1. Using OWASP ZAP to find
vulnerabilities in your web apps
David Epler
Security Architect
depler@aboutweb.com
2. About Me
• Primarily an Application Developer
• Contributor to Learn CF In a Week
• Created Unofficial Updater 2 to patch
Adobe ColdFusion 8.0.1 & 9.0.x
• OWASP Individual Member
• OWASP ZAP Evangelist
3. What is OWASP
Zed Attack Proxy (ZAP)?
• An easy to use web application
penetration testing tool
• Completely free and Open Source
• no paid PRO version
• OWASP flagship project
• Included in major security distributions
• Kali, Samurai WTF, etc.
4. Brief ZAP History
• Fork of Paros Proxy by Simon Bennetts
• Code: Paros ~20%, ZAP ~80%
• 1st Release September 2010
• Adopted by OWASP October 2010
• Now at 2.3.0, with roadmap to 2.4.0+
• Best Security Tool of 2013 as Voted by
ToolsWatch.org Readers
5. Why use ZAP?
• Ideal for beginners, developers
• also used by professional pen testers
• Point and shoot via Quick Start Tab
• Manual penetration testing
• As a debugger
• As part of larger security program
• Automated security regression tests
6. Main ZAP Features
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and AJAX spiders
• Forced browsing
• using OWASP DirBuster
• Fuzzing
• using fuzzdb and OWASP JBroFuzz
• Cross Platform
• built on Java (requires 1.7)
7. More ZAP Features
• WebSockets support
• Authentication and session support
• Smart card and client digital certificate support
• Anti CSRF token handling
• Report generation
• Port scanner
• Invoke external applications
• Support for wide range of scripting
• JavaScript, Zest, Python, Groovy
• Online Add-ons Marketplace
• Translated into 20+ languages
10. Installing and
Configuring ZAP
• Download and Install
• https://code.google.com/p/zaproxy/
wiki/Downloads
• Configure browser to use ZAP as proxy
• FoxyProxy Standard plugin for Firefox
• Import OWASP ZAP Root CA
• needed for testing HTTPS sites/apps
12. Plug-n-Hack
• Configuring browser to work with security tool can be
difficult
• Proposed standard developed by Mozilla Security
Team
• Allows browsers and security tools to integrate more
easily
• Allows security tools to expose functionality to
browser
• Requires Firefox 24+ and plugin
• Other tools to support it
• Burp Suite, Kali
13. A Few Tips
• Can use Linux install on Windows, if don’t
have rights to install
• Don’t forget to import certificate
• If you get the following when trying HTTPS
• ZAP Error: handshake alert:
unrecognized_name
• Add to zap.sh/zap.bat
• !Djsse.enableSNIExtension=false
15. Testing for vulnerabilities
• Directed Testing
• Manual, using browser walk through
web app
• ZAP capturing responses then, testing
further by manipulating requests