Zed Attack Proxy (ZAP)

JAINAMKAPADIA 4,054 views 16 slides Aug 13, 2018

About This Presentation

A case study on the OWASP Zed Attack Proxy (ZAP), a widely used web application security testing tool.


Slide Content

OWASP Zed Attack Proxy Enrollment No:-150450116015 2017


Case study on
OWASP Zed Attack Proxy

1. Introduction
The OWASP (Open Web Application Security Project) Zed Attack Proxy (ZAP) is
one of the world’s most popular free security tools and is actively maintained by hundreds of
international volunteers. It can help you automatically find security vulnerabilities in your
web applications while you are developing and testing them. It is also a great tool
for experienced pentesters to use for manual security testing.
OWASP ZAP is an open-source web application security scanner.
It is intended to be used both by those new to application security and by professional
penetration testers. It is one of the most active OWASP projects and has been given Flagship
status. It is also fully internationalized and is being translated into over 25 languages.
When used as a proxy server it lets the user inspect and manipulate all of the traffic that
passes through it, including HTTPS traffic: ZAP terminates TLS with certificates issued by its
own root CA, which the browser must be configured to trust. It can also run in a ‘daemon’ mode
which is then controlled via a REST application programming interface. This cross-platform tool
is written in Java and is available on all of the popular operating systems, including Microsoft
Windows, Linux and Mac OS X. ZAP was added to the ThoughtWorks Technology Radar in
May 2015 in the Trial ring.
• An easy to use webapp pentest tool
• Completely free and open source
• OWASP Flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Included in all major security distributions
• ToolsWatch.org Top Security Tool of 2015
• Not a silver bullet!

1.1 ZAP Features
• Swing based UI for desktop mode
• Comprehensive REST(ish) API for daemon mode
• Plug in architecture (add-ons)
• Online ‘marketplace’ (all free:)
• Release, beta and alpha quality add-ons
• Traditional and ajax spiders
• Passive and active scanning
• Highly configurable, eg scan policies
• Highly scriptable

1.2 ZAP Principles
• Free, Open source
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Involvement actively encouraged
• Reuse well regarded components

2. Installation of ZAP
• Download links:
• http://code.google.com/p/zaproxy/downloads/list
• https://github.com/zaproxy/zaproxy/wiki/Downloads
• ZAP works as an intercepting proxy between the browser and the application. To set the address and port ZAP listens on:
• go to TOOLS > OPTIONS > LOCAL PROXY in ZAP (the default is localhost, port 8080)
• configure the same address and port as the HTTP and HTTPS proxy in the browser, so that its traffic passes through ZAP
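The same proxy set-up for a scripted client instead of a browser, as an added example (it is not part of the original slides and not ZAP's own code). It assumes ZAP's default local proxy of 127.0.0.1:8080 and that ZAP's root CA certificate has been exported to a PEM file whose path the caller supplies; the target URL at the bottom is a placeholder.

```python
import ssl
import urllib.request

# Assumed: ZAP's default local proxy address (Tools > Options > Local Proxy).
ZAP_HOST = "127.0.0.1"
ZAP_PORT = 8080


def proxy_settings(host=ZAP_HOST, port=ZAP_PORT):
    """Proxy map that sends both http and https through ZAP.

    The https entry is still a plain http:// proxy URL: the client opens a
    CONNECT tunnel to ZAP, and ZAP terminates TLS with a certificate signed by
    its own root CA so that it can read and modify the plaintext.
    """
    proxy = f"http://{host}:{port}"
    return {"http": proxy, "https": proxy}


def proxy_environment(host=ZAP_HOST, port=ZAP_PORT):
    """The same settings for tools that read proxy configuration from the
    environment (curl, pip, git and most CLIs)."""
    settings = proxy_settings(host, port)
    return {"HTTP_PROXY": settings["http"], "HTTPS_PROXY": settings["https"],
            "http_proxy": settings["http"], "https_proxy": settings["https"]}


def zap_opener(host=ZAP_HOST, port=ZAP_PORT, zap_root_ca_pem=None):
    """urllib opener that routes every request through ZAP.

    zap_root_ca_pem: path to ZAP's root CA certificate, exported from
    Tools > Options > Dynamic SSL Certificates (assumed location). Without it
    HTTPS requests through the proxy fail certificate verification, which is
    the right default: trust ZAP's CA only on the testing machine, and never
    disable verification instead.
    """
    handlers = [urllib.request.ProxyHandler(proxy_settings(host, port))]
    if zap_root_ca_pem is not None:
        context = ssl.create_default_context(cafile=zap_root_ca_pem)
        handlers.append(urllib.request.HTTPSHandler(context=context))
    return urllib.request.build_opener(*handlers)


def configured_proxies(opener):
    """Proxy map an opener will actually use (None if it has no ProxyHandler)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return handler.proxies
    return None


def fetch_via_zap(url, opener=None, timeout=30):
    """GET url through ZAP and return (status, body). Every request made this
    way appears in ZAP's History tab and is passively scanned."""
    opener = opener or zap_opener()
    with opener.open(url, timeout=timeout) as response:
        return response.status, response.read()


if __name__ == "__main__":
    # Placeholder target; needs ZAP running on ZAP_HOST:ZAP_PORT.
    status, body = fetch_via_zap("http://localhost:8000/")
    print(status, len(body))
```

Only traffic that actually goes through the proxy is seen by ZAP: a client that ignores the proxy settings, or that pins its own certificates, is invisible to it, so check the History tab after the first request.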


Downloading and Installing ZAP
Step 1: Download ZAP from the GitHub downloads page linked above and choose the installer
for your operating system.

Step 2: Run the installer. On the first installation screen, click Next to continue.


Step 3: Accept the License Agreement and click Next to continue.

Step 4: Select the Standard installation option and click Next to continue.


Step 5: To start the installation of ZAP, click Install.

Step 6: After the installation is complete, click Finish.

3. Implementation
Step 1: Enter the URL of the application to test in the “URL to Attack” text box (Quick Start tab).


Step 2: Click the Attack button.


Step 3: ZAP spiders the application, runs its passive and active scans against every URL it
found, and lists the resulting alerts (possible vulnerabilities) in the Alerts tab.

Step 4: Selecting a vulnerability in the Alerts tab shows the details of that alert, with the
request and response in which it was found and the affected part of the response highlighted,
as shown below.


Step 5: The alert also carries a description of the vulnerability, a solution for the developer
and reference website(s) for preventing that attack, as shown in the screenshots below.

ZAP offers several ways to analyse an application for vulnerabilities: the spider, passive
and active scanning, the fuzzer, forced browsing (“brute force”), and many others.

3.1 Passive Scan
Passive scanning analyses the normal traffic between the browser and the server as it passes
through the ZAP proxy. It does not attack or interfere with the client or the server and sends
no requests of its own; it inspects each request and response (headers, cookies, HTML) to
identify vulnerabilities such as missing security headers or cookie flags. Because it is safe,
it runs by default on every message proxied through ZAP.

(List of vulnerabilities found by a passive analysis)
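To make concrete what “inspects each request and response” means, here is an added example (not ZAP's code) of a few passive checks in the style of ZAP's passive rules, run over two constructed captured messages. The rule names, risk levels and the sample traffic are illustrative and are not ZAP's own identifiers.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """One proxied request/response pair, as a passive scanner sees it.
    `headers` maps lower-cased response header names to a value or a list of values."""
    url: str
    status: int
    headers: dict
    body: str = ""


def header_values(msg, name):
    value = msg.headers.get(name.lower())
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_cookie_flags(msg):
    """Cookies without HttpOnly are readable by injected script; without Secure they leak over http."""
    alerts = []
    for raw in header_values(msg, "set-cookie"):
        name = raw.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in raw.split(";")[1:]}
        if "httponly" not in attrs:
            alerts.append(("Cookie without HttpOnly flag", "Low", name))
        if msg.url.startswith("https://") and "secure" not in attrs:
            alerts.append(("Cookie without Secure flag", "Low", name))
    return alerts


def check_content_type_options(msg):
    """Without 'nosniff' a browser may sniff a response into a more dangerous content type."""
    nosniff = any(v.strip().lower() == "nosniff" for v in header_values(msg, "x-content-type-options"))
    if msg.status == 200 and header_values(msg, "content-type") and not nosniff:
        return [("X-Content-Type-Options header missing", "Low", msg.url)]
    return []


def check_clickjacking(msg):
    """An HTML page can be framed unless X-Frame-Options or CSP frame-ancestors forbids it."""
    content_type = " ".join(header_values(msg, "content-type")).lower()
    csp = " ".join(header_values(msg, "content-security-policy")).lower()
    if "text/html" in content_type and not header_values(msg, "x-frame-options") and "frame-ancestors" not in csp:
        return [("Missing anti-clickjacking header", "Medium", msg.url)]
    return []


def check_server_banner(msg):
    """'Apache/2.4.41' discloses a version an attacker can look up; 'Apache' alone does not."""
    for value in header_values(msg, "server"):
        if re.search(r"/\d", value):
            return [("Server version disclosure", "Low", value)]
    return []


def check_password_form_over_http(msg):
    """A password field on a page served over plain http is submitted in clear text."""
    if msg.url.startswith("http://") and re.search(r'type\s*=\s*["\']?password', msg.body, re.I):
        return [("Password input on unencrypted page", "Medium", msg.url)]
    return []


PASSIVE_RULES = [check_cookie_flags, check_content_type_options, check_clickjacking,
                 check_server_banner, check_password_form_over_http]


def passive_scan(messages):
    """Run every rule over every captured message. Nothing is sent: the rules only read
    traffic that already passed through the proxy, which is why this is safe by default."""
    found = []
    for msg in messages:
        for rule in PASSIVE_RULES:
            found.extend(rule(msg))
    return found


# Constructed sample traffic for this example (not captured from a real site).
SAMPLE_TRAFFIC = [
    Message(
        url="http://shop.example/login", status=200,
        headers={"content-type": "text/html; charset=utf-8",
                 "server": "Apache/2.4.41 (Ubuntu)",
                 "set-cookie": ["JSESSIONID=abc123; Path=/", "theme=dark; Path=/; HttpOnly"]},
        body='<form method="post"><input name="user"><input type="password" name="pw"></form>',
    ),
    Message(
        url="https://shop.example/api/items", status=200,
        headers={"content-type": "application/json", "x-content-type-options": "nosniff",
                 "set-cookie": "sid=xyz; Path=/; Secure; HttpOnly"},
        body="[]",
    ),
]

if __name__ == "__main__":
    for name, risk, evidence in passive_scan(SAMPLE_TRAFFIC):
        print(f"{risk:<7} {name}: {evidence}")
```

The first sample message trips five rules; the second, which sets every flag and header correctly, trips none. Each alert carries the evidence (cookie name, header value or URL) so that the tester can jump to the message that caused it, which is what ZAP's Alerts tab does with its highlighted request/response.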

3.2 Spider
The spider automatically explores the structure of a web application and builds the list of
all URL resources it finds. For each URL, ZAP requests the resource and parses the response,
discovering further hyperlinks, until no new URLs are found. To use the spider you specify an
initial URL (or a subtree of URLs) to start from. The AJAX spider does the same through a real
browser, for applications whose links are generated by JavaScript.

(Spider analysis)

3.3 Active Scan
Active scanning attempts to find security holes by sending known attack payloads against the
target web application and observing the responses. Because it modifies requests and may
create, change or delete data, active scanning should only be run against applications you
own or are explicitly authorised to test.
In ZAP you select a set of previously visited resources (from the proxy history or the spider)
and run active attacks on them to detect known vulnerabilities. Active scanning reports a wider
list of vulnerabilities and, combined with the spider and the passive scan, shows all the
vulnerabilities ZAP can recognize, including high-risk ones such as injection flaws:

(List of some vulnerabilities found by passive and active analysis)
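The three steps of section 3 and the spider, passive and active scans of sections 3.1 to 3.3 can also be driven from ZAP's REST API in daemon mode. The following is an added example, written for this page rather than taken from ZAP, of a minimal client for that API that performs the same spider, passive-scan, active-scan and alert-collection sequence as the Attack button. It assumes ZAP listening on http://127.0.0.1:8080 with an API key and uses the documented spider, pscan, ascan and core endpoints; the SimulatedZap class and its alerts are constructed so that the example runs without a live ZAP.

```python
import json
import time
import urllib.parse
import urllib.request


def http_fetch(url, headers):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=60) as r:
        return r.read().decode("utf-8")


class ZapApi:
    """Minimal client for ZAP's REST API in daemon mode (assumed start command:
    zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=changeme).
    `fetch(url, headers) -> str` is injectable so the workflow can run without a live ZAP."""

    def __init__(self, base="http://127.0.0.1:8080", api_key="", fetch=http_fetch, sleep=time.sleep):
        self.base, self.api_key, self.fetch, self.sleep = base.rstrip("/"), api_key, fetch, sleep
        self.poll_seconds = 2

    def url_for(self, component, kind, name, **params):
        # ZAP's URL layout: /JSON/<component>/<view|action>/<name>/?param=value
        return f"{self.base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"

    def call(self, component, kind, name, **params):
        # The key may also be sent as the 'apikey' parameter; the header keeps it out of URL logs.
        headers = {"X-ZAP-API-Key": self.api_key} if self.api_key else {}
        return json.loads(self.fetch(self.url_for(component, kind, name, **params), headers))

    def _scan(self, component, target):
        # spider and ascan share the same shape: start a scan, then poll a 0..100 percent status.
        scan_id = self.call(component, "action", "scan", url=target, recurse="true")["scan"]
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            self.sleep(self.poll_seconds)
        return scan_id

    def spider(self, target):
        return self._scan("spider", target)

    def wait_for_passive_scan(self):
        # Passive rules run in the background over every message the spider fetched.
        while int(self.call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
            self.sleep(self.poll_seconds)

    def active_scan(self, target):
        return self._scan("ascan", target)

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def summarize(alerts):
    """One row (risk, name, instances) per distinct alert, highest risk first."""
    counts = {}
    for alert in alerts:
        key = (alert["risk"], alert["alert"])
        counts[key] = counts.get(key, 0) + 1
    rows = [(risk, name, n) for (risk, name), n in counts.items()]
    return sorted(rows, key=lambda row: (RISK_ORDER[row[0]], row[1]))


def quick_attack(api, target):
    """What the Attack button does: spider, let the passive scan drain, active scan, collect alerts."""
    api.spider(target)
    api.wait_for_passive_scan()
    api.active_scan(target)
    return summarize(api.alerts(target))


class SimulatedZap:
    """Constructed stand-in for a ZAP daemon so the example runs offline: each scan reports
    100% after two status polls; the alerts are invented, only the field names follow ZAP's."""

    ALERTS = [
        {"risk": "High", "alert": "SQL Injection", "url": "http://target.test/item?id=1", "param": "id"},
        {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://target.test/", "param": ""},
        {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://target.test/login", "param": ""},
        {"risk": "Low", "alert": "Cookie No HttpOnly Flag", "url": "http://target.test/login", "param": "JSESSIONID"},
    ]

    def __init__(self):
        self.progress = {"spider": 0, "ascan": 0}
        self.passive_backlog = 3
        self.calls = []  # API paths in the order they were requested

    def fetch(self, url, headers):
        path = urllib.parse.urlsplit(url).path
        self.calls.append(path)
        if path.endswith("/action/scan/"):
            return '{"scan": "7"}'
        if path.endswith("/view/status/"):
            component = path.split("/")[2]
            self.progress[component] = min(100, self.progress[component] + 50)
            return json.dumps({"status": str(self.progress[component])})
        if path == "/JSON/pscan/view/recordsToScan/":
            self.passive_backlog = max(0, self.passive_backlog - 2)
            return json.dumps({"recordsToScan": str(self.passive_backlog)})
        if path == "/JSON/core/view/alerts/":
            return json.dumps({"alerts": self.ALERTS})
        raise ValueError("unexpected endpoint: " + path)
```

Against a real daemon, `quick_attack(ZapApi(api_key="changeme"), "http://target.test/")` runs the whole sequence and returns the summary rows; with `ZapApi(api_key="changeme", fetch=SimulatedZap().fetch, sleep=lambda s: None)` the same code runs in milliseconds against the canned responses. Waiting for `recordsToScan` to reach zero before starting the active scan matters: the passive scan queue is what produces the low-cost findings, and an active scan started early floods it with its own traffic.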

3.4 Fuzzer
The fuzzer sends a range of invalid, unexpected or random strings into a chosen position of a
request in order to discover security holes in the target application. ZAP can fuzz any part
of any request using strings from text-file payload lists; users can add their own files, or
install further lists from the marketplace, to extend the range of strings available. The fuzzer
does not decide what is a vulnerability: the tester compares the responses (status codes,
sizes, error messages, reflected input) to find the interesting ones.

(Fuzz testing)

3.5 Brute Force
The Brute Force feature (forced browsing) is not used for brute-force attacks on authentication
fields; it helps find files or directories of the target application that are not linked from
any page. ZAP ships large wordlists of file and directory names and uses them to try to access
resources directly, rather than relying on finding links to them. A forced-browse run only
requires the target's base URL and the wordlist to use.
Other functionality, not explored in this brief introduction, includes HTTP session handling,
parameter analysis, WebSockets, and many others.
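Sections 3.4 and 3.5 both come down to the same loop: take each entry of a wordlist, send it, and flag the responses that stand out. The following added example (not ZAP's fuzzer or forced-browse code) implements both with one injectable transport: a query-parameter fuzzer that compares each response with a baseline, and a forced-browse loop over a directory wordlist. The payload lists, the SQL error signatures, the target host and the FakeTarget that stands in for a web application are all constructed for the example.

```python
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Constructed payload lists; ZAP ships far larger ones (fuzzdb, DirBuster) via its marketplace.
SQLI_XSS_PAYLOADS = ["'", '"', "' OR '1'='1", "1 AND 1=2", "<script>alert(1)</script>"]
DIRECTORY_WORDLIST = ["admin", "backup", "config", ".git/HEAD", "robots.txt", "old"]
SQL_ERROR_SIGNATURES = ("you have an error in your sql syntax", "unclosed quotation mark",
                        "sqlite3.operationalerror", "ora-01756")


@dataclass
class Response:
    status: int
    body: str


def http_get(url):
    """Real transport: GET url and return the Response; 4xx/5xx are returned, not raised.
    Point the proxy at ZAP to see these requests in its History tab."""
    try:
        with urllib.request.urlopen(url, timeout=15) as response:
            return Response(response.status, response.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as error:
        return Response(error.code, error.read().decode("utf-8", "replace"))


def fuzz_parameter(base_url, param, payloads, transport=http_get):
    """Replace one query parameter with each payload and flag responses that stand out
    against the baseline. The flags are leads, not findings: the tester verifies each by hand."""
    parts = urllib.parse.urlsplit(base_url)
    query = dict(urllib.parse.parse_qsl(parts.query))
    baseline = transport(base_url)
    findings = []
    for payload in payloads:
        query[param] = payload
        url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
        response = transport(url)
        reasons = []
        if response.status != baseline.status:
            reasons.append(f"status {baseline.status} -> {response.status}")
        if response.status >= 500:
            reasons.append("server error")
        if payload in response.body:
            reasons.append("payload reflected")
        if any(sig in response.body.lower() for sig in SQL_ERROR_SIGNATURES):
            reasons.append("SQL error message")
        if reasons:
            findings.append((payload, response.status, reasons))
    return findings


def forced_browse(base_url, wordlist, transport=http_get):
    """Request each name directly under base_url. Anything that is not a 404 is a resource
    the spider could not have found by following links (a 403 still proves it exists)."""
    found = []
    for name in wordlist:
        response = transport(base_url.rstrip("/") + "/" + name)
        if response.status != 404:
            found.append((name, response.status))
    return found


class FakeTarget:
    """Constructed web application standing in for a real one so the example runs offline:
    /item reflects 'q' and breaks on a single quote; a few unlinked paths exist."""

    def __call__(self, url):
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        if parts.path == "/item":
            value = query.get("q", "")
            if "'" in value:
                return Response(500, "You have an error in your SQL syntax near ''' at line 1")
            return Response(200, f"<h1>Results for {value}</h1>")
        if parts.path in ("/admin", "/robots.txt"):
            return Response(200, "ok")
        if parts.path == "/.git/HEAD":
            return Response(200, "ref: refs/heads/main")
        if parts.path == "/backup":
            return Response(403, "forbidden")
        return Response(404, "not found")


if __name__ == "__main__":
    target = FakeTarget()
    for payload, status, reasons in fuzz_parameter("http://target.test/item?q=shoes", "q", SQLI_XSS_PAYLOADS, target):
        print(f"{status} {payload!r}: {', '.join(reasons)}")
    print(forced_browse("http://target.test/", DIRECTORY_WORDLIST, target))
```

Against the fake target the single-quote payloads are flagged for a status change, a server error and a database error message (the classic SQL injection lead), while the script tag is flagged only because it comes back reflected unencoded (the classic XSS lead); forced browsing turns up /admin, /backup (403, present but forbidden), /.git/HEAD and /robots.txt, none of which a link-following spider would have seen.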

4. Advantages & Disadvantages
Advantages
 Lists all the vulnerabilities it can recognize in your application.
 Provides a solution for the developer to prevent each vulnerability, with reference website(s).
 Scans all the pages it finds and highlights the affected part of the request or response for each
vulnerability.
 Generates reports of the vulnerabilities in various formats.


Disadvantages
 A full active scan is very time consuming on a large application.
 ZAP is a black-box tool: it only sees the HTTP traffic between the client and the application's
front end, so it cannot detect weaknesses that live behind that boundary, such as:
 lack of proper authentication with backend systems
 lack of access control over connections to backend systems
 lack of proper validation and encoding of data sent to and received from backend
systems
 lack of proper error handling surrounding backend connections
 lack of centralization in security mechanisms
 Its results need manual verification: like any automated scanner it produces false positives and
misses logic flaws, so it is not a silver bullet.

5. Applications
Software testing tool
 The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for
finding vulnerabilities in web applications.
 It is designed to be used by people with a wide range of security experience and as
such is ideal for developers and functional testers who are new to penetration testing.
 ZAP provides automated scanners as well as a set of tools that allow you to find
security vulnerabilities manually.


Automated Security Testing of web applications using OWASP Zed Attack
Proxy
 Penetration testing web applications is not an easy task, no matter whether you are a Java,
PHP, Ruby or C# developer. Development teams often use web frameworks to
build their application and rely on built-in security features without understanding the
possible attack scenarios. At other times developers rely on the operations team when it
comes to securing the web application.
 Recently I came across a tool that solves this problem, the Zed Attack Proxy (ZAP).
This open-source tool was developed at the Open Web Application Security Project
(OWASP). Its main goal is to allow easy penetration testing to find vulnerabilities in
web applications. It is ideal for developers and functional testers as well as security
experts.

ZAP Penetration Testing: to Detect Vulnerabilities
 Penetration testing (otherwise known as pen testing, or the more general security
testing) is the process of testing your applications for vulnerabilities, and answering a
simple question: “What could a hacker do to harm my application, or organization,
out in the real world?”
 ZAP's main goal is to allow easy penetration testing to find vulnerabilities in web
applications. It is ideal for developers and functional testers as well as security experts.

Conclusion
• ZAP is a free, open-source, community-developed tool aimed at making the online
world more secure
• Some of the ideals that have driven ZAP are listed below
• Help users develop and apply application security skills
• Build a competitive, open source, and community oriented platform
• Provide an extensible platform for testing
• Designed to be easy to use
• Raise the bar for other security tools
Future of ZAP:
• Enhance scanners to detect more vulnerabilities
• Extend API, better integration
• Fuzzing analysis
• Easier to use, better help

References
• Open Web Application Security Project: https://www.owasp.org/index.php/Main_Page
• OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Cross-site Scripting (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• OWASP Zed Attack Proxy Project: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Zaproxy: https://code.google.com/p/zaproxy/
• ZAP Blog: http://zaproxy.blogspot.co.uk/
• Penetration Testing For Developers: http://pentest4devs.blogspot.in/2010/09/exploring-web-application-with-zap.html
• Setting Up Web Security Learning Lab: http://people.mozilla.org/~mcoates/WebSecurityLab.html
• Webgoat: https://www.owasp.org/index.php/OWASP_WebGoat_Project