OWASP AppSec USA 2011 - PowerPoint Presentation

Uploaded by trish-goza on 2019-11-07


Presentation Transcript

1. OWASP AppSec USA 2011
An Introduction to ZAP: The OWASP Zed Attack Proxy
Simon Bennetts, Sage UK Ltd, OWASP ZAP Project Lead
psiinon@gmail.com

2. The Introduction
The statement: You cannot build secure web applications unless you know how to attack them.
The problem: For many developers, ‘penetration testing’ is a black art.
The solution: Teach basic pentesting techniques to developers.
Thanks to Royston Robertson (www.roystonrobertson.co.uk) for permission to use his cartoon!

3. The Caveat
This is in addition to:
- Teaching secure coding techniques
- Teaching about common vulnerabilities (e.g. OWASP Top 10)
- Secure Development Software Lifecycle
- Static source code analysis
- Code reviews
- Professional pentesting
- …

4. The Zed Attack Proxy
- Released September 2010
- Ease of use a priority
- Comprehensive help pages
- Free, open source
- Cross platform
- A fork of the well regarded Paros Proxy
- Involvement actively encouraged
- Adopted by OWASP October 2010

5. 1 year later…
- Version 1.3.2 released in August… and downloaded 4000+ times
- 5 main coders, 15 contributors
- Fully internationalized
- Translated into 10 languages: Brazilian Portuguese, Chinese, Danish, French, German, Greek, Indonesian, Japanese, Polish, Spanish
- Mostly used by professional pentesters?
- Paros code: ~55%, ZAP code: ~45%

6. ZAP Principles
- Free, open source
- Cross platform
- Easy to use
- Easy to install
- Internationalized
- Fully documented
- Involvement actively encouraged
- Reuse well regarded components

7. Where is ZAP being used?

8. The Main Features
All the essentials for web application testing:
- Intercepting proxy
- Active and passive scanners
- Spider
- Report generation
- Brute force (using OWASP DirBuster code)
- Fuzzing (using OWASP JBroFuzz code)

9. The Additional Features
- Auto tagging
- Port scanner
- Smart card support
- Session comparison
- Invoke external apps
- BeanShell integration
- API + headless mode
- Dynamic SSL certificates
- Anti-CSRF token handling

10. The Demo

11. The Future
- Enhance scanners to detect more vulnerabilities
- Extend API, Ant and Maven integration
- Easier to use, better help
- Fuzzing analysis
- Session analysis
- More localization (all offers gratefully received!)
- Technology detection?
- What do you want??

12. Summary and Conclusion 1
ZAP is:
- Easy to use (for a web app pentest tool ;)
- Ideal for appsec newcomers
- Ideal for training courses
- Being used by professional pen testers
- Easy to contribute to (and please do!)
- Improving rapidly

13. Summary and Conclusion 2
ZAP has:
- An active development community
- An international user base
- The potential to reach people new to OWASP and appsec, especially developers and functional testers
ZAP is (provisionally) a flagship OWASP project.

Any Questions?
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project