OWASP 2012 AppSec Dublin ZAP Intro

8 likes•5,540 views

The document provides an introduction to OWASP ZAP, a free and open-source web application penetration testing tool ideal for both beginners and professionals. It outlines the tool's main features, such as an intercepting proxy, scanners, and extensibility, along with details on its development, usage statistics, and collaborations. Additionally, it highlights the upcoming features in version 2.0, including enhanced scanning capabilities and new session management functionalities.

Technology

OWASP AppSec The OWASP Foundation
Dublin 2012 http://www.owasp.org

An Introduction to ZAP
OWASP
Zed Attack Proxy
Simon Bennetts

OWASP ZAP Project Lead
Mozilla Security Team
Copyright © The OWASP Foundation
psiinon@gmail.com
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

What is ZAP?
• An easy to use webapp pentest tool
• Completely free and open source
• An OWASP flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Becoming a framework for advanced testing

2

ZAP Principles
• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components

3

Statistics
• Released September 2010, fork of Paros
• V 1.4.0 downloaded 19,000 times
• V 1.4.1 released in August
• Downloaded ~ 5,000 times
• Translated into 11 languages
• Mostly used by Professional Pentesters?
• Paros code: ~30% ZAP Code: ~70%

4

The Main Features
All the essentials for web application testing
• Intercepting Proxy
• Active and Passive Scanners
• Spider
• Report Generation
• Brute Force (using OWASP DirBuster code)
• Fuzzing (using fuzzdb & OWASP JBroFuzz)
• Extensibility

5

The Additional Features
• Auto tagging
• Port scanner
• Smart card support
• Session comparison
• Invoke external apps
• API + Headless mode
• Dynamic SSL Certificates
• Anti CSRF token handling

6

New in Version 1.4
• Syntax highlighting
• Fuzzdb integration
• Parameter analysis
• Enhanced XSS scanner
• Plugable extensions
• Reveal hidden fields
• Some of the Watcher checks
• Lots of bug fixes!

7

Extending ZAP
• Invoking applications directly
• REST API
• Filters
• Active Scan Rules
• Passive Scan Rules
• Full Extensions
https://code.google.com/p/zap-extensions/
8

SecurityRegression Tests

http://code.google.com/p/zaproxy/wiki/SecRegTests
9

Collaborations
• Dradis – ZAP upload plugin
• OWASP ModSecurity Core Rule Set
script – SpiderLabs
• ThreadFix – Denim Group
• Ultimate Obsolete File Detection
– Hacktics ASC, Ernst & Young
• Grey-box plugin – BCC Risk Advisory

10

●
New Spider plus Session awareness
Cosmin Stefan

●
New Spider plus Session awareness
Cosmin Stefan
●
Ajax Spider via Crawljax
Guifre Ruiz

●
New Spider plus Session awareness
Cosmin Stefan
●
Ajax Spider via Crawljax
Guifre Ruiz
●
WebSockets support
Robert Kock

MORE planned 2.0 features
• Session Scope
• Modes

21

MORE planned 2.0 features
• Session Scope
• Modes
• Script Console

23

MORE planned 2.0 features
• Session Scope
• Modes
• Script Console
• Authentication management

25

MORE planned 2.0 features
• Session Scope
• Modes
• Script Console
• Authentication management
• New / updated scanner rules
• Fine grain rule controls?
• Extension Marketplace?
• Full Scripting support?

27

Any Questions?
http://www.owasp.org/index.php/ZAP

More Related Content

ODP

OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts

ODP

OWASP 2014 AppSec EU ZAP Advanced FeaturesSimon Bennetts

ODP

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

ODP

JoinSEC 2013 London - ZAP IntroSimon Bennetts

ODP

OWASP 2013 AppSec EU Hamburg - ZAP InnovationsSimon Bennetts

ODP

BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts

ODP

OWASP 2013 Limerick - ZAP: Whats even newerSimon Bennetts

ODP

JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts

OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts

OWASP 2014 AppSec EU ZAP Advanced FeaturesSimon Bennetts

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

JoinSEC 2013 London - ZAP IntroSimon Bennetts

OWASP 2013 AppSec EU Hamburg - ZAP InnovationsSimon Bennetts

BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts

OWASP 2013 Limerick - ZAP: Whats even newerSimon Bennetts

JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts

What's hot (20)

