O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Security  Automation  Using  ZAP
About  us
• Vaibhav  Gupta
– Loves  to  be  both,  a  defender  and  attacker  J
– Security  Researcher  @  Adobe  (For  ...
About  Adobe
Twitter:  @VaibhavGupta_1 3
CONTENT DATA
Creative Cloud Document Cloud Marketing Cloud
Community Marketplace ...
Agenda
• What  is  ZAP
• Quick  run  through  of  ZAP  GUI
• Understanding  what  can  be  automated
• Automating  ZAP
• F...
What  is  ZAP
• Zed  Attack  Proxy
• Automated  Web  Application  Security  Scanner
• An  OWASP  Project
• Voted  as  No. ...
Quick  run  through  of  ZAP  GUI
• Contexts
• Request/Response
• Options
• Spider
• Scan  Alerts
• Scan  policy  manager
...
Understanding  what  can  be  automated
• Configuration
• Spidering
• Passive  Scan
• Active  Scan
• Authentication
• Many...
Automating  ZAP
• ZAP  APIs  (http://zap/UI/)
• pip  install  python-­owasp-­zap-­v2.4
• Example  1:  Initializing  ZAP  i...
Example  1:  Initializing  ZAP  in  python
from  zapv2  import  ZAPv2
zap  =  ZAPv2()
or
zap =  ZAPv2(proxies={'http':  'h...
Example  2:  Spidering  web  application
zap.spider.scan(input_target,  apikey =  API_Key)
while  (int(zap.spider.status()...
Example  3:  Passive  scanning
zap.pscan.disable_all_scanners(apikey =  API_Key)
zap.pscan.enable_scanners(ids  =  10040, ...
Example  4:  Active  scanning
zap.ascan.scan(target,  apikey =  API_Key)
while  (int(zap.ascan.status())  <  100):        ...
Example  5:  Simple  authenticated  scanning
zap.ascan.scan_as_user(url =  input_target,  contextid =  1,  
userid =  4,  ...
Example  6:  Some  other  important  APIs
• http://zap/UI/spider/action/setOptionMaxDepth/
• http://zap/UI/context/action/...
Few  considerations/hacks
• Ajax  spidering
• Importing  contexts/configs
• Random  sleeps
• Scan  output  for  a  particu...
Lets  Discuss  few  Use  Cases
• Scanning  at  scale
• Integration  with  CI/CD  systems  like  Jenkins
• Custom  authenti...
ZAP  Resources
• Getting  Started  Guide  (pdf) -­ an  introductory  guide
• Tutorial  Videos
• User  Guide -­ online  ver...
Thank  you!  J
18
Vaibhav	
  Gupta
Vaibhav.Gupta@owasp.org
Twitter:	
  @VaibhavGupta_1
Blog:	
  www.exploits.work
-­‐-­‐-...
Próximos SlideShares
Carregando em…5
×

Security Automation using ZAP

These are the slides from my lightning talk at OWASP AppSec Europe 2016. The session broadly consisted of:

- Quick run through of ZAP GUI
- Understanding what can be automated
- How to integrate ZAP with automation scripts
- Example scripts/Hands-on
- Some delicate considerations

Code: https://github.com/r3ver53r/AppSecEU_2016

Download: https://2016.appsec.eu/wp-content/uploads/2016/07/OWASP_AppSec_EU2016-Security_Automation_Using_ZAP_v1.3.pdf

