2. The plan
• The main bit
• Demo feature
• Let you play with feature
• Answer any questions
• Repeat
• Plans for the future sessions
3. Contexts
• Assign characteristics to groups of URLs
• Like an application:
– Per site:
• http://www.example.com
– Site subtree:
• http://www.example.com/app1
– Multiple sites:
• http://www.example1.com
• http://www.example2.com
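As an added illustration (not part of the slides or of ZAP's own code) of the three groupings above: a ZAP context's scope is a set of include and exclude regexes matched against the whole URL, so the same application shapes can be expressed as patterns. The URL lists, the `/app1/logout` exclusion and the helper names are constructed for this example.

```python
import re

# Constructed ZAP-style context definitions (example data, not from the slides).
# A context's scope is "Include in Context" regexes minus "Exclude from Context"
# regexes, each matched against the whole URL.
CONTEXTS = {
    # Per site: everything under one host (the shape of pattern ZAP generates
    # when you include a whole site in a context)
    "per_site": {
        "include": [r"http://www\.example\.com.*"],
        "exclude": [],
    },
    # Site subtree: one application under a host; its logout page is excluded
    # so an authenticated spider/scan does not log itself out (constructed path)
    "site_subtree": {
        "include": [r"http://www\.example\.com/app1.*"],
        "exclude": [r"http://www\.example\.com/app1/logout.*"],
    },
    # Multiple sites: one application spread across two hosts
    "multiple_sites": {
        "include": [r"http://www\.example1\.com.*", r"http://www\.example2\.com.*"],
        "exclude": [],
    },
}

def in_context(url, context):
    """Return True if url is in scope for the given context definition."""
    included = any(re.fullmatch(p, url) for p in context["include"])
    excluded = any(re.fullmatch(p, url) for p in context["exclude"])
    return included and not excluded

def filter_history(urls, context):
    """Keep only the URLs a scan restricted to this context would touch."""
    return [u for u in urls if in_context(u, context)]

# Constructed sample of URLs as they might appear in the ZAP Sites tree.
SAMPLE_URLS = [
    "http://www.example.com/",
    "http://www.example.com/app1/index.jsp",
    "http://www.example.com/app1/logout.jsp",
    "http://www.example.com/app2/index.jsp",
    "http://www.example1.com/login",
    "http://www.example2.com/api/items",
    "https://www.example.com/app1/secure",   # scheme differs: out of scope
]

if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():
        print(name, filter_history(SAMPLE_URLS, ctx))
```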
4. Practical 1
• Create and edit a Context definition
• Add and remove context to scope
• Try using ZAP with different modes and scopes
5. Contexts
• Allow you to define:
– Scope
– Session handling
– Authentication
– Users
– 'Forced user'
– Structure
– with more coming soon
6. Practical 2
• Define a context for an app with authentication
• Configure the authentication method, logged in/out indicator and 1+ user(s)
• Spider / scan using the Forced User mode
7. Basic Fuzzing
• Current 'basic' fuzzing:
– Sending attack vectors at 1 selected target
– Just supports files of attack vectors
– JbroFuzz files included by default
– FuzzDb and SVN Digger files on Marketplace
– You can add your own files
– Handles anti-CSRF tokens
– Results can be searched
8. Practical 3
• Fuzz input fields
• Fuzz input fields in forms with an anti-CSRF token
• Search fuzzing results
• Download and use FuzzDb and SVN Digger files
9. Advanced Fuzzing
• 'MultiFuzz' on the Marketplace:
– Sending attack vectors at multiple selected targets
– Range of attack vectors, not just files
– Supports graphing of results
– Google Summer of Code Project
– Alpha quality
10. Practical 4
• Download MultiFuzz
• Try out all of its features
• Provide feedback :)
11. Advanced Scanning
• Accessed from:
– Right click Attack menu
– Tools menu
– Keyboard shortcut (default Ctrl-Alt-A)
• Gives you fine grained control over:
– Scope
– Input Vectors
– Custom Vectors
– Policy
12. Practical 5
• Scan one URL with one scan rule
• Play with the thresholds and strengths
• Scan custom input vectors
• Create, save and load Policies
13. Future Sessions?
• Scripts
• Zest
• The API
• Websockets
• Marketplace add-ons
• Intro to the source code?
• What do you want??