SlideShare a Scribd company logo

JoinSEC 2013 London - ZAP Intro

Simon Bennetts, profile picture
Simon Bennetts

ZAP (Zed Attack Proxy) is a free and open-source web application penetration testing tool developed by the OWASP Foundation to help find vulnerabilities in web applications. It includes features like an intercepting proxy, scanners, a spider, fuzzing tools and a macro language to aid in testing applications. The tool is actively developed by a community of contributors and used by both professionals and beginners for tasks like security testing, debugging and regression testing of applications.

Technology
1 of 12
Downloaded 39 times
1
2
3
4
5
6
7
8
9
10
11
12
J OIN SEC 2013 The OWASP Foundation http://www.owasp.org An Introduction to ZAP OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
What is ZAP? • • • • • • • • • An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing Included in all major security distributions Not a silver bullet! 2
ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3
Statistics • Released September 2010, fork of Paros • V 2.2.2 released in Sept 2013 • V 2.1.0 downloaded > 25K times • Translated into 20+ languages • Over 50 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80% 4
Ohloh Statistics • Very High Activity • The most active OWASP Project • 28 active contributors • 236 years of effort Source: http://www.ohloh.net/p/zaproxy 5
The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Traditional Spider • Report Generation • Forced Browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JbroFuzz) • Dynamic SSL certificates 6
Developer Features • Quick start • REST API • Java and Python clients • Headless mode • Anti CSRF token handling • Authentication support • Session management • Auto updating • Modes 7
Advanced Features • Ajax Spider • WebSockets support • Smart card support • Plug-n-Hack • Integrated Scripting – JS, Python, Ruby... • Zest Support – macro language on steroids • Online Add-ons Marketplace 8
How can you use ZAP? • • • • • • Point and shoot – the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests As a debugger As part of a larger security program 9
SecurityRegression Tests http://code.google.com/p/zaproxy/wiki/SecRegTests 10
ZAP – Embedded • ThreadFix – Denim Group Software vulnerability aggregation and management system • Minion – Mozilla Security automation platform 11
Any Questions? http://www.owasp.org/index.php/ZAP

More Related Content

ODP
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
ODP
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
ODP
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
ODP
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
ODP
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
ODP
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
ODP
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 

What's hot (20)

ODP
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
ODP
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
ODP
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
ODP
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
ODP
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
PDF
Owasp zap
ColdFusionConference
 
ODP
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
ODP
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
PDF
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
PDF
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
PPTX
ZAP @FOSSASIA2015
Sumanth Damarla
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
ODP
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts
 
ODP
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
PPTX
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Sherif Mansour
 
PDF
2021 ZAP Automation in CI/CD
Simon Bennetts
 
PDF
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
PDF
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
Owasp zap
ColdFusionConference
 
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
ZAP @FOSSASIA2015
Sumanth Damarla
 
The OWASP Zed Attack Proxy
Aditya Gupta
 
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts
 
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Sherif Mansour
 
2021 ZAP Automation in CI/CD
Simon Bennetts
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
Ad

Similar to JoinSEC 2013 London - ZAP Intro (17)

PPT
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
ODP
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Tabăra de Testare
 
PPTX
OWASP ZAP API Automation
Thivya Lakshmi
 
PPTX
Security testing using zap
Confiz Limited
 
PPTX
Owasp zap
penetration Tester
 
ODP
Simon Bennetts - Automating ZAP
DevSecCon
 
PPTX
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
ODP
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
PPTX
OWSAP Zap Tool Execution - API Security Scan
Palani Kumar
 
PPTX
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
PPTX
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
PPTX
Zap api and scripting - @iprav33nk
Praveen Kumar
 
PPTX
Slides St. Clair College Forensics Cyber Security
BrenoMeister
 
PDF
installing-and-setting-up-your-zap-environment-slides.pdf
Marcelo Cunha
 
PDF
GECon2017_ Security testing and selenium tests can you do one using the other...
GECon_Org Team
 
PDF
Security Testing using ZAP in SFDC
Thinqloud
 
PPTX
Cyber ppt
karthik menon
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Tabăra de Testare
 
OWASP ZAP API Automation
Thivya Lakshmi
 
Security testing using zap
Confiz Limited
 
Owasp zap
penetration Tester
 
Simon Bennetts - Automating ZAP
DevSecCon
 
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
OWSAP Zap Tool Execution - API Security Scan
Palani Kumar
 
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
Zap api and scripting - @iprav33nk
Praveen Kumar
 
Slides St. Clair College Forensics Cyber Security
BrenoMeister
 
installing-and-setting-up-your-zap-environment-slides.pdf
Marcelo Cunha
 
GECon2017_ Security testing and selenium tests can you do one using the other...
GECon_Org Team
 
Security Testing using ZAP in SFDC
Thinqloud
 
Cyber ppt
karthik menon
 
Ad

Recently uploaded (20)

PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Approach and Philosophy of On baking technology
30anthuong17
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

JoinSEC 2013 London - ZAP Intro

  • 1. J OIN SEC 2013 The OWASP Foundation http://www.owasp.org An Introduction to ZAP OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. What is ZAP? • • • • • • • • • An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing Included in all major security distributions Not a silver bullet! 2
  • 3. ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3
  • 4. Statistics • Released September 2010, fork of Paros • V 2.2.2 released in Sept 2013 • V 2.1.0 downloaded > 25K times • Translated into 20+ languages • Over 50 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80% 4
  • 5. Ohloh Statistics • Very High Activity • The most active OWASP Project • 28 active contributors • 236 years of effort Source: http://www.ohloh.net/p/zaproxy 5
  • 6. The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Traditional Spider • Report Generation • Forced Browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JbroFuzz) • Dynamic SSL certificates 6
  • 7. Developer Features • Quick start • REST API • Java and Python clients • Headless mode • Anti CSRF token handling • Authentication support • Session management • Auto updating • Modes 7
  • 8. Advanced Features • Ajax Spider • WebSockets support • Smart card support • Plug-n-Hack • Integrated Scripting – JS, Python, Ruby... • Zest Support – macro language on steroids • Online Add-ons Marketplace 8
  • 9. How can you use ZAP? • • • • • • Point and shoot – the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests As a debugger As part of a larger security program 9
  • 11. ZAP – Embedded • ThreadFix – Denim Group Software vulnerability aggregation and management system • Minion – Mozilla Security automation platform 11