ODP

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

ODP

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23

ODP

Automating OWASP ZAP - DevCSecCon talk Simon Bennetts

ODP

2014 ZAP Workshop 1: Getting StartedSimon Bennetts

ODP

AllDayDevOps ZAP automation in CISimon Bennetts

ODP

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts

ODP

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

ODP

OWASP 2013 APPSEC USA ZAP HackathonSimon Bennetts

PDF

Owasp zapColdFusionConference

ODP

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23

PDF

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23

PDF

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23

PDF

Zed Attack Proxy (ZAP)JAINAM KAPADIYA

ODP

2017 DevSecCon ZAP Scripting WorkshopSimon Bennetts

PDF

2021 ZAP Automation in CI/CDSimon Bennetts

PPTX

Security Testing - Zap ItManjyot Singh

PDF

Using the Zed Attack Proxy as a Web App testing toolDavid Sweigert

PPTX

The OWASP Zed Attack ProxyAditya Gupta

ODP

2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts

PPTX

Scripts that automate OWASP ZAP as part of a continuous delivery pipelineSherif Mansour

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23

Automating OWASP ZAP - DevCSecCon talk Simon Bennetts

2014 ZAP Workshop 1: Getting StartedSimon Bennetts

AllDayDevOps ZAP automation in CISimon Bennetts

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

OWASP 2013 APPSEC USA ZAP HackathonSimon Bennetts

Owasp zapColdFusionConference

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23

Zed Attack Proxy (ZAP)JAINAM KAPADIYA

2017 DevSecCon ZAP Scripting WorkshopSimon Bennetts

2021 ZAP Automation in CI/CDSimon Bennetts

Security Testing - Zap ItManjyot Singh

Using the Zed Attack Proxy as a Web App testing toolDavid Sweigert

The OWASP Zed Attack ProxyAditya Gupta

2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts

Scripts that automate OWASP ZAP as part of a continuous delivery pipelineSherif Mansour

Similar to OWASP 2012 AppSec Dublin ZAP Intro (20)

PPTX

ZAP @FOSSASIA2015Sumanth Damarla

PPT

AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan

ODP

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23

ODP

Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Tabăra de Testare

PDF

we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav

ODP

Simon Bennetts - Automating ZAP DevSecCon

PPTX

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

PPTX

Security testing using zapConfiz Limited

PPTX

[Wroclaw #5] OWASP Projects: beyond Top 10OWASP

PPT

Owasp tools - OWASP SerbiaNikola Milosevic

PPT

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

PDF

DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00

KEY

Road towards Owasp Orizon 2.0 (November 2009 update)Paolo Perego

PDF

OWASP DefectDojo - Open Source Security SanityMatt Tesauro

PPTX

AppSec DC 2019 ASVS 4.0 Final.pptxJosh Grossman

PPTX

AppSec DC 2019 ASVS 4.0 Final.pptxTuynNguyn819213

PPTX

Owasptunisiawebday2011 120112072523-phpapp02Abwebnet

PPTX

Owasp tunisia web day 2011OWASPTunisia

PPTX

Artifacts management with DevOpsChen-Tien Tsai

PPTX

An Introduction to ZAP by Checkmarx - Official VersionSimon Bennetts

ZAP @FOSSASIA2015Sumanth Damarla

AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23

Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Tabăra de Testare

we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav

Simon Bennetts - Automating ZAP DevSecCon

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

Security testing using zapConfiz Limited

[Wroclaw #5] OWASP Projects: beyond Top 10OWASP

Owasp tools - OWASP SerbiaNikola Milosevic

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00

Road towards Owasp Orizon 2.0 (November 2009 update)Paolo Perego

OWASP DefectDojo - Open Source Security SanityMatt Tesauro

AppSec DC 2019 ASVS 4.0 Final.pptxJosh Grossman

AppSec DC 2019 ASVS 4.0 Final.pptxTuynNguyn819213

Owasptunisiawebday2011 120112072523-phpapp02Abwebnet

Owasp tunisia web day 2011OWASPTunisia

Artifacts management with DevOpsChen-Tien Tsai

An Introduction to ZAP by Checkmarx - Official VersionSimon Bennetts

Recently uploaded (20)

PDF

Tea4chat - another LLM Project by Kerem Atama0m0rajab1

PDF

The Future of Mobile Is Context-Aware—Are You Ready?iProgrammer Solutions Private Limited

PDF

Research-Fundamentals-and-Topic-Development.pdfayesha butalia

PPTX

Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...AgileNetwork

PDF

NewMind AI Weekly Chronicles - July'25 - Week IVNewMind AI

PPTX

Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...AndreeaTom

PDF

GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdfLuiz Carneiro

PPTX

AI and Robotics for Human Well-being.pptxJAYMIN SUTHAR

PPTX

Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...AgileNetwork

PDF

Responsible AI and AI Ethics - By Sylvester EbhonuSylvester Ebhonu

PPTX

cloud computing vai.pptx for the projectvaibhavdobariyal79

PPTX

Applied-Statistics-Mastering-Data-Driven-Decisions.pptxparmaryashparmaryash

PPTX

AI in Daily Life: How Artificial Intelligence Helps Us Every Dayvanshrpatil7

PDF

Google I/O Extended 2025 Baku - all pptsHusseinMalikMammadli

PDF

How Open Source Changed My Career by abdelrahman ismaila0m0rajab1

PPTX

Simple and concise overview about Quantum computing..pptxmughal641

PPTX

New ThousandEyes Product Innovations: Cisco Live June 2025ThousandEyes

PDF

Trying to figure out MCP by actually building an app from scratch with open s...Julien SIMON

