1. Using OWASP ZAP to find
vulnerabilities in your web apps
David Epler
Security Architect
depler@aboutweb.com

2. About Me
• Primarily an Application Developer
• Contributor to Learn CF In a Week
• Created Unofficial Updater 2 to patch
Adobe ColdFusion 8.0.1 & 9.0.x
• OWASP Individual Member
• OWASP ZAP Evangelist

3. What is OWASP
Zed Attack Proxy (ZAP)?
• An easy to use web application
penetration testing tool
• Completely free and Open Source
• no paid PRO version
• OWASP flagship project
• Included in major security distributions
• Kali, Samurai WTF, etc.

4. Brief ZAP History
• Fork of Paros Proxy by Simon Bennetts
• Code: Paros ~20%, ZAP ~80%
• 1st Release September 2010
• Adopted by OWASP October 2010
• Now at 2.3.0, with roadmap to 2.4.0+
• Best Security Tool of 2013 as Voted by
ToolsWatch.org Readers

5. Why use ZAP?
• Ideal for beginners, developers
• also used by professional pen testers
• Point and shoot via Quick Start Tab
• Manual penetration testing
• As a debugger
• As part of larger security program
• Automated security regression tests

6. Main ZAP Features
• Intercepting Proxy
• Active and Passive Scanners
• Traditional and AJAX spiders
• Forced browsing
• using OWASP DirBuster
• Fuzzing
• using fuzzdb and OWASP JBroFuzz
• Cross Platform
• built on Java (requires 1.7)

7. More ZAP Features
• WebSockets support
• Authentication and session support
• Smart card and client digital certificate support
• Anti CSRF token handling
• Report generation
• Port scanner
• Invoke external applications
• Support for wide range of scripting
• JavaScript, Zest, Python, Groovy
• Online Add-ons Marketplace
• Translated into 20+ languages

8. Intercepting Proxy
Website

9. Intercepting Proxy
Website

10. Installing and
Configuring ZAP
• Download and Install
• https://code.google.com/p/zaproxy/
wiki/Downloads
• Configure browser to use ZAP as proxy
• FoxyProxy Standard plugin for Firefox
• Import OWASP ZAP Root CA
• needed for testing HTTPS sites/apps

11. Installing and
Configuring ZAP
Demo Time

12. Plug-n-Hack
• Configuring browser to work with security tool can be
difficult
• Proposed standard developed by Mozilla Security
Team
• Allows browsers and security tools to integrate more
easily
• Allows security tools to expose functionality to
browser
• Requires Firefox 24+ and plugin
• Other tools to support it
• Burp Suite, Kali

13. A Few Tips
• Can use Linux install on Windows, if don’t
have rights to install
• Don’t forget to import certificate
• If you get the following when trying HTTPS
• ZAP Error: handshake alert:
unrecognized_name
• Add to zap.sh/zap.bat
• !Djsse.enableSNIExtension=false

14. Testing for vulnerabilities
• Automated Testing
• Quick Start
• Active Scan

15. Testing for vulnerabilities
• Directed Testing
• Manual, using browser walk through
web app
• ZAP capturing responses then, testing
further by manipulating requests

16. Testing for vulnerabilities
Demo Time

17. Integrating ZAP
with other tools
• Run external applications
• Nikto
• sqlmap

18. Integrating ZAP
with other tools
• Generate ModSecurity virtual patching
rules from ZAP XML results
• zap2modsec.pl

19. Integrating ZAP
with other tools
Demo Time

20. • Please be sure to fill out evaluations
• Blog: http://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
Q&A - Thanks

21. • OWASP Zed Attack Proxy Project
• Plug-n-Hack
• Issue 704: ZAP Error: handshake alert:
unrecognized_name
• ModSecurity Advanced Topic of the
Week: Automated Virtual Patching using
OWASP Zed Attack Proxy
Resources