1 of 34

Intro to ZAP

A Fanboy’s Perspective

2 of 34

What is ZAP?

3 of 34

Zed Attack Proxy

HTTP Proxy
Scanning
Rich plugin marketplace to assist in analysis
(Relatively) easy to extend

Breakers

“The world’s most widely used web app scanner”
(Relatively) easy to automate
Wide range of deployment options

Builders

4 of 34

Project Overview

Apache 2 License

Free + Open Source

Enduring

OWASP Flagship

Simon Bennetts (psiinon)�Ricardo Pereira (thc202)�Rick Mitchell (kingthorin)

Great Community

Over 10 Years old!

OWASP Flagship Project

Projects that have demonstrated strategic value to OWASP and application security as a whole

Free and Open Source

Apache 2
Means that can be used for pretty much whatever, as long as long as you include copyright, license any changes as well as existing notices

Don’t hold liable or use the ZAP trademark

Obviously do your own research

The ZAP project began on September 6, 2010

Originally a fork of another open source proxy called Paros
It is one of the most active Open Web Application Security Project (OWASP) projects as of 2014

Leadership team

Longtime OWASP members and active infosec professionals
Actively contribute to ZAP, and other project such as the Web Application Testing Guide
Public communications and github community is very active, friendly and constructive
Do a great job and making sure user feedback is heard

Github -> Twitter bot
Great into videos
Very comprehensive docs
Release notes that actually say something

Take advantage of Google summer of code and season of docs

5 of 34

First Steps

6 of 34

What is a Proxy

Browser

Proxy

Application

TLS Connection to application

TLS Connection to proxy

ZAP issued Certificate

Twitter issued Certificate

7 of 34

Start Intercepting Traffic

8 of 34

Start Intercepting Traffic

9 of 34

Start Intercepting Traffic

10 of 34

Start Intercepting Traffic

11 of 34

Understanding ZAP’s Layout

12 of 34

Common Manual Testing Tasks

13 of 34

Targeting an Application

14 of 34

Intercepting Requests

15 of 34

Intercepting Requests

16 of 34

Repeating a Request

17 of 34

Sending a Lot of Requests

18 of 34

Decoding and Encoding Data

19 of 34

Decoding and Encoding Data But make it Fancy

20 of 34

Scripting in ZAP

21 of 34

HTTP Sender Scripts

22 of 34

Extender Scripts

23 of 34

Custom Scan Rules

24 of 34

Dealing with Callback Traffic

Payload triggers on backend

SSH Port Forwarding

25 of 34

Dealing with Callback Traffic

26 of 34

Dealing with Callback Traffic

27 of 34

Deploying as a Scanner

28 of 34

Deployment Options

29 of 34

API Features

30 of 34

Github Actions

31 of 34

Final Thoughts

32 of 34

Nice

Not Nice

Open Source
Costs $0
Fully Featured
Top notch customization
Exceptionally good community

User Interface takes some adjustment
Sometime requires additional effort
Occasionally takes longer to get new features

33 of 34

More ZAP Resources

ZAP Community Scripts�ZAP Deep Dive�ZAP in Ten�IRC�Contributing to ZAP�

34 of 34

Thanks!

jack.enders@owasp.org

@JackEnders

OWASP Toronto Youtube