Page 1
How to use proxy in security testing
OWASP Zed Attack Proxy (ZAP)
Page 2
What is Proxy (Server)
Page 3
What is HTTP Proxy Server
Page 4
What is Security Testing (and why it is important)
Page 5
Our lab for today
1. A Raspberry Pi (as an IoT device with sensors) is sending data to a remote (cloud) server
2. The remote server has a web dashboard for accessing sensor data and configuration
3. Using OWASP ZAP we will access and test this web dashboard
Page 6
What is OWASP
Page 7
What is OWASP Top Ten
Page 8
What is OWASP Zed Attack Proxy (ZAP)
• Web application penetration testing tool
• Free and open source
• An OWASP flagship project
• Ideal for beginners but also used by professionals
• Interesting for developers and automated security testing
Page 9
ZAP Principles
• Free, open source
• Cross platform
• Easy to use and easy to install
• Internationalized
• Fully documented
• Works well with other tools
• Reuses well regarded components
• Involvement is actively encouraged
Page 10
ZAP main features
• Intercepting proxy
• Active and passive scanners
• Spider
• Report generation
• Brute-forcing
• Fuzzing
• Extensibility
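The slides name the HTTP proxy server and the intercepting proxy without showing what a proxy actually does to a request. The following is an added example, not code from the slides or from ZAP: it takes the raw bytes a browser sends when it is configured to use a proxy (absolute URL in the request line, proxy-only headers such as Proxy-Connection) and produces what the proxy forwards to the origin server, with an optional intercept hook standing in for the "edit request before sending" step of an intercepting proxy. The host dashboard.example, the Via token lab-proxy and the sample requests are constructed for the example.

```python
"""What an HTTP proxy does with a request, as pure functions over the wire bytes.

Added example (not from the slides, not ZAP's code). A browser configured with
a proxy sends "GET http://host/path HTTP/1.1" so the proxy knows where to
forward the request; the proxy rewrites it to the origin-form the server
expects and drops headers addressed to the proxy itself. For HTTPS the browser
first sends "CONNECT host:443": a plain proxy then tunnels bytes blindly, an
intercepting proxy such as ZAP terminates TLS with a dynamically generated
certificate so the request can be read and edited.
"""
from urllib.parse import urlsplit

# Headers addressed to the proxy, never forwarded to the origin server.
PROXY_ONLY = {"proxy-connection", "proxy-authorization"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def handle_proxy_request(raw: bytes, intercept=None) -> dict:
    """Turn a proxy-form request into what gets sent to the origin server.

    Returns {"kind": "connect", host, port, request=None} for an HTTPS tunnel
    request, or {"kind": "forward", host, port, request=<bytes>} for plain HTTP.
    `intercept(method, path, headers, body)` may rewrite the request first,
    which is the point where a tester edits traffic in an intercepting proxy.
    """
    method, target, version, headers, body = parse_request(raw)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"kind": "connect", "host": host, "port": int(port), "request": None}

    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("proxy-form request must carry an absolute http:// URL")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # Rebuild Host from the URL (the authority the browser actually addressed),
    # strip proxy-only headers, and add Via so logs show the proxy hop.
    kept = [(n, v) for n, v in headers if n.lower() not in PROXY_ONLY and n.lower() != "host"]
    kept.insert(0, ("Host", parts.netloc))
    kept.append(("Via", "1.1 lab-proxy"))  # lab-proxy is a placeholder name
    if intercept is not None:
        method, path, kept, body = intercept(method, path, kept, body)
    head = f"{method} {path} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return {"kind": "forward", "host": parts.hostname, "port": parts.port or 80,
            "request": head.encode("iso-8859-1") + body}


# Constructed sample requests (dashboard.example is a placeholder host).
SAMPLE = (b"GET http://dashboard.example/sensor?id=1 HTTP/1.1\r\n"
          b"Host: dashboard.example\r\n"
          b"Proxy-Connection: keep-alive\r\n"
          b"Cookie: session=abc\r\n"
          b"\r\n")
CONNECT_SAMPLE = b"CONNECT dashboard.example:443 HTTP/1.1\r\nHost: dashboard.example:443\r\n\r\n"


def tamper_id(method, path, headers, body):
    """Example intercept hook: change the id parameter before it reaches the server."""
    return method, path.replace("id=1", "id=2"), headers, body


if __name__ == "__main__":
    print(handle_proxy_request(SAMPLE)["request"].decode())
    print(handle_proxy_request(SAMPLE, intercept=tamper_id)["request"].decode())
    print(handle_proxy_request(CONNECT_SAMPLE))
```

The CONNECT branch is where the "Dynamic SSL certificates" feature listed later comes in: to read HTTPS traffic rather than tunnel it, ZAP answers the CONNECT with a certificate it mints for that host under its own root CA, which is why the browser must trust ZAP's root CA before HTTPS sites can be tested.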
Page 11
ZAP additional features
• Auto Tagging
• Port scanner
• Parameter analysis
• Smart card support
• Session comparison
• Invoke external applications and tools
• API + headless mode
• Dynamic SSL certificates
Page 12
Hands-on time
• Install ZAP
• Configure ZAP
• Configure Mozilla Firefox to use ZAP as proxy server
• Learn ZAP interface
• Explore vulnerable web application via ZAP
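The hands-on steps above are done by hand in the ZAP GUI. The slides also list "API + headless mode", and this added example (not from the slides, not ZAP's own code) shows the same lab driven that way: a ZAP daemon is started, its REST API is used to spider and actively scan the dashboard, and the raw alert list is collapsed into a readable summary. It assumes ZAP was started as `zap.sh -daemon -port 8080 -config api.key=changeme`, and the target URL dashboard.example is a placeholder for the lab's dashboard. Only the standard library is used; the sample alerts at the bottom are constructed in the shape of ZAP's core/view/alerts response so the summary runs offline.

```python
"""Drive a headless ZAP over its REST API and summarize what it found.

Added example, not from the slides or from ZAP. Assumes a ZAP daemon:
    zap.sh -daemon -port 8080 -config api.key=changeme
Endpoints used are ZAP's JSON API: /JSON/<component>/<view|action>/<name>/.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import defaultdict

ZAP_API = "http://127.0.0.1:8080"      # where the ZAP daemon listens (assumption)
API_KEY = "changeme"                   # must match -config api.key=... (assumption)
TARGET = "http://dashboard.example/"   # placeholder for the lab dashboard


def zap_call(component, kind, name, **params):
    """Call one ZAP API endpoint and return its decoded JSON."""
    params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    # Talk to the API port directly; an HTTP_PROXY from the environment must not apply.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll=2.0):
    """Poll a spider or ascan scan until ZAP reports 100 percent."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)


def scan(target):
    """Spider the target, actively scan it, then return the alerts ZAP raised."""
    wait_for("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=target)["scan"])
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def summarize(alerts):
    """Group alert records into rows of (risk, alert name, sorted URLs).

    ZAP reports one record per (alert, url, param) instance, so one missing
    header shows up once per page; grouping gives a report a human can read.
    """
    grouped = defaultdict(set)
    for a in alerts:
        grouped[(a["risk"], a["alert"])].add(a["url"])
    rows = [(risk, name, sorted(urls)) for (risk, name), urls in grouped.items()]
    return sorted(rows, key=lambda row: (RISK_ORDER.get(row[0], 99), row[1]))


def highest_risk(alerts):
    """Most severe risk level present, or None when ZAP raised nothing."""
    rows = summarize(alerts)
    return rows[0][0] if rows else None


# Constructed sample in the shape of core/view/alerts; not from any real scan.
SAMPLE_ALERTS = [
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "http://dashboard.example/", "param": ""},
    {"risk": "High", "alert": "SQL Injection",
     "url": "http://dashboard.example/sensor?id=1", "param": "id"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "http://dashboard.example/config", "param": ""},
    {"risk": "Medium", "alert": "Absence of Anti-CSRF Tokens",
     "url": "http://dashboard.example/config", "param": ""},
]

if __name__ == "__main__":
    import sys
    alerts = scan(TARGET) if "--live" in sys.argv else SAMPLE_ALERTS
    for risk, name, urls in summarize(alerts):
        print(f"[{risk}] {name} ({len(urls)} URL(s))")
        for u in urls:
            print("    ", u)
```

Run with `--live` against a running daemon to scan the real target; without it the script prints the summary of the constructed sample. For the manual, Firefox-driven part of the lab the equivalent of the proxy configuration is the `network.proxy.type` = 1, `network.proxy.http` / `network.proxy.http_port` and `network.proxy.ssl` / `network.proxy.ssl_port` preferences pointed at 127.0.0.1:8080, with `network.proxy.no_proxies_on` emptied so the dashboard is not bypassed; ZAP's root CA (exported from Tools > Options > Dynamic SSL Certificates) has to be imported into Firefox before HTTPS pages show up in ZAP rather than as certificate errors.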
Page 13
Capture The Flag using ZAP
Page 14
Questions
Page 15
Thank you for your time!
You can contact me via e-mail:
“If you think you are too small to make a difference, try sleeping with a mosquito.” - Dalai Lama XIV