
OWASP ZAP Workshop 1: Getting started



Presentation Transcript


  1. OWASP ZAP Workshop 1: Getting started
     Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team, psiinon@gmail.com
     OWASP Canberra 2014

  2. The plan
     • Introduction
     • The main bit
     • Demo feature
     • Let you play with feature
     • Answer any questions
     • Repeat
     • Plans for the future sessions

  3. What is ZAP?
     • An easy to use webapp pentest tool
     • Completely free and open source
     • Ideal for beginners
     • But also used by professionals
     • Ideal for devs, esp. for automated security tests
     • Becoming a framework for advanced testing
     • Included in all major security distributions
     • ToolsWatch.org Top Security Tool of 2013
     • Not a silver bullet!

  4. ZAP Principles
     • Free, open source
     • Involvement actively encouraged
     • Cross platform
     • Easy to use
     • Easy to install
     • Internationalized
     • Fully documented
     • Work well with other tools
     • Reuse well regarded components

  5. Statistics
     • Released September 2010, fork of Paros
     • V 2.3.1 released in May 2014
     • V 2.3.1 downloaded > 35K times
     • Translated into 20+ languages
     • Over 90 translators
     • Mostly used by professional pentesters?
     • Paros code: ~20%, ZAP code: ~80%

  6. Open HUB Statistics
     • Very high activity
     • The most active OWASP project
     • 31 active contributors
     • 327 years of effort
     Source: https://www.openhub.net/p/zaproxy

  7. Some ZAP use cases
     • Point and shoot: the Quick Start tab
     • Proxying via ZAP, and then scanning
     • Manual pentesting
     • Automated security regression tests
     • Debugging
     • Part of a larger security program

  8. The BodgeIt Store
     • A simple vulnerable web app
     • Easy to install, minimal dependencies
     • In memory db
     • Scoring page: how well can you do?

  9. The ZAP UI
     • Top level menu
     • Top level toolbar
     • Tree window
     • Workspace window
     • Information window
     • Footer

  10. Quick Start - Attack
     • Specify one URL
     • ZAP will spider that URL
     • Then perform an Active Scan
     • And display the results
     • Simple and effective
     • Little control and can't handle authentication

  11. Proxying via ZAP
     • Plug-n-Hack is the easiest option, if using Firefox
     • Otherwise manually configure your browser to proxy via ZAP
     • And import the ZAP root CA
     • Requests made via your browser should appear in the Sites and History tabs
     • IE: don't "Bypass proxy for local addresses"

  12. ZAP PnH

  13. Manual ZAP config

  14. Practical 1
     • Try out the Quick Start - Attack
     • Configure your browser to proxy via ZAP
     • Manually explore your target application

  15. The Spiders
     • Traditional Spider
       • Fast
       • Can't handle JavaScript very well
     • AJAX Spider
       • Launches a browser
       • Slower
       • Can handle JavaScript

  16. Practical 2
     • Use the 'traditional' spider on your target application
     • Use the AJAX spider on your target application
     • If you're using BodgeIt: can you find the 'hidden' content?

  17. Answer: Hidden content

  18. Active and Passive Scanning
     • Passive Scanning is safe
     • Active Scanning is NOT safe
     • Only use it on apps you have permission to test
     • Launch via the tab or the 'attack' right click menu
     • Effectiveness depends on how well you explored your app

  19. Practical 3
     • Review the Passive issues already found
     • Run the Active Scanner on your target application
     • If you're using BodgeIt:
       • Can you login as user1 or admin?
       • Can you get an "XSS" popup?

  20. Answer: Login as…
     • Password guessing
       • test@thebodgeitstore.com
       • password
     • SQL Injection
       • user1@thebodgeitstore.com' or '1'='1
       • admin@thebodgeitstore.com' or '1'='1
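Why the injected quote on this slide logs you in as that specific user, and why the fix is trivial: the following is an added example (not BodgeIt's or ZAP's code) using an in-memory SQLite table with constructed accounts; the user1/admin passwords are placeholders, not the app's real values.

```python
import sqlite3

# Constructed sample accounts modelled on the addresses named on the slide.
USERS = [
    ("test@thebodgeitstore.com", "password"),           # the guessed pair from the slide
    ("user1@thebodgeitstore.com", "user1-placeholder"),  # placeholder password
    ("admin@thebodgeitstore.com", "admin-placeholder"),  # placeholder password
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by string concatenation (the bug class behind the slide).

    With username = "user1@thebodgeitstore.com' or '1'='1" the WHERE clause becomes
        username = 'user1@thebodgeitstore.com' or '1'='1' AND password = '...'
    AND binds tighter than OR, so the user1 row matches regardless of the password.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the quote in the input is data, not SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "user1@thebodgeitstore.com' or '1'='1"
    print("vulnerable:", vulnerable_login(db, payload, "wrong"))  # user1@thebodgeitstore.com
    print("parameterized:", safe_login(db, payload, "wrong"))     # None
```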

  21. Answer: XSS popup
     • Search function
     • Append <script>alert("XSS")</script>

  22. Intercepting and changing
     • Break on all requests
     • Break on all responses
     • Submit and step
     • Submit and continue
     • Bin the request or response
     • Add a custom HTTP break point

  23. Practical 4
     • Intercept and change requests and responses
     • Use custom break points just on a specific page
     • If you're using BodgeIt: can you make some money via the basket?

  24. Answer: Make money
     • Your Basket page
     • Change quantity to a negative number
     • quantity_26=-5&update=Update+Basket
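The basket bug on this slide is a missing server-side check, so here is an added example (not BodgeIt's code) that parses the exact form body shown and contrasts a total that trusts the submitted quantity with one that validates it; the price list is constructed, since the slide gives no prices.

```python
from urllib.parse import parse_qs

# Constructed price list keyed by item id; item 26 is the id in the slide's request.
PRICES = {"26": 2.50, "27": 10.00}


def parse_basket_update(body):
    """Parse an application/x-www-form-urlencoded body into {item_id: quantity}.

    Only quantity_<id> fields are used; the 'update=Update+Basket' button value is ignored.
    """
    fields = parse_qs(body, keep_blank_values=True)
    updates = {}
    for key, values in fields.items():
        if key.startswith("quantity_"):
            updates[key[len("quantity_"):]] = int(values[0])
    return updates


def basket_total_unchecked(updates):
    """Trusts the client: a negative quantity is multiplied in and lowers the total."""
    return sum(PRICES[item] * qty for item, qty in updates.items())


def basket_total_checked(updates):
    """Server-side validation: known item, non-negative quantity. Returns None if rejected."""
    total = 0.0
    for item, qty in updates.items():
        if item not in PRICES or qty < 0:
            return None
        total += PRICES[item] * qty
    return total


if __name__ == "__main__":
    body = "quantity_26=-5&update=Update+Basket"  # the request body from the slide
    updates = parse_basket_update(body)
    print(updates)                          # {'26': -5}
    print(basket_total_unchecked(updates))  # -12.5: the shop owes the customer money
    print(basket_total_checked(updates))    # None: update rejected
```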

  25. Some final pointers
     • Generating reports
     • Save sessions at the start
     • Right click everywhere
     • Play with the UI options
     • Explore the ZAP Marketplace
     • F1: The User Guide
     • Menu: Online / ZAP User Group

  26. Future Sessions?
     • Fuzzing
     • Advanced Active Scanning
     • Contexts
     • Authentication
     • Scripts
     • Zest
     • The API
     • Websockets
     • What do you want?

  27. Any Questions?
     http://www.owasp.org/index.php/ZAP