Web Testing with OWASP ZED Application Proxy (ZAP) Testing with OWASP ZED Application Proxy (ZAP)...

Preview:

Click to see full reader

Citation preview

Web Testing with OWASP ZED Application Proxy (ZAP)

@MikeLandeck

CactusCon 2014

How ZAP Works

Tester enters input

Browser directs

input to ZAP

ZAP proxies to web server

Tester views

response in ZAP

ZAP proxies to Browser

Web Server

Responds

Launch Ice Weasel

Or you can simply type “iceweasel” at the command prompt

ZAP Set-up

1. From Iceweasel, open the Preferences console by clicking Edit Preferences

2. Click the Network Tab3. Click Settings

Configure the Proxy

1. Select “Manual proxy configurations”2. HTTP Proxy = 127.0.0.13. Port = 8080

Open ZAP

Applications Kali Linux Web Applications Web Application Proxies owasp-zap

Or you can just type “zap” at the command line

ZAP Demo’s

1. Options Menu1. Active Scan Settings2. Authentication

2. Manual Inspection1. Sites2. Alerts

3. Encode/Decode4. Active Scan5. Forced Browse6. Save7. Report

ZAP Report

Rule Out False Positives

You may not be able to rule all the false positives yourself.

As a tester, it is completely acceptable to request a developer, architect, system admin or application admin to help you make sense of a finding.

Recommended

Meetup Welcome to the OWASP Toronto Hello, and happy 2018! · awesomeness) OWASP Zed Attack Proxy (ZAP) Burp Suite Community Edition Kali Linux (+ forensics mode) Learn about the
Documents
N different strategies to automate OWASP ZAP different strategies to automate OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor @gmaran23 ... The app sec
Documents
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Technology
CIS 700/002 : Special Topics : OWASP ZED (ZAP)– Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user
Documents
OWASP 2013 APPSEC USA ZAP Hackathon
Technology
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Internet
Introduction to OWASP ZAP Overview ZAP.secure.expertsmind.com/attn_files/1357_Lab-Introduction_to_owasp_… · Introduction to OWASP ZAP Overview This lab walks you through using
Documents
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Technology
OWASP Zed Attack ProxyZed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com OWASP Romania 2014. 2 What is ZAP? •An easy to use webapp pentest
Documents
Building OWASP ZAP Using Eclipse IDE for Java… Pen … · Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers Author: Raul Siles (raul @ taddong.com) Taddong – Version:
Documents
An Introduction to ZAP - OWASP · • Proxying via ZAP, and then scanning • Manual pentesting
Documents
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Technology
Building OWASP ZAP Using Eclipse IDE for Java …...This brief guide details the process required to build the OWASP Zed Attack Proxy (ZAP) code using the Eclipse IDE for Java Developers
Documents
OWASP 2014 AppSec EU ZAP Advanced Features
Technology
Security Project 2014 ANNUAL REPORT - Meetupfiles.meetup.com/2461862/OWASP-2014-Annual-Report.compressed.pdf · OWASP iGoat v2.2 Zed Attack Proxy (Zap) v3.0 Security Shepherd Project
Documents
Creating OWASP ZAP Extensions and Add-ons · Creating OWASP ZAP Extensions 17th July 2013 – Version 1.0 – OWASP ZAP version 2.1.0 4 | P a g e Step 1: Download source code and
Documents
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond
Internet
OWASP Zed Attack Proxy
Technology
OWASP ZAP – Zed Attack Proxy - holisticinfosec.orgholisticinfosec.org/toolsmith/pdf/november2011.pdfOWASP ZAP – Zed Attack Proxy ... with an anti CSRF-token in it, ZAP can regenerate
Documents
OWASP 2013 EU Tour Amsterdam ZAP Intro
Technology