CF Objective Notes - Using OWASP ZAP To Find Vulnerabilities In Your Web Apps
May 14, 2014
USING OWASP ZAP TO FIND VULNERABILITIES IN YOUR WEB APPS
David Epler, OWASP Individual Member
Join as an OWASP member to help fund the organization (non-profit, tax deductible)
What is OWASP ZAP (Zed Attack Proxy)?
free and open source
easy-to-use web application penetration testing tool
completely free, no "pro" version
OWASP flagship project
included in the major security distros
Kali, Samurai WTF (Web Testing Framework), and others
used in courseware for teaching web penetration testing
started as a fork of Paros Proxy; Simon Bennetts leads the ZAP project
the current version is about 80% new code, rewritten since the Paros days
voted Top Security Tool of 2013 by ToolsWatch.org
Why use ZAP?
Ideal for beginners and developers
also used by professional pen testers
Point and shoot via the Quick Start tab
enter a URL, press the "big red button" (Attack) and it spiders and scans the site
Can do manual penetration testing
Can also use it as a debugger
because ZAP shows the raw HTTP request and response headers exactly as they go over the wire
can be easier than the Chrome debugger for this (Chrome munges what it shows you; ZAP doesn't)
As part of a larger security program: automated security regression tests, e.g. Selenium tests run through the ZAP proxy
Main ZAP Features
Intercepting Proxy: sits between the web browser and the site, so every request and response can be seen and edited
Active and Passive Scanners
active: sends its own crafted (attack) requests to the site
passive: only inspects the requests and responses already passing through the proxy and reports what's missing or broken (e.g. security headers); it sends nothing of its own
Traditional AND AJAX spiders
most tools only do the traditional crawl; the AJAX spider drives a real browser so links generated by JavaScript get found too
Forced browsing
using OWASP DirBuster
uses wordlists of common directory and file names
walks through them to find "dead" or hidden files that may still hold old data (backups, forgotten admin pages)
Fuzzing: sending lots of unexpected or malformed data into a request parameter and watching what comes back
payload lists from fuzzdb and OWASP JBroFuzz
Cross platform: built on Java (1.7)
WebSockets support
Authentication and session handling
smart card and client digital certificate support
anti-CSRF token handling
report generation
port scanner
can build custom functionality via scripts in JavaScript, Python (Jython), Groovy or Zest
invoke external applications
online add-ons marketplace
translated into 20+ languages
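Forced browsing and passive scanning, as one added Python example (not ZAP's DirBuster integration or its passive-rule code): it serves a constructed local site with a forbidden admin area and two forgotten backup files, walks a tiny wordlist against it the way DirBuster does (anything that is not a 404 is a hit), then runs a passive header and content check over whatever came back without sending anything further. The site, the wordlist, the suffix list and the checks are all assumptions made for the example.

```python
"""Forced browsing plus a passive response check against a constructed
local target. Added example; not ZAP/DirBuster code."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, build_opener

# Constructed target: a home page, a forbidden area and two forgotten
# files of exactly the kind forced browsing is meant to dig up.
SITE = {
    "/": (200, {"Content-Type": "text/html", "X-Frame-Options": "DENY"}, b"<h1>home</h1>"),
    "/admin/": (403, {"Content-Type": "text/html"}, b"forbidden"),
    "/backup.zip": (200, {"Content-Type": "application/zip"}, b"PK\x03\x04 constructed"),
    "/config.php.bak": (200, {"Content-Type": "text/plain"}, b"<?php $db_pass = 'hunter2';"),
}

class Target(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = SITE.get(
            self.path, (404, {"Content-Type": "text/html"}, b"not found"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_target():
    """Serve SITE on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

# Tiny constructed wordlist; DirBuster's lists run to tens of thousands of entries.
WORDS = ["admin", "backup", "config.php", "test", "old"]
SUFFIXES = ["", "/", ".bak", ".zip", ".old"]

def force_browse(base_url, words=WORDS, suffixes=SUFFIXES):
    """Request every word+suffix combination. Anything that is not a 404 is a hit:
    200 = exists, 403 = exists but forbidden (still worth knowing), 3xx = redirect."""
    opener = build_opener(ProxyHandler({}))  # ignore any http_proxy environment vars
    hits = {}
    for word in words:
        for suffix in suffixes:
            path = "/" + word + suffix
            try:
                with opener.open(base_url + path, timeout=5) as resp:
                    hits[path] = (resp.status, dict(resp.headers), resp.read())
            except HTTPError as err:
                if err.code != 404:
                    hits[path] = (err.code, dict(err.headers), err.read())
    return hits

def passive_check(status, headers, body=b""):
    """Passive rule: look only at a response that already came back, send nothing.
    Returns findings in the spirit of ZAP's header and information-disclosure rules."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    is_html = "text/html" in h.get("content-type", "")
    if is_html and "x-frame-options" not in h and "content-security-policy" not in h:
        findings.append("no X-Frame-Options / CSP: page can be framed (clickjacking)")
    if "x-content-type-options" not in h:
        findings.append("X-Content-Type-Options: nosniff not set")
    if "server" in h:
        findings.append("Server header discloses %s" % h["server"])
    if b"<?php" in body or b"pass" in body.lower():
        findings.append("body looks like source code or credentials (forgotten backup?)")
    return findings

if __name__ == "__main__":
    srv, base = start_target()
    for path, (status, headers, body) in sorted(force_browse(base).items()):
        print(status, path)
        for finding in passive_check(status, headers, body):
            print("   -", finding)
    srv.shutdown()
```

The 403 on /admin/ is reported on purpose: forced browsing is about learning what exists, and a forbidden directory is a lead for later manual testing. The passive check is deliberately cheap, which is why ZAP can run rules like these on every response without slowing the proxy down.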
Intercepting Proxy
Installing and Configuring ZAP
download and install
configure the browser to use ZAP as its proxy (ZAP listens on localhost:8080 by default)
FoxyProxy Standard (Firefox add-on) makes switching the proxy on and off easy
Demo Time
Quick Start with all the defaults. Takes about two minutes to run. A good starting point for getting to know ZAP.
Plug-n-Hack
lets you issue ZAP commands from inside the web browser (Firefox)
Tips
Can use the cross-platform (Linux) package on Windows if you don't have rights to install software on your machine; it is a zip, no installer needed
Don't forget to import ZAP's root CA certificate into your browser, or HTTPS sites will throw certificate errors through the proxy
DO NOT USE ZAP AGAINST A REAL LIVE WEB SITE UNLESS YOU HAVE PERMISSION FROM THAT SITE. The active scanner can open up security holes, cause a denial of service or other breaches, and land you (and the site) in a world of trouble.
Marketplace Add-ons
Can save reports as HTML for later reference (but edit out the technical detail before handing them to non-IT/security people; the raw report is too terse for them).
Recommended reading
everything on OWASP
ANYthing coming from the web browser is UNTRUSTED input.
ANYthing that can write or consume an HTTP request is a potential place to tamper with the data: parameters, cookies, headers, the body
there are ways to do really bizarre XSS with just the "User-Agent" string, for example
browsers also make all kinds of requests under the hood that you never actually see, and which ones depends on the browser
sqlmap: the de facto tool for SQL injection testing against a site
Nikto –
when you run an external tool from ZAP, its output displays in the "Output" tab
can save results to an XML file
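Fuzzing (listed under Main ZAP Features) and the untrusted-input point just made, as one added Python example that is not ZAP's fuzzer and uses no fuzzdb or JBroFuzz data: a constructed app escapes its search parameter correctly but drops the User-Agent header into the page raw. The fuzzer pushes a few made-up XSS probes into both injection points and reports where a probe comes back verbatim, which is the reflection a real payload would exploit. A hardened copy of the same app shows the fix (output encoding of every browser-supplied value). App, payloads and injection points are all assumptions for the example.

```python
"""Reflection fuzzing of a query parameter and the User-Agent header against
a constructed app. Added example; not ZAP code, not fuzzdb/JBroFuzz payloads."""
import html
from urllib.parse import parse_qs, quote

def _render(term, ua):
    return ("<html><body><p>Results for: %s</p>"
            "<p class='browser'>%s</p></body></html>" % (term, ua))

def vulnerable_app(environ):
    """Constructed WSGI-style app: the search term is escaped, but the
    User-Agent (a browser-supplied value few developers treat as input) is not."""
    term = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    ua = environ.get("HTTP_USER_AGENT", "")
    return "200 OK", [("Content-Type", "text/html")], _render(html.escape(term), ua)

def hardened_app(environ):
    """Same app with every browser-supplied value HTML-encoded on output."""
    term = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    ua = environ.get("HTTP_USER_AGENT", "")
    return "200 OK", [("Content-Type", "text/html")], _render(html.escape(term), html.escape(ua))

# Constructed XSS probes; real payload lists carry hundreds per category.
PAYLOADS = [
    "<script>alert(1)</script>",
    "\"><img src=x onerror=alert(1)>",
    "'><svg/onload=alert(1)>",
]

# Injection points: a query parameter and an HTTP header. Cookies, the path,
# Referer, Host and the POST body are the same kind of target.
POINTS = ["q", "User-Agent"]

def build_environ(point, payload):
    """Baseline request with one location replaced by the payload."""
    env = {"QUERY_STRING": "q=search", "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)"}
    if point == "q":
        env["QUERY_STRING"] = "q=" + quote(payload, safe="")
    else:
        env["HTTP_" + point.upper().replace("-", "_")] = payload
    return env

def fuzz(app, payloads=PAYLOADS, points=POINTS):
    """Send every payload into every injection point; return (point, payload)
    pairs that came back verbatim, i.e. reflected without output encoding."""
    findings = []
    for point in points:
        for payload in payloads:
            status, headers, body = app(build_environ(point, payload))
            if payload in body:
                findings.append((point, payload))
    return findings

if __name__ == "__main__":
    for point, payload in fuzz(vulnerable_app):
        print("reflected unescaped via %s: %s" % (point, payload))
    print("hardened app findings:", fuzz(hardened_app))
```

The check is string containment of the raw probe, which is what ZAP's reflected-XSS logic starts from before it confirms the context; a payload that only comes back encoded (`&lt;script&gt;`) is not a finding.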
Just testing isn't good enough. You have to be ACTIONABLE and DO something with those test results.
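Making the results actionable, as an added Python example (not ZAP's own code): a small build gate that fails a CI run when ZAP reports a new finding at or above a chosen risk level, while tolerating a baseline of alerts that have already been triaged. The `scan_with_zap` helper assumes a running ZAP and the python-owasp-zap-v2.4 client and is not exercised offline; it uses ZAP's spider rather than Selenium to generate traffic. The alert list below is constructed in the shape ZAP's API returns, with real rule names and made-up URLs.

```python
"""ZAP alerts as a pass/fail regression gate. Added example; not ZAP code."""
import time

# ZAP's four risk levels, ordered
RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def scan_with_zap(target, apikey, proxy="http://127.0.0.1:8080"):
    """Drive a running ZAP through its API and return its alert list.
    Assumption: ZAP is up on `proxy` with this API key; not run in the test."""
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    zap = ZAPv2(apikey=apikey, proxies={"http": proxy, "https": proxy})
    zap.urlopen(target)                      # seed the site tree
    sid = zap.spider.scan(target)
    while int(zap.spider.status(sid)) < 100:
        time.sleep(2)
    aid = zap.ascan.scan(target)
    while int(zap.ascan.status(aid)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)

# Constructed alerts in the shape of zap.core.alerts() output (URLs made up).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://app.example/search?q=x", "param": "q"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.example/item?id=1", "param": "id"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://app.example/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://app.example/login", "param": "JSESSIONID"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "http://app.example/app.js", "param": ""},
]

def alert_key(alert):
    """Identity of a finding: rule + URL + parameter, so re-runs compare like with like."""
    return (alert["alert"], alert["url"], alert.get("param", ""))

def gate(alerts, fail_at="Medium", baseline=()):
    """Split alerts at or above `fail_at` into (new_failures, accepted).
    `baseline` holds alert_key() tuples already triaged and accepted."""
    accepted = set(baseline)
    failures, suppressed = [], []
    for alert in alerts:
        if RISK.get(alert["risk"], 0) < RISK[fail_at]:
            continue
        key = alert_key(alert)
        (suppressed if key in accepted else failures).append(key)
    return failures, suppressed

def summary(alerts):
    """Count of alerts per risk level, for the build log."""
    counts = {level: 0 for level in RISK}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts

if __name__ == "__main__":
    baseline = [("X-Frame-Options Header Not Set", "http://app.example/", "")]
    failures, suppressed = gate(SAMPLE_ALERTS, "Medium", baseline)
    print("summary:", summary(SAMPLE_ALERTS))
    for key in failures:
        print("FAIL:", key)
    raise SystemExit(1 if failures else 0)
```

The baseline is what keeps the gate honest over time: an accepted finding stays visible in the log as suppressed rather than silently disappearing, and any new URL or parameter for the same rule still fails the build.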