The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP Canberra 2014 OWASP ZAP Workshop 1: Getting started Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team

The plan Introduction The main bit Demo feature Let you play with feature Answer any questions Repeat Plans for the future sessions 2

3 What is ZAP? An easy to use webapp pentest tool Completely free and open source Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing Included in all major security distributions ToolsWatch.org Top Security Tool of 2013 Not a silver bullet!

4 ZAP Principles Free, Open source Involvement actively encouraged Cross platform Easy to use Easy to install Internationalized Fully documented Work well with other tools Reuse well regarded components

5 Statistics Released September 2010, fork of Paros V released in May 2014 V downloaded > 35K times Translated into 20+ languages Over 90 translators Mostly used by Professional Pentesters? Paros code: ~20% ZAP Code: ~80%

6 Open HUB Statistics Very High Activity The most active OWASP Project 31 active contributors 327 years of effort Source:

Some ZAP use cases Point and shoot – the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests Debugging Part of a larger security program 7

The BodgeIt Store A simple vulnerable web app Easy to install, minimal dependencies In memory db Scoring page – how well can you do? 8

The ZAP UI Top level menu Top level toolbar Tree window Workspace window Information window Footer 9

Quick Start - Attack Specify one URL ZAP will spider that URL Then perform an Active Scan And display the results Simple and effective Little control & cant handle authentication 10

Proxying via ZAP Plug-n-Hack easiest option, if using Firefox Otherwise manually configure your browser to proxy via ZAP And import the ZAP root CA Requests made via your browser should appear in the Sites & History tabs IE – dont “Bypass proxy for local addresses” 11

ZAP PnH

Manual ZAP config

Practical 1 Try out the Quick Start – Attack Configure your browser to proxy via ZAP Manually explore your target application 18

The Spiders Traditional Spider Fast Cant handle JavaScript very well AJAX Spider Launches a browser Slower Can handle Java Script 19

Practical 2 Use the 'traditional' spider on your target application Use the AJAX spider on your target application If you're using BodgeIt – can you find the 'hidden' content? 20

Answer: Hidden content

Active and Passive Scanning Passive Scanning is safe Active Scanning in NOT safe Only use on apps you have permission to test Launch via tab or 'attack' right click menu Effectiveness depends on how well you explored your app 22

Practical 3 Review the Passive issues already found Run the Active Scanner on your target application If you're using BodgeIt – Can you login as user1 or admin? Can you get an “XSS” popup? 23

Answer: Login as… Password guessing password SQL Injection or ‘1’=‘1 or ‘1’=‘1

Answer: XSS popup Search function Append alert(“XSS”)

Intercepting and changing Break on all requests Break on all responses Submit and step Submit and continue Bin the request or response Add a custom HTTP break point 26

Practical 4 Intercept and change requests and responses Use custom break points just on a specific page If you're using BodgeIt – can you make some money via the basket? 27

Answer: Make money Your Basket page Change quantity to negative number quantity_26=-5&update=Update+ Basket

Some final pointers Generating reports Save sessions at the start Right click everywhere Play with the UI options Explore the ZAP Marketplace F1: The User Guide Menu: Online / ZAP User Group 29

30 Future Sessions? Fuzzing Advanced Active Scanning Contexts Authentication Scripts Zest The API Websockets What do you want??

Any Questions?