PDF

AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdfArtjoker Software Development Company

PDF

Presentation about Hardware and Software in Computersnehamodhawadiya

Tea4chat - another LLM Project by Kerem Atama0m0rajab1

The Future of Mobile Is Context-Aware—Are You Ready?iProgrammer Solutions Private Limited

Research-Fundamentals-and-Topic-Development.pdfayesha butalia

Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...AgileNetwork

NewMind AI Weekly Chronicles - July'25 - Week IVNewMind AI

Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...AndreeaTom

GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdfLuiz Carneiro

AI and Robotics for Human Well-being.pptxJAYMIN SUTHAR

Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...AgileNetwork

Responsible AI and AI Ethics - By Sylvester EbhonuSylvester Ebhonu

cloud computing vai.pptx for the projectvaibhavdobariyal79

Applied-Statistics-Mastering-Data-Driven-Decisions.pptxparmaryashparmaryash

AI in Daily Life: How Artificial Intelligence Helps Us Every Dayvanshrpatil7

Google I/O Extended 2025 Baku - all pptsHusseinMalikMammadli

How Open Source Changed My Career by abdelrahman ismaila0m0rajab1

Simple and concise overview about Quantum computing..pptxmughal641

New ThousandEyes Product Innovations: Cisco Live June 2025ThousandEyes

Trying to figure out MCP by actually building an app from scratch with open s...Julien SIMON

AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdfArtjoker Software Development Company

Presentation about Hardware and Software in Computersnehamodhawadiya

OWASP 2012 AppSec Dublin ZAP Intro

1. OWASP AppSec The OWASP Foundation Dublin 2012 http://www.owasp.org An Introduction to ZAP OWASP Zed Attack Proxy Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team Copyright © The OWASP Foundation [email protected] Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • An OWASP flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Becoming a framework for advanced testing 2

3. ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components 3

4. Statistics • Released September 2010, fork of Paros • V 1.4.0 downloaded 19,000 times • V 1.4.1 released in August • Downloaded ~ 5,000 times • Translated into 11 languages • Mostly used by Professional Pentesters? • Paros code: ~30% ZAP Code: ~70% 4

5. The Main Features All the essentials for web application testing • Intercepting Proxy • Active and Passive Scanners • Spider • Report Generation • Brute Force (using OWASP DirBuster code) • Fuzzing (using fuzzdb & OWASP JBroFuzz) • Extensibility 5

6. The Additional Features • Auto tagging • Port scanner • Smart card support • Session comparison • Invoke external apps • API + Headless mode • Dynamic SSL Certificates • Anti CSRF token handling 6

7. New in Version 1.4 • Syntax highlighting • Fuzzdb integration • Parameter analysis • Enhanced XSS scanner • Plugable extensions • Reveal hidden fields • Some of the Watcher checks • Lots of bug fixes! 7

8. Extending ZAP • Invoking applications directly • REST API • Filters • Active Scan Rules • Passive Scan Rules • Full Extensions https://code.google.com/p/zap-extensions/ 8

9. SecurityRegression Tests http://code.google.com/p/zaproxy/wiki/SecRegTests 9

10. Collaborations • Dradis – ZAP upload plugin • OWASP ModSecurity Core Rule Set script – SpiderLabs • ThreadFix – Denim Group • Ultimate Obsolete File Detection – Hacktics ASC, Ernst & Young • Grey-box plugin – BCC Risk Advisory 10

11. ZAP 2.0

12. ● New Spider plus Session awareness Cosmin Stefan

14. ● New Spider plus Session awareness Cosmin Stefan

15. ● New Spider plus Session awareness Cosmin Stefan ● Ajax Spider via Crawljax Guifre Ruiz

17. ● New Spider plus Session awareness Cosmin Stefan ● Ajax Spider via Crawljax Guifre Ruiz

18. ● New Spider plus Session awareness Cosmin Stefan ● Ajax Spider via Crawljax Guifre Ruiz ● WebSockets support Robert Kock

20. ● New Spider plus Session awareness Cosmin Stefan ● Ajax Spider via Crawljax Guifre Ruiz ● WebSockets support Robert Kock

21. MORE planned 2.0 features • Session Scope • Modes 21

23. MORE planned 2.0 features • Session Scope • Modes • Script Console 23

25. MORE planned 2.0 features • Session Scope • Modes • Script Console • Authentication management 25

27. MORE planned 2.0 features • Session Scope • Modes • Script Console • Authentication management • New / updated scanner rules • Fine grain rule controls? • Extension Marketplace? • Full Scripting support? 27

28. Any Questions? http://www.owasp.org/index.php/ZAP