An Introduction to ZAP The OWASP Zed Attack Proxy OWASP AppSec Simon Bennetts

OWASP AppSec
The OWASP Foundation
http://www.owasp.org
Asia-Pacific 2012
An Introduction to ZAP
The OWASP Zed Attack Proxy
Simon Bennetts
OWASP ZAP Project Lead
psiinon@gmail.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components
Statistics
• Released September 2010, fork of Paros
• V 1.3.4 downloaded 15,000 times
• V 1.4 alpha just released
• Fully internationalized
• Translated into 11 languages:
Brazilian Portuguese, Chinese, Danish, French, German,
Greek, Indonesian, Japanese, Persian, Polish, Spanish
• Mostly used by Professional Pentesters?
• Paros code: ~40%, ZAP code: ~60%
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Extensibility
The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• BeanShell integration
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling
New in Version 1.4
• Syntax highlighting
• Fuzzdb integration
• Parameter analysis
• Enhanced XSS scanner
• Pluggable extensions
• Reveal hidden fields
• Some of the Watcher checks
• Lots of bug fixes!
Extending ZAP
• Invoking applications directly
• REST API
• Filters
• Active Scan Rules
• Passive Scan Rules
• Full Extensions
https://code.google.com/p/zap-extensions/
Security Regression Tests
http://code.google.com/p/bodgeit/wiki/RegTests
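As an added illustration of the "API + Headless mode" feature and of the security regression tests linked above (example code written here, not part of the slides or of the ZAP project), the script below drives a ZAP instance through its REST API: spider the target, run the active scan, then fail the build if any alert at or above a chosen risk level remains. It assumes ZAP runs in daemon mode on localhost:8080 with API key checking disabled and that the target application (BodgeIt, which the slide links to) is served at the address shown; both addresses are assumptions.

```python
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"  # assumed address of a ZAP instance started in daemon (headless) mode
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}  # ZAP's four risk levels


def zap_get(component, kind, name, **params):
    """Call one ZAP REST endpoint, e.g. /JSON/spider/action/scan/?url=..., and decode the JSON reply."""
    query = urllib.parse.urlencode(params)
    with urllib.request.urlopen(f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}") as resp:
        return json.load(resp)


def wait_for(component, scan_id):
    """Poll the spider or active scan ('spider' / 'ascan') until ZAP reports 100% progress."""
    while int(zap_get(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def failing_alerts(alerts, min_risk="Medium"):
    """Keep alerts whose risk is at least min_risk, de-duplicated by (alert name, url)."""
    threshold = RISK_ORDER[min_risk]
    seen, failing = set(), []
    for alert in alerts:  # only the 'risk', 'alert' and 'url' keys of ZAP's alert records are used
        if RISK_ORDER.get(alert.get("risk"), 0) < threshold:
            continue
        key = (alert.get("alert"), alert.get("url"))
        if key not in seen:
            seen.add(key)
            failing.append(alert)
    return failing


def run_regression(target, min_risk="Medium"):
    """Spider and actively scan target, then return the alerts that should fail the build."""
    wait_for("spider", zap_get("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_get("ascan", "action", "scan", url=target)["scan"])
    alerts = zap_get("core", "view", "alerts", baseurl=target)["alerts"]
    return failing_alerts(alerts, min_risk)


if __name__ == "__main__":
    found = run_regression("http://localhost:8081/bodgeit/")  # assumed target address
    for alert in found:
        print(f"{alert['risk']:<8} {alert['alert']} at {alert['url']}")
    sys.exit(1 if found else 0)  # non-zero exit marks the build as failed
```

Raising min_risk to "High" lets a team gate only on the serious findings while still keeping the full alert list in the scan report.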
Collaborations
• Dradis – ZAP upload plugin
• OWASP AJAX Crawling Tool
• OWASP ModSecurity Core Rule Set script – SpiderLabs
• ThreadFix – Denim Group
• Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young
• Grey-box plugin – BCC Risk Advisory
Work In Progress
• Enhance scanners to detect more vulnerabilities
• Extend API, Ant and Maven integration
• Easier to use, better help
• Improved stability
• Session analysis
The Future
• Closer integration with OWASP AJAX Tool
• Support for SPDY and WebSockets
• Extensions marketplace
• Full scripting support
• Configurable Actions
• Fuzzing analysis
• What do you want??
Any Questions?
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project