The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Prowareness Tech Talk Tuesdays
22 Dec 2015
Automating Web Application Security Testing with OWASP ZAP DOT NET API
The OWASP Zed Attack Proxy
https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI
Marudhamaran Gunasekaran
Zap Contributor
@gmaran23
Prelude
• This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs)
• Practical Security Testing For Developers Using OWASP
ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration –
http://wp.me/p323iP-fV
• Dot Net Web Application Security
http://wp.me/p323iP-fS
http://wp.me/p323iP-ib
Agenda
• Application Security Program Challenges
• Why OWASP ZAP?
• Earlier episodes on Dot Net Security and
OWASP ZAP
• ZAP – Operating Modes
• ZAP Demonstration – API
• OWASP ZAP DOT NET API - Automating
The problems
• Most developers know very little about security
• Most companies have very few application
security folks
• External consultants cost $$$$$
• Security testing is done late in the application
development lifecycle (if it is done at all)
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure
development lifecycle, threat modelling,
static source code analysis, secure code
reviews, professional pentesting…
Why ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• Source code updated almost every day
• One of the OWASP Flagship projects
• Ideal for beginners, but also used by professionals
• Powerful API - for automated security tests
The app sec foundations
• Vulnerability Analysis
– Look for weak spots
• Penetration Testing
– Exploit the weaknesses
• Security Testing
– May involve both or just VA
The app sec tool foundations
• Spider or Crawler
– Gather information about what to attack
• Passive Scan
– Static analysis on the gathered information
(HTTP requests and responses)
• Active Scan
– Send attack (potentially harmful) payloads to
exploit / confirm weakness
Download ZAP
• Download OWASP ZAP
https://www.owasp.org/index.php/OWASP_Zed_Attack_Prox
ZAP API demo
Headless attack!
Introducing the OWASP ZAP DOT NET API
https://www.nuget.org/packages/OWASPZAPDotNetAPI/
OWASP ZAP DOT NET API
Source Code and Samples
https://github.com/zaproxy/zap-api-dotnet
Automating authenticated scans
1. Create a context in the name of the application
2. Choose the mode of authentication (for instance
Forms Authentication)
3. Provide Authentication information
4. Spider
5. Scan
6. Verify
7. Fix
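Steps 1 to 6 above, written out as an added example (not code from the talk or from the zap-api-dotnet project). It calls ZAP's HTTP JSON API directly with HttpClient instead of going through the OWASPZAPDotNetAPI wrapper; the ZAP address, target URL, login path, form field names, context name and credentials are all assumptions for a test application you own.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Text.Json;
using System.Threading;

// Added example. Assumptions: ZAP daemon on localhost:8080, its API key in the
// ZAP_API_KEY environment variable, and a test app you own on localhost:5000.
static class AuthenticatedScan
{
    const string Zap = "http://localhost:8080";
    const string Target = "http://localhost:5000"; // hypothetical app under test
    static readonly HttpClient Http = new HttpClient();

    // Call one ZAP JSON API endpoint and return the parsed response object.
    static JsonElement Call(string path, params (string Key, string Value)[] args)
    {
        string query = string.Join("&", args.Select(a => $"{a.Key}={Uri.EscapeDataString(a.Value)}"));
        string body = Http.GetStringAsync($"{Zap}/JSON/{path}/?{query}").GetAwaiter().GetResult();
        return JsonDocument.Parse(body).RootElement;
    }

    // Actions that create something answer {"name":"id"}; return that id.
    static string Id(JsonElement e) => e.EnumerateObject().First().Value.GetString();

    // Poll spider/ascan status until the scan reports 100 percent.
    static void WaitFor(string component, string scanId)
    {
        while (Call($"{component}/view/status", ("scanId", scanId))
                   .GetProperty("status").GetString() != "100")
            Thread.Sleep(2000);
    }

    static int Main()
    {
        Http.DefaultRequestHeaders.Add("X-ZAP-API-Key",
            Environment.GetEnvironmentVariable("ZAP_API_KEY") ?? "");
        // 1. Context named after the application, scoped to the target only.
        string ctx = Id(Call("context/action/newContext", ("contextName", "MyApp")));
        Call("context/action/includeInContext", ("contextName", "MyApp"), ("regex", Target + ".*"));
        // 2. Forms authentication; {%username%} and {%password%} are filled in by ZAP.
        string login = Uri.EscapeDataString(Target + "/Account/Login");
        string form = Uri.EscapeDataString("Email={%username%}&Password={%password%}");
        Call("authentication/action/setAuthenticationMethod", ("contextId", ctx),
            ("authMethodName", "formBasedAuthentication"),
            ("authMethodConfigParams", $"loginUrl={login}&loginRequestData={form}"));
        // 3. Test account (constructed credentials) that ZAP logs in as.
        string user = Id(Call("users/action/newUser", ("contextId", ctx), ("name", "tester")));
        Call("users/action/setAuthenticationCredentials", ("contextId", ctx), ("userId", user),
            ("authCredentialsConfigParams", "username=tester%40example.test&password=ChangeMe"));
        Call("users/action/setUserEnabled", ("contextId", ctx), ("userId", user), ("enabled", "true"));
        // 4. Spider, then 5. active scan, both as that user.
        WaitFor("spider", Id(Call("spider/action/scanAsUser",
            ("contextId", ctx), ("userId", user), ("url", Target))));
        WaitFor("ascan", Id(Call("ascan/action/scanAsUser",
            ("url", Target), ("contextId", ctx), ("userId", user))));
        // 6. Verify: exit code 1 fails the build if any High-risk alert exists.
        var high = Call("core/view/alerts", ("baseurl", Target)).GetProperty("alerts")
            .EnumerateArray().Where(a => a.GetProperty("risk").GetString() == "High").ToList();
        foreach (var a in high)
            Console.WriteLine("{0}: {1}", a.GetProperty("alert").GetString(),
                a.GetProperty("url").GetString());
        return high.Count == 0 ? 0 : 1;
    }
}
```

Run as a build step, the non-zero exit code turns step 6 into a security regression gate: a fix (step 7) is confirmed when the same run returns 0.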
Security Regression Testing
Well, let me watch you here!
ZAP – Need Help?
ZAP user group -
https://groups.google.com/forum/#!forum/zaproxy-users
ZAP Evangelists -
https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists
ZAP Developers group -
https://groups.google.com/forum/#!forum/zaproxy-develo
ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
Conclusion
• Consider security at all stages of development cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is nothing,
with “right set of” tools he is all”
Any Questions?
http://www.owasp.org/index.php/ZAP
Postlude
• This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs)
• Practical Security Testing For Developers Using OWASP
ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration –
http://wp.me/p323iP-fV
• Dot Net Web Application Security
http://wp.me/p323iP-fS
http://wp.me/p323iP-ib
Postlude - Extended
• OWASP App sec tutorial series
https://www.youtube.com/user/AppsecTutorialSeries
• OWASP ZAP – Ajax Spidering with Authentication
http://wp.me/p323iP-en
• Cross Site Scripting [XSS]
http://wp.me/p323iP-es
• XML – Attack surface and Defenses
http://wp.me/p323iP-cU
• Sql injection exploitation and prevention part 1
http://wp.me/p323iP-bi
• Sql injection exploitation and prevention part 2
http://wp.me/p323iP-by
