2014 ZAP Workshop 1: Getting Started
•Télécharger en tant que ODP, PDF•
5 j'aime•3,642 vues
The first of a series of workshops on OWASP ZAP delivered remotely to OWASP Canberra.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à 2014 ZAP Workshop 1: Getting Started
Similaire à 2014 ZAP Workshop 1: Getting Started (20)
Dernier
Dernier (20)
2014 ZAP Workshop 1: Getting Started
- 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP Canberra 2014 OWASP ZAP Workshop 1: Getting started Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com
- 2. The plan • Introduction • The main bit • Demo feature • Let you play with feature • Answer any questions • Repeat • Plans for the future sessions 2
- 3. 3 What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing • Included in all major security distributions • ToolsWatch.org Top Security Tool of 2013 • Not a silver bullet!
- 4. 4 ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components
- 5. 5 Statistics • Released September 2010, fork of Paros • V 2.3.1 released in May 2014 • V 2.3.1 downloaded > 35K times • Translated into 20+ languages • Over 90 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80%
- 6. 6 Open HUB Statistics • Very High Activity • The most active OWASP Project • 31 active contributors • 327 years of effort Source: https://www.openhub.net/p/zaproxy
- 7. Some ZAP use cases • Point and shoot – the Quick Start tab • Proxying via ZAP, and then scanning • Manual pentesting • Automated security regression tests • Debugging • Part of a larger security program 7
- 8. The BodgeIt Store • A simple vulnerable web app • Easy to install, minimal dependencies • In memory db • Scoring page – how well can you do? 8
- 9. The ZAP UI • Top level menu • Top level toolbar • Tree window • Workspace window • Information window • Footer 9
- 10. Quick Start - Attack • Specify one URL • ZAP will spider that URL • Then perform an Active Scan • And display the results • Simple and effective • Little control & cant handle authentication 10
- 11. Proxying via ZAP • Plug-n-Hack easiest option, if using Firefox • Otherwise manually configure your browser to proxy via ZAP • And import the ZAP root CA • Requests made via your browser should appear in the Sites & History tabs • IE – dont “Bypass proxy for local addresses” 11
- 12. Practical 1 • Try out the Quick Start – Attack • Configure your browser to proxy via ZAP • Manually explore your target application 12
- 13. The Spiders • Traditional Spider • Fast • Cant handle JavaScript very well • AJAX Spider • Launches a browser • Slower • Can handle Java Script 13
- 14. Practical 2 • Use the 'traditional' spider on your target application • Use the AJAX spider on your target application • If you're using BodgeIt – can you find the 'hidden' content? 14
- 15. Active and Passive Scanning• Passive Scanning is safe • Active Scanning in NOT safe • Only use on apps you have permission to test • Launch via tab or 'attack' right click menu • Effectiveness depends on how well you explored your app 15
- 16. Practical 3 • Review the Passive issues already found • Run the Active Scanner on your target application • If you're using BodgeIt – • Can you login as user1 or admin? • Can you get an “XSS” popup? 16
- 17. Intercepting and changing Break on all requests Break on all responses Submit and step Submit and continue Bin the request or response Add a custom HTTP break point 17
- 18. Practical 4 • Intercept and change requests and responses • Use custom break points just on a specific page • If you're using BodgeIt – can you make some money via the basket? 18
- 19. Some final pointers • Generating reports • Save sessions at the start • Right click everywhere • Play with the UI options • Explore the ZAP Marketplace • F1: The User Guide • Menu: Online / ZAP User Group 19
- 20. 20 Future Sessions? • Fuzzing • Advanced Active Scanning • Contexts • Authentication • Scripts • Zest • The API • Websockets • What do you want??