SlideShare a Scribd company logo

OWASP ZAP API Automation

Download as PPTX, PDF
Thivya Lakshmi
Thivya Lakshmi

Workshop on OWASP ZAP API automation

Technology
1 of 15
OWASP ZAP API Automation Workshop
Session Agenda ● Introduction to ZAP ● Familiarize with ZAP UI ● Hands on workshop of using ZAP with selenium ● Hands on some key features of ZAP using ZAP API ● Demo - ZAP Integration with CI/CD
What is ZAP ? ● The OWASP ZED Attack proxy (ZAP) is a penetration testing tool for finding vulnerabilities in the web applications. ● Designed to be used by people with wide range of security experience. ● Cross platform. ● Marketplace. ● Released on September 2010. ● Current version 2.7.0
Key Features of ZAP ● Intercepting proxy ● Spider ● Passive Scanners ● Active Scanners ● Fuzzing ● Report Generation
Active Scan ● Performs attacks on the application ● Run when explicitly invoked by the user ● Scan policy ● Set of pre configured rules ● Attack Strength ○ Low – to be up to 6 requests ○ Medium – to be up to 12 requests ○ High- to be up to 24 requests ○ Insane- to be over 24 requests ● Attack threshold ○ Off - scanner won't run. ○ Low - lead to false positives. ○ High - lead to false negatives ● Cannot identify any logical vulnerability ○ Example - broken access control
Report Generation Alert - Potential vulnerability Risk - Informational,Low,Medium,High Beware of false positives Confidence ● False Positive - for potential issues that you later find are not exploitable ● Low - for unconfirmed issues ● Medium - for issues you are somewhat confident of ● High - for findings you are highly confident in ● Confirmed - for confirmed issues Tag an alert to be false positive
Fuzzing Automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program ZAP allows you to fuzz any request using: ● A build in set of payloads ● Payloads defined by optional add-ons ● Custom scripts
HANDS ON ...
https://github.com/sukesh7/ZapWorkshop.git
Active Scan Rules ● Release quality: master/src/org/zaproxy/zap/extension/ascanrules ● Beta quality: branches/beta/src/org/zaproxy/zap/extension/ascanrulesBeta ● Alpha quality: branches/alpha/src/org/zaproxy/zap/extension/ascanrulesAlpha
Integration with CI/CD Security tests in CI pipeline - Early feedback on security vulnerabilities Steps: ● Start ZAP daemon on 8080 port ● Run tests ● Generate results ● Fail build for HIGH vulnerabilities ● Stop Server Demo on configuring ZAP in Go CI Active scan rules mapping page -https://www.owasp.org/index.php/ZAPpingTheTop10
More ZAP Features…. ● Authentication and session support ● Smartcard and client digital certificate support ● Anti CSRF token handling ● Port scanner ● WebSockets support. ● Marketplace
Questions ??
Thank you

Recommended

DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00
 
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...Archery Open Source Vulnerability Assessment and Management - null Bangalore ...
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...Anand Tiwari
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020Anand Tiwari
 
Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Anand Tiwari
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14
Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14
Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14Richard Olrichs
 
EFL QA Statistics
EFL QA StatisticsEFL QA Statistics
EFL QA StatisticsSamsung Open Source Group
 

Recommended

DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00
 
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...Archery Open Source Vulnerability Assessment and Management - null Bangalore ...
Archery Open Source Vulnerability Assessment and Management - null Bangalore ...Anand Tiwari
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020Anand Tiwari
 
Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Anand Tiwari
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14
Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14
Enforcing code guidelines by extending JDeveloper’s auditing framework @OOW14Richard Olrichs
 
EFL QA Statistics
EFL QA StatisticsEFL QA Statistics
EFL QA StatisticsSamsung Open Source Group
 
TestIstanbul 2015
TestIstanbul 2015TestIstanbul 2015
TestIstanbul 2015Martin Spier
 
Performance Testing using Taurus
Performance Testing using TaurusPerformance Testing using Taurus
Performance Testing using TaurusVodqaBLR
 
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...DroidConTLV
 
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Tabăra de Testare
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
How to Upgrade to the Newest Shiniest Django Version
How to Upgrade to the Newest Shiniest Django VersionHow to Upgrade to the Newest Shiniest Django Version
How to Upgrade to the Newest Shiniest Django VersionSusan Tan
 
PAC 2019 virtual Bruno Audoux
PAC 2019 virtual Bruno Audoux PAC 2019 virtual Bruno Audoux
PAC 2019 virtual Bruno Audoux Neotys
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
J hipster
J hipsterJ hipster
J hipsterRasmita Jena
 
Working With People Adl Uni
Working With People Adl UniWorking With People Adl Uni
Working With People Adl UniMatthew Landauer
 
Training Webinar: Top front-end techniques for OutSystems
Training Webinar: Top front-end techniques for OutSystems Training Webinar: Top front-end techniques for OutSystems
Training Webinar: Top front-end techniques for OutSystemsOutSystems
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDCThinqloud
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015Sumanth Damarla
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)JAINAM KAPADIYA
 

More Related Content

What's hot

Performance Testing using Taurus
Performance Testing using TaurusPerformance Testing using Taurus
Performance Testing using TaurusVodqaBLR
 