  • Entre para ver os comentários

Security Automation using ZAP

  1. 1. Security  Automation  Using  ZAP
  2. 2. About  us • Vaibhav  Gupta – Loves  to  be  both,  a  defender  and  attacker  J – Security  Researcher  @  Adobe  (For  bread,  butter  &  beer!) – Delhi  Chapter  Leader  – OWASP  &  Null   • Sandeep  Sigh  (Not  with  us  today  L) – Security  Engineer  @  ESSEL  Group – Delhi  Chapter  Leader  – OWASP  &  Null 2
  3. 3. About  Adobe Twitter:  @VaibhavGupta_1 3 CONTENT DATA Creative Cloud Document Cloud Marketing Cloud Community Marketplace Partners Developers
  4. 4. Agenda • What  is  ZAP • Quick  run  through  of  ZAP  GUI • Understanding  what  can  be  automated • Automating  ZAP • Few  considerations/hacks • Use  cases Twitter:  @VaibhavGupta_1 4
  5. 5. What  is  ZAP • Zed  Attack  Proxy • Automated  Web  Application  Security  Scanner • An  OWASP  Project • Voted  as  No.  1  Security  Tool  as  per  ToolsWatch Survey Ref:  https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Twitter:  @VaibhavGupta_1 5
  6. 6. Quick  run  through  of  ZAP  GUI • Contexts • Request/Response • Options • Spider • Scan  Alerts • Scan  policy  manager Twitter:  @VaibhavGupta_1 6
  7. 7. Understanding  what  can  be  automated • Configuration • Spidering • Passive  Scan • Active  Scan • Authentication • Many  additional  capabilities  J Twitter:  @VaibhavGupta_1 7
  8. 8. Automating  ZAP • ZAP  APIs  (http://zap/UI/) • pip  install  python-­owasp-­zap-­v2.4 • Example  1:  Initializing  ZAP  in  python • Example  2:  Spidering  web  application • Example  3:  Passive  scanning • Example  4:  Active  scanning • Example  5:  Simple  authenticated  scanning • Example  6:  Some  other  important  APIs Twitter:  @VaibhavGupta_1 8
  9. 9. Example  1:  Initializing  ZAP  in  python from  zapv2  import  ZAPv2 zap  =  ZAPv2() or zap =  ZAPv2(proxies={'http':  'http://x.x.x.x:yyyy',   'https':  'http://x.x.x.x:yyyy'}) Twitter:  @VaibhavGupta_1 9
  10. 10. Example  2:  Spidering  web  application zap.spider.scan(input_target,  apikey =  API_Key) while  (int(zap.spider.status())  <  100):         print  'Spider  progress  %:  '  +  zap.spider.status()         time.sleep(2) zap.ajaxSpider.scan(url =  input_target,  apikey =  API_Key) Twitter:  @VaibhavGupta_1 10
  11. 11. Example  3:  Passive  scanning zap.pscan.disable_all_scanners(apikey =  API_Key) zap.pscan.enable_scanners(ids  =  10040,  apikey =  API_Key) zap.pscan.enable_all_scanners(apikey =  API_Key) zap.pscan.set_enabled(enabled  =  True,  apikey =  API_Key) Ref:  http://zap/UI/pscan/view/scanners/ Twitter:  @VaibhavGupta_1 11
  12. 12. Example  4:  Active  scanning zap.ascan.scan(target,  apikey =  API_Key) while  (int(zap.ascan.status())  <  100):         print  'Scan  progress  %:  '  +  zap.ascan.status() zap.ascan.scan(input_target,  scanpolicyname =   input_policy,  apikey =  API_Key) Twitter:  @VaibhavGupta_1 12
  13. 13. Example  5:  Simple  authenticated  scanning zap.ascan.scan_as_user(url =  input_target,  contextid =  1,   userid =  4,  apikey =  API_Key) • http://zap/UI/context/view/context/ • http://zap/UI/users/view/usersList/ Twitter:  @VaibhavGupta_1 13
  14. 14. Example  6:  Some  other  important  APIs • http://zap/UI/spider/action/setOptionMaxDepth/ • http://zap/UI/context/action/importContext/ • http://zap/UI/context/action/includeInContext/ • http://zap/UI/context/action/newContext/ • http://zap/UI/core/other/xmlreport/ • http://zap/UI/core/action/shutdown/ Twitter:  @VaibhavGupta_1 14
  15. 15. Few  considerations/hacks • Ajax  spidering • Importing  contexts/configs • Random  sleeps • Scan  output  for  a  particular  context/scan • Documentation • Custom  scripting! Twitter:  @VaibhavGupta_1 15
  16. 16. Lets  Discuss  few  Use  Cases • Scanning  at  scale • Integration  with  CI/CD  systems  like  Jenkins • Custom  authentication • Unit  security  test  cases • Research  at  scale!   • The  list  is  endless…  J Twitter:  @VaibhavGupta_1 16
  17. 17. ZAP  Resources • Getting  Started  Guide  (pdf) -­ an  introductory  guide • Tutorial  Videos • User  Guide -­ online  version  of  the  ZAP’s  user  guide • User  Group -­ ask  questions  about  using  ZAP • Add-­ons -­ help  for  the  optional  add-­ons  you  can  install • StackOverflow -­ because  some  people  use  this  for  everything ;;-­) Twitter:  @VaibhavGupta_1 17
  18. 18. Thank  you!  J 18 Vaibhav  Gupta Vaibhav.Gupta@owasp.org Twitter:  @VaibhavGupta_1 Blog:  www.exploits.work -­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐ Security  portal:  https://www.adobe.com/security Security  @Adobe  blog:  https://blogs.adobe.com/security Twitter:  @AdobeSecurity

×