Zap api and scripting

Information about Zap api and scripting

Published on October 26, 2018

Author: PraveenKumar3037



1. An overview of some of the hidden gems of the world’s favorite open source security platform OWASP ZAP - WHAT’S UNDER THE HOOD

2. Agenda
● Brief Overview of ZAP (Zed Attack Proxy)
● The ZAP API
  ○ Automating security scans with the ZAP API
  ○ ZAP API Clients
  ○ Accessing ZAP via the API Client
● Scripting with ZAP
  ○ Why Scripting With ZAP?
  ○ Types of Scripts
  ○ Useful modules
  ○ Writing Passive Scan rules
    ■ Looking for AWS Secrets
  ○ Writing Active Scan rules
    ■ Looking for JWT Vulnerability

3. The Zed Attack Proxy
• Free and Open Source Web Application Scanner
• ZAP is an OWASP Flagship Project
• Community Support - Scripts, Plugins, Add-ons
• Extensive API and Highly Scriptable

4. Running ZAP
• Daemon Mode
• User Interface

5. The ZAP API
• Well Defined and Documented REST API
• API can be accessed at:
  • http://zap
  • http://localhost:<proxy port>
• API can also be accessed through the client implementations.

6. Authenticated Scan Through API
[Diagram: the ZAP API talks to ZAP running in User Interface or Daemon Mode. From the saved context in the ZAP UI session (authentication information, list of URLs, list of users such as admin and a low-privilege user) the API gets the context info and performs authenticated actions.]

7. Authenticated Scan Through API - Demo


9. ZAP API Clients

10. ZAP API Client - Python (DEMO)
pip install python-owasp-zap-v2.4
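Added example, not the presenter's demo and not ZAP's own client code: the authenticated-scan flow from slide 6 written directly against ZAP's REST API with only the Python standard library. The python-owasp-zap-v2.4 client installed above wraps the same /JSON/<component>/<view|action>/<operation>/ endpoints (for example zap.ascan.scan_as_user). The base URL, API key placeholder, context name, user names and the canned replies in fake_fetch_factory are assumptions or constructed values; the reply shapes follow ZAP's API documentation but should be confirmed against the running version.

```python
import json
import urllib.parse
import urllib.request

# ZAP's REST API is addressed as /JSON/<component>/<view|action>/<operation>/?<params>,
# with the API key passed as the "apikey" parameter (or the X-ZAP-API-Key header).
ZAP_BASE = "http://localhost:8080"          # assumption: ZAP listening on its default proxy port
API_KEY = "REPLACE-WITH-YOUR-ZAP-API-KEY"   # placeholder: ZAP shows its key under Tools > Options > API


def build_url(component, kind, operation, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Build a ZAP JSON API URL, e.g. /JSON/ascan/action/scanAsUser/?url=...&apikey=..."""
    query = dict(params or {})
    query["apikey"] = apikey
    return "%s/JSON/%s/%s/%s/?%s" % (base, component, kind, operation, urllib.parse.urlencode(query))


def http_get_json(url):
    """Default transport: fetch the URL from a running ZAP and decode its JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    """Thin wrapper over the raw REST API; `fetch` is injectable so the flow can be run offline."""

    def __init__(self, base=ZAP_BASE, apikey=API_KEY, fetch=http_get_json):
        self.base, self.apikey, self.fetch = base, apikey, fetch

    def call(self, component, kind, operation, **params):
        return self.fetch(build_url(component, kind, operation, params, self.base, self.apikey))

    def context_id(self, context_name):
        # context/view/context replies {"context": {"id": "1", "name": ..., ...}}
        return self.call("context", "view", "context", contextName=context_name)["context"]["id"]

    def users(self, context_id):
        # users/view/usersList replies {"usersList": [{"id": "0", "name": "admin", ...}, ...]}
        return self.call("users", "view", "usersList", contextId=context_id)["usersList"]

    def scan_as_user(self, target, context_id, user_id):
        # ascan/action/scanAsUser starts an active scan authenticated as that user; replies {"scan": "<id>"}
        return self.call("ascan", "action", "scanAsUser",
                         url=target, contextId=context_id, userId=user_id)["scan"]

    def scan_status(self, scan_id):
        # ascan/view/status replies {"status": "<percent complete>"}
        return int(self.call("ascan", "view", "status", scanId=scan_id)["status"])

    def alerts(self, target):
        # core/view/alerts replies {"alerts": [{"alert": ..., "risk": ..., ...}, ...]}
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def authenticated_scan(client, context_name, user_name, target, wait=lambda: None):
    """Slide 6 flow: look up the saved context, pick one of its users, scan as that user, collect alerts."""
    ctx = client.context_id(context_name)
    matching = [u for u in client.users(ctx) if u["name"] == user_name]
    if not matching:
        raise LookupError("no user %r in context %r" % (user_name, context_name))
    scan_id = client.scan_as_user(target, ctx, matching[0]["id"])
    while client.scan_status(scan_id) < 100:
        wait()   # e.g. time.sleep(5) against a real ZAP instance
    return client.alerts(target)


def fake_fetch_factory():
    """Constructed ZAP replies (not real scan output), keyed by API path, to exercise the flow offline."""
    polls = {"n": 0}

    def fetch(url):
        path = urllib.parse.urlparse(url).path
        if path == "/JSON/context/view/context/":
            return {"context": {"id": "1", "name": "demo-app"}}
        if path == "/JSON/users/view/usersList/":
            return {"usersList": [{"id": "0", "name": "admin"}, {"id": "1", "name": "lowpriv"}]}
        if path == "/JSON/ascan/action/scanAsUser/":
            return {"scan": "3"}
        if path == "/JSON/ascan/view/status/":
            polls["n"] += 1
            return {"status": "100" if polls["n"] >= 2 else "40"}
        if path == "/JSON/core/view/alerts/":
            return {"alerts": [{"alert": "X-Content-Type-Options Header Missing", "risk": "Low"}]}
        raise ValueError("unexpected API call: " + path)

    return fetch


def demo_offline():
    """Run the authenticated scan flow as the low-privilege user against the constructed replies."""
    client = ZapClient(fetch=fake_fetch_factory())
    return authenticated_scan(client, "demo-app", "lowpriv", "http://demo-app.example")


if __name__ == "__main__":
    for alert in demo_offline():
        print("%s: %s" % (alert["risk"], alert["alert"]))
```

Scanning as the low-privilege user and then as admin, and diffing the two alert lists, is the usual way to spot authorisation findings that only one role can reach; with a live ZAP, replace `fetch` with the default `http_get_json` and set `API_KEY` to the key shown in ZAP's options.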

11. ZAP Scripting
● Changes the way ZAP works
● Develop Scripts Inside ZAP
● Access to all internal aspects

12. Types of scripts
● Stand alone
  ○ Independent scripts to run manually
● Targeted
  ○ Independent scripts that can be run on a specific target
● Proxy
  ○ Changing requests and responses at the proxy
● HTTP sender
  ○ Running on all requests and responses

13. Types of scripts
● Passive Scan Rule
  ○ Rules tested as part of the Passive scan
● Active Scan Rule
  ○ Rules tested as part of the Active scan
● Authentication
  ○ To perform authentication for a context

14. Useful Modules - ZAP Scripting with Python (Jython)
msg                              # the HttpMessage object that is acted upon to parse/manipulate
msg.getRequestHeader()           # Request Header object
msg.getRequestHeader().getURI()  # fetches the URI from the request header
msg.getRequestBody()             # fetches the request body from the request
msg.getResponseBody()            # fetches the response body from the response
msg.setRequestBody(body)         # sets a different request body from the one in the original request

15. Passive Scan Rule - Demo Find AWS Secret Keys Exposed!
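Added example, not the presenter's demo script: a passive scan rule in the shape of ZAP's Jython passive-script template (an entry point scan(ps, msg, src) that calls ps.raiseAlert(risk, confidence, name, description, uri, param, attack, otherInfo, solution, evidence, cweId, wascId, msg)) that flags AWS access key IDs and secret access keys leaking in response bodies. The regular expressions, the sample response body (it carries the placeholder key pair from the AWS documentation, not a live credential) and the fake msg/ps objects used for the offline self-check are constructed here; inside ZAP the real HttpMessage is supplied by the passive scanner.

```python
import re

# Constructed sample response body. The key pair is the placeholder pair from the AWS
# documentation (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not a live secret.
SAMPLE_BODY = (
    '{"config": {"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
    '            "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}'
)

# Access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys: a 40-character base64-like value assigned to a name containing "secret",
# which keeps random 40-character strings elsewhere in the page from firing the rule.
SECRET_KEY_RE = re.compile(r"(?i)(aws)?_?secret[_a-z]*['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def find_aws_keys(text):
    """Return (access_key_ids, secret_keys) found in a blob of response text."""
    access = [m.group(0) for m in ACCESS_KEY_RE.finditer(text)]
    secrets = [m.group(2) for m in SECRET_KEY_RE.finditer(text)]
    return access, secrets


def mask(secret):
    """Evidence shown in the alert: enough to locate the value without re-printing the whole secret."""
    return secret[:4] + "..." + secret[-4:]


def scan(ps, msg, src):
    """ZAP passive-script entry point (Jython template signature).
    ps: PassiveScript helper, msg: HttpMessage, src: parsed HTML source (unused here)."""
    body = str(msg.getResponseBody())
    uri = str(msg.getRequestHeader().getURI())
    access, secrets = find_aws_keys(body)
    for key in access:
        # risk 3 = high, confidence 2 = medium; CWE-200 information exposure, WASC-13 information leakage
        ps.raiseAlert(3, 2, "AWS access key ID exposed in response",
                      "The response body contains what looks like an AWS access key ID.",
                      uri, "", "", "", "Remove the credential from the response and rotate the key.",
                      key, 200, 13, msg)
    for secret in secrets:
        ps.raiseAlert(3, 3, "AWS secret access key exposed in response",
                      "The response body contains what looks like an AWS secret access key.",
                      uri, "", "", "", "Remove the credential from the response and rotate the key.",
                      mask(secret), 200, 13, msg)


# --- constructed stand-ins for the objects ZAP passes in, so the rule can be exercised offline ---
class _FakeURI(object):
    def __str__(self):
        return "http://demo-app.example/config.json"


class _FakeHeader(object):
    def getURI(self):
        return _FakeURI()


class _FakeMessage(object):
    def __init__(self, body):
        self._body = body

    def getRequestHeader(self):
        return _FakeHeader()

    def getResponseBody(self):
        return self._body


class _FakeScanner(object):
    def __init__(self):
        self.alerts = []

    def raiseAlert(self, *args):
        self.alerts.append(args)


def run_self_check(body=SAMPLE_BODY):
    """Run the rule over a body with the fake objects and return the raiseAlert argument tuples."""
    ps = _FakeScanner()
    scan(ps, _FakeMessage(body), None)
    return ps.alerts


if __name__ == "__main__":
    for alert in run_self_check():
        print("%s -> evidence %s" % (alert[2], alert[9]))
```

Masking the secret in the evidence field matters because ZAP alerts end up in reports and ticket systems; the finding should point at the leak without copying the full credential into yet another place.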

16. Active Scan Rule - JWT Vulnerability
• Application allowing the “none” algorithm in JWT tokens
• Attacker can create their own token with any payload

17. Active Scan Rule - Demo
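Added example, not the presenter's demo: the weakness the active scan rule looks for, shown from the application side with the Python standard library only. verify_vulnerable trusts the alg field inside the token, so an unsigned token whose header says "none" is accepted with whatever payload it carries; verify_hardened pins the expected algorithm server-side. accepts_alg_none is the check an active scan rule performs, here run against the two verifiers instead of a live endpoint. The HMAC secret, the token payloads and NONE_TOKEN are constructed values.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-hmac-secret"   # constructed; a real app loads this from its key store


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(signing_input, key):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_hs256(payload, key=SECRET):
    """Mint a properly signed HS256 token, as the application itself would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64url_encode(hs256_sign(("%s.%s" % (header, body)).encode(), key))
    return "%s.%s.%s" % (header, body, sig)


def jwt_header(token):
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_vulnerable(token, key=SECRET):
    """Lets the token choose the algorithm: alg=none with an empty signature is accepted as-is."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = jwt_header(token).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(body_b64))          # no signature check at all
    if alg == "HS256":
        expected = hs256_sign(("%s.%s" % (header_b64, body_b64)).encode(), key)
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    raise ValueError("bad signature")


def verify_hardened(token, key=SECRET, expected_alg="HS256"):
    """Pins the algorithm server-side; the header is only checked for equality, never obeyed."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if jwt_header(token).get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    expected = hs256_sign(("%s.%s" % (header_b64, body_b64)).encode(), key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


# Constructed unsigned token: header alg=none, arbitrary payload, empty signature segment.
NONE_TOKEN = "%s.%s." % (
    b64url_encode(b'{"alg":"none","typ":"JWT"}'),
    b64url_encode(b'{"sub":"user","role":"admin"}'),
)


def accepts_alg_none(verify_fn):
    """The active scan rule's question: does this verifier accept an unsigned alg=none token?"""
    try:
        verify_fn(NONE_TOKEN)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable verifier accepts alg=none:", accepts_alg_none(verify_vulnerable))
    print("hardened verifier accepts alg=none:  ", accepts_alg_none(verify_hardened))
```

The fix is not to blacklist "none" but to never read the algorithm from untrusted input: the verifier knows which algorithm and key it issued tokens with and rejects anything else. That same pinning also closes the related HS256/RS256 confusion, where a token signed with the public key as an HMAC secret would otherwise pass.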

18. Useful Links
• Download ZAP :
• ZAP Help :
• Community Scripts:

19. @praveen756 [email protected] Don’t be shy, get in touch!

20. Q & A
