An Introduction to ZAP The OWASP Zed Attack Proxy
OWASP AppSec USA 2011
Simon Bennetts, Sage UK Ltd, OWASP ZAP Project Lead, psiinon@gmail.com

Speaker notes:
Question for audience: devs or pentesters? Used ZAP?
Work for Sage in the UK, lead dev and security team. ZAP not sponsored by Sage, but Sage very supportive of my security work.
Plan: Background (does the world need another pentest tool?), Functionality, Demo, Future.

The Introduction
- The statement: You cannot build secure web applications unless you know how to attack them
- The problem: For many developers 'penetration testing' is a black art
- The solution: Teach basic pentesting techniques to developers
Thanks to Royston Robertson (www.roystonrobertson.co.uk) for permission to use his cartoon!

Speaker notes:
Like trying to build a castle in the middle ages without knowledge of siege engines, sapping techniques... You need to know what the bad guys will do. In software there are devs, QA and pentesters; pentesters are often from another company. Pentest story!

The Caveat
This is in addition to:
- Teaching secure coding techniques
- Teaching about common vulnerabilities (e.g. OWASP Top 10)
- Secure Development Software Lifecycle
- Static and dynamic source code analysis
- Code reviews
- Professional pentesting
- ...
Not a silver bullet, because they don't exist.

Speaker notes:
One of the first questions: what tools should we use? Couldn't find one that met my exacting requirements (more later). Closest was Paros, or my hacked version...

The Zed Attack Proxy
- Released September 2010
- Ease of use a priority
- Comprehensive help pages
- Free, open source
- Cross platform
- A fork of the well regarded Paros Proxy
- Involvement actively encouraged
- Adopted by OWASP October 2010

1 year later...
- Version 1.3.2 released mid August...
- ...and downloaded 4000+ times
- 5 main coders, 15 contributors
- Fully internationalized
- Translated into 10 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Polish, Spanish
- Mostly used by professional pentesters?
- Paros code: ~55%, ZAP code: ~45%

ZAP Principles
- Free, open source
- Cross platform
- Easy to use
- Easy to install
- Internationalized
- Fully documented
- Involvement actively encouraged
- Reuse well regarded components

Where is ZAP being used?

The Main Features
All the essentials for web application testing:
- Intercepting proxy
- Active and passive scanners
- Spider
- Report generation
- Brute force (using OWASP DirBuster code)
- Fuzzing (using OWASP JBroFuzz code)

The Additional Features
- Auto tagging
- Port scanner
- Smart card support
- Session comparison
- Invoke external apps
- BeanShell integration
- API + headless mode
- Dynamic SSL certificates
- Anti-CSRF token handling
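Anti-CSRF token handling is what lets a fuzzer get past a form whose hidden token is single-use: each fuzzed request has to carry a freshly issued token, or everything after the first request is rejected before the payload is ever processed. The following is an added illustration of that mechanism, not code from the talk or from ZAP. TargetApp is a constructed stand-in for a vulnerable form handler, the token field name "anticsrf" and the payload list are assumptions, and the two fuzzers differ only in whether they re-fetch the form (and therefore the token) before every submission.

```python
"""Fuzzing a form behind one-time anti-CSRF tokens.

Added stand-alone example (not ZAP's code). TargetApp is a constructed
stand-in for a vulnerable web app; the two fuzzers show why a fuzzer has to
re-fetch the token for every request instead of replaying the first one.
"""
import re
import secrets
from dataclasses import dataclass


class TargetApp:
    """Constructed target: the form carries a one-time anti-CSRF token, and
    the POST handler deliberately reflects the comment unescaped, so the
    fuzzer has something to find."""

    def __init__(self):
        self._valid_tokens = set()

    def get_form(self):
        """GET /comment: issues a fresh token and embeds it as a hidden field."""
        token = secrets.token_hex(8)
        self._valid_tokens.add(token)
        return (
            '<form method="POST" action="/comment">'
            f'<input type="hidden" name="anticsrf" value="{token}">'
            '<input name="comment"><input type="submit"></form>'
        )

    def post_comment(self, fields):
        """POST /comment: rejects unknown or already-used tokens with 403."""
        token = fields.get("anticsrf")
        if token not in self._valid_tokens:
            return 403, "Invalid or expired anti-CSRF token"
        self._valid_tokens.discard(token)  # one-time use: replaying it fails
        return 200, f"<p>Your comment: {fields.get('comment', '')}</p>"


# Token regex, the equivalent of configuring a token name/pattern in a proxy.
TOKEN_RE = re.compile(r'name="anticsrf"\s+value="([0-9a-f]+)"')


def extract_token(html):
    """Pull the anti-CSRF token out of the returned form."""
    match = TOKEN_RE.search(html)
    if not match:
        raise ValueError("no anti-CSRF token in form")
    return match.group(1)


@dataclass
class FuzzResult:
    payload: str
    status: int
    reflected: bool  # payload echoed verbatim in a 200 response


def _submit(app, token, payload):
    status, body = app.post_comment({"anticsrf": token, "comment": payload})
    return FuzzResult(payload, status, status == 200 and payload in body)


def fuzz_without_regeneration(app, payloads):
    """Naive fuzzer: captures the form once and replays that token for every
    payload. Only the first request gets past the token check."""
    token = extract_token(app.get_form())
    return [_submit(app, token, p) for p in payloads]


def fuzz_with_regeneration(app, payloads):
    """Token-aware fuzzer: re-fetches the form before each request so every
    submission carries a fresh, unused token."""
    return [_submit(app, extract_token(app.get_form()), p) for p in payloads]


# Constructed payload list: one benign string plus typical XSS / SQLi probes.
PAYLOADS = [
    "hello",
    "<script>alert(1)</script>",
    "' OR '1'='1",
    '"><img src=x onerror=alert(1)>',
]

if __name__ == "__main__":
    for name, fuzzer in (("naive", fuzz_without_regeneration),
                         ("token-aware", fuzz_with_regeneration)):
        print(f"== {name} ==")
        for r in fuzzer(TargetApp(), PAYLOADS):
            print(f"{r.status} reflected={r.reflected!s:5} {r.payload}")
```

The naive run reports 403 for every payload after the first, which a tester reading only status codes could mistake for "the input is filtered"; the token-aware run gets every payload to the handler and shows each one reflected. The same caveat applies to any tool: a wall of 403s during fuzzing is a hint to check token handling before drawing conclusions about the target.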

The Demo

Walkthrough (speaker notes):
- Open bodgeit session
- Talk through tabs
- Run spider
- Run active scanner
- Talk about results
- Fuzzer: view suitable page (which??); fuzz (use new version? Can't unless req/resp page fixed)
- View page with anti-CSRF token (which??); fuzz showing token regeneration
- Security regression tests: run regression tests, continuous integration; explain it's not the be-all-and-end-all, still need QA etc.
- Run security tests, talk over: exactly the same tests (1 method overridden). Still need pentesting, but find simple security problems within hours
- Spider, active scan, save session, exactly the same as before
- Stop ZAP
- Start ZAP UI, open saved session
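The regression-test part of the demo (drive ZAP headless from the build, spider, active scan, look at the alerts) is the piece most teams want to reproduce. Below is an added example of that loop, not code from the talk or from the ZAP project. The endpoint paths (JSON/spider/action/scan, JSON/ascan/action/scan, JSON/core/view/alerts and the matching view/status calls) are those of the current ZAP daemon JSON API, which postdates the 1.3 release discussed here. Host and port, the API key, the BodgeIt target URL and SAMPLE_ALERTS are constructed assumptions; FakeZap is a constructed stand-in for the daemon so the block runs offline, and http_fetch is the transport you would swap in for a real instance.

```python
"""Security regression scan through the ZAP JSON API (headless mode).

Added stand-alone example, not code from the talk or the ZAP project.
Endpoint paths are those of the current ZAP daemon API, which postdates the
1.3 release in the talk. Host/port, API key, target URL and SAMPLE_ALERTS
are constructed assumptions.
"""
import json
import time
import urllib.parse
import urllib.request

# ZAP reports alert risk as one of these strings.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ZapApi:
    """Thin client: spider, active scan, collect alerts. `fetch(url) -> dict`
    is injected so the same code runs against a real daemon (http_fetch) or
    the offline FakeZap below."""

    def __init__(self, fetch, base="http://127.0.0.1:8080", apikey="", poll_interval=0.0):
        self._fetch = fetch
        self._base = base
        self._apikey = apikey
        self._poll = poll_interval

    def _call(self, component, kind, name, **params):
        if self._apikey:
            params["apikey"] = self._apikey
        query = urllib.parse.urlencode(params)
        return self._fetch(f"{self._base}/JSON/{component}/{kind}/{name}/?{query}")

    def _wait(self, component, scan_id):
        # spider and ascan both expose view/status, returning percent complete.
        while int(self._call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(self._poll)

    def spider(self, target):
        scan_id = self._call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", scan_id)
        return scan_id

    def active_scan(self, target):
        scan_id = self._call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        self._wait("ascan", scan_id)
        return scan_id

    def alerts(self, target):
        return self._call("core", "view", "alerts", baseurl=target, start=0, count=1000)["alerts"]


def http_fetch(url):
    """Transport for a real ZAP daemon (assumed reachable at ZapApi.base)."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def run_regression_scan(api, target, fail_at="Medium"):
    """Spider + active scan, then return the alerts at or above `fail_at`.
    An empty list means the build gate passes."""
    api.spider(target)
    api.active_scan(target)
    threshold = RISK_ORDER[fail_at]
    return [a for a in api.alerts(target)
            if RISK_ORDER.get(a.get("risk"), 0) >= threshold]


class FakeZap:
    """Constructed stand-in for the daemon so the example runs offline.
    Status is 50 on the first poll of each scan and 100 afterwards, so the
    polling loop is actually exercised."""

    def __init__(self, alerts):
        self._alerts = alerts
        self._polls = {}
        self._next_id = 0
        self.calls = []

    def __call__(self, url):
        self.calls.append(url)
        parts = urllib.parse.urlparse(url)
        params = dict(urllib.parse.parse_qsl(parts.query))
        if parts.path in ("/JSON/spider/action/scan/", "/JSON/ascan/action/scan/"):
            scan_id, self._next_id = str(self._next_id), self._next_id + 1
            return {"scan": scan_id}
        if parts.path in ("/JSON/spider/view/status/", "/JSON/ascan/view/status/"):
            self._polls[params["scanId"]] = self._polls.get(params["scanId"], 0) + 1
            return {"status": "100" if self._polls[params["scanId"]] > 1 else "50"}
        if parts.path == "/JSON/core/view/alerts/":
            return {"alerts": self._alerts}
        raise ValueError(f"unexpected API call: {url}")


# Constructed sample alerts in the shape core/view/alerts returns.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:8080/bodgeit/search.jsp", "param": "q"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://localhost:8080/bodgeit/", "param": "JSESSIONID"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://localhost:8080/bodgeit/", "param": ""},
]

if __name__ == "__main__":
    import sys
    # Swap FakeZap(SAMPLE_ALERTS) for http_fetch to drive a real daemon
    # started with: zap.sh -daemon -port 8080 -config api.key=<key>
    api = ZapApi(FakeZap(SAMPLE_ALERTS), apikey="changeme")
    failing = run_regression_scan(api, "http://localhost:8080/bodgeit/")
    for a in failing:
        print(f"{a['risk']:<7} {a['alert']} at {a['url']} param={a['param']!r}")
    sys.exit(1 if failing else 0)
```

The exit code is the whole integration point: the CI job runs the functional tests through the ZAP proxy (so the spider and scanner have a populated site tree to work from), then runs this script and fails the build on anything at or above the chosen risk level. As the speaker notes say, this catches the simple problems within hours; it does not replace a pentest, and the threshold should be tuned so that the gate is trusted rather than routinely overridden.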

The Future
- Enhance scanners to detect more vulnerabilities
- Extend API, Ant and Maven integration
- Easier to use, better help
- Improved stability
- Fuzzing analysis
- Session analysis
- Data Exchange Format support
- More localization (all offers gratefully received!)
- What do you want?? Priorities for 1.4

Summary and Conclusion 1
ZAP is:
- Easy to use (for a web app pentest tool ;)
- Ideal for appsec newcomers
- Ideal for training courses
- Being used by professional pentesters
- Easy to contribute to (and please do!)
- Improving rapidly

Summary and Conclusion 2
ZAP has:
- An active development community
- An international user base
- The potential to reach people new to OWASP and appsec, especially developers and functional testers
ZAP is a flagship OWASP project (provisionally)

Any Questions?
http://www.owasp.org/index

Speaker notes:
Eclipse font settings: Windows / Preferences / General / Appearances / Colors and Fonts / Basic / Text Font