
ZAP @FOSSASIA2015


The OWASP Foundation

http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

FOSSASIA 2015

An Introduction to ZAP

OWASP Zed Attack Proxy

Sumanth Damarla

Mozilla Winter of Security

Mozilla Rep

[email protected]


What is ZAP?

• An easy-to-use web app pentest tool

•Completely free and open source

•An OWASP flagship project

•Ideal for beginners

•But also used by professionals

•Ideal for devs, esp. for automated security tests

•Becoming a framework for advanced testing

•Included in all major security distributions

•Not a silver bullet!


ZAP Principles

• Free, open source

• Cross platform

• Easy to use

• Easy to install

• Internationalized

• Fully documented

• Involvement actively encouraged

• Reuse well regarded components


Statistics

• First released September 2010, as a fork of Paros Proxy

•V 2.3.1 released in May 2014

•V 2.3.1 downloaded > 140K times

•Translated into 30 languages

•Over 120 translators

•Mostly used by Professional Pentesters?

• Paros code: ~20%, ZAP code: ~80%


Open HUB Statistics

• Very high activity

•The most active OWASP Project

•60 contributors, 30 active

• An estimated 340 person-years of effort (Open Hub's COCOMO-based estimate)

•Source: https://www.openhub.net/p/zaproxy


The Main Features

All the essentials for web application testing:

• Intercepting Proxy

• Active and Passive Scanners

• Spider

• Report Generation

• Brute force / forced browsing of hidden files and directories (using OWASP DirBuster code)

• Fuzzing (using OWASP JBroFuzz code)


Developer Features

• Quick start

• REST API

• Java and Python clients

• Headless mode

• Anti-CSRF token handling

• Authentication support

• Session management

• Auto updating

• Modes


The Additional Features

• Auto tagging

• Port scanner

• Smart card support

• Session comparison

• Invoke external apps

• BeanShell integration

• API + Headless mode

• Dynamic SSL Certificates

• Anti-CSRF token handling

How can you use ZAP?

•Point and shoot – the Quick Start tab

•Proxying via ZAP, and then scanning

•Manual pentesting

•Automated security regression tests

•As a debugger

•As part of a larger security program


Security Regression Tests

http://code.google.com/p/zaproxy/wiki/SecRegTests
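As an added example (not code from these slides or from the ZAP project), the script below drives the REST API listed under Developer Features and implements the security regression test that the wiki page above describes: it spiders and actively scans a target through a headless ZAP, fetches the alerts and fails when any alert reaches a chosen risk level. It uses only the Python standard library rather than the official Python client so the URL layout of the API stays visible. The ZAP address, the API key, the target URL and the alerts returned by `fake_zap_transport` are assumptions made so the script runs offline.

```python
"""Security regression test driven through the OWASP ZAP REST API.

Every ZAP component is addressed the same way:

    http://<zap-host>:<port>/<FORMAT>/<component>/<view|action>/<name>/?<params>

FORMAT is JSON, XML, HTML or OTHER.  The calls below (spider and active
scan start/status, core alerts) are the ones a CI job needs.  The HTTP
transport is injectable so the script runs offline against a constructed
stand-in for ZAP; omit `transport` to talk to a real headless ZAP.
"""
import json
import time
import urllib.parse
import urllib.request

# ZAP's alert risk levels, ordered so a threshold can be applied.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


class ZapApi:
    """Minimal JSON client for the ZAP API (address and key are assumptions)."""

    def __init__(self, base="http://127.0.0.1:8080", apikey="", transport=None):
        self.base = base.rstrip("/")
        self.apikey = apikey
        self._transport = transport or self._http_get

    def url(self, component, kind, name, **params):
        """Build /JSON/<component>/<kind>/<name>/?...; kind is 'view' or 'action'."""
        if self.apikey:
            params["apikey"] = self.apikey  # required once a key is configured in ZAP
        return f"{self.base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"

    def call(self, component, kind, name, **params):
        return json.loads(self._transport(self.url(component, kind, name, **params)))

    @staticmethod
    def _http_get(url):
        # Talk to ZAP directly and ignore any http_proxy in the environment,
        # otherwise the request to ZAP's own API port could itself be proxied.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(url, timeout=30) as resp:
            return resp.read().decode("utf-8")


def wait_for(api, component, scan_id, poll_interval=2.0):
    """Poll <component>/view/status until ZAP reports 100 percent complete."""
    while True:
        status = int(api.call(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return status
        time.sleep(poll_interval)


def spider_and_scan(api, target, poll_interval=2.0):
    """Spider the target, run the active scanner, return the raw alert list."""
    spider_id = api.call("spider", "action", "scan", url=target)["scan"]
    wait_for(api, "spider", spider_id, poll_interval)
    ascan_id = api.call("ascan", "action", "scan", url=target)["scan"]
    wait_for(api, "ascan", ascan_id, poll_interval)
    return api.call("core", "view", "alerts", baseurl=target)["alerts"]


def failing_alerts(alerts, fail_at="Medium"):
    """Alerts at or above the threshold; an unknown risk string counts as Informational."""
    floor = RISK_ORDER[fail_at]
    return [a for a in alerts if RISK_ORDER.get(a.get("risk"), 0) >= floor]


def regression_test(api, target, fail_at="Medium", poll_interval=2.0):
    """Return (passed, offending_alerts) so a CI step can fail the build."""
    offending = failing_alerts(spider_and_scan(api, target, poll_interval), fail_at)
    return (not offending, offending)


# Constructed stand-in for a running ZAP so the script works offline.
SAMPLE_ALERTS = [  # constructed data in the shape core/view/alerts returns
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://testapp.example/"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://testapp.example/search?q=x", "param": "q"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://testapp.example/login"},
]


def fake_zap_transport(url):
    """Answer the API calls used above with fixed JSON, keyed on the URL path."""
    path = urllib.parse.urlparse(url).path
    responses = {
        "/JSON/spider/action/scan/": {"scan": "1"},
        "/JSON/spider/view/status/": {"status": "100"},
        "/JSON/ascan/action/scan/": {"scan": "1"},
        "/JSON/ascan/view/status/": {"status": "100"},
        "/JSON/core/view/alerts/": {"alerts": SAMPLE_ALERTS},
    }
    return json.dumps(responses[path])


if __name__ == "__main__":
    import sys
    # Against a real ZAP started headless (e.g. `zap.sh -daemon -port 8080`),
    # drop the transport argument: ZapApi(apikey="changeme").
    api = ZapApi(apikey="changeme", transport=fake_zap_transport)
    passed, offending = regression_test(api, "http://testapp.example",
                                        fail_at="Medium", poll_interval=0)
    for a in offending:
        print(f"{a['risk']:<7} {a['alert']} at {a['url']}")
    sys.exit(0 if passed else 1)
```

The threshold is the policy decision worth making explicit: failing a build on Medium catches missing security headers as well as injection, while `fail_at="High"` only stops the pipeline for findings such as reflected XSS. Because ZAP's active scanner sends attack payloads, point it at a test deployment, never at production.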


Version 2.4.0

• UI changes

• Scan dialogs

• Scan policies

• Attack mode

• API changes

• Lots of minor enhancements and bug fixes!


And some new alpha add-ons

• Access Control Testing

• Advanced fuzzer

• Sequence scanning


The Future

• Enhance scanners to detect more vulnerabilities

• Extend API, better integration

• Fuzzing analysis

• Easier to use, better help

• More localization (all offers gratefully received!)

• Parameter analysis?

• Technology detection?

• What do you want?? ☺

Summary and Conclusion 1

• ZAP is:

• Easy to use (for a web app pentest tool ;)

• Ideal for appsec newcomers

• Ideal for training courses

• Being used by Professional Pen Testers

• Easy to contribute to (and please do!)

• Improving rapidly


Summary and Conclusion 2

• ZAP has:

• An active development community

• An international user base

• The potential to reach people new to OWASP and appsec, especially developers and functional testers

• ZAP is a key OWASP project

Any Questions?

http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project