SlideShare une entreprise Scribd logo

Owasp zap

ColdFusionConference
ColdFusionConference
LogicielsTechnologie
1  sur  21
Télécharger pour lire hors ligne
Using OWASP ZAP to find vulnerabilities in your web apps David Epler Security Architect depler@aboutweb.com
About Me • Primarily an Application Developer • Contributor to Learn CF In a Week • Created Unofficial Updater 2 to patch Adobe ColdFusion 8.0.1 & 9.0.x • OWASP Individual Member • OWASP ZAP Evangelist
What is OWASP Zed Attack Proxy (ZAP)? • An easy to use web application penetration testing tool • Completely free and Open Source • no paid PRO version • OWASP flagship project • Included in major security distributions • Kali, Samurai WTF, etc.
Brief ZAP History • Fork of Paros Proxy by Simon Bennetts • Code: Paros ~20%, ZAP ~80% • 1st Release September 2010 • Adopted by OWASP October 2010 • Now at 2.3.0, with roadmap to 2.4.0+ • Best Security Tool of 2013 as Voted by ToolsWatch.org Readers
Why use ZAP? • Ideal for beginners, developers • also used by professional pen testers • Point and shoot via Quick Start Tab • Manual penetration testing • As a debugger • As part of larger security program • Automated security regression tests
Main ZAP Features • Intercepting Proxy • Active and Passive Scanners • Traditional and AJAX spiders • Forced browsing • using OWASP DirBuster • Fuzzing • using fuzzdb and OWASP JBroFuzz • Cross Platform • built on Java (requires 1.7)
More ZAP Features • WebSockets support • Authentication and session support • Smart card and client digital certificate support • Anti CSRF token handling • Report generation • Port scanner • Invoke external applications • Support for wide range of scripting • JavaScript, Zest, Python, Groovy • Online Add-ons Marketplace • Translated into 20+ languages
Intercepting Proxy Website
Intercepting Proxy Website
Installing and Configuring ZAP • Download and Install • https://code.google.com/p/zaproxy/ wiki/Downloads • Configure browser to use ZAP as proxy • FoxyProxy Standard plugin for Firefox • Import OWASP ZAP Root CA • needed for testing HTTPS sites/apps
Installing and Configuring ZAP Demo Time
Plug-n-Hack • Configuring browser to work with security tool can be difficult • Proposed standard developed by Mozilla Security Team • Allows browsers and security tools to integrate more easily • Allows security tools to expose functionality to browser • Requires Firefox 24+ and plugin • Other tools to support it • Burp Suite, Kali
A Few Tips • Can use Linux install on Windows, if don’t have rights to install • Don’t forget to import certificate • If you get the following when trying HTTPS • ZAP Error: handshake alert: unrecognized_name • Add to zap.sh/zap.bat • !Djsse.enableSNIExtension=false
Testing for vulnerabilities • Automated Testing • Quick Start • Active Scan
Testing for vulnerabilities • Directed Testing • Manual, using browser walk through web app • ZAP capturing responses then, testing further by manipulating requests
Testing for vulnerabilities Demo Time
Integrating ZAP with other tools • Run external applications • Nikto • sqlmap
Integrating ZAP with other tools • Generate ModSecurity virtual patching rules from ZAP XML results • zap2modsec.pl
Integrating ZAP with other tools Demo Time
• Please be sure to fill out evaluations • Blog: http://www.dcepler.net • Email: depler@aboutweb.com • Twitter: @dcepler Q&A - Thanks
• OWASP Zed Attack Proxy Project • Plug-n-Hack • Issue 704: ZAP Error: handshake alert: unrecognized_name • ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy Resources

Recommandé

The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
penetration Tester
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101
n|u - The Open Security Community
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 

Recommandé

The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
penetration Tester
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101
n|u - The Open Security Community
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
Burp suite
Burp suiteBurp suite
Burp suite
hamdi_sevben
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
Ashraf Bashir
 
Api testing
Api testingApi testing
Api testing
Keshav Kashyap
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
n|u - The Open Security Community
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
Confiz
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
 
