2014 ZAP Workshop 1: Getting Started

Uploaded by simon-bennetts, posted 16-Apr-2017

TRANSCRIPT


OWASP Canberra 2014

OWASP ZAP
Workshop 1:
Getting started

Simon Bennetts

OWASP ZAP Project Lead
Mozilla Security Team

[email protected]

The plan

Introduction

The main bit

Demo feature

Let you play with feature

Answer any questions

Repeat

Plans for the future sessions

What is ZAP?

An easy to use webapp pentest tool

Completely free and open source

Ideal for beginners

But also used by professionals

Ideal for devs, esp. for automated security tests

Becoming a framework for advanced testing

Included in all major security distributions

ToolsWatch.org Top Security Tool of 2013

Not a silver bullet!

ZAP Principles

Free, Open source

Involvement actively encouraged

Cross platform

Easy to use

Easy to install

Internationalized

Fully documented

Work well with other tools

Reuse well regarded components

Statistics

Released September 2010, fork of Paros

V 2.3.1 released in May 2014

V 2.3.1 downloaded > 35K times

Translated into 20+ languages

Over 90 translators

Mostly used by Professional Pentesters?

Paros code: ~20%, ZAP code: ~80%

Open HUB Statistics

Very High Activity

The most active OWASP Project

31 active contributors

An estimated 327 person-years of effort

Source: https://www.openhub.net/p/zaproxy

Some ZAP use cases

Point and shoot: the Quick Start tab

Proxying via ZAP, and then scanning

Manual pentesting

Automated security regression tests

Debugging

Part of a larger security program

The BodgeIt Store

A simple vulnerable web app

Easy to install, minimal dependencies

In memory db

Scoring page: how well can you do?

The ZAP UI

Top level menu

Top level toolbar

Tree window

Workspace window

Information window

Footer

Quick Start - Attack

Specify one URL

ZAP will spider that URL

Then perform an Active Scan

And display the results

Simple and effective

Little control, and can't handle authentication
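The Quick Start Attack is just three API calls in a row, which is what makes it usable from a build job (the "automated security regression tests" use case above). The script below is an added example, not code from the workshop or from the ZAP project: it drives the same spider, then active scan, then alerts sequence over ZAP's JSON API (`/JSON/<component>/<kind>/<name>/`), assuming ZAP is listening on localhost:8080 with the API enabled. `FakeZap`, its canned alerts and the BodgeIt URL are constructed stand-ins so the flow runs offline; drop the `fetch=` argument to talk to a real ZAP.

```python
"""Drive ZAP's Quick Start 'Attack' flow (spider, then active scan, then
read the alerts) over the ZAP JSON API, as a regression-test style script.

Added example, not workshop or ZAP code.  Assumes ZAP runs with its API
enabled on localhost:8080 and uses the spider, ascan and core components.
FakeZap below is constructed stand-in data so the flow can be exercised
without a live ZAP or a target application.
"""
import json
import time
import urllib.parse
import urllib.request


class ZapClient:
    """Tiny wrapper around http://<zap>/JSON/<component>/<kind>/<name>/?..."""

    def __init__(self, base="http://localhost:8080", api_key=None,
                 fetch=None, poll_interval=2.0):
        self.base = base.rstrip("/")
        self.api_key = api_key            # needed only if ZAP has an API key set
        self.poll_interval = poll_interval
        # fetch(url) -> decoded JSON; injectable so the flow can run offline
        self.fetch = fetch or self._http_fetch

    @staticmethod
    def _http_fetch(url):
        with urllib.request.urlopen(url, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def call(self, component, kind, name, **params):
        if self.api_key:
            params["apikey"] = self.api_key
        url = "%s/JSON/%s/%s/%s/?%s" % (
            self.base, component, kind, name, urllib.parse.urlencode(params))
        return self.fetch(url)

    def wait_for_scan(self, component, scan_id):
        """Poll <component>/view/status until the scan reports 100%."""
        while True:
            status = int(self.call(component, "view", "status",
                                   scanId=scan_id)["status"])
            if status >= 100:
                return status
            time.sleep(self.poll_interval)


def quick_attack(zap, target):
    """The three steps the Quick Start tab performs; returns ZAP's alerts."""
    spider_id = zap.call("spider", "action", "scan", url=target)["scan"]
    zap.wait_for_scan("spider", spider_id)
    ascan_id = zap.call("ascan", "action", "scan", url=target)["scan"]
    zap.wait_for_scan("ascan", ascan_id)
    return zap.call("core", "view", "alerts", baseurl=target)["alerts"]


def high_risk(alerts):
    """What a CI job would fail the build on."""
    return [a for a in alerts if a.get("risk") == "High"]


class FakeZap:
    """Constructed stand-in for a ZAP instance: answers API URLs with canned
    JSON and reports every scan as half done on its first status poll."""

    ALERTS = [  # constructed; shaped like core/view/alerts entries
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
         "url": "http://localhost:8080/bodgeit/search.jsp", "param": "q"},
        {"alert": "X-Frame-Options Header Not Set", "risk": "Low",
         "url": "http://localhost:8080/bodgeit/", "param": ""},
    ]

    def __init__(self):
        self.progress = {}
        self.calls = []    # (component, kind, name) in arrival order

    def __call__(self, url):
        parsed = urllib.parse.urlparse(url)
        _, _, component, kind, name, _ = parsed.path.split("/")
        self.calls.append((component, kind, name))
        if kind == "action" and name == "scan":
            scan_id = str(len(self.progress))
            self.progress[(component, scan_id)] = 0
            return {"scan": scan_id}
        if kind == "view" and name == "status":
            scan_id = urllib.parse.parse_qs(parsed.query)["scanId"][0]
            self.progress[(component, scan_id)] += 50
            return {"status": str(self.progress[(component, scan_id)])}
        if (component, kind, name) == ("core", "view", "alerts"):
            return {"alerts": list(self.ALERTS)}
        raise ValueError("unexpected API call: " + url)


if __name__ == "__main__":
    # Dry run against the fake; omit fetch= to run against a real ZAP.
    zap = ZapClient(fetch=FakeZap(), poll_interval=0)
    found = quick_attack(zap, "http://localhost:8080/bodgeit/")
    for a in found:
        print("%-5s %-40s %s" % (a["risk"], a["alert"], a["url"]))
    raise SystemExit(1 if high_risk(found) else 0)
```

The same limitation the slide notes applies here: the spider only sees what an unauthenticated request can reach, so pages behind a login are neither crawled nor scanned unless ZAP is given a session or context first.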

Proxying via ZAP

Plug-n-Hack: the easiest option if you're using Firefox

Otherwise manually configure your browser to proxy via ZAP

And import the ZAP root CA

Requests made via your browser should appear in the Sites & History tabs

Internet Explorer: untick "Bypass proxy server for local addresses", or requests to localhost will never reach ZAP

Practical 1

Try out the Quick Start Attack

Configure your browser to proxy via ZAP

Manually explore your target application

The Spiders

Traditional Spider

Fast

Can't handle JavaScript very well

AJAX Spider

Launches a browser

Slower

Can handle JavaScript
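To see why the traditional spider misses JavaScript, it helps to build one. The crawler below is an added example (not ZAP's spider code): it parses HTML with Python's `html.parser`, queues every in-scope link it finds in `href`, `src` and `action` attributes, and never runs script. `SITE` and `fake_fetch` are a constructed stand-in for a target like BodgeIt, with one page (`/admin.jsp`) that is only linked from `document.write` in a script block, so a static crawler never discovers it; that is the gap the AJAX spider closes by driving a real browser.

```python
"""A 'traditional' spider in miniature: parse HTML, queue in-scope links,
never execute JavaScript, and so miss links that JavaScript builds.

Added example, not ZAP code.  SITE is a constructed stand-in for a target
such as BodgeIt: it maps a path to the HTML the server would return.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

SITE = {  # constructed pages; /admin.jsp is only linked from JavaScript
    "/": '<a href="about.jsp">About</a> <a href="/search.jsp">Search</a>'
         '<script>var p = "/adm" + "in.jsp";'
         'document.write(\'<a href="\' + p + \'">Admin</a>\');</script>',
    "/about.jsp": '<a href="/">Home</a> <a href="http://other.example/">Partner</a>',
    "/search.jsp": '<form action="/search.jsp#results" method="GET"></form>',
    "/admin.jsp": "<h1>Admin</h1>",
}


class LinkExtractor(HTMLParser):
    """Collect link targets from the attributes a static crawler understands.
    Text inside <script> reaches handle_data, never handle_starttag, so a
    tag that JavaScript writes at runtime is invisible here."""

    ATTRS = {"a": "href", "link": "href", "form": "action",
             "iframe": "src", "frame": "src", "img": "src", "script": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def crawl(start, fetch, max_pages=200):
    """Breadth-first crawl restricted to start's scheme and host.
    fetch(url) returns the page body, or None for a missing page.
    Returns (visited URLs in order, set of out-of-scope URLs seen)."""
    scope = urlparse(start)[:2]                 # (scheme, netloc)
    queue, seen, out_of_scope = deque([start]), {start}, set()
    visited = []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for raw in parser.links:
            link = urldefrag(urljoin(url, raw))[0]   # resolve, drop #fragment
            if urlparse(link)[:2] != scope:
                out_of_scope.add(link)
            elif link not in seen:
                seen.add(link)
                queue.append(link)
    return visited, out_of_scope


def fake_fetch(url):
    """Constructed server: look the path up in SITE, None (404) otherwise."""
    return SITE.get(urlparse(url).path)


if __name__ == "__main__":
    found, external = crawl("http://target.example/", fake_fetch)
    print("visited:", found)
    print("out of scope:", sorted(external))
    print("missed the JS-only admin page:",
          "http://target.example/admin.jsp" not in found)
```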

Practical 2

Use the 'traditional' spider on your target application

Use the AJAX spider on your target application

If you're using BodgeIt can you find the 'hidden' content?

Active and Passive Scanning

Passive Scanning is safe

Active Scanning is NOT safe: only use it on apps you have permission to test

Launch via tab or 'attack' right click menu

Effectiveness depends on how well you explored your app
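The safety difference comes down to what each scanner does with the traffic: passive rules only read requests and responses that have already passed through the proxy, while active rules send new, attacking requests. The block below is an added example, not ZAP's rule code; it implements simplified versions of checks named after ZAP passive rules (missing `X-Frame-Options` and `X-Content-Type-Options`, cookies without `HttpOnly`/`Secure`, password fields with autocomplete on, private IP addresses in a body) and runs them over two constructed responses modelled on a BodgeIt-style login page, one as served and one hardened. Nothing is sent anywhere, which is the whole point.

```python
"""Passive checks in the style of ZAP's passive scanner: each rule only
reads a response that already went through the proxy and sends nothing,
which is why passive scanning is safe to run against anything.

Added example, not ZAP's rule code.  The rules are simplified versions of
checks ZAP ships under these names; both responses are constructed.
"""
import re

PASSWORD_INPUT = re.compile(
    r"<input\b[^>]*\btype\s*=\s*[\"']?password\b[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"\bautocomplete\s*=\s*[\"']?off\b", re.I)
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")


def passive_scan(url, headers, body):
    """headers is a list of (name, value) pairs so repeated Set-Cookie lines
    are all inspected.  Returns (rule name, risk, evidence) tuples."""
    alerts = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    content_type = by_name.get("content-type", [""])[0].lower()
    is_html = content_type.startswith("text/html")
    https = url.lower().startswith("https://")

    if is_html and "x-frame-options" not in by_name:
        alerts.append(("X-Frame-Options Header Not Set", "Low", url))
    if "x-content-type-options" not in by_name:
        alerts.append(("X-Content-Type-Options Header Missing", "Low", url))
    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "httponly" not in flags:
            alerts.append(("Cookie No HttpOnly Flag", "Low", name))
        if https and "secure" not in flags:
            alerts.append(("Cookie Without Secure Flag", "Low", name))
    if is_html:
        for m in PASSWORD_INPUT.finditer(body):
            if not AUTOCOMPLETE_OFF.search(m.group(0)):
                alerts.append(("Password Autocomplete in Browser", "Low",
                               m.group(0)))
        ip = PRIVATE_IP.search(body)
        if ip:
            alerts.append(("Private IP Disclosure", "Low", ip.group(0)))
    return alerts


# Constructed responses resembling a BodgeIt-style login page.
WEAK = dict(
    url="http://localhost:8080/bodgeit/login.jsp",
    headers=[("Content-Type", "text/html;charset=ISO-8859-1"),
             ("Set-Cookie", "JSESSIONID=7F1C9E2A5B3D; Path=/bodgeit"),
             ("Server", "Apache-Coyote/1.1")],
    body='<!-- dev box 10.0.3.15 --><form method="POST" action="login.jsp">'
         '<input name="username"><input type="password" name="password">'
         '<input type="submit" value="Login"></form>',
)
HARDENED = dict(
    url="https://localhost:8443/bodgeit/login.jsp",
    headers=[("Content-Type", "text/html;charset=ISO-8859-1"),
             ("Set-Cookie",
              "JSESSIONID=7F1C9E2A5B3D; Path=/bodgeit; Secure; HttpOnly"),
             ("X-Frame-Options", "DENY"),
             ("X-Content-Type-Options", "nosniff")],
    body='<form method="POST" action="login.jsp"><input name="username">'
         '<input type="password" name="password" autocomplete="off">'
         '<input type="submit" value="Login"></form>',
)

if __name__ == "__main__":
    for label, response in (("as served", WEAK), ("hardened", HARDENED)):
        print(label)
        for rule, risk, evidence in passive_scan(**response):
            print("  [%s] %s: %s" % (risk, rule, evidence))
```

Because every rule is a pure function of recorded traffic, the same checks can run over a saved ZAP session long after the browsing is done; the active scanner cannot, since its findings depend on responses to requests it generates.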

Practical 3

Review the Passive issues already found

Run the Active Scanner on your target application

If you're using BodgeIt: can you log in as user1 or admin?

Can you get an XSS popup?

Intercepting and changing

Break on all requests

Break on all responses

Submit and step

Submit and continue

Bin the request or response

Add a custom HTTP break point

Practical 4

Intercept and change requests and responses

Use custom break points just on a specific page

If you're using BodgeIt can you make some money via the basket?

Some final pointers

Generating reports

Save sessions at the start

Right click everywhere

Play with the UI options

Explore the ZAP Marketplace

F1: The User Guide

Menu: Online / ZAP User Group

Future Sessions?

Fuzzing

Advanced Active Scanning

Contexts

Authentication

Scripts

Zest

The API

Websockets

What do you want??


Any Questions?


http://www.owasp.org/index.php/ZAP

The OWASP Foundation
http://www.owasp.org

Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.