SlideShare a Scribd company logo

Using the Zed Attack Proxy as a Web App testing tool

David Sweigert, profile picture
David Sweigert

The document discusses configuring the Firefox web browser to work with the OWASP Zed Attack Proxy (ZAP) tool in order to conduct quasi-man-in-the-middle attacks against web applications for security testing purposes. It provides instructions for setting ZAP as the proxy in Firefox's network settings and enabling the ZAP plug-in to allow manual testing of vulnerabilities like SQL injection. The results of such security tests run with ZAP are then compiled.

Technology
1 of 8
1
2
3
4
5
6
7
8
Dave Sweigert, CISSP, CISA, PMP, Security+ OWASP (Zed Attack Proxy) Securing Web Apps with a quasi-man-in-the-middle (MitM) attack tool 11/25/2014 OWASP Zed Attack Proxy (ZAP) 1
Firefox configured to use proxy 11/25/2014 OWASP Zed Attack Proxy (ZAP) 2
FireFox Menu -- Tools – Options – Network -- Settings Set the host to localhost and the port to 8080, these are the default ZAP proxy ports. Use these settings for all protocols. 11/25/2014 OWASP Zed Attack Proxy (ZAP) 3
To enable FireFox Plug-in click Plug-n-Hack within the Quick Start Tab. 11/25/2014 OWASP Zed Attack Proxy (ZAP) 4
Configure automatic plug-in within FireFox 11/25/2014 OWASP Zed Attack Proxy (ZAP) 5
MANUAL intervention (using a Plug-N-Hack web page in the FireFox browser) allows manual testing of web services (e.g. SQL injection, etc.). These are manual tests typically run by a “human” penetration tester or software quality assurance (SQA) tester. 11/25/2014 OWASP Zed Attack Proxy (ZAP) 6
Test Results Compiled 11/25/2014 OWASP Zed Attack Proxy (ZAP) 7
References: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 11/25/2014 OWASP Zed Attack Proxy (ZAP) 8

More Related Content

PPTX
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
PPTX
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
PPTX
Security Testing - Zap It
Manjyot Singh
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
PDF
Owasp zap
ColdFusionConference
 
ODP
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
ODP
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
ODP
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Security Testing - Zap It
Manjyot Singh
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
Owasp zap
ColdFusionConference
 
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 

What's hot (20)

PDF
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
PDF
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
PDF
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
ODP
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
PDF
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
ODP
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
ODP
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
ODP
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
ODP
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
PDF
2020 ADDO Spring Break OWASP ZAP Automation
Simon Bennetts
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
ODP
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
ODP
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts
 
ODP
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
ODP
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
PDF
2021 ZAP Automation in CI/CD
Simon Bennetts
 
ODP
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
PPTX
Zap vs burp
Tomasz Fajks
 
PPTX
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Sherif Mansour
 
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
2020 ADDO Spring Break OWASP ZAP Automation
Simon Bennetts
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
2017 DevSecCon ZAP Scripting Workshop
Simon Bennetts
 
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
2021 ZAP Automation in CI/CD
Simon Bennetts
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
Zap vs burp
Tomasz Fajks
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Sherif Mansour
 
Ad

Similar to Using the Zed Attack Proxy as a Web App testing tool (20)

PDF
installing-and-setting-up-your-zap-environment-slides.pdf
Marcelo Cunha
 
PPT
Zap attack proxy
Artem Vasilenko
 
ODP
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
PPT
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
PDF
Automated Security Testing
seleniumconf
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
PPTX
OWASP ZAP API Automation
Thivya Lakshmi
 
PPTX
ZAP @FOSSASIA2015
Sumanth Damarla
 
PPTX
Owasp zap
penetration Tester
 
PPTX
Security testing using zap
Confiz Limited
 
PDF
GECon2017_ Security testing and selenium tests can you do one using the other...
GECon_Org Team
 
PPTX
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
PPTX
Security testautomation
Linkesh Kanna Velu
 
PPT
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
PDF
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
ODP
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
PPTX
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
PPTX
Slides St. Clair College Forensics Cyber Security
BrenoMeister
 
PPTX
Cyber ppt
karthik menon
 
PDF
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
installing-and-setting-up-your-zap-environment-slides.pdf
Marcelo Cunha
 
Zap attack proxy
Artem Vasilenko
 
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
Automated Security Testing
seleniumconf
 
The OWASP Zed Attack Proxy
Aditya Gupta
 
OWASP ZAP API Automation
Thivya Lakshmi
 
ZAP @FOSSASIA2015
Sumanth Damarla
 
Owasp zap
penetration Tester
 
Security testing using zap
Confiz Limited
 
GECon2017_ Security testing and selenium tests can you do one using the other...
GECon_Org Team
 
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Security testautomation
Linkesh Kanna Velu
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
Slides St. Clair College Forensics Cyber Security
BrenoMeister
 
Cyber ppt
karthik menon
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
Ad

More from David Sweigert (20)

PDF
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
David Sweigert
 
PDF
Law Enforcement Cyber Incident Reporting
David Sweigert
 
PDF
Sample Network Analysis Report based on Wireshark Analysis
David Sweigert
 
PDF
National Cyber Security Awareness Month poster
David Sweigert
 
PDF
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
David Sweigert
 
PDF
National Cyber Security Awareness Month - October 2017
David Sweigert
 
PDF
California Attorney General Notification Penal Code 646.9
David Sweigert
 
PDF
Congressional support of Ethical Hacking and Cyber Security
David Sweigert
 
PDF
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
David Sweigert
 
PDF
Application of Racketeering Law to Suppress CrowdStalking Threats
David Sweigert
 
PDF
Canada Communications Security Establishment - Threat Vector Chart
David Sweigert
 
DOCX
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
David Sweigert
 
PDF
Cyber Incident Response Team NIMS Public Comment
David Sweigert
 
PDF
Cyber Incident Response Team - NIMS - Public Comment
David Sweigert
 
PDF
National Incident Management System (NIMS) NQS DRAFT
David Sweigert
 
PDF
National Incident Management System - NQS Public Feedback
David Sweigert
 
DOCX
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
David Sweigert
 
PDF
National Preparedness Goals 2015 2nd edition
David Sweigert
 
PDF
Healthcare Sector-wide Disaster Prepardness Plan
David Sweigert
 
PDF
Cyber Risk Assessment for the Emergency Services Sector - DHS
David Sweigert
 
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
David Sweigert
 
Law Enforcement Cyber Incident Reporting
David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
David Sweigert
 
National Cyber Security Awareness Month poster
David Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
David Sweigert
 
National Cyber Security Awareness Month - October 2017
David Sweigert
 
California Attorney General Notification Penal Code 646.9
David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
David Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
David Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
David Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
David Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
David Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
David Sweigert
 
National Incident Management System - NQS Public Feedback
David Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
David Sweigert
 
National Preparedness Goals 2015 2nd edition
David Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
David Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
David Sweigert
 

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

Using the Zed Attack Proxy as a Web App testing tool