Postman
PostmanPostman
Postman
Igor Shubovych
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
Thinqloud
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 

Contenu connexe

Tendances

Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
Confiz
 

Tendances (20)

Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Burp suite
Burp suiteBurp suite
Burp suite
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
 
Api testing
Api testingApi testing
Api testing
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
Postman
PostmanPostman
Postman
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 

En vedette

Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Performance and load testing
Performance and load testingPerformance and load testing
Performance and load testing
sonukalpana
 

En vedette (14)

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Load Testing and JMeter Presentation
Load Testing and JMeter PresentationLoad Testing and JMeter Presentation
Load Testing and JMeter Presentation
 
Introduction to Performance testing
Introduction to Performance testingIntroduction to Performance testing
Introduction to Performance testing
 
Performance Testing in Oracle Apps
Performance Testing in Oracle AppsPerformance Testing in Oracle Apps
Performance Testing in Oracle Apps
 
How to start performance testing project
How to start performance testing projectHow to start performance testing project
How to start performance testing project
 
Performance Testing
Performance TestingPerformance Testing
Performance Testing
 
Introduction to performance testing
Introduction to performance testingIntroduction to performance testing
Introduction to performance testing
 
Performance and load testing
Performance and load testingPerformance and load testing
Performance and load testing
 

Similaire à Owasp zap

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
OpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsOpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red Hats
Mark Atwood
 

Similaire à Owasp zap (20)

ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP Intro
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
Automated tools for penetration testing
Automated tools for penetration testingAutomated tools for penetration testing
Automated tools for penetration testing
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 
Hacking on WildFly 9
Hacking on WildFly 9Hacking on WildFly 9
Hacking on WildFly 9
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
OpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsOpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red Hats
 

Plus de ColdFusionConference

Plus de ColdFusionConference (20)

Api manager preconference
Api manager preconferenceApi manager preconference
Api manager preconference
 
Cf ppt vsr
Cf ppt vsrCf ppt vsr
Cf ppt vsr
 
Building better SQL Server Databases
Building better SQL Server DatabasesBuilding better SQL Server Databases
Building better SQL Server Databases
 
API Economy, Realizing the Business Value of APIs
API Economy, Realizing the Business Value of APIsAPI Economy, Realizing the Business Value of APIs
API Economy, Realizing the Business Value of APIs
 
Don't just pdf, Smart PDF
Don't just pdf, Smart PDFDon't just pdf, Smart PDF
Don't just pdf, Smart PDF
 
Crafting ColdFusion Applications like an Architect
Crafting ColdFusion Applications like an ArchitectCrafting ColdFusion Applications like an Architect
Crafting ColdFusion Applications like an Architect
 
Security And Access Control For APIS using CF API Manager
Security And Access Control For APIS using CF API ManagerSecurity And Access Control For APIS using CF API Manager
Security And Access Control For APIS using CF API Manager
 
Monetizing Business Models: ColdFusion and APIS
Monetizing Business Models: ColdFusion and APISMonetizing Business Models: ColdFusion and APIS
Monetizing Business Models: ColdFusion and APIS
 
Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016
 
ColdFusion in Transit action
ColdFusion in Transit actionColdFusion in Transit action
ColdFusion in Transit action
 
Developer Insights for Application Upgrade to ColdFusion 2016
Developer Insights for Application Upgrade to ColdFusion 2016Developer Insights for Application Upgrade to ColdFusion 2016
Developer Insights for Application Upgrade to ColdFusion 2016
 
Where is cold fusion headed
Where is cold fusion headedWhere is cold fusion headed
Where is cold fusion headed
 
ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusion Keynote: Building the Agile Web Since 1995ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusion Keynote: Building the Agile Web Since 1995
 
Instant ColdFusion with Vagrant
Instant ColdFusion with VagrantInstant ColdFusion with Vagrant
Instant ColdFusion with Vagrant
 
Restful services with ColdFusion
Restful services with ColdFusionRestful services with ColdFusion
Restful services with ColdFusion
 
Super Fast Application development with Mura CMS
Super Fast Application development with Mura CMSSuper Fast Application development with Mura CMS
Super Fast Application development with Mura CMS
 
