2. The plan
• Introduction
• The main bit
• Demo feature
• Let you play with feature
• Answer any questions
• Repeat
• Plans for the future sessions
3. What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2013
• Not a silver bullet!
4. ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components
5. Statistics
• Released September 2010, fork of Paros
• V 2.3.1 released in May 2014
• V 2.3.1 downloaded > 35K times
• Translated into 20+ languages
• Over 90 translators
• Mostly used by Professional Pentesters?
• Paros code: ~20% ZAP Code: ~80%
6. Open HUB Statistics
• Very High Activity
• The most active OWASP Project
• 31 active contributors
• 327 years of effort
Source: https://www.openhub.net/p/zaproxy
7. Some ZAP use cases
• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
• Debugging
• Part of a larger security program
8. The BodgeIt Store
• A simple vulnerable web app
• Easy to install, minimal dependencies
• In memory db
• Scoring page – how well can you do?
9. The ZAP UI
• Top level menu
• Top level toolbar
• Tree window
• Workspace window
• Information window
• Footer
10. Quick Start - Attack
• Specify one URL
• ZAP will spider that URL
• Then perform an Active Scan
• And display the results
• Simple and effective
• Little control, and it can't handle authentication
11. Proxying via ZAP
• Plug-n-Hack is the easiest option if you are using Firefox
• Otherwise manually configure your browser to proxy via ZAP (by default 127.0.0.1, port 8080)
• And import the ZAP root CA, or every HTTPS site will show a certificate warning
• Requests made via your browser should then appear in the Sites & History tabs
• IE – don't tick “Bypass proxy for local addresses”, or traffic to localhost never reaches ZAP
12. Practical 1
• Try out the Quick Start – Attack
• Configure your browser to proxy via ZAP
• Manually explore your target application
13. The Spiders
• Traditional Spider
  • Fast
  • Only follows links found in the HTML, so it can't handle JavaScript very well
• AJAX Spider
  • Launches a real browser
  • Slower
  • Can handle JavaScript, because links generated at runtime are visible to it
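To show what the traditional spider does (and does not) see, here is a minimal HTML-only crawler run over a constructed in-memory site. This is an added example, not ZAP's spider code; the hostname bodgeit.example and the page contents are made up for the demo. The basket page links to the orders page only from JavaScript, which is exactly the case the AJAX spider exists for.

```python
"""Minimal 'traditional' spider: added example, not ZAP code.

The site below is constructed in memory (bodgeit.example is an assumed
name). basket.jsp only links to orders.jsp via document.write, so an
HTML-only crawler never reaches it; a browser-driven (AJAX) spider would.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed sample site: URL -> HTML body.
SITE = {
    "http://bodgeit.example/": (
        '<a href="/about.jsp">About</a>'
        '<a href="basket.jsp">Basket</a>'
        '<a href="/about.jsp#team">Team</a>'
        '<a href="http://other.example/">Elsewhere</a>'),
    "http://bodgeit.example/about.jsp":
        '<a href="/">Home</a><a href="/contact.jsp">Contact</a>',
    "http://bodgeit.example/basket.jsp": (
        "<script>document.write('<a href=\"/orders.jsp\">Orders</a>');</script>"
        '<a href="/">Home</a>'),
    "http://bodgeit.example/contact.jsp": "<p>No links here.</p>",
    "http://bodgeit.example/orders.jsp": "<p>Only reachable via JavaScript.</p>",
}


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site (None = 404)."""
    return SITE.get(url)


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags.

    HTMLParser hands the contents of <script> to handle_data as plain text,
    so markup that JavaScript would write into the page is never parsed."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def traditional_spider(start, max_pages=100):
    """Breadth-first crawl limited to the start URL's host.

    Returns the URLs in visit order. Fragments are dropped so that
    /about.jsp and /about.jsp#team count as one page, and links to other
    hosts are ignored (the spider stays in scope)."""
    host = urlparse(start).netloc
    seen, queue, visited = set(), deque([start]), []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.hrefs:
            absolute = urldefrag(urljoin(url, href)).url
            if urlparse(absolute).netloc == host and absolute not in seen:
                queue.append(absolute)
    return visited


if __name__ == "__main__":
    for page in traditional_spider("http://bodgeit.example/"):
        print(page)
```

The crawl stops at four pages and never lists orders.jsp: the link exists only inside a script string, which the parser treats as text. That is the same blind spot the slide describes for ZAP's traditional spider, and why the AJAX spider drives a real browser instead.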
14. Practical 2
• Use the 'traditional' spider on your target application
• Use the AJAX spider on your target application
• If you're using BodgeIt – can you find the 'hidden' content?
15. Active and Passive Scanning
• Passive Scanning is safe: it only examines the requests and responses that already pass through ZAP, and sends nothing to the target
• Active Scanning is NOT safe: it sends attack payloads to the target
• Only use it on apps you have permission to test
• Launch via the tab or the 'attack' right-click menu
• Effectiveness depends on how well you explored your app, since both scanners only see the pages ZAP knows about
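The following added example makes the "passive scanning is safe" point concrete: a few passive rules in the spirit of ZAP's own (missing anti-clickjacking header, cookie flags, version leak, password autocomplete) run over a recorded response. It is not ZAP's rule code; the response bytes, cookie names and the URL https://bodgeit.example/bodgeit/login.jsp are constructed for the demo. Note that the scan function only reads data and never opens a connection, which is what makes it safe to run on any traffic.

```python
"""Passive-scan rules over a recorded HTTP response: added example, not
ZAP's own rule implementations.

passive_scan() never sends anything; it only inspects a response that
already passed through the proxy. The two responses below are constructed:
WEAK is deliberately poor, FIXED has the same issues remediated.
"""
import re

URL = "https://bodgeit.example/bodgeit/login.jsp"  # assumed target URL

WEAK = (b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache-Coyote/1.1\r\n"
        b"Content-Type: text/html;charset=UTF-8\r\n"
        b"Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/bodgeit\r\n"
        b"Set-Cookie: b_id=42; Path=/bodgeit; HttpOnly\r\n"
        b"\r\n"
        b'<html><body><form action="login.jsp" method="POST">'
        b'<input name="username">'
        b'<input type="password" name="password">'
        b"</form></body></html>")

FIXED = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html;charset=UTF-8\r\n"
         b"X-Frame-Options: DENY\r\n"
         b"X-Content-Type-Options: nosniff\r\n"
         b"Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/bodgeit; Secure; HttpOnly\r\n"
         b"\r\n"
         b'<form action="login.jsp" method="POST">'
         b'<input type="password" name="password" autocomplete="off">'
         b"</form>")

PASSWORD_INPUT = re.compile(
    r"<input\b[^>]*\btype\s*=\s*[\"']?password[\"']?[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"\bautocomplete\s*=\s*[\"']?off[\"']?", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body.decode("utf-8", "replace")


def header_values(headers, name):
    """All values of a header (headers may repeat, e.g. Set-Cookie)."""
    return [v for n, v in headers if n == name.lower()]


def cookie_attrs(set_cookie):
    """'JSESSIONID=x; Path=/; HttpOnly' -> ('JSESSIONID', {'path', 'httponly'})."""
    name_value, *attrs = set_cookie.split(";")
    name = name_value.split("=", 1)[0].strip()
    return name, {a.strip().split("=", 1)[0].lower() for a in attrs if a.strip()}


def passive_scan(url, raw):
    """Return (rule, evidence) tuples for one response. Read-only: no I/O."""
    _status, headers, body = parse_response(raw)
    alerts = []
    is_html = any(v.lower().startswith("text/html")
                  for v in header_values(headers, "content-type"))
    if is_html and not header_values(headers, "x-frame-options"):
        alerts.append(("X-Frame-Options Header Not Set", url))
    if not header_values(headers, "x-content-type-options"):
        alerts.append(("X-Content-Type-Options Header Missing", url))
    for server in header_values(headers, "server"):
        if re.search(r"\d", server):  # a version number in the banner
            alerts.append(("Server Leaks Version Information", server))
    for cookie in header_values(headers, "set-cookie"):
        name, attrs = cookie_attrs(cookie)
        if "httponly" not in attrs:
            alerts.append(("Cookie No HttpOnly Flag", name))
        if url.lower().startswith("https://") and "secure" not in attrs:
            alerts.append(("Cookie Without Secure Flag", name))
    if is_html:
        for tag in PASSWORD_INPUT.findall(body):
            if not AUTOCOMPLETE_OFF.search(tag):
                alerts.append(("Password Autocomplete in Browser", tag))
    return alerts


if __name__ == "__main__":
    for rule, evidence in passive_scan(URL, WEAK):
        print(f"{rule}: {evidence}")
    print("fixed response:", passive_scan(URL, FIXED))
```

Each rule here is decided purely from the bytes already captured, which is why ZAP runs passive rules on everything it proxies by default. An active rule for the same login page would instead send its own requests (for example a probe value in the username field) and watch what comes back, and that is the part that needs permission.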
16. Practical 3
• Review the Passive issues already found
• Run the Active Scanner on your target application
• If you're using BodgeIt –
  • Can you login as user1 or admin?
  • Can you get an “XSS” popup?
17. Intercepting and changing
• Break on all requests
• Break on all responses
• Submit and step
• Submit and continue
• Bin the request or response
• Add a custom HTTP break point
18. Practical 4
• Intercept and change requests and responses
• Use custom break points just on a specific page
• If you're using BodgeIt – can you make some money via the basket?
19. Some final pointers
• Generating reports
• Save sessions at the start
• Right click everywhere
• Play with the UI options
• Explore the ZAP Marketplace
• F1: The User Guide
• Menu: Online / ZAP User Group
20. Future Sessions?
• Fuzzing
• Advanced Active Scanning
• Contexts
• Authentication
• Scripts
• Zest
• The API
• Websockets
• What do you want??