The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them.
2. Overview
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Pen Testing tool for web applications
Easy to install (requires Java as a prerequisite)
Free and open source (worldwide contributions)
Ideal for beginners and professionals
Supports automation
Cross platform (Windows, Linux and Mac)
Fully documented and integrated with other tools
3. Overview
Intercepting tool
Active/passive scanning
Spider to crawl the site (also supports an Ajax spider for JavaScript-heavy applications)
Report generation with useful information and recommendations
Brute force (based on the OWASP DirBuster tool)
https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
It is now included in the ZAP Marketplace as a ZAP add-on rather than as a stand-alone tool
Used to brute force directory and file names on web/application servers
Fuzzing (using fuzzdb and OWASP JBroFuzz)
https://github.com/fuzzdb-project/fuzzdb
https://www.owasp.org/index.php/JBroFuzz
4. Overview
Auto tagging (hidden fields, cookies …)
Port scanning
Parameter analysis
Supports WebSocket
http://browserquest.mozilla.org/
Supports HTTP sessions
Has a REST API (Tools >> Browse API)
Has dynamic SSL certificates: generates a root certificate to import into browsers
Supports anti-CSRF tokens
Framework for other tools
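To show what the "auto tagging" and anti-CSRF support above amount to, here is an added example (not ZAP's own code) that performs the same kind of passive inspection on a constructed HTTP response: it flags Set-Cookie headers missing the Secure or HttpOnly flags, lists hidden form fields, and reports whether one of them looks like an anti-CSRF token. The list of token names is an assumption; ZAP's own list is configurable.

```python
from html.parser import HTMLParser

# Constructed sample response (not captured from a real site): one cookie
# without the Secure/HttpOnly flags, one with them, and a form carrying two
# hidden fields, one of which looks like an anti-CSRF token.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
]
SAMPLE_BODY = """
<html><body>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf_token" value="d41d8cd9">
  <input type="hidden" name="account_id" value="1001">
  <input type="text" name="amount">
</form>
</body></html>
"""

# Assumed set of common anti-CSRF token names (ZAP keeps its own configurable list).
CSRF_TOKEN_NAMES = {"csrf_token", "csrftoken", "_csrf", "authenticity_token", "anticsrf"}


def check_cookies(headers):
    """Return (cookie name, missing flags) for each Set-Cookie lacking Secure or HttpOnly."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


class _HiddenFieldParser(HTMLParser):
    """Collects (name, value) of every <input type="hidden"> seen while parsing."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))


def find_hidden_fields(body):
    parser = _HiddenFieldParser()
    parser.feed(body)
    return parser.hidden


def has_anti_csrf_token(hidden_fields):
    return any(name.lower() in CSRF_TOKEN_NAMES for name, _ in hidden_fields)


def tag_response(headers, body):
    """Produce the kind of tags a passive scan attaches to a single response."""
    hidden = find_hidden_fields(body)
    return {
        "insecure_cookies": check_cookies(headers),
        "hidden_fields": hidden,
        "anti_csrf_token": has_anti_csrf_token(hidden),
    }


if __name__ == "__main__":
    print(tag_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

The point of the tagging is triage: a cookie flagged here is a candidate for review, not a confirmed finding, and a form with no recognisable token is where an anti-CSRF check should be added before the active scan runs.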
5. Overview
Quick Test
No authentication
Spider not covering everything
Add extensions/updates from the Marketplace (add-ons)
Debugging and breakpoints
Supports contexts (scopes)
Exclude/include URLs
Authentication
Modes
Safe (passive), Protected (within scope) and Standard
You can scan a subtree only
6. Overview
You can write Java or Python code
ZAP is embedded in ThreadFix (Denim Group) and Minion (Mozilla)
Integrated with Firefox via Plug-n-Hack
Intercepts client-side GET/POST requests
Uses less memory and has a low false-positive risk
7. Installation and Configuration
Download it
Install it
Configure browser proxy (local proxy)
Run ZAP
Browse your application manually (no one knows the application's functionality like you do)
Use the spider for more hidden content (alongside manual browsing, which is also where you find logic tests)
Run Attacks to find vulnerabilities
8. Initial Setup
Configure the proxy (Options >> Local Proxy…)
Import the SSL certificate (.cer) into your browser's certificate manager if you need to intercept SSL websites (Options >> Dynamic SSL…)
chrome://settings/search#ssl
Open the Sites tab to view resources which have been visited
Check Request/Response
Vulnerable site: https://github.com/psiinon/bodgeit
9. Security Testing in Dev and QA
Consider security in all phases of the project
It's a risk to postpone this testing to the end of the project lifecycle
The most important phases are Dev and QA
Besides functional testing, also inject ZAP for security testing
https://github.com/zaproxy/zaproxy/wiki/SecRegTests
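An added example (not from the slides or the ZAP project) of the "inject ZAP into Dev and QA" idea together with the REST API mentioned earlier: a small Python gate that talks to ZAP's JSON API (the `/JSON/<component>/<view|action>/<name>/` URL shape), pulls the alerts for a target, and fails the build when any alert reaches a chosen risk level. The ZAP address and API key are placeholders, and the embedded alert list is a constructed sample in the shape `core/view/alerts` returns, so the summarising and gating logic runs without a live ZAP.

```python
import json
import sys
import urllib.parse
import urllib.request
from collections import Counter

# Assumptions (not from the slides): ZAP listens on localhost:8080 and an API
# key is required. Both are placeholders to replace in a real pipeline.
ZAP_BASE = "http://localhost:8080"
API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL: /JSON/<component>/<view|action>/<name>/?..."""
    params["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def call_api(component, kind, name, **params):
    """Call the live ZAP API (needs a running ZAP; not exercised offline)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)


def fetch_alerts(target):
    """core/view/alerts returns {"alerts": [...]} with 'risk', 'alert', 'url', ..."""
    return call_api("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 2}."""
    return dict(Counter(a["risk"] for a in alerts))


def gate(alerts, fail_on="Medium"):
    """True when the build may proceed: no alert at or above the fail_on level."""
    threshold = RISK_ORDER[fail_on]
    return all(RISK_ORDER.get(a["risk"], 0) < threshold for a in alerts)


# Constructed sample in the shape core/view/alerts returns (not real scan output).
SAMPLE_ALERTS = [
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "http://app.test/login"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.test/"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.test/search"},
]

if __name__ == "__main__":
    # Against a live ZAP, replace the sample with: alerts = fetch_alerts("http://app.test")
    alerts = SAMPLE_ALERTS
    print(summarize(alerts))
    sys.exit(0 if gate(alerts) else 1)
```

Run it as the last step of a QA job after the spider and active scan have finished; a non-zero exit blocks the merge, and the `fail_on` level is the knob teams usually raise from Medium to High while they clear a backlog of older findings.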
11. Authentication
Context
A set of URLs grouped together
Good for categorising your web applications
Session Management
Cookie based
HTTP Header based
Authentication methods
Form, HTTP header or OAuth authentication
User Management
Define users and map them to HTTP sessions
12. HTTP Sessions
Browse your site with different accounts
All sessions are recorded in the HTTP Sessions tab
You can switch between them using "Set as active"
Refresh the page after switching the session
Flag the login page (username, password and indicators for login and logout)
Then click resend
13. HTTP Sessions
Demo
Browse the site anonymously
Login from the browser
Go to the login page and flag it as Context
Define usernames and passwords
Create Users
Spider the site as User
14. HTTP Sessions
This forces ZAP to log in again
Try to resend a page after removing the session cookie from the header
You can add a session manually
15. HTTP Sessions
With an Ajax site, the session may not be recorded
You can identify it manually
Right click and flag as session token
Right click and make it active
Then log out from the site and log in again
Sometimes you need to exclude the logout page to avoid session termination
16. Attacks and Attacks Strength
You can control the attacks and the attack strength
17. Statistics – ZAP Innovations
Released Sept 2010
ZAP 2.4.3 (Current Version)
V2.1 downloaded > 25k times
Translated into 20+ languages
Most Active OWASP project
28 active contributors
18. Zest
Scripting language developed by Mozilla team
Free and open source
Represented as JSON
Included with ZAP since 2.0
19. Fuzzing
Highlight the text (user input/parameters)
Select the fuzz category
Run it and watch the browser
You can use multiple fuzz payloads
20. Injection
Highlight the found text
You can get information from failed requests
You can also use your own patterns
21. Hashing and New UI
Included with ZAP
New UI: Hide or Show all tabs (also advanced options)
You can add notes and use filters in the History tab
Persistent sessions to resume your work
Define a scan policy to control the attacks
Don't stick with one tool; use more, because each one has its advantages