The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Prowareness Tech
Talk Tuesdays
22 Dec 2015
Automating Web Application
Security Testing with OWASP
ZAP DOT NET API
The OWASP Zed Attack Proxy
https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI
Marudhamaran Gunasekaran
Zap Contributor
@gmaran23
Prelude
• This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs):
• Practical Security Testing For Developers Using OWASP ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration - http://wp.me/p323iP-fV
• Dot Net Web Application Security - http://wp.me/p323iP-fS
• http://wp.me/p323iP-ib
Agenda
• Application Security Program Challenges
• Why OWASP ZAP?
• Earlier episodes on Dot Net Security and OWASP ZAP
• ZAP – Operating Modes
• ZAP Demonstration – API
• OWASP ZAP DOT NET API - Automating
The problems
• Most developers know very little about security
• Most companies have very few application security folks
• External consultants cost $$$$$
• Security testing is done late in the application development lifecycle (if it is done at all)
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews, professional pentesting…
Why ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Source code updated almost every day
• One of the OWASP Flagship projects
• Ideal for beginners, but also used by professionals
• Powerful API - for automated security tests
The app sec foundations
• Vulnerability Analysis
– Look for weak spots
• Penetration Testing
– Exploit the weaknesses
• Security Testing
– May involve both or just VA
The app sec tool foundations
• Spider or Crawler
– Gather information about what to attack
• Passive Scan
– Static analysis on the gathered information (HTTP requests and responses)
• Active Scan
– Send attack (potentially harmful) payloads to exploit / confirm weakness
Download ZAP
• Download OWASP ZAP - https://www.owasp.org/index.php/OWASP_Zed_Attack_Prox
ZAP API demo
Headless attack!
Introducing the OWASP ZAP DOT NET API
https://www.nuget.org/packages/OWASPZAPDotNetAPI/
OWASP ZAP DOT NET API
Source Code and Samples: https://github.com/zaproxy/zap-api-dotnet
Automating authenticated scans
1. Create a context in the name of the application
2. Choose the mode of authentication (for instance Forms Authentication)
3. Provide Authentication information
4. Spider
5. Scan
6. Verify
7. Fix
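The seven steps above, and the spider / passive scan / active scan sequence from the "app sec tool foundations" slide, as one console program written against the OWASP ZAP .NET API. This is an added example, not code from the slides or from the zap-api-dotnet project. It assumes ZAP is running locally on port 8080 with the API key "changeme"; the application under test, its login URL, the form field names and the test account are placeholders; and the method names, parameter lists and response classes (ClientApi, IApiResponse, ApiResponseElement, ApiResponseList, ApiResponseSet) mirror the ZAP REST API actions the generated client exposes, which vary slightly between ZAP versions, so check them against the samples in the package repository before running.

```csharp
// Added example, not part of the slides or of zap-api-dotnet. Assumptions: local ZAP on
// port 8080 with API key "changeme"; placeholder target app, login URL, form fields and
// test account; method/response-class names follow the generated client (verify them
// against the package samples for your ZAP version).
using System;
using System.IO;
using System.Threading;
using System.Web;
using OWASPZAPDotNetAPI;

class AuthenticatedScan
{
    const string Target = "http://localhost:5000";   // placeholder: the application under test
    const string ContextName = "MyApp";

    // Single-value responses (ids, status percentages) come back as ApiResponseElement.
    static string Value(IApiResponse response)
    {
        return ((ApiResponseElement)response).Value;
    }

    // spider.status and ascan.status report progress as a percentage string.
    static void WaitForCompletion(Func<string> status)
    {
        while (int.Parse(status()) < 100)
        {
            Thread.Sleep(2000);
        }
    }

    static void Main()
    {
        var zap = new ClientApi("localhost", 8080, "changeme");

        // 1. A context named after the application; includeInContext defines what is in scope.
        string contextId = Value(zap.context.newContext(ContextName));
        zap.context.includeInContext(ContextName, Target + ".*");

        // 2. Forms authentication: the login URL and POST body, using ZAP's credential placeholders.
        string loginRequest = "UserName={%username%}&Password={%password%}";
        string authConfig = "loginUrl=" + HttpUtility.UrlEncode(Target + "/Account/Login") +
                            "&loginRequestData=" + HttpUtility.UrlEncode(loginRequest);
        zap.authentication.setAuthenticationMethod(contextId, "formBasedAuthentication", authConfig);
        // A logged-in indicator lets ZAP notice a dropped session and re-authenticate mid-scan.
        zap.authentication.setLoggedInIndicator(contextId, "\\QLog off\\E");

        // 3. Authentication information: a ZAP user carrying a dedicated test account's credentials.
        string userId = Value(zap.users.newUser(contextId, "scan-user"));
        zap.users.setAuthenticationCredentials(contextId, userId,
            "username=" + HttpUtility.UrlEncode("tester") +
            "&password=" + HttpUtility.UrlEncode("Test-Pa55word"));
        zap.users.setUserEnabled(contextId, userId, "true");

        // 4. Spider as that user so pages behind the login are discovered. ZAP passively scans
        //    every request and response the spider produces, so passive findings accumulate here.
        string spiderId = Value(zap.spider.scanAsUser(contextId, userId, Target, "", "true", "false"));
        WaitForCompletion(() => Value(zap.spider.status(spiderId)));

        // 5. Active scan as the same user. This sends attack payloads, so point it at a
        //    disposable test instance of the application.
        string scanId = Value(zap.ascan.scanAsUser(Target, contextId, userId, "true", "", "", ""));
        WaitForCompletion(() => Value(zap.ascan.status(scanId)));

        // 6. Verify: count High-risk alerts and save the HTML report for the team.
        int highRisk = 0;
        var alerts = (ApiResponseList)zap.core.alerts(Target, "", "");
        foreach (ApiResponseSet alert in alerts.List)
        {
            if (alert.Dictionary["risk"] == "High") highRisk++;
        }
        File.WriteAllBytes("zap-report.html", zap.core.htmlreport());
        Console.WriteLine("Alerts: {0}, high risk: {1}", alerts.List.Count, highRisk);

        // 7. Fix: a non-zero exit code fails the build, so the findings have to be fixed
        //    (or reviewed and marked as false positives in ZAP) before the next run passes.
        Environment.Exit(highRisk > 0 ? 1 : 0);
    }
}
```

Run the program from a CI job after deploying the build to a test environment; because it polls the spider and active scan to completion and exits non-zero on High-risk alerts, the same run doubles as the security regression test the next slides describe.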
Security Regression Testing
Well, let me watch you here!
ZAP – Need Help?
ZAP user group - https://groups.google.com/forum/#!forum/zaproxy-users
ZAP Evangelists - https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists
ZAP Developers group - https://groups.google.com/forum/#!forum/zaproxy-develo
ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
Conclusion
• Consider security at all stages of development cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is nothing, with ‘right set of’ tools he is all.”
Any Questions?
http://www.owasp.org/index.php/ZAP
Postlude
• This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs):
• Practical Security Testing For Developers Using OWASP ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration - http://wp.me/p323iP-fV
• Dot Net Web Application Security - http://wp.me/p323iP-fS
• http://wp.me/p323iP-ib
Postlude - Extended
• OWASP App sec tutorial series - https://www.youtube.com/user/AppsecTutorialSeries
• OWASP ZAP – Ajax Spidering with Authentication - http://wp.me/p323iP-en
• Cross Site Scripting [XSS] - http://wp.me/p323iP-es
• XML – Attack surface and Defenses - http://wp.me/p323iP-cU
• Sql injection exploitation and prevention part 1 - http://wp.me/p323iP-bi
• Sql injection exploitation and prevention part 2 - http://wp.me/p323iP-by