OWASP Zed Attack Proxy
Download as PPTX, PDF6 likes2,606 views
The OWASP Zed Attack Proxy (ZAP) is a free, open-source pen testing tool for web applications that is user-friendly for both beginners and professionals. It features capabilities such as active/passive scanning, spidering, brute force tools, and session management while being cross-platform and well-documented. ZAP emphasizes the importance of integrating security testing throughout the development and QA phases of the project lifecycle.
OWASP Zed Attack Proxy
- 1. OWASP Zed Attack Proxy FADI ABDULWAHAB FABDULWAHAB.COM
- 2. Overview https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Pen Testing tool for web applications Easy to install (required Java as prerequisites) Free and open source (World contribution) Ideal for beginners and professionals Support automation Cross platform(Windows , Linux and Mac) Fully documented and Integrated with other tools
- 3. Overview Intercepting tool Active /Passive scanning Spider to crawl the site (also support Ajax spider for heavy JavaScript applications) Report Generation with useful information and recommendation Brute force (based on OWASP DirBuster tool) https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project It is now included in the ZAP Marketplace as a ZAP add-on rather than as a stand-alone tool to brute force directories and files names on web/application servers Fuzzing (using fuzzdb and OWASP JBroFuzz) https://github.com/fuzzdb-project/fuzzdb https://www.owasp.org/index.php/JBroFuzz
- 4. Overview Auto tagging (hidden filed , cookie …) Port scanning Parameters analysis Support Web socket http://browserquest.mozilla.org/ Support HTTP Sessions Has REST API (Tools >> Browse API) Has Dynamic SSL certificate to generate root certificate for browsers Support Anti-CSRF token Framework for other tools
- 5. Overview Quick Test No authentication Spider not covering everything Add extensions/update as marketplace (Add-ons) Debug and breakpoints Support Context(Scopes) Exclude/Include URLs Authentication Modes Safe (passive), Protected(within scope) and Standard You can scan Subtree only
- 6. Overview You can write Java or python codes ZAP embedded into ThreadFix (Denim Group) and Minion (Mozilla) Integrated with Firefox as Plug-in-Hack Intercept client side GET/POST requests Use less memory and has minimum false positive risks
- 7. Installation and Configuration Download it Install it Configure browser proxy (local proxy) Run ZAP Browser your application manually (No one know the application functionalities like you) Use spider for more hidden content (beside manual browsing also find logical tests) Run Attacks to find vulnerabilities
- 8. Initial Setup Configure Proxy(Options >> Local Proxy…) Import SSL certificate (.cer) to certificate manger in your browser if you need to intercept SSL websites (Options >> Dynamic SSL…) chrome://settings/search#ssl Open Sites Tab to view resources which have been visited Check Request/Response Vulnerable Site https://github.com/psiinon/bodgeit
- 9. Security Testing in Dev and QA Consider security in all phases of project It’s a risk to postpone this testing at the end of project lifecycle Most important phases are Dev and QA Beside testing functionality test also inject ZAP for security Test https://github.com/zaproxy/zaproxy/wiki/SecRegTests
- 10. Security Testing in Dev and QA
- 11. Authentication Context A set of URLs together Good to Categories your web applications Session Management Cookie based HTTP Header based Authentication methods Form , HTTP Header or oAuth authentication User Management Define users and map them to HTTP sessions
- 12. HTTP Sessions Browser your site with different accounts All sessions are recorded to HTTP Session tab You can switch between them using “Set as active” Refresh the page after switching the session Flag login page (username , password and indicators for login and logout) Then click resend
- 13. HTTP Sessions Demo Browse the site anonymously Login from the browser Go to login page and flag as Context Define Username , passwords Create Users Spider the site as User
- 14. HTTP Sessions This force ZAP to login again Try to resend a page after removing session cookie from header You can add session manually
- 15. HTTP Sessions With Ajax site , maybe the session is not recorded You can identify it manually Right click and Flag as Session token Right click and make it active Then logout from the site and login again Sometime you need to exclude logout page to avoid session termination
- 16. Attacks and Attacks Strength You can control the attacks and attacks strength
- 17. Statistics – ZAP Innovations Released Sept 2010 ZAP 2.4.3 (Current Version) V 2.1 downloaded > 25k times Translated into 20+ languages Most Active OWASP project 28 active contributors
- 18. Zest Scripting language developed by Mozilla team Free and open source Represent JSON Included with ZAP from 2.0
- 19. Fuzzing Highlight the text (user input/parameters) Select Fuzz category Run it and see the browser You can use multiple fuzz payloads
- 20. Injection Highlight the found text You can get information from failed requests Also use your patterns
- 21. Hashing and New UI Included with ZAP New UI: Hide or Show all tabs (also advanced options) You can add note and use filter in history tab Persistent Session to resume your work Define Scan policy to control the attacks Don’t stick with one tool , use more because each one has its advantages