SlideShare a Scribd company logo

Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20

Tabăra de Testare, profile picture
Tabăra de Testare

OWASP ZAP is a free, open-source web application pentesting tool designed for both beginners and professionals, featuring easy installation and cross-platform capabilities. Key functionalities include an intercepting proxy, various scanners, fuzzing tools, and support for automated security tests. Since its release in 2010, ZAP has gained significant traction with over 25,000 downloads and has been translated into more than 20 languages.

Technology
Related topics:
Software Testing Insights Security Testing
1 of 10
Downloaded 35 times
1
2
3
4
5
6
7
8
9
10
Tabara de Testare 2013 The OWASP Foundation http://www.owasp.org ZAP Quick Intro OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
What is ZAP? • • • • • • • • • An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing Included in all major security distributions Not a silver bullet! 2
ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3
Statistics • Released September 2010, fork of Paros • V 2.2.2 released in Sept 2013 • V 2.1.0 downloaded > 25K times • Translated into 20+ languages • Over 50 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80% 4
The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Traditional and Ajax Spiders • WebSockets support • Forced Browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Online Add-ons Marketplace 5
Some Additional Features • Auto tagging • Port scanner • Script Console • Report generation • Smart card support • Contexts and scope • Session management • Invoke external apps • Dynamic SSL Certificates 6
How can you use ZAP? • • • • • • Point and shoot – the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests As a debugger As part of a larger security program 7
SecurityRegression Tests http://code.google.com/p/zaproxy/wiki/SecRegTests 8
Questions? http://www.owasp.org/index.php/ZAP
Questions? http://www.owasp.org/index.php/ZAP

More Related Content

PPTX
ZAP @FOSSASIA2015
Sumanth Damarla
 
ODP
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
ODP
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
ODP
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
ODP
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
ODP
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
ODP
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
ODP
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
ZAP @FOSSASIA2015
Sumanth Damarla
 
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 

What's hot (20)

ODP
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
ODP
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
ODP
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
PPT
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
PPTX
Security testing using zap
Confiz Limited
 
ODP
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
PDF
Owasp zap
ColdFusionConference
 
ODP
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
ODP
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
PDF
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
ODP
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
PDF
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
ODP
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
PDF
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
PPTX
Security workflow with ansible
devanshdubey7
 
PPTX
OpenSourceSecurityTools - UPDATED
Sparsh Raj
 
PPTX
Automated tools for penetration testing
devanshdubey7
 
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
Security testing using zap
Confiz Limited
 
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
Owasp zap
ColdFusionConference
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
Security workflow with ansible
devanshdubey7
 
OpenSourceSecurityTools - UPDATED
Sparsh Raj
 
Automated tools for penetration testing
devanshdubey7
 
Ad

Similar to Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20 (18)

ODP
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
PPTX
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
PPTX
AppSec DC 2019 ASVS 4.0 Final.pptx
Josh Grossman
 
PPTX
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
PDF
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
PPTX
security misconfigurations
Megha Sahu
 
PPTX
Artifacts management with DevOps
Chen-Tien Tsai
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
PDF
Best practices for using open source software in the enterprise
Marcel de Vries
 
PDF
Azul Systems open source guide
Azul Systems Inc.
 
PDF
ISC2: AppSec & OWASP Primer
ThreatReel Podcast
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
PDF
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
PDF
Stackato v6
Jonas Brømsø
 
PDF
Accelerate Application development with WSO2 App Factory
WSO2
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
PPTX
Selenium overview ppt by quontra solutions
Quontra Solutions
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
AppSec DC 2019 ASVS 4.0 Final.pptx
Josh Grossman
 
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
security misconfigurations
Megha Sahu
 
Artifacts management with DevOps
Chen-Tien Tsai
 
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
Best practices for using open source software in the enterprise
Marcel de Vries
 
Azul Systems open source guide
Azul Systems Inc.
 
