The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications

1. OWASP Zed Attack Proxy
FADI ABDULWAHAB
FABDULWAHAB.COM

2. Overview
 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
 Pen Testing tool for web applications
 Easy to install (required Java as prerequisites)
 Free and open source (World contribution)
 Ideal for beginners and professionals
 Support automation
 Cross platform(Windows , Linux and Mac)
 Fully documented and Integrated with other tools

3. Overview
 Intercepting tool
 Active /Passive scanning
 Spider to crawl the site (also support Ajax spider for heavy JavaScript applications)
 Report Generation with useful information and recommendation
 Brute force (based on OWASP DirBuster tool)
 https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
 It is now included in the ZAP Marketplace as a ZAP add-on rather than as a stand-alone tool
 to brute force directories and files names on web/application servers
 Fuzzing (using fuzzdb and OWASP JBroFuzz)
 https://github.com/fuzzdb-project/fuzzdb
 https://www.owasp.org/index.php/JBroFuzz

4. Overview
 Auto tagging (hidden filed , cookie …)
 Port scanning
 Parameters analysis
 Support Web socket
 http://browserquest.mozilla.org/
 Support HTTP Sessions
 Has REST API (Tools >> Browse API)
 Has Dynamic SSL certificate to generate root certificate for browsers
 Support Anti-CSRF token
 Framework for other tools

5. Overview
 Quick Test
 No authentication
 Spider not covering everything
 Add extensions/update as marketplace (Add-ons)
 Debug and breakpoints
 Support Context(Scopes)
 Exclude/Include URLs
 Authentication
 Modes
 Safe (passive), Protected(within scope) and Standard
 You can scan Subtree only

6. Overview
 You can write Java or python codes
 ZAP embedded into ThreadFix (Denim Group) and Minion (Mozilla)
 Integrated with Firefox as Plug-in-Hack
 Intercept client side GET/POST requests
 Use less memory and has minimum false positive risks

7. Installation and Configuration
 Download it
 Install it
 Configure browser proxy (local proxy)
 Run ZAP
 Browser your application manually (No one know the application functionalities like
you)
 Use spider for more hidden content (beside manual browsing also find logical tests)
 Run Attacks to find vulnerabilities

8. Initial Setup
 Configure Proxy(Options >> Local Proxy…)
 Import SSL certificate (.cer) to certificate manger in your browser if you need to
intercept SSL websites (Options >> Dynamic SSL…)
 chrome://settings/search#ssl
 Open Sites Tab to view resources which have been visited
 Check Request/Response
 Vulnerable Site https://github.com/psiinon/bodgeit

9. Security Testing in Dev and QA
 Consider security in all phases of project
 It’s a risk to postpone this testing at the end of project lifecycle
 Most important phases are Dev and QA
 Beside testing functionality test also inject ZAP for security Test
 https://github.com/zaproxy/zaproxy/wiki/SecRegTests

10. Security Testing in Dev and QA

11. Authentication
 Context
 A set of URLs together
 Good to Categories your web applications
 Session Management
 Cookie based
 HTTP Header based
 Authentication methods
 Form , HTTP Header or oAuth authentication
 User Management
 Define users and map them to HTTP sessions

12. HTTP Sessions
 Browser your site with different accounts
 All sessions are recorded to HTTP Session tab
 You can switch between them using “Set as active”
 Refresh the page after switching the session
 Flag login page (username , password and indicators for login and logout)
 Then click resend

13. HTTP Sessions
 Demo
 Browse the site anonymously
 Login from the browser
 Go to login page and flag as Context
 Define Username , passwords
 Create Users
 Spider the site as User

14. HTTP Sessions
 This force ZAP to login again
 Try to resend a page after removing session cookie from header
 You can add session manually

15. HTTP Sessions
 With Ajax site , maybe the session is not recorded
 You can identify it manually
 Right click and Flag as Session token
 Right click and make it active
 Then logout from the site and login again
 Sometime you need to exclude logout page to avoid session termination

16. Attacks and Attacks Strength
 You can control the attacks and attacks strength

17. Statistics – ZAP Innovations
 Released Sept 2010
 ZAP 2.4.3 (Current Version)
 V 2.1 downloaded > 25k times
 Translated into 20+ languages
 Most Active OWASP project
 28 active contributors

18. Zest
 Scripting language developed by Mozilla team
 Free and open source
 Represent JSON
 Included with ZAP from 2.0

19. Fuzzing
 Highlight the text (user input/parameters)
 Select Fuzz category
 Run it and see the browser
 You can use multiple fuzz payloads

20. Injection
 Highlight the found text
 You can get information from failed requests
 Also use your patterns

21. Hashing and New UI
 Included with ZAP
 New UI: Hide or Show all tabs (also advanced options)
 You can add note and use filter in history tab
 Persistent Session to resume your work
 Define Scan policy to control the attacks
Don’t stick with one tool , use more because each one has its advantages

22. References
 https://www.youtube.com/watch?v=eH0RBI0nmww&list=PLEBitBW-
Hlsv8cEIUntAO8st2UGhmrjUB