CF Objective Notes - Using OWASP ZAP To Find Vulnerabilities In Your Web Apps

May 14, 2014

USING OWASP ZAP TO FIND VULNERABILITIES IN YOUR WEB APPS
David Epler, OWASP Individual Member

Join as a member to give them funding (non-profit, tax deductible)

What is OWASP ZAP (Zed Attack Proxy)?
free and open source
easy-to-use web application penetration testing tool
completely free, no "pro" version
OWASP flagship project
included in major security distros
Kali, Samurai WTF (Web Testing Framework), and others
used in courseware for teaching web penetration testing

started by Simon Bennetts from a tool called "Paros Proxy"
current version is 80% new code, rewritten since the Paros days

Best Security Tool 2013 voted by ToolsWatch.org

Why use ZAP?
Ideal for beginners and developers
also used by professional pen testers

Point and shoot via Quick Start Tab
press the "big red button" and it starts testing

Can do manual penetration testing

Can also use it as a debugger
because ZAP works directly with the headers of the HTTP requests/responses
can be easier to use than the Chrome debugger for this (Chrome munges the responses, ZAP doesn't)

As part of a larger security program: automated security regression tests via Selenium, etc.
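
What that regression gate looks like in practice, as an added example (not code from the talk or from the ZAP project): pull ZAP's findings after a Selenium run has driven the app through the proxy, count them by risk level, and fail the build when anything at or above a chosen level shows up. It assumes ZAP's JSON API at its default listener (http://127.0.0.1:8080) and the core/view/alerts endpoint; the alert data embedded below is constructed, not taken from a real scan.

```python
"""Gate a build on ZAP's findings.

Added example, not code from the talk or from the ZAP project. It assumes
ZAP's JSON API at its default listener (http://127.0.0.1:8080) and the
core/view/alerts endpoint, whose items carry "risk", "alert", "url" and
"param"; the alert data below is constructed for the example.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter, defaultdict

RISK_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed sample of what the alerts view returns; not from a real scan.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"risk": "High", "alert": "SQL Injection",
     "url": "http://app.example/login", "param": "user"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://app.example/", "param": ""},
    {"risk": "Low", "alert": "Cookie Without Secure Flag",
     "url": "http://app.example/", "param": "session"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://app.example/help", "param": ""},
]})


def fetch_alerts(zap_api="http://127.0.0.1:8080", baseurl=None, apikey=None):
    """Read alerts from a running ZAP (network call; assumes the default API address)."""
    params = {}
    if baseurl:
        params["baseurl"] = baseurl   # restrict to the app under test
    if apikey:
        params["apikey"] = apikey     # newer ZAP releases require one
    url = zap_api + "/JSON/core/view/alerts/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def summarize(alerts_json):
    """Count alerts per risk level, always reporting every level."""
    counts = Counter(a["risk"] for a in json.loads(alerts_json)["alerts"])
    return {risk: counts.get(risk, 0) for risk in RISK_ORDER}


def worst_risk(summary):
    """Highest risk level with at least one alert, or None when the scan is clean."""
    for risk in reversed(RISK_ORDER):
        if summary.get(risk, 0):
            return risk
    return None


def should_fail(summary, fail_at="Medium"):
    """True when any alert sits at or above the fail_at level: the CI gate."""
    threshold = RISK_ORDER.index(fail_at)
    return any(summary.get(risk, 0) for risk in RISK_ORDER[threshold:])


def group_by_alert(alerts_json):
    """Collapse duplicates so the report names each issue once, with affected URLs."""
    grouped = defaultdict(set)
    for a in json.loads(alerts_json)["alerts"]:
        grouped[(a["risk"], a["alert"])].add(a["url"])
    return {key: sorted(urls) for key, urls in grouped.items()}


def report(alerts_json, fail_at="Medium"):
    """Plain-text summary suitable for a build log; returns (text, failed)."""
    summary = summarize(alerts_json)
    lines = [f"{risk}: {summary[risk]}" for risk in reversed(RISK_ORDER)]
    for (risk, name), urls in sorted(group_by_alert(alerts_json).items(),
                                     key=lambda kv: -RISK_ORDER.index(kv[0][0])):
        lines.append(f"[{risk}] {name} ({len(urls)} URL(s))")
    failed = should_fail(summary, fail_at)
    lines.append("RESULT: FAIL" if failed else "RESULT: PASS")
    return "\n".join(lines), failed


if __name__ == "__main__":
    try:
        data = fetch_alerts(baseurl="http://app.example")  # placeholder target
    except OSError:
        data = SAMPLE_ALERTS_JSON  # no ZAP running: use the constructed sample
    text, failed = report(data)
    print(text)
    raise SystemExit(1 if failed else 0)
```

The exit code is what the build server acts on; the grouped report is what goes in the build log so a duplicate Medium finding on ten pages reads as one issue, not ten.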

Main ZAP Features
Intercepting Proxy: sits between the web browser and the site to capture the traffic
Active and Passive Scanners
active: sends live test data to the site
passive: just inspects the responses coming back and tells you what's missing/broken
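
What a passive check does in practice, as an added example (not ZAP's own scanner code): it reads one raw HTTP response the browser already received and reports what is missing or weak, without sending anything. The response text and the list of expected headers are constructed for the example.

```python
"""A minimal passive check over one HTTP response.

Added example, not ZAP's scanner code. Passive scanning sends nothing;
it only reads the response the browser already received. The response
below is constructed for the example, not captured from a real site.
"""
import re
from email.parser import Parser

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers whose absence a passive scanner flags, with the protection each provides.
EXPECTED_HEADERS = {
    "X-Frame-Options": "clickjacking protection",
    "X-Content-Type-Options": "MIME-sniffing protection",
    "Content-Security-Policy": "restricts where scripts and resources may load from",
}


def parse_response(raw):
    """Split a raw response into (status line, headers, body); header lookup is case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    return status_line, headers, body


def cookie_flags(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return name, attrs


def passive_check(raw):
    """Return a list of (finding, detail) tuples for one response; never touches the network."""
    findings = []
    _, headers, _ = parse_response(raw)
    for name, why in EXPECTED_HEADERS.items():
        if headers.get(name) is None:
            findings.append((f"{name} header not set", why))
    server = headers.get("Server")
    if server and re.search(r"\d", server):
        findings.append(("Server header leaks version", server))
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("text/html") and "charset" not in ctype.lower():
        findings.append(("Content-Type missing charset", ctype))
    for set_cookie in headers.get_all("Set-Cookie", []):
        name, attrs = cookie_flags(set_cookie)
        if "secure" not in attrs:
            findings.append(("Cookie without Secure flag", name))
        if "httponly" not in attrs:
            findings.append(("Cookie without HttpOnly flag", name))
    return findings


if __name__ == "__main__":
    for finding, detail in passive_check(SAMPLE_RESPONSE):
        print(f"{finding}: {detail}")
```

Every finding here comes from reading headers the server volunteered, which is why passive results are safe to collect on any traffic the proxy sees, while the active scanner's probes are the part that needs permission.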

Traditional AND AJAX spiders
most tools only do traditional

Forced browsing
using OWASP DirBuster
uses list of directories, common dictionary words
can go through and find any "dead" or hidden files that might have old data in them

Fuzzing – sending random data to see what happens as a result
using fuzzdb and OWASP JBroFuzz

Cross Platform – built on Java 1.7

WebSockets support
Authentication and session support
smart card and client digital certificate support
anti-CSRF token handling
report generation
port scanner

can build custom functionality via JavaScript, Python, Groovy or Zest

invoke external applications

online add-ons marketplace
translated into 20+ languages

Intercepting Proxy

Installing and Configuring ZAP
download and install
configure the browser to use ZAP as its proxy
FoxyProxy Standard

Demo Time

Quick Start version with all the defaults. Takes about 2 minutes to run. Good starting point to begin using ZAP.

Plug-n-Hack
can issue ZAP commands from inside the web browser

Tips
Can use the Linux install on Windows if you don't have rights to install software on your machine
Don't forget to import ZAP's certificate into your browser

DO NOT USE ZAP AGAINST A REAL LIVE WEBSITE UNLESS YOU HAVE PERMISSION FROM THAT SITE. You can open up security holes or cause DDoS attacks and other security breaches that would cause a world of issues for you (and the site).

Marketplace Add-ons

Can save the reports to HTML for later reference (but need to edit out the techie details before handing them to non IT/security personnel – it's too terse as-is).

Recommended reading
everything on OWASP

ANYthing coming from the web browser is an UNTRUSTED input.
ANYthing that can write or consume an HTTP request is a potential location to tamper with the data
there are ways to do really bizarre XSS with just the "User-Agent" string, for example
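
Why the User-Agent remark matters, as an added example (not from the talk): a small log viewer that renders request paths and User-Agent strings into HTML, once by concatenating the raw values and once escaped for the HTML element context. The log entries are constructed; the third carries markup in its User-Agent to stand in for the kind of input the talk warns about.

```python
"""Rendering untrusted request data: unescaped versus escaped.

Added example, not from the talk. The log entries are constructed; the
third carries markup in its User-Agent, which is the kind of input the
talk warns about. Every field here should be treated as untrusted.
"""
import html

SAMPLE_LOG = [
    {"path": "/", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/29.0"},
    {"path": "/search?q=zap", "ua": "curl/7.35.0"},
    {"path": "/admin", "ua": "<script>alert(1)</script>"},
]


def render_unsafe(entries):
    """Concatenates raw values into HTML: whatever the client sent becomes markup."""
    rows = "".join(f"<tr><td>{e['path']}</td><td>{e['ua']}</td></tr>" for e in entries)
    return f"<table>{rows}</table>"


def render_safe(entries):
    """Escapes each untrusted value for the HTML element context it is placed in."""
    rows = "".join(
        f"<tr><td>{html.escape(e['path'])}</td><td>{html.escape(e['ua'])}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def leaks_markup(rendered, untrusted_values):
    """Crude regression check: does any untrusted value containing '<' appear verbatim?"""
    return any(value in rendered for value in untrusted_values if "<" in value)


if __name__ == "__main__":
    uas = [e["ua"] for e in SAMPLE_LOG]
    print("unsafe leaks markup:", leaks_markup(render_unsafe(SAMPLE_LOG), uas))
    print("safe leaks markup:  ", leaks_markup(render_safe(SAMPLE_LOG), uas))
```

html.escape is the right tool only for element text and quoted attribute values; a value dropped into a script block or a URL needs encoding for that context instead, and that per-context choice is exactly what ZAP's passive and active XSS checks exercise.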

Browsers make all kinds of requests under the hood that you never actually see, depending on which browser you use.

sqlmap – the de facto tool for testing a site for SQL injection.

Nikto –
when you run an external tool in ZAP the output displays in the "output" tab
can save results to an XML file

Just testing isn't good enough. You have to be ACTIONABLE and DO something with those test results.