+ All Categories
Home > Technology > Zap attack proxy

Zap attack proxy

Date post: 19-May-2015
Category:

Technology
Upload: artem-vasilenko
View: 425 times
Download: 15 times
Download Report this document
Share this document with a friend
Description:
Small slide deck, about 1st steps within Security Testing and OWASP ZAP tool.
Popular Tags:
zap proxystart testing
platformsetup zap
stepsdownload zap
security vulnerabilities
cases st process
ci pipeline process
active scanruns number
passive scan smoke test
9
Security Testing Security testing is a process to determine that an information system protects data and maintains functionality as intended.
Transcript
Page 1: Zap attack proxy

Security Testing

Security testing is a process to determine that an information system protects data and maintains functionality as intended.

Page 2: Zap attack proxy

Challenges

Skill set – for better results requires practice in this wide area

Effort – on going process which may require separate team

Tools – most likely are third party services or require deep understanding

Budget – for license or a team / third party

Automation – in most cases ST process requires Intelligence investigation

Page 3: Zap attack proxy

Introduction

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience:

Developers

Functional Testers

Security Specialists

Those who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually

Page 4: Zap attack proxy

1st Steps

Download ZAP for your platform

Setup ZAP to use custom proxy

Setup your browser to use ZAP proxy

Start Testing right away

Page 5: Zap attack proxy

Passive Scan

Logs all found on the fly as you test within your Browser

Finds Small and Medium issues in Web context (cookies, headers e.t.c)

Provides solution to fix

Provides Reports in number of formats

Candidate for CI pipeline process

Page 6: Zap attack proxy

Active Scan

Runs number of test against given URL

Goes through all possible vulnerabilities

Dynamically inserts URL parameters trying to inject Site under test

Reports and highlight areas for further analysis

Page 7: Zap attack proxy

Automation

Stands in the middle analyzing traffic

Can be integrated in CI

Automation Testing framework - agnostic

Can be tuned for decision making

Good candidate for 'Passive Scan' smoke test

Page 8: Zap attack proxy

Conclusion

Cross-platform – easy to setup and start

Open source and actively develops

Doesn't require any special skills from the start

Continuous Integration - friendly

Supports automation at some levels

REST API friendly

Page 9: Zap attack proxy

Materials Used

Alan Parkinson Conference talks http://lanyrd.com/profile/alan_parkinson/

OWASP ZAP Home Page

http://bit.ly/1fjloVy


Recommended
Security Testing - OWASP ZED Attack Proxy Version: 1.0 16 ...infogen-labs.com/imgs/qa-qc-document/Security...OWASP Zed Attack Proxy OWASP ZAP is an easy to use integrated penetration

Security Testing - OWASP ZED Attack Proxy Version: 1.0 16 ...infogen-labs.com/imgs/qa-qc-document/Security...OWASP Zed Attack Proxy OWASP ZAP is an easy to use integrated penetration

Documents

ZAP @FOSSASIA2015

ZAP @FOSSASIA2015

Presentations & Public Speaking

Arachni & OWASP Zed Attack Proxy - ISWAT · 1| 2 1 Arachni & OWASP Zed Attack Proxy Course: Sicurezza delle reti e dei sistemi software AA: 2016/2017

Arachni & OWASP Zed Attack Proxy - ISWAT · 1| 2 1 Arachni & OWASP Zed Attack Proxy Course: Sicurezza delle reti e dei sistemi software AA: 2016/2017

Documents

OWASP Zed Attack ProxyZed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com OWASP Romania 2014. 2 What is ZAP? •An easy to use webapp pentest

OWASP Zed Attack ProxyZed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team [email protected] OWASP Romania 2014. 2 What is ZAP? •An easy to use webapp pentest

Documents

OWASP ZAP Screenshots - University of PennsylvaniaQuestions and Solutions as screenshots : OWASP ZAP 1. Setting ZAP as an Intercepting proxy server : In options menu on home page of

OWASP ZAP Screenshots - University of PennsylvaniaQuestions and Solutions as screenshots : OWASP ZAP 1. Setting ZAP as an Intercepting proxy server : In options menu on home page of

Documents

Practical Identification of SQL Injection Vulnerabilities · 2017-09-04 · ZAP proxy listening on port 8080, as illustrated in Figure 1. Figure1:Configuring browser for ZAP proxy.

