A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8

1. The OWASP Foundation
http://www.owasp.org
ZAP Innovations
OWASP
Zed Attack Proxy
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
psiinon@gmail.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. What is ZAP?
•
•
•
•
•
•
•
•
•
An easy to use webapp pentest tool
Completely free and open source
An OWASP flagship project
Ideal for beginners
But also used by professionals
Ideal for devs, esp. for automated security tests
Becoming a framework for advanced testing
Included in all major security distributions
Not a silver bullet!
2

3. ZAP Principles
•
Free, Open source
•
Involvement actively encouraged
•
Cross platform
•
Easy to use
•
Easy to install
•
Internationalized
•
Fully documented
•
Work well with other tools
•
Reuse well regarded components
3

4. Statistics
• Released September 2010, fork of Paros
• V 2.2.2 released in Sept 2013
• V 2.1.0 downloaded > 25K times
• Translated into 20+ languages
• Over 50 translators
• Mostly used by Professional Pentesters?
• Paros code: ~20%
ZAP Code: ~80%
4

5. Ohloh Statistics
•
Very High Activity
• The most active OWASP Project
• 28 active contributors
• 236 years of effort
Source: http://www.ohloh.net/p/zaproxy
5

6. User Questionnaire
6

7. The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and Ajax Spiders
• WebSockets support
• Forced Browsing (using OWASP DirBuster
code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Online Add-ons Marketplace
7

8. Some Additional Features
•
Auto tagging
•
Port scanner
•
Script Console
•
Report generation
•
Smart card support
•
Contexts and scope
•
Session management
•
Invoke external apps
•
Dynamic SSL Certificates
8

9. How can you use ZAP?
•
•
•
•
•
•
Point and shoot – the Quick Start tab
Proxying via ZAP, and then scanning
Manual pentesting
Automated security regression tests
As a debugger
As part of a larger security program
9

10. SecurityRegression Tests
http://code.google.com/p/zaproxy/wiki/SecRegTests
10

11. ZAP – Embedded
ThreadFix – Denim Group
Software vulnerability aggregation
and management system
Minion – Mozilla
Security automation platform
11

12. 


New Spider plus Session awareness
Cosmin Stefan
Ajax Spider via Crawljax
Guifre Ruiz
WebSockets support
Robert Kock
All included since 2.1.0

13. • Enhanced HTTP Session Handling
Cosmin Stefan
• SAML 2.0
Pulasthi Mahawithana
• Advanced Reporting using BIRT
Rauf Butt
• CMS Scanner
Abdelhadi Azouni
• Dynamically Configurable Actions
Alessandro Secco

14. Enhanced Sessions
• Student: Cosmin Stefan – Studying for MSc at
University of Denmark
• Mentor: Guifre Ruiz (GSoC student 2012)
• Project: Plugable, fully integrated session and
authentication, (semi) automation of access
control testing, a platform to build on
• Status: Committed into the trunk

15. SAML 2.0
• Student: Pulasthi Mahawithana – Studying at
University of Moratuwa, Sri Lanka
• Mentors: Prasad Shenoy, Kevin Wall
• Project: Detect, decode and fuzz SAML
messages, simulate XSW attacks
• Status: Alpha add-on available now

16. Advanced Reporting
• Student: Rauf Butt – Studying at Regent's
College, London
• Mentors: Johanna Curiel
• Project: Flexible, plugable and highly
configurable BIRT generated reports
• Status: Code committed, add-on available
soon?

17. CMS Scanner
• Student: Abdelhadi Azouni – Studying at High
School of Computer Science, Algiers
• Mentors: Mennouchi Islam Azedine
• Project: Fingerprint CMS software and
versions, enumerate vulnerabilities in core,
plugins or templates
• Status: Code committed, add-on available
soon?

18. Dynamic actions
• Student: Alessandro Secco, studying at
University Padua, Italy
• Mentors: Simon Bennetts
• Project: Provide a very simple and flexible way
to extend ZAP, replace old Paros Filters
• Status: Code committed, add-on included in
2.2.0

19. More new stuff
•
New add-ons:
– Technology detection using Wappalyzer
– HTTPS Info
•
New / updated Scan rules:
– Command injection
– Code injection
– Xpath injection
– SQL injection (inc a port of SQLMap core)
19

20. Even more new stuff
•
New active scan targets and formats
– HTTP headers + Cookies
– Multipart Forms
– XML
– JSON
– Google Web Toolkit
– OData
20

21. Demo
Time
21

22. Plug-n-Hack – Phase 1
• Allow browsers and security tools to
integrate more easily
• Allows security tools to expose
functionality to browsers
• “Proposed standard”
• Developed by Mozilla Security Team
• Browser and security tool independent

23. Plug-n-Hack
Tools signed up:
– Firefox (via an add-on)
– ZAP (ditto)
– Minion
– Burp Suite
– OWASP OWTF
– Kali

24. Scripting
• Previously just supported 'run now' scripts
• Scripting is now embedded into ZAP
• Different types of scripts
– Stand alone
As now
– Targeted
Specify URLs to run against
– Active
Run in Active scanner
– Passive
Run in Passive scanner
– Proxy
Run 'inline'

25. Zest - Overview
•
•
•
•
An experimental scripting language
Developed by Mozilla Security Team
Free and open source (of course)
Format: JSON – designed to be
represented visually in security tools
• Tool independent – can be used in open
and closed, free or commercial software
• Is included by default in ZAP from 2.2.0
• Will replace filters – Alessandro's
project

26. Zest – Use cases
• Reporting vulnerabilities to companies
• Reporting vulnerabilities to developers
• Defining tool independent active and
passive scan rules
• Deep integration with security tools

27. Zest – Passive Scan Rule

28. Zest - Statements
•
•
•
•
•
•
•
HTTP(S) Requests
Assertions
Conditionals
Assignments
Actions
Loops
More to come …

29. Zest - Runtime
• Java runtime: reference implementation,
used by ZAP, but ZAP independent
• Runtimes also being developed:
– Javascript
– Python
• Want to implement another one?
We'll help you :)

30. Plug-n-Hack – Phase 2
• Allows browsers to to expose
functionality to security tools
•
•
•
•
•
•
•
This phase doesn't need browser plugins
Work in progress!
Inject javascript into 'monitored pages'
Heartbeat shows which pages are alive
Intercept and change postMessages
Fuzz postMessages
DOM XSS oracle

31. ZAP Hackathon!
• Tomorrow – Thursday 21 9am - 1pm
• Learn how to work on ZAP:
st
– Active/Passive scan rules
– Scripts
– Add-ons
– Localization
– Documentation
• Will include demos plus plenty
of time to work on ZAP

32. Conclusion
• ZAP is changing rapidly
• New features are being introduced which
exceed the capabilities of other tools
• We're implementing functionality so that it
can be reused in other tools
• Its a community based tool – get involved!
• We want feedback - fill in the Questionnaire!
(linked of ZAP homepage)
• Come along to the Hackathon tomorrow :)

33. Questions?
http://www.owasp.org/index.php/ZAP