Zap Attacks

The Zed Attack Proxy (ZAP) is a popular free web security tool maintained by volunteers, designed to find vulnerabilities in web applications. It offers various interfaces including desktop, API, and a Heads Up Display for ease of use and automation. The presentation covers ZAP's history, functionality, and resources for further exploration and usage.

Zed Attack Proxy (ZAP)

Daniel W – OWASP Chapter Lead


About me
• OWASP Dorset Chapter Lead
• Over a decade in Information Security
– Likes to solve root causes through Security Architecture
• Any further questions over pizza and beer
The talk
• ZAP
– What is it?
– History
– Meet the ancestor
– How does it work
– Where to get ZAP
– How you can use it
– Who uses it
– Where to go next
What is it?

The world's most popular free web security tool, actively maintained by a dedicated international team of volunteers.
History
• Simon Bennetts
• Find obvious vulnerabilities automatically
• Get other developers using security tools
• OWASP Flagship Project
• Supported internationally
Meet the ancestor
• Paros Proxy
• ZAP started life as a fork of the Paros Proxy.
How does it work?
In essence - a fancy proxy with some lovely extras.
Where to get ZAP

https://www.zaproxy.org/
https://owasp.org/www-project-zap/
https://github.com/zaproxy/zaproxy
How you can use it
• Three interfaces
– Desktop
– API
– Heads Up Display (HUD - new)
• Automation ready (API or docker)
Desktop
Automated scans
1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. Click the large Automated Scan button.
3. In the URL to attack text box, enter the full URL of the web application you want to attack.
4. Click the Attack

ZAP will proceed to crawl the web application with its spider and passively scan each page it finds. Then ZAP will use the active scanner to attack all of the discovered pages, functionality, and parameters.
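The same spider, passive scan, active scan, alerts sequence that the Automated Scan button runs can be driven from the API interface listed later in the deck, which is what "automation ready" means in practice. The script below is an added example written for this page, not code from the slides or from the ZAP project. It assumes a ZAP instance already running with its API on http://127.0.0.1:8080 and an API key configured (both are assumptions; adjust to your setup), uses only the Python standard library, and carries a small constructed sample of alerts so the summarising part can be exercised without a live ZAP.

```python
"""Script ZAP's Quick Start 'Automated Scan' over the ZAP JSON API.

Added example for this page. Assumed environment (not stated on the slides):
ZAP listening on 127.0.0.1:8080 with an API key set (-config api.key=...),
and a target you are permitted to attack, e.g. a local test app.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: where ZAP's API listens
API_KEY = "change-me"               # assumption: must match ZAP's api.key

# Constructed sample in the shape of a core/view/alerts response, so the
# summary logic below can be run offline. Not real scan output.
SAMPLE_ALERTS = [
    {"name": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://localhost:3000/"},
    {"name": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://localhost:3000/login"},
    {"name": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://localhost:3000/rest/user/login"},
]


def api_url(component, kind, name, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Build <base>/JSON/<component>/<view|action>/<name>/?apikey=..&param=.."""
    query = {"apikey": apikey}
    query.update(params or {})
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def report_url(fmt, base=ZAP_BASE, apikey=API_KEY):
    """URL of the HTML, JSON or XML report (ZAP's core 'other' endpoints)."""
    if fmt not in ("html", "json", "xml"):
        raise ValueError("fmt must be html, json or xml")
    return f"{base}/OTHER/core/other/{fmt}report/?apikey={urllib.parse.quote(apikey)}"


def call(url):
    """GET a JSON API endpoint and decode the response body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(status_url, key="status", done="100", poll=2.0):
    """Poll a spider/ascan status view until it reports 100 percent complete."""
    while call(status_url)[key] != done:
        time.sleep(poll)


def summarize_alerts(alerts):
    """Group alerts by risk and de-duplicate by alert name.

    Returns e.g. {"Medium": ["X-Frame-Options Header Not Set"], "Low": [...]}
    with empty risk levels dropped.
    """
    summary = {"High": [], "Medium": [], "Low": [], "Informational": []}
    for alert in alerts:
        names = summary.setdefault(alert.get("risk", "Informational"), [])
        if alert["name"] not in names:
            names.append(alert["name"])
    return {risk: names for risk, names in summary.items() if names}


def run_automated_scan(target):
    """Spider -> wait for passive scan queue -> active scan -> collect alerts."""
    spider_id = call(api_url("spider", "action", "scan", {"url": target}))["scan"]
    wait_for(api_url("spider", "view", "status", {"scanId": spider_id}))
    # Passive scanning runs on traffic as it arrives; drain the queue first.
    while call(api_url("pscan", "view", "recordsToScan"))["recordsToScan"] != "0":
        time.sleep(1)
    ascan_id = call(api_url("ascan", "action", "scan", {"url": target}))["scan"]
    wait_for(api_url("ascan", "view", "status", {"scanId": ascan_id}))
    alerts = call(api_url("core", "view", "alerts", {"baseurl": target}))["alerts"]
    return summarize_alerts(alerts)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live run against a target you own, e.g.: python zap_scan.py http://localhost:3000
        print(json.dumps(run_automated_scan(sys.argv[1]), indent=2))
        print("HTML report:", report_url("html"))
    else:
        # Offline: summarise the constructed sample alerts.
        print(json.dumps(summarize_alerts(SAMPLE_ALERTS), indent=2))
```

Only active scan against a target you have permission to attack, as the closing slide says; the spider alone already sends a large volume of requests, and the active scanner will submit attack payloads to every discovered parameter.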
Alerts
Manual Exploration
1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. Click the large Manual Explore button.
3. In the URL to explore text box, enter the full URL of the web application you want to explore.
4. Select the browser you would like to use.
5. Click the Launch Browser button.
Spiders are powerful
API

https://www.zaproxy.org/docs/api/#api-catalogue
Heads Up Display (cool)
The Heads Up Display (HUD) is a new and innovative interface that provides access to ZAP functionality directly in the browser.

The HUD is overlaid on top of the target application in your browser when enabled via the 'Manual Explore' screen or toolbar option.

Only modern browsers such as Firefox and Chrome are supported.
Reports (HTML, JSON or XML)
Where to go next
• Search for OWASP ZAP
• Download ZAP and Java
• Try some passive scans
• Try active scan (with permission only)
• Try automation
• Twitter @zaproxy
• https://www.zaproxy.org/
• https://owasp.org/www-project-zap/
• https://github.com/zaproxy/zaproxy
Questions (if time allows)