Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

Published byKaia Lorance Modified over 10 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP AppSec Asia-Pacific 2012 An Introduction to ZAP The OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead psiinon@gmail.com

2 2 What is ZAP? An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing

3 3 ZAP Principles Free, Open source Involvement actively encouraged Cross platform Easy to use Easy to install Internationalized Fully documented Work well with other tools Reuse well regarded components

4 4 Statistics Released September 2010, fork of Paros V 1.3.4 downloaded 15,000 times V 1.4 alpha just released Fully internationalized Translated into 11 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Persian, Polish, Spanish Mostly used by Professional Pentesters? Paros code: ~40% Zap Code: ~60%

5 5 The Main Features All the essentials for web application testing Intercepting Proxy Active and Passive Scanners Spider Report Generation Brute Force (using OWASP DirBuster code) Fuzzing (using fuzzdb & OWASP JBroFuzz) Extensibility

6 6 The Additional Features Auto tagging Port scanner Smart card support Session comparison Invoke external apps BeanShell integration API + Headless mode Dynamic SSL Certificates Anti CSRF token handling

7 7 New in Version 1.4 Syntax highlighting

8 8

9 9 New in Version 1.4 Syntax highlighting Fuzzdb integration Parameter analysis

10 10

11 11 New in Version 1.4 Syntax highlighting Fuzzdb integration Parameter analysis Enhanced XSS scanner Plugable extensions Reveal hidden fields Some of the Watcher checks Lots of bug fixes!

12 Extending ZAP Invoking applications directly REST API Filters Active Scan Rules Passive Scan Rules Full Extensions https://code.google.com/p/zap-extensions/ 12

13 13 Regression Tests http://code.google.com/p/bodgeit/wiki/RegTests Security

14 Collaborations Dradis – ZAP upload plugin OWASP AJAX Crawling Tool OWASP ModSecurity Core Rule Set script – SpiderLabs ThreadFix – Denim Group Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young Grey-box plugin – BCC Risk Advisory 14

15 15 Work In Progress Enhance scanners to detect more vulnerabilities Extend API, Ant and Maven integration Easier to use, better help Improved stability Session analysis

16 16

17 17 Work In Progress Enhance scanners to detect more vulnerabilities Extend API, Ant and Maven integration Easier to use, better help Improved stability Session analysis

18 18 The Future Closer integration with OWASP AJAX Tool Support for SPDY and WebSockets Extensions marketplace Full scripting support Configurable Actions Fuzzing analysis What do you want??

19 Any Questions? http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Download ppt "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Copyright 2010 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2010 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland - 2009.

A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland
Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Scienze dellInformazione Università di Bologna.

Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Scienze dellInformazione Università di Bologna.
Behzad Samin 0 An End-to-End Overview of a RESTful Web Service.

Behzad Samin 0 An End-to-End Overview of a RESTful Web Service.
SecuBat: An Automated Web Vulnerability Detection Framework

SecuBat: An Automated Web Vulnerability Detection Framework
AJDT 1.5.1 and AspectJ 1.5.4 Release Review | © 2007 by SpringSource, made available under the EPL v1.0 1 Release Review: AJDT 1.5.1 and AspectJ 1.5.4.

AJDT and AspectJ Release Review | © 2007 by SpringSource, made available under the EPL v1.0 1 Release Review: AJDT and AspectJ
0 - 0.

0 - 0.
Addition Facts 1 - 20.

Addition Facts
1 19-Jan-14 © Copyright: City Boy Salary : Simon Powers : 2014 Brown Bag – Behaviour Driven Development with Specflow Brown Bag – Behaviour Driven Development.

1 19-Jan-14 © Copyright: City Boy Salary : Simon Powers : 2014 Brown Bag – Behaviour Driven Development with Specflow Brown Bag – Behaviour Driven Development.
1 Scanshell.Net CSSN – Card Scanning Solutions THE ULTIMATE, ALL-IN-ONE CARD-SCANNING SOLUTION.

1 Scanshell.Net CSSN – Card Scanning Solutions THE ULTIMATE, ALL-IN-ONE CARD-SCANNING SOLUTION.
Mind Mapping Techniques to Create Proposals APMP Colorado Chapter March 6, 2012 James J. Franklin San Diego PMI Chapter PMI is a registered trade and service.

Mind Mapping Techniques to Create Proposals APMP Colorado Chapter March 6, 2012 James J. Franklin San Diego PMI Chapter PMI is a registered trade and service.
GETTING STARTED WITH WINDOWS COMMUNICATION FOUNDATION 4.5 Ed Jones & Grey Guindon.

GETTING STARTED WITH WINDOWS COMMUNICATION FOUNDATION 4.5 Ed Jones & Grey Guindon.
DPM ARCHITECT FOR XBRL XBRL taxonomy editor aimed at BUSINESS USERS Based on the DPM approach and DPM XBRL Architecture Currently on its last stage of.

DPM ARCHITECT FOR XBRL XBRL taxonomy editor aimed at BUSINESS USERS Based on the DPM approach and DPM XBRL Architecture Currently on its last stage of.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Introduction to Maven 2.0 An open source build tool for Enterprise Java projects Mahen Goonewardene.

Introduction to Maven 2.0 An open source build tool for Enterprise Java projects Mahen Goonewardene.
Past Tense Probe. Past Tense Probe Past Tense Probe – Practice 1.

Past Tense Probe. Past Tense Probe Past Tense Probe – Practice 1.
]po[ Docu Wiki.  ]project-opem[ 2008, Rollout Methodology / Frank Bergmann / 2 Types of Readers  Beginners – These users have just started using ]po[.

]po[ Docu Wiki.  ]project-opem[ 2008, Rollout Methodology / Frank Bergmann / 2 Types of Readers  Beginners – These users have just started using ]po[.

Similar presentations

Ads by Google