ISC2: AppSec & OWASP Primer
ThreatReel Podcast
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Stackato v6
Jonas Brømsø
 
Accelerate Application development with WSO2 App Factory
WSO2
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Selenium overview ppt by quontra solutions
Quontra Solutions
 
Ad

More from Tabăra de Testare (20)

ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
PDF
Robotium framework & Jenkins CI tools - TdT@Cluj #19
Tabăra de Testare
 
PPTX
Tap into mobile app testing@TDT Iasi Sept2013
Tabăra de Testare
 
PPSX
Test analysis & design good practices@TDT Iasi 17Oct2013
Tabăra de Testare
 
PPTX
Webdriver with Thucydides - TdT@Cluj #18
Tabăra de Testare
 
PDF
Mobile Web UX - TdT@Cluj #17
Tabăra de Testare
 
PPTX
Behavior Driven Development - TdT@Cluj #15
Tabăra de Testare
 
PDF
TdT@Cluj #14 - Mobile Testing Workshop
Tabăra de Testare
 
PPS
Security testing
Tabăra de Testare
 
PDF
Mobile Testing - TdT Cluj #13
Tabăra de Testare
 
PDF
Td t summary
Tabăra de Testare
 
PPTX
How to evaluate a tester
Tabăra de Testare
 
PPT
Testing, job or game
Tabăra de Testare
 
PPTX
Test Automation Techniques for Windows Applications
Tabăra de Testare
 
PPTX
Help them to help you
Tabăra de Testare
 
PDF
Learning the Agile way
Tabăra de Testare
 
PPTX
How to bring creativity in testing
Tabăra de Testare
 
PPTX
Tester with benefits
Tabăra de Testare
 
PPTX
Doing things Differently
Tabăra de Testare
 
PPTX
Testarea: Prieten sau dusman? Adrian speteanu
Tabăra de Testare
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
Robotium framework & Jenkins CI tools - TdT@Cluj #19
Tabăra de Testare
 
Tap into mobile app testing@TDT Iasi Sept2013
Tabăra de Testare
 
Test analysis & design good practices@TDT Iasi 17Oct2013
Tabăra de Testare
 
Webdriver with Thucydides - TdT@Cluj #18
Tabăra de Testare
 
Mobile Web UX - TdT@Cluj #17
Tabăra de Testare
 
Behavior Driven Development - TdT@Cluj #15
Tabăra de Testare
 
TdT@Cluj #14 - Mobile Testing Workshop
Tabăra de Testare
 
Security testing
Tabăra de Testare
 
Mobile Testing - TdT Cluj #13
Tabăra de Testare
 
Td t summary
Tabăra de Testare
 
How to evaluate a tester
Tabăra de Testare
 
Testing, job or game
Tabăra de Testare
 
Test Automation Techniques for Windows Applications
Tabăra de Testare
 
Help them to help you
Tabăra de Testare
 
Learning the Agile way
Tabăra de Testare
 
How to bring creativity in testing
Tabăra de Testare
 
Tester with benefits
Tabăra de Testare
 
Doing things Differently
Tabăra de Testare
 
Testarea: Prieten sau dusman? Adrian speteanu
Tabăra de Testare
 

Recently uploaded (20)

PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Encapsulation theory and applications.pdf
gurumoop
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 

Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20

  • 1. Tabara de Testare 2013 The OWASP Foundation http://www.owasp.org ZAP Quick Intro OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. What is ZAP? • • • • • • • • • An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Becoming a framework for advanced testing Included in all major security distributions Not a silver bullet! 2
  • 3. ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3
  • 4. Statistics • Released September 2010, fork of Paros • V 2.2.2 released in Sept 2013 • V 2.1.0 downloaded > 25K times • Translated into 20+ languages • Over 50 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80% 4
  • 5. The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Traditional and Ajax Spiders • WebSockets support • Forced Browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Online Add-ons Marketplace 5
  • 6. Some Additional Features • Auto tagging • Port scanner • Script Console • Report generation • Smart card support • Contexts and scope • Session management • Invoke external apps • Dynamic SSL Certificates 6
  • 7. How can you use ZAP? • • • • • • Point and shoot – the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests As a debugger As part of a larger security program 7