Vous êtes sur la page 1sur 31

OWASP The OWASP Foundation

Canberra 2014 http://www.owasp.org

OWASP ZAP
Workshop 1:
Getting started
Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team

psiinon@gmail.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The plan
• Introduction
• The main bit
• Demo feature
• Let you play with feature
• Answer any questions
• Repeat
• Plans for the future sessions
2
What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2013
• Not a silver bullet!

3
ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components

4
Statistics
• Released September 2010, fork of Paros
• V 2.3.1 released in May 2014
• V 2.3.1 downloaded > 35K times
• Translated into 20+ languages
• Over 90 translators
• Mostly used by Professional Pentesters?
• Paros code: ~20% ZAP Code: ~80%

5
Open HUB Statistics
• Very High Activity
• The most active OWASP Project
• 31 active contributors
• 327 years of effort

Source: https://www.openhub.net/p/zaproxy

6
Some ZAP use cases
• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
• Debugging
• Part of a larger security program

7
The BodgeIt Store
• A simple vulnerable web app
• Easy to install, minimal dependencies
• In memory db
• Scoring page – how well can you do?

8
The ZAP UI
• Top level menu
• Top level toolbar
• Tree window
• Workspace window
• Information window
• Footer

9
Quick Start - Attack
• Specify one URL
• ZAP will spider that URL
• Then perform an Active Scan
• And display the results
• Simple and effective
• Little control & cant handle authentication

10
Proxying via ZAP
• Plug-n-Hack easiest option, if using
Firefox
• Otherwise manually configure your
browser to proxy via ZAP
• And import the ZAP root CA
• Requests made via your browser should
appear in the Sites & History tabs
• IE – dont “Bypass proxy for local
addresses”
11
ZAP PnH
Manual ZAP config
Practical 1
• Try out the Quick Start – Attack
• Configure your browser to proxy via ZAP
• Manually explore your target application

18
The Spiders
• Traditional Spider
• Fast
• Cant handle JavaScript very well
• AJAX Spider
• Launches a browser
• Slower
• Can handle Java Script
19
Practical 2
• Use the 'traditional' spider on your target
application
• Use the AJAX spider on your target
application
• If you're using BodgeIt – can you find the
'hidden' content?

20
Answer: Hidden content
Active and Passive Scanning
• Passive Scanning is safe
• Active Scanning in NOT safe
• Only use on apps you have permission
to test
• Launch via tab or 'attack' right click
menu
• Effectiveness depends on how well you
explored your app
22
Practical 3
• Review the Passive issues already found
• Run the Active Scanner on your target
application
• If you're using BodgeIt –
• Can you login as user1 or admin?
• Can you get an “XSS” popup?

23
Answer: Login as…
• Password guessing
• test@thebodgeitstore.com
• password
• SQL Injection
• user1@thebodgeitstore.com’ or ‘1’=‘1
• admin@thebodgeitstore.com’ or ‘1’=‘1
Answer: XSS popup
• Search function
• Append <script>alert(“XSS”)</script>
Intercepting and changing
Break on all requests
Break on all responses
Submit and step
Submit and continue
Bin the request or response
Add a custom HTTP break point

26
Practical 4
• Intercept and change requests and
responses
• Use custom break points just on a specific
page
• If you're using BodgeIt – can you make
some money via the basket?

27
Answer: Make money
• Your Basket page
• Change quantity to negative number
• quantity_26=-5&update=Update+
Basket
Some final pointers
• Generating reports
• Save sessions at the start
• Right click everywhere
• Play with the UI options
• Explore the ZAP Marketplace
• F1: The User Guide
• Menu: Online / ZAP User Group
29
Future Sessions?
• Fuzzing
• Advanced Active Scanning
• Contexts
• Authentication
• Scripts
• Zest
• The API
• Websockets
• What do you want?? 
30
Any Questions?
http://www.owasp.org/index.php/ZAP