OWASP 2013 EU Tour Amsterdam ZAP Intro

•Transferir como ODP, PDF•

3 gostaram•2,758 visualizações

Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation as part of the 2013 OWASP EU Tour in Amsterdam. For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Tecnologia

The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP EU Tour
2013
An Introduction to ZAP
OWASP
Zed Attack Proxy
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
psiinon@gmail.com

2
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Not a silver bullet!

3
ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components

4
Statistics
• Released September 2010, fork of Paros
• V 2.1.0 released in April 2013
• V 2.1.0 downloaded > 10K times
• 16 active contributors (Ohloh)
• 120 Person years (Ohloh)
• Translated into 17 languages
• Mostly used by Professional Pentesters?
• Paros code: ~30% ZAP Code: ~70%

5
The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and Ajax Spiders
• WebSockets support
• Forced Browsing (using OWASP DirBuster
code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Online Add-ons Marketplace

6
Developer Features
• Quick start
• REST API
• Java and Python clients
• Headless mode
• Anti CSRF token handling
• Authentication support
• Auto updating
• Modes

7
Some Additional Features
• Auto tagging
• Port scanner
• Script Console
• Report generation
• Smart card support
• Contexts and scope
• Session management
• Invoke external apps
• Dynamic SSL Certificates

How can you use ZAP?
• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
8

9
Regression Tests
http://code.google.com/p/zaproxy/wiki/SecRegTests
Security


Ajax Spider via Crawljax
Guifre Ruiz

WebSockets support
Robert Kock

New Spider plus Session awareness
Cosmin Stefan
All in current release (2.1.0)

• Dynamically Configurable Actions
Alessandro Secco
• SAML 2.0
Pulasthi Mahawithana
• Enhanced HTTP Session Handling
Cosmin Stefan
• Advanced Reporting using BIRT
Rauf Butt
• CMS Scanner
Abdelhadi Azouni

But theres more!
• Minion – ZAP (+ more) in “the Cloud”
Stefan Arentz + others
• Plug-n-hack : Easy Browser Integration
Mark Goodwin + Simon Bennetts
• Zest – Security scripting
Simon Bennetts + Alessandro Secco
• Importing ModSecurity logs
Joe Kirwin (Mozilla mentorship)
• New networking features
(Mozilla intern)

Collaborations
• Dradis – ZAP upload plugin
• OWASP ModSecurity Core Rule Set
script – SpiderLabs
• ThreadFix – Denim Group
• Ultimate Obsolete File Detection
– Hacktics ASC, Ernst & Young
• Grey-box plugin – BCC Risk Advisory
13

Any Questions?
http://www.owasp.org/index.php/ZAP

Mais conteúdo relacionado

Mais procurados

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014

gmaran23

Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/ The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode. This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.

Automating OWASP ZAP - DevCSecCon talk

Simon Bennetts

BlackHat 2014 OWASP ZAP Turbo Talk

Simon Bennetts

2014 ZAP Workshop 1: Getting Started

Simon Bennetts

JavaOne 2014 Security Testing for Developers using OWASP ZAP

Simon Bennetts

2014 ZAP Workshop 2: Contexts and Fuzzing

Simon Bennetts

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...

gmaran23

https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges. This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...

gmaran23

OWASP 2013 APPSEC USA ZAP Hackathon

Simon Bennetts

AllDayDevOps ZAP automation in CI

Simon Bennetts

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oct 15 2017 http://cybersecurity.withthebest.com In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...

gmaran23

Owasp zap

ColdFusionConference

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

ZAP @FOSSASIA2015

Sumanth Damarla

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

gmaran23

2017 DevSecCon ZAP Scripting Workshop

Simon Bennetts

2017 Codemotion OWASP ZAP in CI/CD

Simon Bennetts

2021 ZAP Automation in CI/CD

Simon Bennetts

Scripts that automate OWASP ZAP as part of a continuous delivery pipeline

Sherif Mansour

Zed Attack Proxy (ZAP)

JAINAM KAPADIYA

The OWASP Zed Attack Proxy

Aditya Gupta

Mais procurados (20)

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014

Automating OWASP ZAP - DevCSecCon talk

BlackHat 2014 OWASP ZAP Turbo Talk

2014 ZAP Workshop 1: Getting Started

JavaOne 2014 Security Testing for Developers using OWASP ZAP

2014 ZAP Workshop 2: Contexts and Fuzzing

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...

OWASP 2013 APPSEC USA ZAP Hackathon

AllDayDevOps ZAP automation in CI

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...

Owasp zap

ZAP @FOSSASIA2015

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

2017 DevSecCon ZAP Scripting Workshop

2017 Codemotion OWASP ZAP in CI/CD

2021 ZAP Automation in CI/CD

Scripts that automate OWASP ZAP as part of a continuous delivery pipeline

Zed Attack Proxy (ZAP)

The OWASP Zed Attack Proxy

Semelhante a OWASP 2013 EU Tour Amsterdam ZAP Intro

AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts

Magno Logan

Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20

Tabăra de Testare

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015

Peter Sabev

we45 DEFCON Workshop - Building AppSec Automation with Python

Abhay Bhargav

DAST in CI/CD pipelines using Selenium & OWASP ZAP

srini0x00

In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP. Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE. He will cover Automating security tests using Selenium and OWASP ZAP. In this intriguing meetup, you will learn: 1. Introduction to automated vulnerability scans and their limitations. 2. A short introduction to how functional tests can be useful in performing robust security tests. 3. Introduction to selenium and OWASP ZAP 4. Proxying selenium tests through OWASP ZAP 5. Invoking authenticated active scans using OWASP ZAP 6. Obtaining scan reports … and more useful takeaways!

