The OWASP Foundation http://www.owasp.org
Bust a cap in a web app with OWASP ZAP
Adrien de Beaupré GSEC, GCIH, GPEN, GWAPT, GCIA, GXPN
ZAP Evangelist
Intru-Shun.ca Inc.
SANS Instructor, Penetration Tester, and Consultant
Adapted from slides written by Simon Bennetts (psiinon)
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
About me
32+, 22+, 14+ years
Contributor to OSSTMM 3
Contributor to Hacking Exposed Linux, 3rd Ed.
Contributor to SANS Incident Handling Guide
Certified SANS Instructor; 503, 504, 542, 560
ZAP, Nikto, Watcher, OSSAMS and other FOSS projects
Black belt in Gōjū-ryū Okinawan karate
2013 Intru-Shun.ca Inc.
Why use ZAP?
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
What is ZAP?
An easy-to-use webapp pentest tool
Completely free and open source
An OWASP flagship project
Ideal for beginners, but also used by professionals
Ideal for devs, esp. for automated security tests
Becoming a framework for advanced testing
Included in all major security distributions
Not a silver bullet!
ZAP Principles
Free, open source
Involvement actively encouraged
Cross platform
Easy to use
Easy to install
Internationalized
Fully documented
Works well with other tools
Reuses well-regarded components
Statistics
V 2.3.1 released in May 2014
V 2.2.2 released in Sept 2013
V 2.1.0 downloaded > 25K times
Released September 2010, fork of Paros
Translated into 20+ languages
Over 50 translators
Paros code: ~20%; ZAP code: ~80%
Ohloh Statistics
Very High Activity
The most active OWASP Project
29 active contributors
279 years of effort
Source: http://www.ohloh.net/p/zaproxy
The Main Features
All the essentials for web application testing:
Intercepting Proxy
Active and Passive Scanners
Traditional and Ajax Spiders
WebSockets support
Forced Browsing (using OWASP DirBuster code)
Fuzzing (using fuzzdb & OWASP JBroFuzz)
Online Add-ons Marketplace
Some Additional Features
Auto tagging
Port scanner
Script Console
Report generation
Smart card support
Contexts and scope
Session management
Invoke external apps
Dynamic SSL Certificates
More new stuff
New add-ons:
Technology detection using Wappalyzer
HTTPS Info
New / updated scan rules:
Command injection
Code injection
XPath injection
SQL injection (including a port of the SQLMap core)
Even more new stuff
New active scan targets and formats:
HTTP headers + Cookies
Multipart Forms
XML
JSON
Google Web Toolkit
OData
New features and improvements:
OWTF - Zest support and ZAP integration
Advanced access control testing and user access comparison
Advanced Fuzzing
SOAP web service scanning
OWTF - Zest support and ZAP integration
This project will improve integration between OWTF and external tools such as ZAP. This will be accomplished by adding features such as sending HTTP requests/Zest scripts from OWTF to third-party tools. Zest scripts will provide an automated mechanism to replicate exploitation of security vulnerabilities in a format that facilitates information exchange between external tools, which can then reproduce the same vulnerabilities in their own environment.
Deep Shah
Advanced access control testing and user access comparison
OWASP ZAP already has the capability to allow users to configure authentication methods, session management methods and Users for a web application in order to automate the authentication/reauthentication process during scans. This project aims to enhance ZAP's capabilities by adding a set of access control testing features and tools.
Cosmin Stefan
Advanced Fuzzing
Throughout this project the fuzzing tool of the OWASP Zed Attack Proxy (ZAP) is going to be reworked to implement several features that have been requested by users. This involves the completion and clean-up of the existing packages as well as the implementation of several new ones on top of that.
Sebastian Schulze
SOAP web service scanning
The purpose of this project is to implement vulnerability scanning functionality for SOAP Web Services into the OWASP ZAP tool, since its current capabilities are very limited for this task.
Alberto
Scripting
Previously just supported 'run now' scripts
Scripting is now embedded into ZAP
Different types of scripts:
Stand alone: as now
Targeted: specify URLs to run against
Active: run in the Active scanner
Passive: run in the Passive scanner
Proxy: run 'inline'
Zest - Overview
An experimental scripting language
Developed by Mozilla Security Team
Free and open source (of course)
Format: JSON, designed to be represented visually in security tools
Tool independent: can be used in open and closed, free or commercial software
Included by default in ZAP from 2.2.0
Will replace filters
Alessandro's project
Zest Use cases
Reporting vulnerabilities to companies
Reporting vulnerabilities to developers
Defining tool-independent active and passive scan rules
Deep integration with security tools
How can you use ZAP?
Point and shoot: the Quick Start tab
Proxying via ZAP, and then scanning
Manual pentesting
Automated security regression tests (headless)
As a debugger
As part of a larger security program
Methodology
Logistics and Planning
Open Source Information Gathering
Reconnaissance
Identification / Enumeration / Mapping
Research
Vulnerability Identification / Discovery
Validation / Exploitation
Reporting
Penetration Testing
Requires methodology AND creativity.
Requires performing a vulnerability assessment correctly first.
Finding alternate means to access functionality or data.
Finding alternate functionality.
Should be goal oriented.
There is no such thing as cheating in a pentest.
Identification / Enumeration / Mapping
Purpose: gaining an understanding of the application and its underlying components / infrastructure / technologies.
Inputs: systems and applications known to be live/available.
Outputs: application map, technology fingerprints.
Tools: Nmap, Nessus, ZAP, Burp, diagramming tool...
Vulnerability Identification / Discovery
Purpose: identify known or previously unknown vulnerabilities in the identified technologies / application.
Inputs: IP addresses, ports, services, applications.
Outputs: listing of potential vulnerabilities.
Tools: interception proxy and scanners such as Skipfish, Burp, W3AF, ZAP.
Validation / Exploitation
Purpose: assign a confidence value and validate potential vulnerabilities. Have FUN!!
Inputs: listing of all potential vulnerabilities.
Outputs: listing of validated vulnerabilities and confidence rating values.
Tools: penetration testing (Metasploit, Core Impact, Canvas), manual validation, ZAP, Burp...
Pillaging. Exploitation!
Identification of previously unknown vulnerabilities through fuzzing.
Post exploitation and pivoting.
Iterative process, returning to mapping, discovery, exploitation...
The best hack is just logging in...
Tools: brain power
Laziness. Why Automate?
Consistent results over time.
Allows for scheduling and trending.
Embed into the dev/build process.
Streamlined and more efficient.
Engineering a process that can be run and maintained by an operational group.
Allows the test team to concentrate on the areas that are not automated.
Workflow
Methodology is broken down into modules. Output from one is the input to the next. Unfortunately most tools do not follow the methodology flow precisely, or may not allow for data extraction / sharing / integration between modules. Which means that either we must run each tool multiple times with different configurations, or different tools for each module.
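An added example (not from the slides or the ZAP project) of the headless regression use from the "How can you use ZAP?" slide and the build-embedding goal of the automation and workflow slides: Python drives ZAP's JSON API to chain spider, active scan and the alerts view, then gates the build on risk and confidence. ZAP_BASE, API_KEY, the thresholds and the SAMPLE_ALERTS list are assumptions or constructed data.

```python
"""Headless ZAP regression gate: spider, active scan, fail on alerts (added example,
not ZAP project code). Assumes a ZAP daemon with its API enabled at ZAP_BASE (hypothetical);
API_KEY only matters on versions that enforce one. SAMPLE_ALERTS is constructed to
mirror the /JSON/core/view/alerts/ response shape so the gate can be tried offline."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumption: local ZAP daemon
API_KEY = ""                         # assumption: set if your ZAP requires it
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONF_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=..."""
    if API_KEY:
        params["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"

def api_call(component, kind, name, **params):
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)

def wait_for(component, scan_id, poll_seconds=2.0):
    """Poll the spider/ascan status view until the scan reports 100%."""
    while int(api_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)

def failing_alerts(alerts, min_risk="High", min_confidence="Medium"):
    """Alerts at or above the risk threshold, dropping low-confidence noise."""
    return [a for a in alerts
            if RISK_ORDER.get(a.get("risk"), 0) >= RISK_ORDER[min_risk]
            and CONF_ORDER.get(a.get("confidence"), 0) >= CONF_ORDER[min_confidence]]

def gate(target, min_risk="High"):
    """Spider then active-scan target; returns the alerts that breach the threshold
    (an empty list means the build passes)."""
    wait_for("spider", api_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", api_call("ascan", "action", "scan", url=target)["scan"])
    return failing_alerts(api_call("core", "view", "alerts", baseurl=target)["alerts"], min_risk)

# Constructed sample alerts (not real scan output) in the alerts-view shape.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium", "url": "http://app.example/login", "param": "user"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium", "url": "http://app.example/", "param": ""},
    {"alert": "Path Traversal", "risk": "High", "confidence": "Low", "url": "http://app.example/dl", "param": "f"},
]
```

In a build job, a non-empty result from gate() is the failure signal; tune min_risk and min_confidence per application rather than accepting the defaults blindly.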
Demo Time
Conclusion
ZAP is changing rapidly
New features are being introduced which exceed the capabilities of other tools
We're implementing functionality so that it can be reused in other tools
It's a community-based tool: get involved!
We want feedback - fill in the Questionnaire! (linked off the ZAP homepage)
Use ZAP to bust a cap in your web apps!
Questions? https://www.owasp.org/index.php/zap
THANK YOU! ADRIEN@INTRU-SHUN.CA TWITTER @ADRIENDB 613 797-3912