OWASP Canberra 2014
OWASP ZAP
Workshop 1:
Getting started
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
The plan
Introduction
The main bit
Demo feature
Let you play with feature
Answer any questions
Repeat
Plans for the future sessions
What is ZAP?
An easy to use webapp pentest tool
Completely free and open source
Ideal for beginners
But also used by professionals
Ideal for devs, esp. for automated security tests
Becoming a framework for advanced testing
Included in all major security distributions
ToolsWatch.org Top Security Tool of 2013
Not a silver bullet!
ZAP Principles
Free, Open source
Involvement actively encouraged
Cross platform
Easy to use
Easy to install
Internationalized
Fully documented
Work well with other tools
Reuse well regarded components
Statistics
Released September 2010, fork of Paros
V 2.3.1 released in May 2014
V 2.3.1 downloaded > 35K times
Translated into 20+ languages
Over 90 translators
Mostly used by Professional Pentesters?
Paros code: ~20%, ZAP code: ~80%
Open HUB Statistics
Very High Activity
The most active OWASP Project
31 active contributors
327 years of effort
Source: https://www.openhub.net/p/zaproxy
Some ZAP use cases
Point and shoot the Quick Start tab
Proxying via ZAP, and then scanning
Manual pentesting
Automated security regression tests
Debugging
Part of a larger security program
The BodgeIt Store
A simple vulnerable web app
Easy to install, minimal dependencies
In memory db
Scoring page: how well can you do?
The ZAP UI
Top level menu
Top level toolbar
Tree window
Workspace window
Information window
Footer
Quick Start - Attack
Specify one URL
ZAP will spider that URL
Then perform an Active Scan
And display the results
Simple and effective
Little control, and can't handle authentication
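The Quick Start attack (spider one URL, active scan it, show the results) is also the sequence you would script for the "automated security regression tests" use case listed earlier. The script below is an added example for this page, not code from the slides or from the ZAP project: it drives the same three steps through ZAP's JSON API and then turns the alert list into a CI pass/fail verdict. It assumes ZAP is listening on 127.0.0.1:8080 (the default), that no API key is configured (the 2.3.x default; set API_KEY if your ZAP requires one), that only the "risk", "alert" and "url" fields of each alert are relied on, and, as with the Active Scanner itself, that the target is one you have permission to attack. The SAMPLE_ALERTS data is constructed so the decision logic can be run without a live ZAP.

```python
"""Scripted Quick Start attack against ZAP's JSON API, plus a CI verdict.

Added example for this workshop page; not part of ZAP or the slides.
Assumptions: ZAP on 127.0.0.1:8080, no API key, alerts carry 'risk',
'alert' and 'url' fields. Only run the attack against apps you may test.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"   # assumption: default ZAP proxy/API address
API_KEY = ""                    # assumption: none configured; set if ZAP demands one
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_api(component, kind, name, **params):
    """Call one ZAP JSON endpoint, e.g. zap_api('spider', 'action', 'scan', url=...)."""
    if API_KEY:
        params["apikey"] = API_KEY
    query = urllib.parse.urlencode(params)
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll=2.0):
    """Poll <component>/view/status until ZAP reports the scan at 100%."""
    while True:
        status = int(zap_api(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return
        time.sleep(poll)


def quick_start_attack(target):
    """Spider the target, then active scan it, then return ZAP's alert list."""
    scan_id = zap_api("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", scan_id)
    scan_id = zap_api("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", scan_id)
    return zap_api("core", "view", "alerts", baseurl=target)["alerts"]


def alerts_at_or_above(alerts, threshold):
    """Alerts whose risk is at least `threshold`, worst first, one per (name, url)."""
    min_rank = RISK_ORDER[threshold]
    seen = set()
    kept = []
    for a in alerts:
        key = (a["alert"], a["url"])
        if RISK_ORDER.get(a["risk"], 0) >= min_rank and key not in seen:
            seen.add(key)
            kept.append(a)
    kept.sort(key=lambda a: RISK_ORDER.get(a["risk"], 0), reverse=True)
    return kept


def regression_verdict(alerts, fail_at="High"):
    """CI decision: (exit code, one summary line per failing alert)."""
    failing = alerts_at_or_above(alerts, fail_at)
    lines = [f"{a['risk']:<13} {a['alert']}  {a['url']}" for a in failing]
    return (1 if failing else 0), lines


# Constructed sample in the shape of core/view/alerts output (not real scan results),
# with a duplicate High alert to show the de-duplication.
SAMPLE_ALERTS = [
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "http://localhost:8080/bodgeit/"},
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)", "url": "http://localhost:8080/bodgeit/search.jsp"},
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)", "url": "http://localhost:8080/bodgeit/search.jsp"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://localhost:8080/bodgeit/"},
]

if __name__ == "__main__":
    # With a URL argument: run the real attack via ZAP. Without one: use the sample data.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    alerts = quick_start_attack(target) if target else SAMPLE_ALERTS
    code, lines = regression_verdict(alerts, fail_at="High")
    print("\n".join(lines) or "no alerts at or above threshold")
    sys.exit(code)
```

Run it as `python zap_quickstart.py http://localhost:8080/bodgeit/` with ZAP open; a non-zero exit code fails the build when any alert at or above the chosen risk is present. Because it scripts exactly what the Quick Start tab does, it shares the same limitation noted above: no authentication handling, so pages behind a login are not reached.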
Proxying via ZAP
Plug-n-Hack: the easiest option, if using Firefox
Otherwise manually configure your browser to proxy via ZAP
And import the ZAP root CA into the browser, so HTTPS sites can be intercepted without certificate warnings
Requests made via your browser should appear in the Sites & History tabs
IE: don't tick "Bypass proxy server for local addresses", or requests to localhost will not go through ZAP
Practical 1
Try out the Quick Start Attack
Configure your browser to proxy via ZAP
Manually explore your target application
The Spiders
Traditional Spider: fast
Can't handle JavaScript very well
AJAX Spider: launches a browser
Slower
Can handle JavaScript
Practical 2
Use the 'traditional' spider on your target application
Use the AJAX spider on your target application
If you're using BodgeIt: can you find the 'hidden' content?
Active and Passive Scanning
Passive Scanning is safe: it only inspects the requests and responses that pass through ZAP
Active Scanning is NOT safe: it sends attacks to the target
Only use it on apps you have permission to test
Launch via tab or 'attack' right click menu
Effectiveness depends on how well you explored your app
Practical 3
Review the Passive issues already found
Run the Active Scanner on your target application
If you're using BodgeIt: can you log in as user1 or admin?
Can you get an XSS popup?
Intercepting and changing
Break on all requests
Break on all responses
Submit and step
Submit and continue
Bin the request or response
Add a custom HTTP break point
Practical 4
Intercept and change requests and responses
Use custom break points just on a specific page
If you're using BodgeIt: can you make some money via the basket?
Some final pointers
Generating reports
Save sessions at the start
Right click everywhere
Play with the UI options
Explore the ZAP Marketplace
F1: The User Guide
Menu: Online / ZAP User Group
Future Sessions?
Fuzzing
Advanced Active Scanning
Contexts
Authentication
Scripts
Zest
The API
Websockets
What do you want?
Any Questions?
http://www.owasp.org/index.php/ZAP
The OWASP Foundation
http://www.owasp.org
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.