Automating Web Application Security Testing With OWASP ZAP DOT NET API - Dot Net Bangalore Nov 28 2015 Marudhamaran Gunasekaran
https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI2
2. 2
Prelude
• This talk builds on the previous talks at Dot Net
Bangalore. If you are new to OWASP ZAP, watch
these first (scan the QR code for the URLs)
• Practical Security Testing For Developers Using OWASP
ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration –
http://wp.me/p323iP-fV
• Dot Net Web Application Security
http://wp.me/p323iP-fS
http://wp.me/p323iP-ib
3. 3
Agenda
• Application Security Program Challenges
• Why OWASP ZAP?
• Earlier episodes on Dot Net Security and
OWASP ZAP
• ZAP – Operating Modes
4. 4
The problems
• Most developers know very little about security
• Most companies have very few application
security folks
• External consultants cost $$$$$
• Security testing is done late in the application
development lifecycle (if it is done at all)
5. 5
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure
development lifecycle, threat modelling,
static source code analysis, secure code
reviews, professional pentesting…
6. 6
Why ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Source code updated almost every day
• One of the OWASP Flagship projects
• Ideal for beginners, but also used by professionals
• Powerful API - for automated security tests
7. 7
The app sec foundations
• Vulnerability Analysis
– Look for weak spots
• Penetration Testing
– Exploit the weaknesses
• Security Testing
– May involve both or just VA
8. 8
The app sec tool foundations
• Spider or Crawler
– Gather information about what to attack (URLs,
forms, parameters)
• Passive Scan
– Static analysis on the gathered information
(HTTP requests and responses); sends no
requests of its own, so it is safe on any target
• Active Scan
– Send attack (potentially harmful) payloads to
exploit / confirm weakness; only run it against a
deployment you are permitted to damage
12. 12
OWASP ZAP DOT NET API
Source Code and Samples
https://github.com/zaproxy/zap-api-dotnet
13. 13
Automating authenticated scans
1. Create a context in the name of the application
(and put the application URLs in scope)
2. Choose the mode of authentication (for instance
Forms Authentication)
3. Provide authentication information (login URL,
login request data, a logged-in indicator, and a
user with credentials)
4. Spider (as that user)
5. Scan (passive, then active, as that user)
6. Verify (review the alerts / report)
7. Fix
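The spider / passive scan / active scan pipeline and the seven-step authenticated-scan recipe above, combined into one C# program as an added example; this is not code from the talk or from the zap-api-dotnet repository. It assumes ZAP is already running on 127.0.0.1:7070 with the API key "changeme"; Target, LoginUrl, the form field names, the credentials and the logged-in indicator are hypothetical, and the parameter lists and return types follow the zap-api-dotnet release current at the time of the talk (later releases add optional parameters).

```csharp
// Added example (not from the talk or zap-api-dotnet): authenticated spider,
// passive scan and active scan through the OWASP ZAP .NET API, then alerts.
//
// Assumptions not on the page: ZAP at 127.0.0.1:7070 with API key "changeme";
// Target, LoginUrl, form field names and credentials are hypothetical; method
// signatures follow the zap-api-dotnet release current at the time of the talk.
using System;
using System.IO;
using System.Threading;
using OWASPZAPDotNetAPI;

class AuthenticatedZapScan
{
    const string ZapHost     = "127.0.0.1";
    const int    ZapPort     = 7070;
    const string ApiKey      = "changeme";                  // assumption
    const string Target      = "http://localhost:8080/app"; // assumption
    const string ContextName = "app";
    const string LoginUrl    = Target + "/login";           // assumption
    const string UserName    = "tester";                    // assumption
    const string Password    = "S3cret!";                   // assumption

    static readonly ClientApi api = new ClientApi(ZapHost, ZapPort, ApiKey);

    // Most API calls return one value wrapped in an ApiResponseElement.
    static string Value(IApiResponse r) => ((ApiResponseElement)r).Value;

    // Poll until the predicate holds; scans report progress as 0-100 percent.
    static void WaitUntil(Func<bool> done, string what)
    {
        while (!done())
        {
            Console.WriteLine("waiting for " + what + " ...");
            Thread.Sleep(2000);
        }
    }

    static int Main()
    {
        // 1. Context named after the application; everything under Target is in scope.
        api.context.newContext(ContextName);
        api.context.includeInContext(ContextName, Target + ".*");
        string contextId = ((ApiResponseSet)api.context.context(ContextName)).Dictionary["id"];

        // 2. Forms authentication. ZAP substitutes {%username%}/{%password%} into
        //    the POST body; both config values must be URL-encoded inside the string.
        string loginRequestData = Uri.EscapeDataString("username={%username%}&password={%password%}");
        string authConfig = "loginUrl=" + Uri.EscapeDataString(LoginUrl)
                          + "&loginRequestData=" + loginRequestData;
        api.authentication.setAuthenticationMethod(contextId, "formBasedAuthentication", authConfig);
        // A regex that matches only logged-in responses lets ZAP notice a lost
        // session and re-authenticate instead of silently scanning as anonymous.
        api.authentication.setLoggedInIndicator(contextId, "\\QLogout\\E");   // assumption

        // 3. A ZAP user in that context carrying the credentials.
        string userId = Value(api.users.newUser(contextId, UserName));
        api.users.setAuthenticationCredentials(contextId, userId,
            "username=" + Uri.EscapeDataString(UserName) + "&password=" + Uri.EscapeDataString(Password));
        api.users.setUserEnabled(contextId, userId, "true");

        // 4. Spider as that user. The passive scanner inspects every request and
        //    response the spider produces without sending traffic of its own, so
        //    wait for its queue to drain before reading alerts.
        string spiderId = Value(api.spider.scanAsUser(contextId, userId, Target, "", "", ""));
        WaitUntil(() => int.Parse(Value(api.spider.status(spiderId))) >= 100, "spider");
        WaitUntil(() => int.Parse(Value(api.pscan.recordsToScan())) == 0, "passive scan");

        // 5. Active scan as that user: this sends attack payloads, so point it
        //    only at a test deployment you are allowed to damage.
        string ascanId = Value(api.ascan.scanAsUser(Target, contextId, userId, "", "", "", ""));
        WaitUntil(() => int.Parse(Value(api.ascan.status(ascanId))) >= 100, "active scan");

        // 6. Verify: list the alerts and keep the XML report for whoever does
        //    step 7 (fix). A non-zero exit code fails the CI job on High risk.
        int high = 0;
        var alerts = (ApiResponseList)api.core.alerts(Target, "", "");
        foreach (ApiResponseSet alert in alerts.List)
        {
            string risk = alert.Dictionary["risk"];
            Console.WriteLine($"{risk,-13} {alert.Dictionary["alert"]}  {alert.Dictionary["url"]}");
            if (risk == "High") high++;
        }
        File.WriteAllBytes("zap-report.xml", api.core.xmlreport());

        Console.WriteLine(high == 0 ? "no High-risk alerts" : high + " High-risk alert(s)");
        return high == 0 ? 0 : 1;
    }
}
```

Start ZAP headless first, for example with `zap.sh -daemon -port 7070 -config api.key=changeme`, and run the program from the build after the test deployment is up. The passive-scan wait matters: alerts read while `pscan.recordsToScan()` is still non-zero miss findings from the last responses the spider fetched.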
16. ZAP – Need Help?
ZAP user group -
https://groups.google.com/forum/#!forum/zaproxy-users
ZAP Evangelists -
https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists
ZAP Developers group -
https://groups.google.com/forum/#!forum/zaproxy-develo
17. ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
18. Conclusion
• Consider security at all stages of the development cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is nothing,
with the ‘right set of’ tools he is all”
21. 21
Postlude - Extended
• OWASP App sec tutorial series
https://www.youtube.com/user/AppsecTutorialSeries
• OWASP ZAP – Ajax Spidering with Authentication
http://wp.me/p323iP-en
• Cross-Site Scripting (XSS)
http://wp.me/p323iP-es
• XML – Attack surface and Defenses
http://wp.me/p323iP-cU
• SQL injection exploitation and prevention part 1
http://wp.me/p323iP-bi
• SQL injection exploitation and prevention part 2
http://wp.me/p323iP-by