Build your own secure and real-time dashboard for mobile and web
Build your own secure and real-time dashboard for mobile and webBuild your own secure and real-time dashboard for mobile and web
Build your own secure and real-time dashboard for mobile and web
 
Why Everyone else writes bad code
Why Everyone else writes bad codeWhy Everyone else writes bad code
Why Everyone else writes bad code
 
Securing applications
Securing applicationsSecuring applications
Securing applications
 
Testing automaton
Testing automatonTesting automaton
Testing automaton
 

Dernier

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 

Dernier (20)

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 

Owasp zap

  • 1. Using OWASP ZAP to find vulnerabilities in your web apps David Epler Security Architect depler@aboutweb.com
  • 2. About Me • Primarily an Application Developer • Contributor to Learn CF In a Week • Created Unofficial Updater 2 to patch Adobe ColdFusion 8.0.1 & 9.0.x • OWASP Individual Member • OWASP ZAP Evangelist
  • 3. What is OWASP Zed Attack Proxy (ZAP)? • An easy to use web application penetration testing tool • Completely free and Open Source • no paid PRO version • OWASP flagship project • Included in major security distributions • Kali, Samurai WTF, etc.
  • 4. Brief ZAP History • Fork of Paros Proxy by Simon Bennetts • Code: Paros ~20%, ZAP ~80% • 1st Release September 2010 • Adopted by OWASP October 2010 • Now at 2.3.0, with roadmap to 2.4.0+ • Best Security Tool of 2013 as Voted by ToolsWatch.org Readers
  • 5. Why use ZAP? • Ideal for beginners, developers • also used by professional pen testers • Point and shoot via Quick Start Tab • Manual penetration testing • As a debugger • As part of larger security program • Automated security regression tests
  • 6. Main ZAP Features • Intercepting Proxy • Active and Passive Scanners • Traditional and AJAX spiders • Forced browsing • using OWASP DirBuster • Fuzzing • using fuzzdb and OWASP JBroFuzz • Cross Platform • built on Java (requires 1.7)
  • 7. More ZAP Features • WebSockets support • Authentication and session support • Smart card and client digital certificate support • Anti CSRF token handling • Report generation • Port scanner • Invoke external applications • Support for wide range of scripting • JavaScript, Zest, Python, Groovy • Online Add-ons Marketplace • Translated into 20+ languages
  • 10. Installing and Configuring ZAP • Download and Install • https://code.google.com/p/zaproxy/ wiki/Downloads • Configure browser to use ZAP as proxy • FoxyProxy Standard plugin for Firefox • Import OWASP ZAP Root CA • needed for testing HTTPS sites/apps
  • 12. Plug-n-Hack • Configuring browser to work with security tool can be difficult • Proposed standard developed by Mozilla Security Team • Allows browsers and security tools to integrate more easily • Allows security tools to expose functionality to browser • Requires Firefox 24+ and plugin • Other tools to support it • Burp Suite, Kali
  • 13. A Few Tips • Can use Linux install on Windows, if don’t have rights to install • Don’t forget to import certificate • If you get the following when trying HTTPS • ZAP Error: handshake alert: unrecognized_name • Add to zap.sh/zap.bat • !Djsse.enableSNIExtension=false
  • 14. Testing for vulnerabilities • Automated Testing • Quick Start • Active Scan
  • 15. Testing for vulnerabilities • Directed Testing • Manual, using browser walk through web app • ZAP capturing responses then, testing further by manipulating requests
  • 17. Integrating ZAP with other tools • Run external applications • Nikto • sqlmap
  • 18. Integrating ZAP with other tools • Generate ModSecurity virtual patching rules from ZAP XML results • zap2modsec.pl
  • 19. Integrating ZAP with other tools Demo Time
  • 20. • Please be sure to fill out evaluations • Blog: http://www.dcepler.net • Email: depler@aboutweb.com • Twitter: @dcepler Q&A - Thanks
  • 21. • OWASP Zed Attack Proxy Project • Plug-n-Hack • Issue 704: ZAP Error: handshake alert: unrecognized_name • ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy Resources