Web Testing with OWASP ZED Application Proxy (ZAP)

@MikeLandeck

CactusCon 2014

How ZAP Works

Tester enters input

Browser directs

input to ZAP

ZAP proxies to web server

Tester views

response in ZAP

ZAP proxies to Browser

Web Server

Responds

Launch Ice Weasel

Or you can simply type “iceweasel” at the command prompt

ZAP Set-up

1. From Iceweasel, open the Preferences console by clicking Edit Preferences

2. Click the Network Tab3. Click Settings

Configure the Proxy

1. Select “Manual proxy configurations”2. HTTP Proxy = 127.0.0.13. Port = 8080

Open ZAP

Applications Kali Linux Web Applications Web Application Proxies owasp-zap

Or you can just type “zap” at the command line

ZAP Demo’s

1. Options Menu1. Active Scan Settings2. Authentication

2. Manual Inspection1. Sites2. Alerts

3. Encode/Decode4. Active Scan5. Forced Browse6. Save7. Report

ZAP Report

Rule Out False Positives

You may not be able to rule all the false positives yourself.

As a tester, it is completely acceptable to request a developer, architect, system admin or application admin to help you make sense of a finding.