OWASP Zed Attack Proxy
Fadi Abdulwahab (fabdulwahab.com)
Overview
- https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Pen testing tool for web applications
- Easy to install (requires Java as a prerequisite)
- Free and open source (worldwide contributions)
- Ideal for beginners and professionals
- Supports automation
- Cross platform (Windows, Linux and Mac)
- Fully documented and integrated with other tools
Overview
- Intercepting proxy
- Active/passive scanning
- Spider to crawl the site (also supports an Ajax spider for JavaScript-heavy applications)
- Report generation with useful information and recommendations
- Brute force (based on the OWASP DirBuster tool, https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project): now included in the ZAP Marketplace as a ZAP add-on rather than as a stand-alone tool, used to brute force directory and file names on web/application servers
- Fuzzing (using fuzzdb and OWASP JBroFuzz): https://github.com/fuzzdb-project/fuzzdb and https://www.owasp.org/index.php/JBroFuzz
Overview
- Auto tagging (hidden fields, cookies, ...)
- Port scanning
- Parameter analysis
- Supports WebSocket (demo site: http://browserquest.mozilla.org/)
- Supports HTTP sessions
- Has a REST API (Tools >> Browse API)
- Dynamic SSL certificates: generates a root certificate to import into browsers
- Supports anti-CSRF tokens
- Framework for other tools
Overview
- Quick test: no authentication, and the spider does not cover everything
- Add extensions/updates from the marketplace (add-ons)
- Debug and breakpoints
- Supports contexts (scopes): exclude/include URLs, authentication
- Modes: Safe (passive), Protected (within scope) and Standard
- You can scan a subtree only
Overview
- You can write Java or Python code
- ZAP is embedded into ThreadFix (Denim Group) and Minion (Mozilla)
- Integrated with Firefox via Plug-n-Hack
- Intercepts client-side GET/POST requests
- Uses less memory and has minimal false-positive risk
Installation and Configuration
- Download it
- Install it
- Configure the browser proxy (local proxy)
- Run ZAP
- Browse your application manually (no one knows the application's functionality like you do)
- Use the spider to find more hidden content (besides manual browsing, which also finds logic tests)
- Run attacks to find vulnerabilities
Initial Setup
- Configure the proxy (Options >> Local Proxy…)
- Import the SSL certificate (.cer) into your browser's certificate manager if you need to intercept SSL websites (Options >> Dynamic SSL…); in Chrome: chrome://settings/search#ssl
- Open the Sites tab to view the resources that have been visited
- Check the request/response
- Vulnerable site for practice: https://github.com/psiinon/bodgeit
Security Testing in Dev and QA
- Consider security in all phases of the project
- It's a risk to postpone this testing to the end of the project lifecycle
- The most important phases are Dev and QA
- Besides testing functionality, also inject ZAP into the tests for security: https://github.com/zaproxy/zaproxy/wiki/SecRegTests
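The REST API listed in the overview (Tools >> Browse API) is what makes this Dev/QA integration scriptable. The Python client below is an added example, not code from the slides or from the ZAP project: it starts a spider scan of the target subtree, polls it, then counts the alerts ZAP raised and fails the build if any reach a chosen risk level. The ZAP address, the API key placeholder and the sample alert response are assumptions or constructed data.

```python
"""Added example: drive ZAP's REST API from a CI job and gate the build on alerts.
Assumes ZAP listens on 127.0.0.1:8080 with an API key set under Options >> API."""
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP = "http://127.0.0.1:8080"         # ZAP local proxy / API address (assumed)
API_KEY = "ZAP_API_KEY_PLACEHOLDER"   # replace with the key from Options >> API
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?apikey=..&url=.."""
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urlencode({"apikey": API_KEY, **params})


def call(component, kind, name, **params):
    """Perform the API call and decode the JSON body (needs a running ZAP)."""
    with urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def summarize_alerts(alerts_response):
    """Count alerts per risk level in a core/view/alerts response."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts_response.get("alerts", []):
        counts[alert.get("risk", "Informational")] += 1
    return counts


def build_passes(counts, fail_at="High"):
    """Pass only when no alert is at or above the chosen risk level."""
    return all(n == 0 for risk, n in counts.items() if RISK_ORDER[risk] >= RISK_ORDER[fail_at])


def spider_and_gate(target, fail_at="High"):
    """Spider the target subtree, wait for completion, then fetch alerts and gate."""
    scan_id = call("spider", "action", "scan", url=target, subtreeOnly="true")["scan"]
    while int(call("spider", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)                 # passive scan rules fire as the spider fetches pages
    counts = summarize_alerts(call("core", "view", "alerts", baseurl=target))
    return counts, build_passes(counts, fail_at)


# Constructed sample of a core/view/alerts response (not captured from a real scan)
SAMPLE_ALERTS = {"alerts": [
    {"risk": "High", "name": "SQL Injection", "url": "http://bodgeit.example/search.jsp"},
    {"risk": "Medium", "name": "X-Frame-Options Header Not Set", "url": "http://bodgeit.example/"},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://bodgeit.example/login.jsp"},
]}
```

Run `spider_and_gate("http://bodgeit.example/")` from the pipeline once ZAP is started in daemon mode; the exit decision is the boolean it returns.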
Authentication
- Context: a set of URLs grouped together; good for categorising your web applications
- Session management: cookie based or HTTP header based
- Authentication methods: form, HTTP header or OAuth authentication
- User management: define users and map them to HTTP sessions
HTTP Sessions
- Browse your site with different accounts
- All sessions are recorded in the HTTP Sessions tab
- You can switch between them using "Set as active"
- Refresh the page after switching the session
- Flag the login page (username, password and indicators for login and logout)
- Then click resend
HTTP Sessions
Demo:
- Browse the site anonymously
- Log in from the browser
- Go to the login page and flag it as context
- Define username and passwords
- Create users
- Spider the site as a user
HTTP Sessions
- This forces ZAP to log in again
- Try to resend a page after removing the session cookie from the header
- You can add a session manually
HTTP Sessions
- With an Ajax site, the session may not be recorded; you can identify it manually
- Right click and flag as session token, right click and make it active, then log out from the site and log in again
- Sometimes you need to exclude the logout page to avoid session termination
Attacks and Attack Strength
- You can control the attacks and the attack strength
Statistics – ZAP Innovations
- Released September 2010
- ZAP 2.4.3 (current version)
- V2.1 downloaded > 25k times
- Translated into 20+ languages
- Most active OWASP project
- 28 active contributors
Zest
- Scripting language developed by the Mozilla team
- Free and open source
- Represented as JSON
- Included with ZAP from 2.0
Fuzzing
- Highlight the text (user input/parameters)
- Select a fuzz category
- Run it and check the result in the browser
- You can use multiple fuzz payloads
Injection
- Highlight the found text
- You can get information from failed requests
- Also use your own patterns
Hashing and New UI
- Hashing: included with ZAP
- New UI: hide or show all tabs (also advanced options)
- You can add notes and use filters in the History tab
- Persistent sessions to resume your work
- Define a scan policy to control the attacks
- Don't stick with one tool; use more than one, because each has its advantages
References
https://www.youtube.com/watch?v=eH0RBI0nmww&list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB