Web Testing with OWASP ZED Application Proxy (ZAP)
@MikeLandeck
CactusCon 2014
How ZAP Works
1. Tester enters input in the browser.
2. Browser directs the input to ZAP (its configured proxy) rather than to the web server.
3. ZAP proxies the request to the web server.
4. Web server responds.
5. ZAP proxies the response back to the browser.
6. Tester views the request and response in ZAP.
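The flow above, as an added example that is not part of the slide deck: a toy intercepting proxy in Python (standard library only) that does what ZAP does at this level, receives the browser's request, lets the tester tamper with it, forwards it to the origin, and records the exchange the way ZAP's History tab would. The target server, the `/login?user=admin` request and the tampering step are all constructed for the demo; ports are chosen by the OS so it runs offline on any machine.

```python
"""Toy intercepting proxy showing the browser -> ZAP -> server -> ZAP -> browser flow."""
import http.client
import http.server
import threading
import urllib.parse

# Hop-by-hop headers are not forwarded; the proxy re-frames the message itself.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive",
              "transfer-encoding", "content-length", "server", "date"}


class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    """Receives the browser's request, optionally lets the tester tamper with it,
    forwards it to the origin server and records the exchange (cf. ZAP's History tab)."""

    history = []    # one dict per request/response pair
    tamper = None   # optional callable(path, headers, body) -> (path, headers, body)

    def do_GET(self):
        self._forward(None)

    def do_POST(self):
        self._forward(self.rfile.read(int(self.headers.get("Content-Length", 0))))

    def _forward(self, body):
        # A browser configured to use a proxy puts the absolute URI in the request line.
        url = urllib.parse.urlsplit(self.path)
        path = urllib.parse.urlunsplit(("", "", url.path or "/", url.query, ""))
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        if InterceptingProxy.tamper:     # the tester edits the request before it leaves
            path, headers, body = InterceptingProxy.tamper(path, headers, body)
        conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        conn.request(self.command, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        InterceptingProxy.history.append({"browser_sent": self.path, "forwarded": path,
                                          "status": resp.status, "response": data})
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo quiet
        pass


class TargetServer(http.server.BaseHTTPRequestHandler):
    """Stand-in web server (constructed for the demo) that echoes what it received."""

    def do_GET(self):
        body = ("target saw: %s %s" % (self.command, self.path)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start handler on 127.0.0.1 with an OS-chosen port in a daemon thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def browser_request(proxy_port, url):
    """Exactly what a browser does once 'HTTP Proxy = 127.0.0.1, Port = <proxy_port>' is set:
    connect to the proxy and send the absolute URI plus the target's Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url, headers={"Host": urllib.parse.urlsplit(url).netloc})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo_intercept():
    """One request through the proxy; the tester appends a quote to the parameter
    (a common first probe for SQL injection) while the request is held in the proxy."""
    target, tport = serve(TargetServer)
    proxy, pport = serve(InterceptingProxy)
    InterceptingProxy.history.clear()
    InterceptingProxy.tamper = lambda p, h, b: (p.replace("user=admin", "user=admin%27"), h, b)
    status, body = browser_request(pport, "http://127.0.0.1:%d/login?user=admin" % tport)
    InterceptingProxy.tamper = None
    proxy.shutdown()
    target.shutdown()
    return status, body, list(InterceptingProxy.history)


if __name__ == "__main__":
    status, body, history = demo_intercept()
    print(status, body)
    for entry in history:
        print(entry)
```

The point of the demo is the difference between `browser_sent` and `forwarded` in the history entry: the browser still believes it asked for `user=admin`, the server received `user=admin%27`, and only the proxy saw both. That is the position ZAP occupies, which is also why the browser must be told to use it (the next slides) and why ZAP needs its own CA certificate to do the same for HTTPS.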
Launch Iceweasel
Or you can simply type “iceweasel” at the command prompt
ZAP Set-up
1. From Iceweasel, open the Preferences console by clicking Edit > Preferences
2. Click the Network tab
3. Click Settings
Configure the Proxy
1. Select “Manual proxy configuration”
2. HTTP Proxy = 127.0.0.1
3. Port = 8080 (ZAP's default listening port; if you change it in ZAP, change it here too)
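The same proxy setting applied without the clicks, as an added example that is not from the deck: a Python script that writes the preferences into a Firefox/Iceweasel profile's `user.js` (Firefox's own mechanism for forcing preferences at startup), reads them back to verify, and checks that something is actually listening on 127.0.0.1:8080 before the browser is pointed at it. The preference names are Firefox's; the profile directory, the throwaway listener standing in for ZAP, and the helper function names are assumptions made for the demo. One caveat a practitioner hits quickly is built in: Firefox skips the proxy for localhost by default, so a target running on the same box never reaches ZAP unless that exclusion is cleared.

```python
"""Point an Iceweasel/Firefox profile at ZAP by writing user.js, then check ZAP is up."""
import os
import re
import socket
import tempfile


def proxy_prefs(host="127.0.0.1", port=8080):
    """Firefox's own preference names; values mirror the slide (127.0.0.1, port 8080)."""
    return {
        "network.proxy.type": 1,                  # 1 = "Manual proxy configuration"
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,                # send HTTPS through ZAP as well
        "network.proxy.ssl_port": port,
        # Firefox bypasses the proxy for localhost by default, so a target on the same
        # box would never reach ZAP. Clear the exclusion list (older releases) and set
        # the newer override pref (ignored, harmlessly, where unknown).
        "network.proxy.no_proxies_on": "",
        "network.proxy.allow_hijacking_localhost": True,
    }


def pref_line(name, value):
    """Render one user.js line; user.js uses JavaScript literals."""
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, int):
        literal = str(value)
    else:
        literal = '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')
    return 'user_pref("%s", %s);' % (name, literal)


def write_proxy_prefs(profile_dir, host="127.0.0.1", port=8080):
    """Append the proxy prefs to <profile>/user.js (applied when Firefox starts)."""
    path = os.path.join(profile_dir, "user.js")
    with open(path, "a") as fh:   # append, so prefs already in user.js are kept
        fh.write("".join(pref_line(k, v) + "\n" for k, v in proxy_prefs(host, port).items()))
    return path


PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);$')


def read_prefs(path):
    """Parse user.js back into a dict (last assignment wins, as in Firefox) to verify."""
    prefs = {}
    with open(path) as fh:
        for line in fh:
            match = PREF_RE.match(line.strip())
            if not match:
                continue
            name, literal = match.groups()
            if literal in ("true", "false"):
                prefs[name] = literal == "true"
            elif literal.startswith('"'):
                prefs[name] = literal[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                prefs[name] = int(literal)
    return prefs


def proxy_listening(host="127.0.0.1", port=8080, timeout=1.0):
    """True if something accepts TCP connections at host:port. Check this before
    trusting the browser setting; otherwise every page load just fails with
    'the proxy server is refusing connections'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_profile():
    """Write prefs into a throwaway profile dir and show the listener check both ways."""
    profile = tempfile.mkdtemp(prefix="zap-profile-")
    prefs = read_prefs(write_proxy_prefs(profile))
    stand_in = socket.socket()   # stands in for ZAP's listener (constructed for the demo)
    stand_in.bind(("127.0.0.1", 0))
    stand_in.listen(1)
    port = stand_in.getsockname()[1]
    up = proxy_listening("127.0.0.1", port)
    stand_in.close()
    down = proxy_listening("127.0.0.1", port)
    return prefs, up, down


if __name__ == "__main__":
    prefs, up, down = demo_profile()
    print(prefs)
    print("listener up:", up, "after close:", down)
```

To use it against a real profile, call `write_proxy_prefs` with the directory of the Iceweasel profile (for example one created with `iceweasel -CreateProfile zap`) and start the browser with that profile; a dedicated testing profile keeps the proxy setting, and later ZAP's CA certificate, out of your everyday browser.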
Open ZAP
Applications > Kali Linux > Web Applications > Web Application Proxies > owasp-zap
Or you can just type “zap” at the command line
ZAP Demos
1. Options Menu
   1. Active Scan Settings
   2. Authentication
2. Manual Inspection
   1. Sites
   2. Alerts
3. Encode/Decode
4. Active Scan
5. Forced Browse
6. Save
7. Report
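The Active Scan and Report steps of the demo, driven through ZAP's REST API instead of the GUI, as an added example that is not part of the talk. ZAP serves its API on the same address as its proxy, so the script assumes a running ZAP with the slide's defaults (127.0.0.1:8080) and an API key only if your instance enforces one; the endpoint paths are ZAP's own (`/JSON/spider/action/scan/`, `/JSON/ascan/action/scan/`, `/JSON/core/view/alerts/`, `/OTHER/core/other/htmlreport/`), while the helper names and the alert summary are this example's. Only the standard library is used; the scan itself needs a live ZAP and a target you are authorised to test, whereas the URL builder and the summary can be exercised offline.

```python
"""Run the 'Active Scan' and 'Report' demo steps headlessly through ZAP's REST API."""
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"   # ZAP's proxy address also serves its API (assumes the defaults)
API_KEY = ""                    # fill in if your ZAP requires a key (Tools > Options > API)

# Talk to ZAP directly: an API call must not itself be sent through a proxy.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def api_url(base, component, kind, name, apikey="", **params):
    """Build a ZAP JSON API URL, e.g. <base>/JSON/ascan/action/scan/?url=...&apikey=..."""
    if apikey:
        params["apikey"] = apikey
    return "%s/JSON/%s/%s/%s/?%s" % (base, component, kind, name, urllib.parse.urlencode(params))


def call(component, kind, name, **params):
    """Issue one API call against the running ZAP and decode the JSON reply."""
    with _opener.open(api_url(ZAP, component, kind, name, API_KEY, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll_seconds=2):
    """Block until the spider or active scan with scan_id reports 100%."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts by risk level and keep the distinct alert names per level.

    The raw alert list repeats a finding once per URL, so a 'Medium: 37' is often a
    single missing header reported on every page; the names set makes that visible."""
    summary = {}
    for alert in alerts:
        level = summary.setdefault(alert["risk"], {"count": 0, "names": set()})
        level["count"] += 1
        level["names"].add(alert.get("name") or alert.get("alert"))  # key differs by ZAP version
    return summary


def scan_and_report(target):
    """Seed the Sites tree, spider, active-scan, then collect alerts and the HTML report."""
    call("core", "action", "accessUrl", url=target)   # like browsing the target once
    wait_for("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", call("ascan", "action", "scan", url=target)["scan"])
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    report_url = ZAP + "/OTHER/core/other/htmlreport/" + ("?apikey=" + API_KEY if API_KEY else "")
    with _opener.open(report_url, timeout=60) as resp:
        report_html = resp.read()
    return summarize_alerts(alerts), report_html


if __name__ == "__main__":
    import sys
    # Usage: python zap_scan.py http://127.0.0.1:8000/   (a target you are authorised to test)
    summary, html = scan_and_report(sys.argv[1])
    for level, info in summary.items():
        print("%-13s %3d  %s" % (level, info["count"], ", ".join(sorted(info["names"]))))
    with open("zap-report.html", "wb") as fh:
        fh.write(html)
```

Authentication, Forced Browse and session Save from the same slide are left to the GUI here; the summary printed by the script is the first thing to look at before opening the report, because a long alert list that collapses to two or three distinct names is much quicker to triage than the report's per-URL listing.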
ZAP Report
Rule Out False Positives
You may not be able to rule out all the false positives yourself.
As a tester, it is completely acceptable to request a developer, architect, system admin or application admin to help you make sense of a finding.