Security Automation using ZAP


These are the slides from my lightning talk at OWASP AppSec Europe 2016. The session broadly consisted of:

- Quick run through of ZAP GUI
- Understanding what can be automated
- How to integrate ZAP with automation scripts
- Example scripts/Hands-on
- Some delicate considerations

Code: https://github.com/r3ver53r/AppSecEU_2016

Download: https://2016.appsec.eu/wp-content/uploads/2016/07/OWASP_AppSec_EU2016-Security_Automation_Using_ZAP_v1.3.pdf

Published in: Engineering

Security Automation using ZAP

  1. Security Automation Using ZAP
  2. About us
     • Vaibhav Gupta
       – Loves to be both a defender and an attacker :)
       – Security Researcher @ Adobe (for bread, butter & beer!)
       – Delhi Chapter Leader – OWASP & Null
     • Sandeep Singh (not with us today :( )
       – Security Engineer @ ESSEL Group
       – Delhi Chapter Leader – OWASP & Null
  3. About Adobe
     (diagram: Content / Data; Creative Cloud, Document Cloud, Marketing Cloud; Community, Marketplace, Partners, Developers)
     Twitter: @VaibhavGupta_1
  4. Agenda
     • What is ZAP
     • Quick run through of ZAP GUI
     • Understanding what can be automated
     • Automating ZAP
     • A few considerations/hacks
     • Use cases
  5. What is ZAP
     • Zed Attack Proxy
     • Automated Web Application Security Scanner
     • An OWASP Project
     • Voted as No. 1 Security Tool as per ToolsWatch Survey
     Ref: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  6. Quick run through of ZAP GUI
     • Contexts
     • Request/Response
     • Options
     • Spider
     • Scan Alerts
     • Scan policy manager
  7. Understanding what can be automated
     • Configuration
     • Spidering
     • Passive Scan
     • Active Scan
     • Authentication
     • Many additional capabilities :)
  8. Automating ZAP
     • ZAP APIs (http://zap/UI/)
     • pip install python-owasp-zap-v2.4
     • Example 1: Initializing ZAP in python
     • Example 2: Spidering web application
     • Example 3: Passive scanning
     • Example 4: Active scanning
     • Example 5: Simple authenticated scanning
     • Example 6: Some other important APIs
  9. Example 1: Initializing ZAP in python
         from zapv2 import ZAPv2
         zap = ZAPv2()          # defaults to the ZAP proxy on localhost:8080
     or, when ZAP listens on another address/port:
         zap = ZAPv2(proxies={'http': 'http://x.x.x.x:yyyy',
                              'https': 'http://x.x.x.x:yyyy'})
 10. Example 2: Spidering web application
         import time
         zap.spider.scan(input_target, apikey=API_Key)
         while int(zap.spider.status()) < 100:    # status is a percentage string
             print('Spider progress %: ' + zap.spider.status())
             time.sleep(2)
         zap.ajaxSpider.scan(url=input_target, apikey=API_Key)
 11. Example 3: Passive scanning
         zap.pscan.disable_all_scanners(apikey=API_Key)
         zap.pscan.enable_scanners(ids=10040, apikey=API_Key)   # scanner ids from the ref below
         zap.pscan.enable_all_scanners(apikey=API_Key)
         zap.pscan.set_enabled(enabled=True, apikey=API_Key)
     Ref: http://zap/UI/pscan/view/scanners/
 12. Example 4: Active scanning
         zap.ascan.scan(target, apikey=API_Key)
         while int(zap.ascan.status()) < 100:
             print('Scan progress %: ' + zap.ascan.status())
             time.sleep(5)                          # avoid a busy loop while polling
         zap.ascan.scan(input_target, scanpolicyname=input_policy, apikey=API_Key)
 13. Example 5: Simple authenticated scanning
         zap.ascan.scan_as_user(url=input_target, contextid=1, userid=4, apikey=API_Key)
     • http://zap/UI/context/view/context/
     • http://zap/UI/users/view/usersList/
 14. Example 6: Some other important APIs
     • http://zap/UI/spider/action/setOptionMaxDepth/
     • http://zap/UI/context/action/importContext/
     • http://zap/UI/context/action/includeInContext/
     • http://zap/UI/context/action/newContext/
     • http://zap/UI/core/other/xmlreport/
     • http://zap/UI/core/action/shutdown/
 15. A few considerations/hacks
     • Ajax spidering
     • Importing contexts/configs
     • Random sleeps
     • Scan output for a particular context/scan
     • Documentation
     • Custom scripting!
 16. Let's discuss a few use cases
     • Scanning at scale
     • Integration with CI/CD systems like Jenkins
     • Custom authentication
     • Unit security test cases
     • Research at scale!
     • The list is endless… :)
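The following script strings Examples 1 to 4 together the way the CI/CD use case on slide 16 needs: a bounded poll instead of random sleeps, alert counts restricted to one context URL, and a non-zero exit code when high-risk alerts are found. It is an added example, not code from the slides or the linked repository; the target URL, API key and risk threshold are placeholders, and the `zapv2` import is deferred to the main block so the helper functions can be exercised without a running ZAP.

```python
import time

ZAP_API_KEY = "changeme"                  # placeholder; use your own instance's key
TARGET = "http://localhost:8080/"         # constructed target URL for illustration
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def wait_until_done(status_fn, poll_seconds=2, max_polls=300):
    """Bounded poll of a ZAP status view (spider.status / ascan.status) until 100%,
    instead of the slides' open-ended loop or random sleeps; False on timeout."""
    for _ in range(max_polls):
        if int(status_fn()) >= 100:
            return True
        time.sleep(poll_seconds)
    return False

def summarize_alerts(alerts, context_url=None):
    """Count alerts by risk, keeping only URLs under context_url when one is given."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        if context_url and not alert.get("url", "").startswith(context_url):
            continue
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts

def build_should_fail(counts, threshold="High"):
    """True when any alert at or above the threshold risk level was found."""
    floor = RISK_ORDER[threshold]
    return any(n > 0 for risk, n in counts.items() if RISK_ORDER.get(risk, 0) >= floor)

def run_scan(zap, target, api_key):
    """Spider, let the passive-scan queue drain, active scan, then return the alerts."""
    zap.urlopen(target)                            # seed the Sites tree
    zap.spider.scan(target, apikey=api_key)
    wait_until_done(zap.spider.status)
    while int(zap.pscan.records_to_scan()) > 0:    # passive scanner works asynchronously
        time.sleep(1)
    zap.ascan.scan(target, apikey=api_key)
    wait_until_done(zap.ascan.status, poll_seconds=5)
    return zap.core.alerts(baseurl=target)         # list of dicts with 'risk', 'url', ...

if __name__ == "__main__":
    from zapv2 import ZAPv2                        # python-owasp-zap-v2.4; needs a running ZAP
    counts = summarize_alerts(run_scan(ZAPv2(), TARGET, ZAP_API_KEY), TARGET)
    print(counts)
    raise SystemExit(1 if build_should_fail(counts) else 0)
```

In Jenkins the exit code is what fails the build; lower the threshold to "Medium" for stricter gates, and pass `baseurl`/`context_url` per application when several contexts share one ZAP instance.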
 17. ZAP Resources
     • Getting Started Guide (pdf) - an introductory guide
     • Tutorial Videos
     • User Guide - online version of ZAP's user guide
     • User Group - ask questions about using ZAP
     • Add-ons - help for the optional add-ons you can install
     • StackOverflow - because some people use this for everything ;-)
 18. Thank you! :)
     Vaibhav Gupta
     Vaibhav.Gupta@owasp.org
     Twitter: @VaibhavGupta_1
     Blog: www.exploits.work
     Security portal: https://www.adobe.com/security
     Security @Adobe blog: https://blogs.adobe.com/security
     Twitter: @AdobeSecurity
