The OWASP Foundation 
http://www.owasp.org 
OWASP ZAP 
Workshop 2: 
Contexts and Fuzzing 
Simon Bennetts 
OWASP ZAP Project Lead 
Mozilla Security Team 
psiinon@gmail.com 
Copyright © The OWASP Foundation 
OWASP 
Canberra 2014 
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The plan 
• The main bit 
• Demo feature 
• Let you play with feature 
• Answer any questions 
• Repeat 
• Plans for the future sessions 
Contexts 
• Assign characteristics to groups of URLs 
• Like an application: 
– Per site: 
• http://www.example.com 
– Site subtree: 
• http://www.example.com/app1 
– Multiple sites: 
• http://www.example1.com 
• http://www.example2.com
Practical 1 
• Create and edit a Context definition 
• Add a context to the scope and remove it again 
• Try using ZAP with different modes and scopes 
Contexts 
• Allow you to define: 
– Scope 
– Session handling 
– Authentication 
– Users 
– 'Forced user' 
– Structure 
– with more coming soon
Practical 2 
• Define a context for an app with authentication 
• Configure the authentication method, the logged in/out indicator and one or more users 
• Spider / scan using the Forced User mode 
Basic Fuzzing 
• Current 'basic' fuzzing: 
– Sending attack vectors at 1 selected target 
– Just supports files of attack vectors 
– JbroFuzz files included by default 
– FuzzDb and SVN Digger files on Marketplace 
– You can add your own files 
– Handles anti-CSRF tokens 
– Results can be searched
Practical 3 
• Fuzz input fields 
• Fuzz input fields in forms with an anti-CSRF token 
• Search fuzzing results 
• Download and use FuzzDb and SVN Digger files 
Advanced Fuzzing 
• 'MultiFuzz' on the Marketplace: 
– Sending attack vectors at multiple selected targets 
– Range of attack vectors, not just files 
– Supports graphing of results 
– Google Summer of Code Project 
– Alpha quality
Practical 4 
• Download MultiFuzz 
• Try out all of its features 
• Provide feedback :) 
Advanced Scanning 
• Accessed from: 
– Right click Attack menu 
– Tools menu 
– Keyboard shortcut (default Ctrl-Alt-A) 
• Gives you fine-grained control over: 
– Scope 
– Input Vectors 
– Custom Vectors 
– Policy
Practical 5 
• Scan one URL with one scan rule 
• Play with the thresholds and strengths 
• Scan custom input vectors 
• Create, save and load Policies 
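Added example, not code from the workshop or from the ZAP project: the Practical 2 and Practical 5 steps above driven through the ZAP API with the python-owasp-zap-v2.4 client (the API itself is a topic for a later session). `zap` is assumed to be a `zapv2.ZAPv2` instance talking to a running ZAP; `RecordingZap` is a constructed offline stand-in that only logs the calls, and the context name, policy name and scan rule id are placeholders you replace with your own.

```python
from urllib.parse import urlencode

class _RecordingApi:
    """Constructed offline stand-in for one zapv2 sub-API (zap.context, ...)."""
    def __init__(self, name, log):
        self._name, self._log = name, log
    def __getattr__(self, method):
        def call(*args, **kwargs):
            self._log.append((self._name, method, args, kwargs))
            return "1"  # ZAP returns new context/user/scan ids as strings
        return call

class RecordingZap:
    """Constructed stand-in for zapv2.ZAPv2 that records calls instead of sending them."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, api):
        return _RecordingApi(api, self.calls)

def setup_authenticated_context(zap, name, include_regex, login_url,
                                username, password, logged_in_regex):
    """Practical 2 via the API: context + form-based auth + logged-in
    indicator + one user, then Forced User mode. Returns (context_id, user_id)."""
    ctx_id = zap.context.new_context(name)
    zap.context.include_in_context(name, include_regex)
    # ZAP substitutes each user's credentials for {%username%} / {%password%}
    auth = urlencode({
        "loginUrl": login_url,
        "loginRequestData": "username={%username%}&password={%password%}"})
    zap.authentication.set_authentication_method(ctx_id, "formBasedAuthentication", auth)
    zap.authentication.set_logged_in_indicator(ctx_id, logged_in_regex)
    user_id = zap.users.new_user(ctx_id, username)
    zap.users.set_authentication_credentials(
        ctx_id, user_id, urlencode({"username": username, "password": password}))
    zap.users.set_user_enabled(ctx_id, user_id, "true")
    zap.forcedUser.set_forced_user(ctx_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled("true")
    return ctx_id, user_id

def scan_one_rule(zap, policy, rule_id, url, threshold="MEDIUM", strength="LOW"):
    """Practical 5 via the API: a policy with exactly one scan rule enabled at the
    given alert threshold / attack strength, then an active scan of one URL."""
    zap.ascan.add_scan_policy(policy)
    zap.ascan.disable_all_scanners(policy)
    zap.ascan.enable_scanners(rule_id, policy)
    zap.ascan.set_scanner_alert_threshold(rule_id, threshold, policy)
    zap.ascan.set_scanner_attack_strength(rule_id, strength, policy)
    return zap.ascan.scan(url, recurse="false", scanpolicyname=policy)
```

Swap `RecordingZap()` for `zapv2.ZAPv2(apikey=...)` to run the same steps against ZAP; the call log is what the stand-in gives you to check the order and parameters offline.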
Future Sessions? 
• Scripts 
• Zest 
• The API 
• Websockets 
• Marketplace add-ons 
• Intro to the source code? 
• What do you want?? 
Any Questions? 
http://www.owasp.org/index.php/ZAP