OWASP Zed Attack Proxy
Project leader: Simon Bennetts (psiinon@gmail.com)
December 2010
The Introduction
• The statement
  • You cannot build secure web applications unless you know how to attack them
• The problem
  • For many developers (including functional testers) ‘penetration testing’ is a black art
• The solution
  • Teach basic penetration techniques to developers
Thanks to Royston Robertson (www.roystonrobertson.co.uk) for permission to use his cartoon!
The Caveat
• This is in addition to, not a replacement for:
  • Teaching secure coding techniques
  • Teaching about common vulnerabilities (e.g. the OWASP Top 10)
  • A secure software development lifecycle
  • Static source code analysis
  • Code reviews
  • Professional pen testing
  • …
What sort of tools?
• Easy to use
• Well documented
• Functional
• Free
• Maintained
• Cross platform
• Open source
• Internationalized
Introducing OWASP ZAP
• An integrated penetration testing tool for finding vulnerabilities in web applications
• Ease of use a priority
• Comprehensive help pages
• Free
• Open source
• Cross platform
• Mostly internationalized ;)
• A fork of the well regarded Paros Proxy
• Under active development
• Involvement actively encouraged
The Features
• All the essentials for web application testing:
  • Intercepting proxy
  • Active scanner
  • Passive scanner
  • Spider
  • Brute force (directory and file discovery, using OWASP DirBuster code)
  • Port scanner
• Plus lots of useful things:
  • Auto tagging
  • Report generation
  • Session comparison
  • Smart card support
Suggested use
• Explore the application using your browser, with ZAP configured as its proxy, so every request and response is recorded
• Spider to find content you missed while browsing
• Brute force to find unreferenced content
• Active scan to find basic vulnerabilities
• Examine the requests and responses for more subtle issues (the scanners only report what they have rules for)
• Use the OWASP Testing Guide!
The Future
• Fuzzing (using OWASP JBroFuzz)
• Enhanced scanners to detect more vulnerabilities
• Technology detection
• Parameter analysis
• Better help
• Full internationalization
• More localization (all offers gratefully received!)
• What do you want??
Summary
• Ideal for developers new to penetration testing
• A useful addition to the experienced pen tester's toolbox
• Get involved:
  • Try it out
  • Find vulnerabilities in your apps
  • Report bugs
  • Localize
  • Suggest improvements
  • Implement improvements
• http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project