An Introduction to ZAP The OWASP Zed Attack Proxy


1 An Introduction to ZAP: The OWASP Zed Attack Proxy
OWASP AppSec USA 2011
Simon Bennetts, Sage UK Ltd, OWASP ZAP Project Lead

Question for the audience: devs or pentesters? Used ZAP? I work for Sage in the UK, as lead dev and on the security team. ZAP is not sponsored by Sage, but Sage is very supportive of my security work. Plan: Background (does the world need another pentest tool?), Functionality, Demo, Future.

2 The Introduction
The statement: You cannot build secure web applications unless you know how to attack them.
The problem: For many developers 'penetration testing' is a black art.
The solution: Teach basic pentesting techniques to developers.
Thanks to Royston Robertson for permission to use his cartoon!

Like trying to build a castle in the middle ages without knowledge of siege engines, sapping techniques... You need to know what the bad guys will do. In software there are devs, QA and pentesters; pentesters are often from another company. Pentest story!

3 The Caveat
This is in addition to:
Teaching secure coding techniques
Teaching about common vulnerabilities (e.g. OWASP Top 10)
Secure Development Software Lifecycle
Static and dynamic source code analysis
Code reviews
Professional pentesting
Not a silver bullet, because they don't exist

One of the first questions: what tools should we use? I couldn't find one that met my exacting requirements (more later). The closest was Paros, or my hacked version...

4 The Zed Attack Proxy
Released September 2010
Ease of use a priority
Comprehensive help pages
Free, open source
Cross platform
A fork of the well regarded Paros Proxy
Involvement actively encouraged
Adopted by OWASP October 2010

5 1 year later...
Version 1.3.2 released mid August...
...and downloaded times
5 main coders, 15 contributors
Fully internationalized
Translated into 10 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Polish, Spanish
Mostly used by professional pentesters?
Paros code: ~55%, ZAP code: ~45%

6 ZAP Principles
Free, open source
Cross platform
Easy to use
Easy to install
Internationalized
Fully documented
Involvement actively encouraged
Reuse well regarded components

7 Where is ZAP being used?

8 The Main Features
All the essentials for web application testing:
Intercepting proxy
Active and passive scanners
Spider
Report generation
Brute force (using OWASP DirBuster code)
Fuzzing (using OWASP JBroFuzz code)

9 The Additional Features
Auto tagging
Port scanner
Smart card support
Session comparison
Invoke external apps
BeanShell integration
API + headless mode
Dynamic SSL certificates
Anti-CSRF token handling
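The anti-CSRF token handling listed here, and the "token regeneration" step in the demo walkthrough, concern forms whose token changes on every render and is only valid once. The following Python is an added illustration, not ZAP's or BodgeIt's code: ToyApp is a constructed in-memory stand-in for a web application that issues single-use tokens, and the two submit helpers show why a test harness that captures the token once is rejected from the second request onward, while one that re-fetches the form before each submission keeps working. All class, function and field names are assumptions made for the example.

```python
import re
import secrets


class ToyApp:
    """Constructed in-memory stand-in for a web app (not BodgeIt, not ZAP code)."""

    def __init__(self):
        self.tokens = set()  # outstanding single-use anti-CSRF tokens

    def get_form(self):
        """GET the transfer form: every render embeds a fresh token."""
        token = secrets.token_hex(16)
        self.tokens.add(token)
        html = (f'<form method="post"><input type="hidden" name="csrf" value="{token}">'
                '<input name="amount"></form>')
        return 200, html

    def post_form(self, fields):
        """POST the form: accept only an outstanding token, then burn it."""
        token = fields.get("csrf")
        if token not in self.tokens:
            return 403, "anti-CSRF token missing, unknown or already used"
        self.tokens.discard(token)
        return 200, f"transferred {fields.get('amount')}"


# Hidden-field pattern the harness uses to find the token in the rendered form.
TOKEN_RE = re.compile(r'name="csrf" value="([0-9a-f]{32})"')


def extract_token(html):
    """Pull the hidden anti-CSRF field out of a rendered form, or None if absent."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def submit_reusing_token(app, values):
    """Capture the token once and replay it: only the first submission gets through."""
    token = extract_token(app.get_form()[1])
    return [app.post_form({"csrf": token, "amount": v})[0] for v in values]


def submit_with_regeneration(app, values):
    """Re-fetch the form before every submission so each request carries a live token."""
    statuses = []
    for v in values:
        token = extract_token(app.get_form()[1])
        statuses.append(app.post_form({"csrf": token, "amount": v})[0])
    return statuses


if __name__ == "__main__":
    app = ToyApp()
    print("reuse one token:", submit_reusing_token(app, ["10", "20", "30"]))
    print("regenerate token:", submit_with_regeneration(app, ["10", "20", "30"]))
```

The point for a defender is the server side: a token that is bound to one render and discarded on use turns any replayed or forged submission into a 403, which is exactly what makes automated tooling need the regeneration step.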

10 The Demo Walkthrough
Open BodgeIt session
Talk through tabs
Run spider
Run active scanner
Talk about results
Fuzzer: view a suitable page (which??). Fuzz; use the new version? Can't unless the req/resp page is fixed.
View page with anti-CSRF token (which??). Fuzz, showing token regeneration.
Security regression tests: run the regression tests, continuous integration; explain this is not the be-all-and-end-all, you still need QA etc. Run the security tests, talk over them. Exactly the same tests (1 method overridden). Still need pentesting, but you find simple security problems within hours.
Spider, active scan, save session, exactly the same as before. Stop ZAP. Start the ZAP UI, open the saved session.
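The security regression step in the walkthrough (the same functional tests, one method overridden so that traffic goes through the proxy, with the result gated in continuous integration) can be sketched in a few dozen lines. The Python below is an added example, not the slides' or ZAP's own code: toy_app is a constructed stand-in for the application under test, RecordingProxy and its two passive checks are a constructed stand-in for an intercepting proxy, and every class, function and alert name is an assumption made for the example. What it shows is the shape of the arrangement: the functional suite does not change, the subclass overrides only send(), and the build fails if either a functional test breaks or the proxy raised an alert.

```python
import io
import sys
import unittest


# Constructed toy application standing in for the app under test (not BodgeIt).
# Returns (status, headers, body); it carries two deliberate weaknesses for the checks to find.
def toy_app(method, path, fields=None):
    if method == "POST" and path == "/login":
        return 200, {"Set-Cookie": "JSESSIONID=abc123; Path=/"}, "welcome"      # no HttpOnly
    if method == "GET" and path == "/search":
        q = (fields or {}).get("q", "")
        return 200, {"Content-Type": "text/html"}, f"<h1>Results for {q}</h1>"  # no X-Frame-Options
    return 404, {}, "not found"


class RecordingProxy:
    """Stand-in for an intercepting proxy: forwards traffic, runs passive checks, keeps alerts."""

    def __init__(self, app):
        self.app = app
        self.alerts = []

    def send(self, method, path, fields=None):
        status, headers, body = self.app(method, path, fields)
        self.passive_checks(path, headers)
        return status, headers, body

    def passive_checks(self, path, headers):
        # Passive checks only inspect responses that the tests caused; they send nothing extra.
        lowered = {k.lower(): v for k, v in headers.items()}
        cookie = lowered.get("set-cookie")
        if cookie is not None and "httponly" not in cookie.lower():
            self.alerts.append(("Cookie without HttpOnly flag", path))
        if "text/html" in lowered.get("content-type", "") and "x-frame-options" not in lowered:
            self.alerts.append(("Missing X-Frame-Options header", path))


class FunctionalTests(unittest.TestCase):
    """Ordinary functional tests; send() is the single seam a proxy can be hooked into."""

    def send(self, method, path, fields=None):
        return toy_app(method, path, fields)

    def test_login(self):
        status, _, body = self.send("POST", "/login", {"user": "alice", "pw": "secret"})
        self.assertEqual(status, 200)
        self.assertIn("welcome", body)

    def test_search(self):
        status, _, body = self.send("GET", "/search", {"q": "zap"})
        self.assertEqual(status, 200)
        self.assertIn("zap", body)


PROXY = RecordingProxy(toy_app)


class SecurityRegressionTests(FunctionalTests):
    """Exactly the same tests, one method overridden: traffic now goes through the proxy."""

    def send(self, method, path, fields=None):
        return PROXY.send(method, path, fields)


def _run(test_class):
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(test_class)
    return unittest.TextTestRunner(stream=io.StringIO()).run(suite).wasSuccessful()


def run_functional():
    """Plain functional run: True if every test passed."""
    return _run(FunctionalTests)


def run_security_regression():
    """Same tests through the proxy: (all tests passed?, sorted unique alerts the proxy raised)."""
    PROXY.alerts.clear()
    passed = _run(SecurityRegressionTests)
    return passed, sorted(set(PROXY.alerts))


if __name__ == "__main__":
    passed, alerts = run_security_regression()
    for name, path in alerts:
        print(f"ALERT: {name} at {path}")
    # CI gate: fail the build if a functional test broke or the proxy raised any alert.
    sys.exit(0 if passed and not alerts else 1)
```

Both weaknesses surface without any dedicated security test, which is the walkthrough's point: the existing functional coverage drives the proxy, and the proxy does the looking. It also illustrates the caveat on the same slide: passive checks of this kind find simple problems only, so QA and pentesting are still needed.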

11 The Future
Enhance scanners to detect more vulnerabilities
Extend API, Ant and Maven integration
Easier to use, better help
Improved stability
Fuzzing analysis
Session analysis
Data Exchange Format support
More localization (all offers gratefully received!)
What do you want?? Priorities for 1.4

12 Summary and Conclusion 1
ZAP is:
Easy to use (for a web app pentest tool ;)
Ideal for appsec newcomers
Ideal for training courses
Being used by professional pentesters
Easy to contribute to (and please do!)
Improving rapidly

13 Summary and Conclusion 2
ZAP has:
An active development community
An international user base
The potential to reach people new to OWASP and appsec, especially developers and functional testers
ZAP is a flagship OWASP project (provisionally)

14 Any Questions?
http://www.owasp.org/index

Eclipse font settings: Windows / Preferences / General / Appearances / Colors and Fonts / Basic / Text Font

