The second of a series of workshops on OWASP ZAP delivered remotely to OWASP Canberra.

1. The OWASP Foundation
http://www.owasp.org
OWASP ZAP
Workshop 2:
Contexts and Fuzzing
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
psiinon@gmail.com
Copyright © The OWASP Foundation
OWASP
Canberra 2014
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. The plan
• The main bit
• Demo feature
• Let you play with feature
• Answer any questions
• Repeat
• Plans for the future sessions
2

3. Contexts
• Assign characteristics to groups of URLs
• Like an application:
– Per site:
• http://www.example.com
– Site subtree:
• http://www.example.com/app1
– Multiple sites:
• http://www.example1.com
• http://www.example2.com

4. Practical 1
• Create and edit a Context definition
• Add and remove context to scope
• Try using ZAP with different modes and
scopes
4

5. Contexts
• Allow you to define:
– Scope
– Session handling
– Authentication
– Users
– 'Forced user'
– Structure
– with more coming soon

6. Practical 2
• Define a context for an app with
authentication
• Configure the authentication method,
logged in/out indicator and 1+ users(s)
• Spider / scan using the Forced User
mode
6

7. Basic Fuzzing
• Current 'basic' fuzzing:
– Sending attack vectors at 1 selected target
– Just supports files of attack vectors
– JbroFuzz files included by default
– FuzzDb and SVN Digger files on Marketplace
– You can add your own files
– Handles anti CSRF tokens
– Results can be searched

8. Practical 3
• Fuzz input fields
• Fuzz input fields in forms with an anti
CRSF token
• Search fuzzing results
• Download and use FuzzDb and SVN Digger
files
8

9. Advanced Fuzzing
• 'MultiFuzz' on the Marketplace:
– Sending attack vectors at multiple selected
targets
– Range of attack vectors, not just files
– Supports graphing of results
– Google Summer of Code Project
– Alpha quality

10. Practical 4
• Download MultiFuzz
• Try out all of its features
• Provide feedback :)
10

11. Advanced Scanning
• Accessed from:
– Right click Attack menu
– Tools menu
– Key board shortcut (default Ctrl-Alt-A)
• Gives you fine grained control over:
– Scope
– Input Vectors
– Custom Vectors
– Policy

12. Practical 5
• Scan one URL with one scan rule
• Play with the thresholds and strengths
• Scan custom input vectors
• Create, save and load Policies
12

13. 13
Future Sessions?
• Scripts
• Zest
• The API
• Websockets
• Marketplace add-ons
• Intro to the source code?
• What do you want?? 

14. Any Questions?
http://www.owasp.org/index.php/ZAP