
OWASP Zed Attack Proxy



Presentation Transcript


  1. OWASP Zed Attack Proxy
  Project leader: Simon Bennetts, psiinon@gmail.com
  December 2010

  2. The Introduction
  • The statement
    • You cannot build secure web applications unless you know how to attack them
  • The problem
    • For many developers (including functional testers) ‘penetration testing’ is a black art
  • The solution
    • Teach basic penetration techniques to developers
  Thanks to Royston Robertson (www.roystonrobertson.co.uk) for permission to use his cartoon!

  3. The Caveat
  • This is in addition to:
    • Teaching secure coding techniques
    • Teaching about common vulnerabilities (e.g. the OWASP Top 10)
    • A secure software development lifecycle
    • Static source code analysis
    • Code reviews
    • Professional pen testing
    • …

  4. What sort of tools?
  • Easy to use
  • Well documented
  • Functional
  • Free
  • Maintained
  • Cross platform
  • Open source
  • Internationalized

  5. Introducing OWASP ZAP
  • An integrated penetration testing tool for finding vulnerabilities in web applications
  • Ease of use a priority
  • Comprehensive help pages
  • Free
  • Open source
  • Cross platform
  • Mostly internationalized ;)
  • A fork of the well regarded Paros Proxy
  • Under active development
  • Involvement actively encouraged

  6. The Features
  • All the essentials for web application testing:
    • Intercepting proxy
    • Active scanner
    • Passive scanner
    • Spider
    • Brute force (using OWASP DirBuster code)
    • Port scanner
  • Plus lots of useful things:
    • Auto tagging
    • Report generation
    • Session comparison
    • Smart card support

  7. The screenshot

  8. Suggested use
  • Explore the application using your browser (via ZAP)
  • Spider to find missed content
  • Brute force to find unreferenced content
  • Active scan to find basic vulnerabilities
  • Examine the requests and responses for more subtle issues
  • Use the OWASP Testing Guide!
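The feature slide lists a passive scanner and an active scanner side by side, and the suggested workflow above ends with an active scan followed by manual inspection of requests and responses. The following script is an added example, not code from ZAP or from this presentation: it shows, in miniature, what separates the two scanner types. The passive part only looks at a response the proxy has already recorded; the active part sends its own crafted values to the target. The four passive checks, the canary string, the captured response and the toy target application are all constructed here so the script runs offline; ZAP's own scan rules are far more numerous and more careful than this.

```python
"""Toy passive and active scan checks (added example, not ZAP's own code).

Everything below is constructed for illustration: the checks, the captured
response in SAMPLE_RESPONSE and the stand-in application toy_search_page.
"""
import re
from html import escape

# ---- Passive scanning: inspect traffic that already went through the proxy

def passive_scan(url, status, headers, body):
    """Return (alert, evidence) tuples for one captured response.

    `headers` is a list of (name, value) pairs so that repeated headers such
    as Set-Cookie are preserved; names are matched case-insensitively.
    `status` is accepted so the signature matches a recorded response but is
    not needed by these four checks."""
    alerts = []
    names = {name.lower() for name, _ in headers}
    if "x-frame-options" not in names and "content-security-policy" not in names:
        alerts.append(("Missing anti-clickjacking header", url))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, *attrs = value.split(";")
        flags = {a.strip().lower() for a in attrs}
        if "httponly" not in flags:
            alerts.append(("Cookie without HttpOnly flag", cookie))
        if url.startswith("https://") and "secure" not in flags:
            alerts.append(("Cookie without Secure flag", cookie))
    # Password fields that let the browser remember credentials.
    for m in re.finditer(r"<input[^>]*type=[\"']?password[^>]*>", body, re.I):
        if not re.search(r"autocomplete=[\"']?off", m.group(0), re.I):
            alerts.append(("Password field allows autocomplete", m.group(0)))
    return alerts

# ---- Active scanning: send crafted requests and look at what comes back

# Marker whose special characters only survive unchanged if the application
# does not HTML-encode its output.
CANARY = "zap1234<'\">"

def active_scan_reflection(send, params):
    """Resend the request once per parameter with that parameter set to
    CANARY. `send(params) -> body` stands in for an HTTP request. Parameters
    whose canary comes back unencoded are a reflected-XSS lead; an encoded
    reflection is reported as informational only."""
    alerts = []
    for name in params:
        probe = dict(params, **{name: CANARY})
        body = send(probe)
        if CANARY in body:
            alerts.append(("Parameter reflected without encoding (possible XSS)", name))
        elif escape(CANARY, quote=True) in body:
            alerts.append(("Parameter reflected, HTML-encoded (informational)", name))
    return alerts

# ---- Constructed stand-in for the application under test

def toy_search_page(params):
    """Echoes 'q' unencoded (vulnerable) and 'lang' HTML-encoded (safe)."""
    return (
        "<html><body>"
        "<form method=\"post\" action=\"/login\">"
        "<input type=password name=pw><input type=submit></form>"
        f"<p>Results for {params.get('q', '')}</p>"
        f"<p>Language: {escape(params.get('lang', ''), quote=True)}</p>"
        "</body></html>"
    )

# One captured response, as the proxy would have recorded it (constructed).
SAMPLE_RESPONSE = {
    "url": "https://app.example/login",
    "status": 200,
    "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
        ("Set-Cookie", "pref=en; Path=/; Secure; HttpOnly"),
    ],
    "body": toy_search_page({}),
}

if __name__ == "__main__":
    for alert in passive_scan(**SAMPLE_RESPONSE):
        print("passive:", *alert)
    for alert in active_scan_reflection(toy_search_page, {"q": "zap", "lang": "en"}):
        print("active: ", *alert)
```

Running it flags the session cookie twice (no HttpOnly, no Secure), the missing anti-clickjacking header and the remembered password field from the captured response alone, then finds that `q` is echoed unencoded while `lang` is encoded. The passive checks never touch the target, which is why they are safe to leave switched on while browsing; the reflection probe does send traffic, which is the reason the workflow above keeps active scanning as a separate, deliberate step.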

  9. The Future
  • Fuzzing (using OWASP JBroFuzz)
  • Enhanced scanners to detect more vulnerabilities
  • Technology detection
  • Parameter analysis
  • Better help
  • Full internationalization
  • More localization (all offers gratefully received!)
  • What do you want??

  10. Summary
  • Ideal for developers new to penetration testing
  • Useful addition to an experienced pen tester's toolbox
  • Get involved:
    • Try it out
    • Find vulnerabilities in your apps
    • Report bugs
    • Localize
    • Suggest improvements
    • Implement improvements
  • http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  11. Questions
