SlideShare uma empresa Scribd logo

Security Automation using ZAP

Vaibhav Gupta
Vaibhav Gupta

The document discusses automating security scans using the Zed Attack Proxy (ZAP). It provides an overview of ZAP and its graphical user interface. It then discusses how various aspects of ZAP can be automated using its APIs, including spidering, passive scanning, active scanning, and authenticated scanning. It provides Python code examples to initialize ZAP, run spiders and scans, and access other ZAP features programmatically. It concludes with use cases for automating ZAP at scale or integrating it with continuous integration systems.

Engenharia
1 de 18
Baixar para ler offline
Security  Automation  Using  ZAP
About  us • Vaibhav  Gupta – Loves  to  be  both,  a  defender  and  attacker  J – Security  Researcher  @  Adobe  (For  bread,  butter  &  beer!) – Delhi  Chapter  Leader  – OWASP  &  Null   • Sandeep  Sigh  (Not  with  us  today  L) – Security  Engineer  @  ESSEL  Group – Delhi  Chapter  Leader  – OWASP  &  Null 2
About  Adobe Twitter:  @VaibhavGupta_1 3 CONTENT DATA Creative Cloud Document Cloud Marketing Cloud Community Marketplace Partners Developers
Agenda • What  is  ZAP • Quick  run  through  of  ZAP  GUI • Understanding  what  can  be  automated • Automating  ZAP • Few  considerations/hacks • Use  cases Twitter:  @VaibhavGupta_1 4
What  is  ZAP • Zed  Attack  Proxy • Automated  Web  Application  Security  Scanner • An  OWASP  Project • Voted  as  No.  1  Security  Tool  as  per  ToolsWatch Survey Ref:  https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Twitter:  @VaibhavGupta_1 5
Quick  run  through  of  ZAP  GUI • Contexts • Request/Response • Options • Spider • Scan  Alerts • Scan  policy  manager Twitter:  @VaibhavGupta_1 6
Understanding  what  can  be  automated • Configuration • Spidering • Passive  Scan • Active  Scan • Authentication • Many  additional  capabilities  J Twitter:  @VaibhavGupta_1 7
Automating  ZAP • ZAP  APIs  (http://zap/UI/) • pip  install  python-­owasp-­zap-­v2.4 • Example  1:  Initializing  ZAP  in  python • Example  2:  Spidering  web  application • Example  3:  Passive  scanning • Example  4:  Active  scanning • Example  5:  Simple  authenticated  scanning • Example  6:  Some  other  important  APIs Twitter:  @VaibhavGupta_1 8
Example  1:  Initializing  ZAP  in  python from  zapv2  import  ZAPv2 zap  =  ZAPv2() or zap =  ZAPv2(proxies={'http':  'http://x.x.x.x:yyyy',   'https':  'http://x.x.x.x:yyyy'}) Twitter:  @VaibhavGupta_1 9
Example  2:  Spidering  web  application zap.spider.scan(input_target,  apikey =  API_Key) while  (int(zap.spider.status())  <  100):         print  'Spider  progress  %:  '  +  zap.spider.status()         time.sleep(2) zap.ajaxSpider.scan(url =  input_target,  apikey =  API_Key) Twitter:  @VaibhavGupta_1 10
Example  3:  Passive  scanning zap.pscan.disable_all_scanners(apikey =  API_Key) zap.pscan.enable_scanners(ids  =  10040,  apikey =  API_Key) zap.pscan.enable_all_scanners(apikey =  API_Key) zap.pscan.set_enabled(enabled  =  True,  apikey =  API_Key) Ref:  http://zap/UI/pscan/view/scanners/ Twitter:  @VaibhavGupta_1 11
Example  4:  Active  scanning zap.ascan.scan(target,  apikey =  API_Key) while  (int(zap.ascan.status())  <  100):         print  'Scan  progress  %:  '  +  zap.ascan.status() zap.ascan.scan(input_target,  scanpolicyname =   input_policy,  apikey =  API_Key) Twitter:  @VaibhavGupta_1 12
Example  5:  Simple  authenticated  scanning zap.ascan.scan_as_user(url =  input_target,  contextid =  1,   userid =  4,  apikey =  API_Key) • http://zap/UI/context/view/context/ • http://zap/UI/users/view/usersList/ Twitter:  @VaibhavGupta_1 13
Example  6:  Some  other  important  APIs • http://zap/UI/spider/action/setOptionMaxDepth/ • http://zap/UI/context/action/importContext/ • http://zap/UI/context/action/includeInContext/ • http://zap/UI/context/action/newContext/ • http://zap/UI/core/other/xmlreport/ • http://zap/UI/core/action/shutdown/ Twitter:  @VaibhavGupta_1 14
Few  considerations/hacks • Ajax  spidering • Importing  contexts/configs • Random  sleeps • Scan  output  for  a  particular  context/scan • Documentation • Custom  scripting! Twitter:  @VaibhavGupta_1 15
Lets  Discuss  few  Use  Cases • Scanning  at  scale • Integration  with  CI/CD  systems  like  Jenkins • Custom  authentication • Unit  security  test  cases • Research  at  scale!   • The  list  is  endless…  J Twitter:  @VaibhavGupta_1 16
ZAP  Resources • Getting  Started  Guide  (pdf) -­ an  introductory  guide • Tutorial  Videos • User  Guide -­ online  version  of  the  ZAP’s  user  guide • User  Group -­ ask  questions  about  using  ZAP • Add-­ons -­ help  for  the  optional  add-­ons  you  can  install • StackOverflow -­ because  some  people  use  this  for  everything ;;-­) Twitter:  @VaibhavGupta_1 17
Thank  you!  J 18 Vaibhav  Gupta Vaibhav.Gupta@owasp.org Twitter:  @VaibhavGupta_1 Blog:  www.exploits.work -­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐ Security  portal:  https://www.adobe.com/security Security  @Adobe  blog:  https://blogs.adobe.com/security Twitter:  @AdobeSecurity

