2014 ZAP Workshop 1: Getting Started
5 likes3,660 views
This document discusses an introduction to using OWASP ZAP, an open source web application security scanning tool. It provides an overview of ZAP's capabilities and principles, including that it is free, open source, and designed to be easy to use for both beginners and professionals. The document then demonstrates several features of ZAP through practical examples, such as using the quick start feature to scan a target site, configuring the browser as a proxy, and intercepting requests and responses. It concludes with potential topics to cover in future sessions, and invites questions from the audience.
2014 ZAP Workshop 1: Getting Started
- 1. The OWASP Foundation http://www.owasp.org Copyright Β© The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP Canberra 2014 OWASP ZAP Workshop 1: Getting started Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com
- 2. The plan β’ Introduction β’ The main bit β’ Demo feature β’ Let you play with feature β’ Answer any questions β’ Repeat β’ Plans for the future sessions 2
- 3. 3 What is ZAP? β’ An easy to use webapp pentest tool β’ Completely free and open source β’ Ideal for beginners β’ But also used by professionals β’ Ideal for devs, esp. for automated security tests β’ Becoming a framework for advanced testing β’ Included in all major security distributions β’ ToolsWatch.org Top Security Tool of 2013 β’ Not a silver bullet!
- 4. 4 ZAP Principles β’ Free, Open source β’ Involvement actively encouraged β’ Cross platform β’ Easy to use β’ Easy to install β’ Internationalized β’ Fully documented β’ Work well with other tools β’ Reuse well regarded components
- 5. 5 Statistics β’ Released September 2010, fork of Paros β’ V 2.3.1 released in May 2014 β’ V 2.3.1 downloaded > 35K times β’ Translated into 20+ languages β’ Over 90 translators β’ Mostly used by Professional Pentesters? β’ Paros code: ~20% ZAP Code: ~80%
- 6. 6 Open HUB Statistics β’ Very High Activity β’ The most active OWASP Project β’ 31 active contributors β’ 327 years of effort Source: https://www.openhub.net/p/zaproxy
- 7. Some ZAP use cases β’ Point and shoot β the Quick Start tab β’ Proxying via ZAP, and then scanning β’ Manual pentesting β’ Automated security regression tests β’ Debugging β’ Part of a larger security program 7
- 8. The BodgeIt Store β’ A simple vulnerable web app β’ Easy to install, minimal dependencies β’ In memory db β’ Scoring page β how well can you do? 8
- 9. The ZAP UI β’ Top level menu β’ Top level toolbar β’ Tree window β’ Workspace window β’ Information window β’ Footer 9
- 10. Quick Start - Attack β’ Specify one URL β’ ZAP will spider that URL β’ Then perform an Active Scan β’ And display the results β’ Simple and effective β’ Little control & cant handle authentication 10
- 11. Proxying via ZAP β’ Plug-n-Hack easiest option, if using Firefox β’ Otherwise manually configure your browser to proxy via ZAP β’ And import the ZAP root CA β’ Requests made via your browser should appear in the Sites & History tabs β’ IE β dont βBypass proxy for local addressesβ 11
- 12. Practical 1 β’ Try out the Quick Start β Attack β’ Configure your browser to proxy via ZAP β’ Manually explore your target application 12
- 13. The Spiders β’ Traditional Spider β’ Fast β’ Cant handle JavaScript very well β’ AJAX Spider β’ Launches a browser β’ Slower β’ Can handle Java Script 13
- 14. Practical 2 β’ Use the 'traditional' spider on your target application β’ Use the AJAX spider on your target application β’ If you're using BodgeIt β can you find the 'hidden' content? 14
- 15. Active and Passive Scanningβ’ Passive Scanning is safe β’ Active Scanning in NOT safe β’ Only use on apps you have permission to test β’ Launch via tab or 'attack' right click menu β’ Effectiveness depends on how well you explored your app 15
- 16. Practical 3 β’ Review the Passive issues already found β’ Run the Active Scanner on your target application β’ If you're using BodgeIt β β’ Can you login as user1 or admin? β’ Can you get an βXSSβ popup? 16
- 17. Intercepting and changing Break on all requests Break on all responses Submit and step Submit and continue Bin the request or response Add a custom HTTP break point 17
- 18. Practical 4 β’ Intercept and change requests and responses β’ Use custom break points just on a specific page β’ If you're using BodgeIt β can you make some money via the basket? 18
- 19. Some final pointers β’ Generating reports β’ Save sessions at the start β’ Right click everywhere β’ Play with the UI options β’ Explore the ZAP Marketplace β’ F1: The User Guide β’ Menu: Online / ZAP User Group 19
- 20. 20 Future Sessions? β’ Fuzzing β’ Advanced Active Scanning β’ Contexts β’ Authentication β’ Scripts β’ Zest β’ The API β’ Websockets β’ What do you want?? ο