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...DroidConTLV
 
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Tabăra de Testare
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
How to Upgrade to the Newest Shiniest Django Version
How to Upgrade to the Newest Shiniest Django VersionHow to Upgrade to the Newest Shiniest Django Version
How to Upgrade to the Newest Shiniest Django VersionSusan Tan
 
PAC 2019 virtual Bruno Audoux
PAC 2019 virtual Bruno Audoux PAC 2019 virtual Bruno Audoux
PAC 2019 virtual Bruno Audoux Neotys
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Working With People Adl Uni
Working With People Adl UniWorking With People Adl Uni
Working With People Adl UniMatthew Landauer
 
Training Webinar: Top front-end techniques for OutSystems
Training Webinar: Top front-end techniques for OutSystems Training Webinar: Top front-end techniques for OutSystems
Training Webinar: Top front-end techniques for OutSystemsOutSystems
 

What's hot (12)

TestIstanbul 2015
TestIstanbul 2015TestIstanbul 2015
TestIstanbul 2015
 
Performance Testing using Taurus
Performance Testing using TaurusPerformance Testing using Taurus
Performance Testing using Taurus
 
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...
 
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
How to Upgrade to the Newest Shiniest Django Version
How to Upgrade to the Newest Shiniest Django VersionHow to Upgrade to the Newest Shiniest Django Version
How to Upgrade to the Newest Shiniest Django Version
 
PAC 2019 virtual Bruno Audoux
PAC 2019 virtual Bruno Audoux PAC 2019 virtual Bruno Audoux
PAC 2019 virtual Bruno Audoux
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
J hipster
J hipsterJ hipster
J hipster
 
Working With People Adl Uni
Working With People Adl UniWorking With People Adl Uni
Working With People Adl Uni
 
Training Webinar: Top front-end techniques for OutSystems
Training Webinar: Top front-end techniques for OutSystems Training Webinar: Top front-end techniques for OutSystems
Training Webinar: Top front-end techniques for OutSystems
 

Similar to OWASP ZAP API Automation

Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDCThinqloud
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CISimon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroSimon Bennetts
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)Martin Spier
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroSimon Bennetts
 

Similar to OWASP ZAP API Automation (20)

Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)Ensuring Performance in a Fast-Paced Environment (CMG 2014)
Ensuring Performance in a Fast-Paced Environment (CMG 2014)
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 

Recently uploaded

Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...SOFTTECHHUB
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 

Recently uploaded (20)

Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 

OWASP ZAP API Automation

  • 1. OWASP ZAP API Automation Workshop
  • 2. Session Agenda ● Introduction to ZAP ● Familiarize with ZAP UI ● Hands on workshop of using ZAP with selenium ● Hands on some key features of ZAP using ZAP API ● Demo - ZAP Integration with CI/CD
  • 3. What is ZAP ? ● The OWASP ZED Attack proxy (ZAP) is a penetration testing tool for finding vulnerabilities in the web applications. ● Designed to be used by people with wide range of security experience. ● Cross platform. ● Marketplace. ● Released on September 2010. ● Current version 2.7.0
  • 4.
  • 5. Key Features of ZAP ● Intercepting proxy ● Spider ● Passive Scanners ● Active Scanners ● Fuzzing ● Report Generation
  • 6. Active Scan ● Performs attacks on the application ● Run when explicitly invoked by the user ● Scan policy ● Set of pre configured rules ● Attack Strength ○ Low – to be up to 6 requests ○ Medium – to be up to 12 requests ○ High- to be up to 24 requests ○ Insane- to be over 24 requests ● Attack threshold ○ Off - scanner won't run. ○ Low - lead to false positives. ○ High - lead to false negatives ● Cannot identify any logical vulnerability ○ Example - broken access control
  • 7. Report Generation Alert - Potential vulnerability Risk - Informational,Low,Medium,High Beware of false positives Confidence ● False Positive - for potential issues that you later find are not exploitable ● Low - for unconfirmed issues ● Medium - for issues you are somewhat confident of ● High - for findings you are highly confident in ● Confirmed - for confirmed issues Tag an alert to be false positive
  • 8. Fuzzing Automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program ZAP allows you to fuzz any request using: ● A build in set of payloads ● Payloads defined by optional add-ons ● Custom scripts
  • 11. Active Scan Rules ● Release quality: master/src/org/zaproxy/zap/extension/ascanrules ● Beta quality: branches/beta/src/org/zaproxy/zap/extension/ascanrulesBeta ● Alpha quality: branches/alpha/src/org/zaproxy/zap/extension/ascanrulesAlpha
  • 12. Integration with CI/CD Security tests in CI pipeline - Early feedback on security vulnerabilities Steps: ● Start ZAP daemon on 8080 port ● Run tests ● Generate results ● Fail build for HIGH vulnerabilities ● Stop Server Demo on configuring ZAP in Go CI Active scan rules mapping page -https://www.owasp.org/index.php/ZAPpingTheTop10
  • 13. More ZAP Features…. ● Authentication and session support ● Smartcard and client digital certificate support ● Anti CSRF token handling ● Port scanner ● WebSockets support. ● Marketplace