Recomendados

The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDCThinqloud
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burpTomasz Fajks
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap ItManjyot Singh
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)JAINAM KAPADIYA
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomationLinkesh Kanna Velu
 

Recomendados

The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDCThinqloud
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burpTomasz Fajks
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap ItManjyot Singh
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)JAINAM KAPADIYA
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomationLinkesh Kanna Velu
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineSherif Mansour
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroSimon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroSimon Bennetts
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting StartedSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 

Mais conteúdo relacionado

Mais procurados

OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineSherif Mansour
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroSimon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroSimon Bennetts
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting StartedSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
 

Mais procurados (20)

OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipelineScripts that automate OWASP ZAP as part of a continuous delivery pipeline
Scripts that automate OWASP ZAP as part of a continuous delivery pipeline
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsec
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP Intro
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
 

Semelhante a Security Automation using ZAP

Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP DevSecCon
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CISimon Bennetts
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
OpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDOpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDSparsh Raj
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
Building robust REST APIs
Building robust REST APIsBuilding robust REST APIs
Building robust REST APIsNejc Zupan
 
Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Anand Tiwari
 
Hadoop Eagle - Real Time Monitoring Framework for eBay Hadoop
Hadoop Eagle - Real Time Monitoring Framework for eBay HadoopHadoop Eagle - Real Time Monitoring Framework for eBay Hadoop
Hadoop Eagle - Real Time Monitoring Framework for eBay HadoopDataWorks Summit
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonSmartBear
 
iOS and Android Acceptance Testing with Calabash - Xcake Dublin
iOS and Android Acceptance Testing with Calabash - Xcake DubliniOS and Android Acceptance Testing with Calabash - Xcake Dublin
iOS and Android Acceptance Testing with Calabash - Xcake Dublinroland99
 
swift-log について
swift-log についてswift-log について
swift-log についてShinya Mochida
 

Semelhante a Security Automation using ZAP (20)

Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
 
OpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATEDOpenSourceSecurityTools - UPDATED
OpenSourceSecurityTools - UPDATED
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAP
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
Building robust REST APIs
Building robust REST APIsBuilding robust REST APIs
Building robust REST APIs
 
Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018 Archery - BlackHat Asia 2018
Archery - BlackHat Asia 2018
 
Hadoop Eagle - Real Time Monitoring Framework for eBay Hadoop
Hadoop Eagle - Real Time Monitoring Framework for eBay HadoopHadoop Eagle - Real Time Monitoring Framework for eBay Hadoop
Hadoop Eagle - Real Time Monitoring Framework for eBay Hadoop
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & Python
 
iOS and Android Acceptance Testing with Calabash - Xcake Dublin
iOS and Android Acceptance Testing with Calabash - Xcake DubliniOS and Android Acceptance Testing with Calabash - Xcake Dublin
iOS and Android Acceptance Testing with Calabash - Xcake Dublin
 
swift-log について
swift-log についてswift-log について
swift-log について
 

Último

Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...tanu pandey
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLManishPatel169454
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfSuman Jyoti
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Christo Ananth
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 

Último (20)

Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
NFPA 5000 2024 standard .
NFPA 5000 2024 standard .NFPA 5000 2024 standard .
NFPA 5000 2024 standard .
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 