Practical Identification of SQL Injection Vulnerabilities · 2017-09-04 · ZAP proxy listening on port 8080, as illustrated in Figure 1. Figure1:Configuring browser for ZAP proxy.

Documents

The Secure SDLC Panel Real answers from real experience€¦ · • Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web

The Secure SDLC Panel Real answers from real experience€¦ · • Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web

Documents

Uni-ZAP XR Vector Kit and Uni-ZAP XR Gigapack Cloning Kits · Uni-ZAP XR Gigapack Cloning Kits ... Uni-ZAP XR Vector Kit and Uni-ZAP XR Gigapack Cloning Kits Catalog #237211 ... umuC::Tn5

Uni-ZAP XR Vector Kit and Uni-ZAP XR Gigapack Cloning Kits · Uni-ZAP XR Gigapack Cloning Kits ... Uni-ZAP XR Vector Kit and Uni-ZAP XR Gigapack Cloning Kits Catalog #237211 ... umuC::Tn5

Documents

ZAP Express Predigested Vector Kit and ZAP Express Predigested ...

ZAP Express Predigested Vector Kit and ZAP Express Predigested ...

Documents

Multi-Post XSRF Web App Exploitation · •The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

Multi-Post XSRF Web App Exploitation · •The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

Documents

Zap Vs Zap - how to stay motivated when you most need it

Zap Vs Zap - how to stay motivated when you most need it

Documents

A Generic Model For Proxy-Protected Anonymous Proxy ......A General Model for Proxy Cryptography and Attack Model Two Concrete Examples Acknowledgement A Generic Model Attack Model

A Generic Model For Proxy-Protected Anonymous Proxy ......A General Model for Proxy Cryptography and Attack Model Two Concrete Examples Acknowledgement A Generic Model Attack Model

Documents

Zap! and Zap! Extra Brochure 2014

Zap! and Zap! Extra Brochure 2014

Documents

Security Project 2014 ANNUAL REPORT - Meetupfiles.meetup.com/2461862/OWASP-2014-Annual-Report.compressed.pdf · OWASP iGoat v2.2 Zed Attack Proxy (Zap) v3.0 Security Shepherd Project

Security Project 2014 ANNUAL REPORT - Meetupfiles.meetup.com/2461862/OWASP-2014-Annual-Report.compressed.pdf · OWASP iGoat v2.2 Zed Attack Proxy (Zap) v3.0 Security Shepherd Project

Documents

Meetup Welcome to the OWASP Toronto Hello, and happy 2018! · awesomeness) OWASP Zed Attack Proxy (ZAP) Burp Suite Community Edition Kali Linux (+ forensics mode) Learn about the

Meetup Welcome to the OWASP Toronto Hello, and happy 2018! · awesomeness) OWASP Zed Attack Proxy (ZAP) Burp Suite Community Edition Kali Linux (+ forensics mode) Learn about the

Documents

How to use proxy in security testingWhat is OWASP Zed Attack Proxy (ZAP) • Web application penetration testing tool • Free and open source • An OWASP flagship project • Ideal

How to use proxy in security testingWhat is OWASP Zed Attack Proxy (ZAP) • Web application penetration testing tool • Free and open source • An OWASP flagship project • Ideal

Documents

NEW PACK MODEL : ZAP-5S +ZAP-5SÃs LJ LJ Q) Format U …

NEW PACK MODEL : ZAP-5S +ZAP-5SÃs LJ LJ Q) Format U …

Documents

Zap Fatigue

Zap Fatigue

Documents