAL PROXY in ZAP.
• Configure the same proxy address in the browser too.

Downloading and Installing ZAP
Step 1: The first step of course is to download ZAP, which can be downloaded from GitHub (see the links above). Choose the right installer for your operating system.
Step 2: Once you've started the executable file, the next installation screen will appear. At this point click on the Next button to continue.
Step 3: Accept the License Agreement and click Next to continue.
Step 4: Select the Standard installation option and click Next to continue.
Step 5: To start the installation of ZAP, click Install.
Step 6: After the installation is complete, click Finish.

3. Implementation
Step 1: Enter the target URL in the "URL to Attack" text box.
Step 2: Now click on the Attack button.
Step 3: ZAP automatically scans the web application and generates an alert report listing the possible vulnerabilities in your application.
Step 4: After selecting any vulnerability in the Alerts tab, ZAP provides details of that vulnerability and highlights the affected area of the code, as shown below.
Step 5: It also provides a detailed description of the vulnerability and a solution for the developer, with reference website(s), to prevent that attack, as shown in the screenshots below.

ZAP offers different functionalities to analyze application vulnerabilities: spider, passive and active scanning, fuzzer, brute force, and many others.

3.1 Passive Scan
Passive scan can be used to analyze web applications: it assesses vulnerabilities by observing the normal network traffic while acting as a proxy between server and browser. Passive scan does not attack or interfere with client and server but analyzes the requests and responses to and from the server to identify vulnerabilities.
(List of vulnerabilities found by a passive analysis)

3.2 Spider
The Spider explores and automatically builds the structure of a web application as a list of all URL resources found. For each URL, ZAP creates a request to get the resource and then parses the response, discovering hyperlinks. To use the Spider it is necessary to specify an initial URL or a subset of URLs.
(Spider analysis)

3.3 Active Scan
Active scanning attempts to find security holes by simulating real known attacks against the target web application. Active scan should be used only against your own applications. With ZAP it is possible to select a list of previously visited resources and run active attacks on them in order to reveal known vulnerabilities. Active scanning provides a wider list of vulnerabilities and, combined with the spider and the passive scan, can show all the vulnerabilities ZAP can recognize, including high risk vulnerabilities:
(List of some vulnerabilities found by passive and active analysis)

3.4 Fuzzer
The Fuzzer is a feature that allows you to send a range of invalid, unexpected and random strings in order to discover security holes in the target application. ZAP allows fuzzing any request using strings taken from text files of inputs. Users can add files manually or via the application to extend the range of strings available.
(Fuzz testing)

3.5 Brute Force
The Brute Force feature is not used for brute force attacks on authentication fields, but aids in finding files or directories of the target application. ZAP contains large lists of file and directory names and uses these names to try to access resources directly, rather than relying on finding links to them. A brute force run only requires knowledge of the target web application and the associated file with the list of names.

Other functionalities, not explored in this brief introduction, are HttpSession, Param, WebSockets, and many others.

4. Advantages & Disadvantages
Advantages
• Lists all possible vulnerabilities found in your application.
• Provides the developer with a solution for preventing each vulnerability within the application, with reference website(s).
• Scans all the pages and highlights the area of the code affected by a vulnerability.
• Provides the facility to generate a report of vulnerabilities in various formats.
• The ZAP security tool is very time consuming.
Disadvantages
• Lack of proper authentication with backend systems
• Lack of access control over connections to backend systems
• Lack of proper validation and encoding of data sent to and received from backend systems
• Lack of proper error handling surrounding backend connections
• Lack of centralization in security mechanisms

5. Applications
Software testing tool
• The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
• It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Automated Security Testing of web applications using OWASP Zed Attack Proxy
• Penetration testing web applications is not an easy task, no matter if you are a Java, PHP, Ruby or C# developer. Often development teams use web frameworks to develop their application and rely on built-in security features without understanding possible attack scenarios. Other times developers rely on the operations team when it comes to securing the web application.
• Recently I came across a tool that solves this problem, the Zed Attack Proxy (ZAP). This open-source tool was developed at the Open Web Application Security Project (OWASP). Its main goal is to allow easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts.
ZAP Penetration Testing: to Detect Vulnerabilities
• Penetration testing (otherwise known as pen testing, or the more general security testing) is the process of testing your applications for vulnerabilities, and answering a simple question: "What could a hacker do to harm my application, or organization, out in the real world?"
• Recently I came across a tool, Zed Attack Proxy (ZAP). Its main goal is to allow easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts. Let's check out how ZAP penetration testing works.
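The "Attack" flow from the Implementation steps, run over ZAP's REST API in daemon mode as the automated security testing described under Applications: spider, active scan, then collect the alerts and turn them into a build-gate decision. This is an added example, not code from the case study or the ZAP project; the /JSON/spider, /JSON/ascan and /JSON/core endpoint paths are ZAP's own API, while the daemon address, the API key placeholder, the app.test target and the sample alerts are constructed assumptions.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP = "http://127.0.0.1:8080"          # assumed daemon address (ZAP's default port)
API_KEY = "REPLACE_WITH_ZAP_API_KEY"   # placeholder; ZAP generates the real key
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)

def http_get(url):
    """Transport for a live daemon: every API view and action answers with JSON."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def wait_for_scan(component, scan_id, get, poll=2.0):
    """Poll the spider/ascan status view (a percentage string) until it reports 100."""
    while int(get(api_url(component, "view", "status", scanId=scan_id))["status"]) < 100:
        time.sleep(poll)

def run_scan(target, get=http_get):
    """GUI 'Attack' flow over the API: spider, active scan (real payloads: own apps only), alerts."""
    spider_id = get(api_url("spider", "action", "scan", url=target))["scan"]
    wait_for_scan("spider", spider_id, get)
    ascan_id = get(api_url("ascan", "action", "scan", url=target))["scan"]
    wait_for_scan("ascan", ascan_id, get)
    return get(api_url("core", "view", "alerts", baseurl=target))["alerts"]

def summarize_alerts(alerts):
    """Count distinct findings per risk level; the same issue on the same URL/param is one finding."""
    unique = {}
    for a in alerts:
        unique.setdefault((a["alert"], a["url"], a.get("param", "")), a["risk"])
    return Counter(unique.values())

def gate(counts, fail_at="High"):
    """Build-gate decision: pass (True) unless an alert at or above fail_at is present."""
    return not any(counts[r] for r in RISK_ORDER[RISK_ORDER.index(fail_at):])

SAMPLE_ALERTS = [  # constructed sample, in the shape core/view/alerts returns
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.test/search", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.test/search", "param": "q"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://app.test/", "param": ""},
]

def fake_get(url):
    """Offline stand-in for http_get that answers like a daemon whose scans have finished."""
    if "/action/scan/" in url:
        return {"scan": "0"}
    if "/view/status/" in url:
        return {"status": "100"}
    return {"alerts": SAMPLE_ALERTS}

if __name__ == "__main__":                     # dry run; pass get=http_get for a live daemon
    counts = summarize_alerts(run_scan("http://app.test", get=fake_get))
    print(dict(counts), "PASS" if gate(counts) else "FAIL")
```

Against a live daemon the same script fails the build on the reflected XSS (one High finding, the duplicate instance collapsed) while the missing header alone would pass at the default threshold.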
Conclusion
• ZAP is a free, open-source, community developed tool aimed at making the online world more secure
• Some of the ideals that have driven ZAP are listed below:
  • Help users develop and apply application security skills
  • Build a competitive, open source, and community oriented platform
  • Provide an extensible platform for testing
  • Designed to be easy to use
  • Raise the bar for other security tools
Future of ZAP:
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help