Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up

Upload: gmaran23

Post on 29-Jul-2015


TRANSCRIPT

1. The OWASP Foundation
http://www.owasp.org
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Dot Net Bangalore, Bangalore, 21 Feb 2015
Security Testing for Developers using OWASP ZAP (The OWASP Zed Attack Proxy)
Marudhamaran Gunasekaran, ZAP Contributor, [email protected]
Watch the screen recording of this presentation at https://vimeo.com/120481276

2. Overview
Why you should use ZAP
Introduction
Demo: Quick Scan
ZAP Use cases
ZAP API Demo
ZAP Script Demo
ZAP Automation Demo

3. The problems
Most developers know very little about security
Most companies have very few application security folks
External consultants cost $$$$$
Security testing is done late in the application development lifecycle (if it is done at all)

4. Part of the Solution
Use a security tool like ZAP in development
In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews and professional pentesting

5. What is ZAP?
An easy to use webapp pentest tool
Completely free and open source
Ideal for beginners, but also used by professionals
Ideal for devs, especially for automated security tests
Becoming a framework for advanced testing
Included in all major security distributions
ToolsWatch.org Top Security Tool of 2013 / 2014
Not a silver bullet!

6. ZAP Principles
Free, open source (always)
Involvement actively encouraged
Cross platform (write once, run anywhere)
Easy to use (point and shoot)
Easy to install (unzip & run)
Internationalized (speaks 20+ languages)
Fully documented (publish a book)
Works well with other tools
Reuses well regarded components (JBroFuzz, fuzzdb, DirBuster, CrawlJax, SQLMap?)

7. Ohloh Statistics
Very high activity
The most active OWASP Project
29 active contributors
278 years of effort
Source: http://www.ohloh.net/p/zaproxy

8. Why use ZAP?
Any application exposed to the internet will be attacked
Who will find the vulnerabilities? You? A security researcher? The bad guys?
Finding and fixing bugs early is the key
Attacking apps makes you a better developer

9. Point and Click Scan - Demo

10. Face/Off with John Travolta and Nicolas Cage

11. Security Regression Testing
Well, let me watch you here!

12. Security Regression Testing
Well, let me watch you here!

13. ZAP API demo
Headless attack!

14. ZAP Scripting

15. The Main Features
All the essentials for web application testing
Intercepting Proxy
Active and Passive Scanners
Traditional and Ajax Spiders
WebSockets support
Forced Browsing (using OWASP DirBuster code)
Fuzzing (using fuzzdb & OWASP JBroFuzz)
Online Add-ons Marketplace

16. The Additional Features
Auto tagging
Port scanner
Session comparison
Invoke external apps
API + Headless mode
Dynamic SSL Certificates
Anti CSRF token handling

17. The Developer Features
Quick start
Intercepting proxy
Web client monitoring
WebSockets support
Standard/Protected/Safe modes
API + Headless mode
Java, Python API clients
Anti CSRF token handling

18. ZAP 2.4.0 Splash Screen
Unused tabs hidden
Scan dialogs with advanced options
Attack modes
Advanced fuzzing
Sequence scanning
Access control testing

19. ZAP - Get Involved
Use the tool
Recommend it
Write Add-ons
Write Scanners / Scripts
Report bugs

20. ZAP - Get Involved
https://code.google.com/p/zaproxy/wiki/GetInvolve

21. Conclusion
Consider security at all stages of the development cycle
OWASP ZAP is ideal for automating security tests
It is also a great way to learn about security
"Man is a tool-using animal. Without tools he is nothing, with right set of tools he is all."

22. Any Questions?
http://www.owasp.org/index.php/ZAP
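The "ZAP API demo", "Security Regression Testing" and "ZAP Automation" slides describe driving a headless ZAP from a build. As an added example (not from the deck or the ZAP project), this script talks to ZAP's JSON API with the standard library only, spiders and actively scans your own application, and fails the build when an alert reaches a chosen risk level. The ZAP address, the API key placeholder and the target URL are assumptions.

```python
"""Headless ZAP security regression check via the JSON API (urllib only)."""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"   # assumed: ZAP started with `zap.sh -daemon -port 8080`
API_KEY = "CHANGE-ME"           # placeholder: the API key set in ZAP's API options
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_call(component, kind, name, **params):
    """GET /JSON/<component>/<kind>/<name>/ and decode the JSON reply."""
    params["apikey"] = API_KEY
    query = urllib.parse.urlencode(params)
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id):
    """Poll the spider/ascan status view until it reports 100 (percent)."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def worst_risk(alerts):
    """Highest risk level among ZAP alert dicts (each has a 'risk' field)."""
    return max((a["risk"] for a in alerts), key=RISK_ORDER.get, default="Informational")


def gate(alerts, fail_at="High"):
    """True when no alert is at or above fail_at, i.e. the regression test passes."""
    return RISK_ORDER[worst_risk(alerts)] < RISK_ORDER[fail_at]


def scan(target):
    """Spider, then actively scan, then fetch alerts for target (needs a live ZAP)."""
    wait_for("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=target, recurse="true")["scan"])
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    # assumed target: the application under test, never a host you do not own
    found = scan(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000")
    for a in found:
        print(a["risk"], a["alert"], a["url"])
    sys.exit(0 if gate(found, "Medium") else 1)   # non-zero exit fails the CI build
```

Only scan applications you own or are authorised to test; the active scanner sends attack payloads to every parameter it finds.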