ZAP (Zed Attack Proxy) is a free and open-source web application penetration testing tool developed by the OWASP Foundation to help find vulnerabilities in web applications. It includes features like an intercepting proxy, scanners, a spider, fuzzing tools and a macro language to aid in testing applications. The tool is actively developed by a community of contributors and used by both professionals and beginners for tasks like security testing, debugging and regression testing of applications.

1. J OIN SEC
2013
The OWASP Foundation
http://www.owasp.org
An Introduction to ZAP
OWASP
Zed Attack Proxy
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
psiinon@gmail.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. What is ZAP?
•
•
•
•
•
•
•
•
•
An easy to use webapp pentest tool
Completely free and open source
An OWASP flagship project
Ideal for beginners
But also used by professionals
Ideal for devs, esp. for automated security tests
Becoming a framework for advanced testing
Included in all major security distributions
Not a silver bullet!
2

3. ZAP Principles
•
Free, Open source
•
Involvement actively encouraged
•
Cross platform
•
Easy to use
•
Easy to install
•
Internationalized
•
Fully documented
•
Work well with other tools
•
Reuse well regarded components
3

4. Statistics
• Released September 2010, fork of Paros
• V 2.2.2 released in Sept 2013
• V 2.1.0 downloaded > 25K times
• Translated into 20+ languages
• Over 50 translators
• Mostly used by Professional Pentesters?
• Paros code: ~20%
ZAP Code: ~80%
4

5. Ohloh Statistics
•
Very High Activity
• The most active OWASP Project
• 28 active contributors
• 236 years of effort
Source: http://www.ohloh.net/p/zaproxy
5

6. The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Traditional Spider
• Report Generation
• Forced Browsing (using OWASP DirBuster
code)
• Fuzzing (using fuzzdb & OWASP JbroFuzz)
• Dynamic SSL certificates
6

7. Developer Features
•
Quick start
•
REST API
•
Java and Python clients
•
Headless mode
•
Anti CSRF token handling
•
Authentication support
•
Session management
•
Auto updating
•
Modes
7

8. Advanced Features
• Ajax Spider
• WebSockets support
• Smart card support
• Plug-n-Hack
• Integrated Scripting – JS, Python, Ruby...
• Zest Support – macro language on steroids
• Online Add-ons Marketplace
8

9. How can you use ZAP?
•
•
•
•
•
•
Point and shoot – the Quick Start tab
Proxying via ZAP, and then scanning
Manual pentesting
Automated security regression tests
As a debugger
As part of a larger security program
9

10. SecurityRegression Tests
http://code.google.com/p/zaproxy/wiki/SecRegTests
10

11. ZAP – Embedded
•
ThreadFix – Denim Group
Software vulnerability aggregation and
management system
•
Minion – Mozilla
Security automation platform
11

12. Any Questions?
http://www.owasp.org/index.php/ZAP