Date post: | 27-Jul-2015 |
Category: |
Presentations & Public Speaking |
Upload: | sumanth-damarla |
View: | 47 times |
Download: | 4 times |
The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
FOSSASIA2015
An Introduction to ZAP
OWASPZed Attack Proxy
Sumanth Damarla
Mozilla Winter of Security
Mozilla Rep
2
What is ZAP?•An easy to use webapp pentest tool
•Completely free and open source
•An OWASP flagship project
•Ideal for beginners
•But also used by professionals
•Ideal for devs, esp. for automated security tests
•Becoming a framework for advanced testing
•Included in all major security distributions
•Not a silver bullet!
3
ZAP Principles• Free, Open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively encouraged
• Reuse well regarded components
4
Statistics•Released September 2010, fork of Paros
•V 2.3.1 released in May 2014
•V 2.3.1 downloaded > 140K times
•Translated into 30 languages
•Over 120 translators
•Mostly used by Professional Pentesters?
•Paros code: ~20% ZAP Code: ~80%
5
Open HUB Statistics• Very High Activity
•The most active OWASP Project
•60 contributors, 30 active
•340 years of effort
•Source: https://www.openhub.net/p/zaproxy
7
The Main FeaturesAll the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using OWASP JBroFuzz code)
8
Developer Features∙Quick start
∙REST API
∙Java and Python clients
∙Headless mode
∙Anti CSRF token handling
∙Authentication support
∙Session management
∙Auto updating
∙Modes
9
The Additional Features• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling
How can you use ZAP?
•Point and shoot – the Quick Start tab
•Proxying via ZAP, and then scanning
•Manual pentesting
•Automated security regression tests
•As a debugger
•As part of a larger security program
10
12
Version 2.4.0
∙UI Changes
∙Scan Dialogs
∙Scan Policies
∙Attack Mode
∙API Changes
∙Lots of minor enhancements and bug fixes!
2.4.0
14
The Future• Enhance scanners to detect more
vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help
• More localization(all offers gratefully received!)
• Parameter analysis?
• Technology detection?
• What do you want?? ☺
Summary and Conclusion 1• ZAP is:
• Easy to use (for a web app pentest tool;)
• Ideal for appsec newcomers
• Ideal for training courses
• Being used by Professional Pen Testers
• Easy to contribute to (and please do!)
• Improving rapidly
15
Summary and Conclusion 2
• ZAP has:
• An active development community
• An international user base
• The potential to reach people new to OWASP and appsec, especially developers and functional testers
• ZAP is a key OWASP project16