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps

Mohammed A. Imran

Simon Bennetts - Automating ZAP

DevSecCon

[Wroclaw #5] OWASP Projects: beyond Top 10

OWASP

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. This talk by the ZAP project lead will focus on embedding ZAP in continuous integration / delivery pipelines in order to automate security tests. Simon will cover the range of integration options available and explain how ZAP is being integrated into the Mozilla Cloud Services CD pipeline. He will also explain and demonstrate how to drive the ZAP API, which gives complete control over the ZAP daemon.

Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...

Codemotion

Modern Web Framework : Play framework

Suman Adak

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

SecuRing

Ten Commandments of Secure Coding

Mateusz Olejarka

Security testing using zap

Confiz Limited

AppSec & OWASP Top 10 Primer By Matt Scheurer (@c3rkah) Cincinnati, Ohio Date: 03/21/2019 Momentum Developer Conference Sharonville Convention Center #momentumdevcon Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

AppSec & OWASP Top 10 Primer

ThreatReel Podcast

AppSec DC 2019 ASVS 4.0 Final.pptx

Josh Grossman

AppSec DC 2019 ASVS 4.0 Final.pptx

TuynNguyn819213

Testing API's: Tools & Tips & Tricks (Oh My!)

Ford Prior

InVision is a collaborative design company that’s growing into Golang. That being said, when we started doing web services, we looked at using one of the middleware libraries out there such as Alice and Negroni. We found them all interesting but decided to tackle it on our own. As we did that we realized that our library was pretty cool so we broke it out and open sourced it as Rye. I’ll present on the approach we took and some of the benefits of using Rye including integration with Statsd, Context and custom middleware handlers we’ve added such as CIDR validation and JWT validation.

Middleware in Golang: InVision's Rye

Cale Hoopes

Semelhante a OWASP 2013 EU Tour Amsterdam ZAP Intro (18)

AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts

Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015

we45 DEFCON Workshop - Building AppSec Automation with Python

DAST in CI/CD pipelines using Selenium & OWASP ZAP

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps

Simon Bennetts - Automating ZAP

[Wroclaw #5] OWASP Projects: beyond Top 10

Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...

Modern Web Framework : Play framework

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

Ten Commandments of Secure Coding

Security testing using zap

AppSec & OWASP Top 10 Primer

AppSec DC 2019 ASVS 4.0 Final.pptx

Testing API's: Tools & Tips & Tricks (Oh My!)

Middleware in Golang: InVision's Rye

Último

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Real Time Object Detection Using Open CV

Khem

OWASP 2013 EU Tour Amsterdam ZAP Intro

1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP EU Tour 2013 An Introduction to ZAP OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com

2. 2 What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • An OWASP flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing • Not a silver bullet!

3. 3 ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components

4. 4 Statistics • Released September 2010, fork of Paros • V 2.1.0 released in April 2013 • V 2.1.0 downloaded > 10K times • 16 active contributors (Ohloh) • 120 Person years (Ohloh) • Translated into 17 languages • Mostly used by Professional Pentesters? • Paros code: ~30% ZAP Code: ~70%

5. 5 The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Traditional and Ajax Spiders • WebSockets support • Forced Browsing (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Online Add-ons Marketplace

6. 6 Developer Features • Quick start • REST API • Java and Python clients • Headless mode • Anti CSRF token handling • Authentication support • Auto updating • Modes

7. 7 Some Additional Features • Auto tagging • Port scanner • Script Console • Report generation • Smart card support • Contexts and scope • Session management • Invoke external apps • Dynamic SSL Certificates

8. How can you use ZAP? • Point and shoot – the Quick Start tab • Proxying via ZAP, and then scanning • Manual pentesting • Automated security regression tests 8

9. 9 Regression Tests http://code.google.com/p/zaproxy/wiki/SecRegTests Security

10.  Ajax Spider via Crawljax Guifre Ruiz  WebSockets support Robert Kock  New Spider plus Session awareness Cosmin Stefan All in current release (2.1.0)

11. • Dynamically Configurable Actions Alessandro Secco • SAML 2.0 Pulasthi Mahawithana • Enhanced HTTP Session Handling Cosmin Stefan • Advanced Reporting using BIRT Rauf Butt • CMS Scanner Abdelhadi Azouni

12. But theres more! • Minion – ZAP (+ more) in “the Cloud” Stefan Arentz + others • Plug-n-hack : Easy Browser Integration Mark Goodwin + Simon Bennetts • Zest – Security scripting Simon Bennetts + Alessandro Secco • Importing ModSecurity logs Joe Kirwin (Mozilla mentorship) • New networking features (Mozilla intern)

13. Collaborations • Dradis – ZAP upload plugin • OWASP ModSecurity Core Rule Set script – SpiderLabs • ThreadFix – Denim Group • Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young • Grey-box plugin – BCC Risk Advisory 13

14. Any Questions? http://www.owasp.org/index.php/ZAP

OWASP 2013 EU Tour Amsterdam ZAP Intro

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a OWASP 2013 EU Tour Amsterdam ZAP Intro

Semelhante a OWASP 2013 EU Tour Amsterdam ZAP Intro (18)

Último

Último (20)

OWASP 2013 EU Tour Amsterdam ZAP Intro