Security Automation using ZAP

  • 2. About  us • Vaibhav  Gupta – Loves  to  be  both,  a  defender  and  attacker  J – Security  Researcher  @  Adobe  (For  bread,  butter  &  beer!) – Delhi  Chapter  Leader  – OWASP  &  Null   • Sandeep  Sigh  (Not  with  us  today  L) – Security  Engineer  @  ESSEL  Group – Delhi  Chapter  Leader  – OWASP  &  Null 2
  • 3. About  Adobe Twitter:  @VaibhavGupta_1 3 CONTENT DATA Creative Cloud Document Cloud Marketing Cloud Community Marketplace Partners Developers
  • 4. Agenda • What  is  ZAP • Quick  run  through  of  ZAP  GUI • Understanding  what  can  be  automated • Automating  ZAP • Few  considerations/hacks • Use  cases Twitter:  @VaibhavGupta_1 4
  • 5. What  is  ZAP • Zed  Attack  Proxy • Automated  Web  Application  Security  Scanner • An  OWASP  Project • Voted  as  No.  1  Security  Tool  as  per  ToolsWatch Survey Ref:  https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Twitter:  @VaibhavGupta_1 5
  • 6. Quick  run  through  of  ZAP  GUI • Contexts • Request/Response • Options • Spider • Scan  Alerts • Scan  policy  manager Twitter:  @VaibhavGupta_1 6
  • 7. Understanding  what  can  be  automated • Configuration • Spidering • Passive  Scan • Active  Scan • Authentication • Many  additional  capabilities  J Twitter:  @VaibhavGupta_1 7
  • 8. Automating  ZAP • ZAP  APIs  (http://zap/UI/) • pip  install  python-­owasp-­zap-­v2.4 • Example  1:  Initializing  ZAP  in  python • Example  2:  Spidering  web  application • Example  3:  Passive  scanning • Example  4:  Active  scanning • Example  5:  Simple  authenticated  scanning • Example  6:  Some  other  important  APIs Twitter:  @VaibhavGupta_1 8
  • 9. Example  1:  Initializing  ZAP  in  python from  zapv2  import  ZAPv2 zap  =  ZAPv2() or zap =  ZAPv2(proxies={'http':  'http://x.x.x.x:yyyy',   'https':  'http://x.x.x.x:yyyy'}) Twitter:  @VaibhavGupta_1 9
  • 10. Example  2:  Spidering  web  application zap.spider.scan(input_target,  apikey =  API_Key) while  (int(zap.spider.status())  <  100):         print  'Spider  progress  %:  '  +  zap.spider.status()         time.sleep(2) zap.ajaxSpider.scan(url =  input_target,  apikey =  API_Key) Twitter:  @VaibhavGupta_1 10
  • 11. Example  3:  Passive  scanning zap.pscan.disable_all_scanners(apikey =  API_Key) zap.pscan.enable_scanners(ids  =  10040,  apikey =  API_Key) zap.pscan.enable_all_scanners(apikey =  API_Key) zap.pscan.set_enabled(enabled  =  True,  apikey =  API_Key) Ref:  http://zap/UI/pscan/view/scanners/ Twitter:  @VaibhavGupta_1 11
  • 12. Example  4:  Active  scanning zap.ascan.scan(target,  apikey =  API_Key) while  (int(zap.ascan.status())  <  100):         print  'Scan  progress  %:  '  +  zap.ascan.status() zap.ascan.scan(input_target,  scanpolicyname =   input_policy,  apikey =  API_Key) Twitter:  @VaibhavGupta_1 12
  • 13. Example  5:  Simple  authenticated  scanning zap.ascan.scan_as_user(url =  input_target,  contextid =  1,   userid =  4,  apikey =  API_Key) • http://zap/UI/context/view/context/ • http://zap/UI/users/view/usersList/ Twitter:  @VaibhavGupta_1 13
  • 14. Example  6:  Some  other  important  APIs • http://zap/UI/spider/action/setOptionMaxDepth/ • http://zap/UI/context/action/importContext/ • http://zap/UI/context/action/includeInContext/ • http://zap/UI/context/action/newContext/ • http://zap/UI/core/other/xmlreport/ • http://zap/UI/core/action/shutdown/ Twitter:  @VaibhavGupta_1 14
  • 15. Few  considerations/hacks • Ajax  spidering • Importing  contexts/configs • Random  sleeps • Scan  output  for  a  particular  context/scan • Documentation • Custom  scripting! Twitter:  @VaibhavGupta_1 15
  • 16. Lets  Discuss  few  Use  Cases • Scanning  at  scale • Integration  with  CI/CD  systems  like  Jenkins • Custom  authentication • Unit  security  test  cases • Research  at  scale!   • The  list  is  endless…  J Twitter:  @VaibhavGupta_1 16
  • 17. ZAP  Resources • Getting  Started  Guide  (pdf) -­ an  introductory  guide • Tutorial  Videos • User  Guide -­ online  version  of  the  ZAP’s  user  guide • User  Group -­ ask  questions  about  using  ZAP • Add-­ons -­ help  for  the  optional  add-­ons  you  can  install • StackOverflow -­ because  some  people  use  this  for  everything ;;-­) Twitter:  @VaibhavGupta_1 17
  • 18. Thank  you!  J 18 Vaibhav  Gupta Vaibhav.Gupta@owasp.org Twitter:  @VaibhavGupta_1 Blog:  www.exploits.work -­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐ Security  portal:  https://www.adobe.com/security Security  @Adobe  blog:  https://blogs.adobe.com/security Twitter:  @AdobeSecurity