Automating Web Application Security Testing with OWASP ZAP DOT NET API - Tech Talk - Dec 22, 2015
TRANSCRIPT
Prowareness Tech Talk Tuesdays, 22 Dec 2015
Automating Web Application Security Testing with OWASP ZAP DOT NET API
The OWASP Zed Attack Proxy
https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI
Marudhamaran Gunasekaran
ZAP Contributor
@gmaran23
Prelude
This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs)
Practical Security Testing For Developers Using OWASP ZAP - http://wp.me/p323iP-fO
OWASP ZAP Demonstration
http://wp.me/p323iP-fV
Dot Net Web Application Security
http://wp.me/p323iP-fS
http://wp.me/p323iP-ib
Agenda
Application Security Program Challenges
Why OWASP ZAP?
Earlier episodes on Dot Net Security and OWASP ZAP
ZAP Operating Modes
ZAP Demonstration API
OWASP ZAP DOT NET API - Automating
The problems
Most developers know very little about security
Most companies have very few application security folks
External consultants cost $$$$$
Security testing is done late in the application development lifecycle (if it is done at all)
Part of the Solution
Use a security tool like ZAP in development
In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews, professional pentesting
Why ZAP?
An easy to use webapp pentest tool
Completely free and open source
Source code updated almost every day
One of the OWASP Flagship projects
Ideal for beginners, but also used by professionals
Powerful API - for automated security tests
The app sec foundations
Vulnerability Analysis
Look for weak spots
Penetration Testing
Exploit the weaknesses
Security Testing
May involve both, or just vulnerability analysis
The app sec tool foundations
Spider or Crawler
Gather information about what to attack
Passive Scan
Analysis of the gathered information (HTTP requests and responses) without sending any new requests; safe to run against any traffic ZAP sees
Active Scan
Send attack (potentially harmful) payloads to exploit / confirm a weakness; run only against applications you own or are authorised to test
Download ZAP
Download OWASP ZAP
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
ZAP API demo
Headless attack!
Introducing the OWASP ZAP DOT NET API
https://www.nuget.org/packages/OWASPZAPDotNetAPI/
OWASP ZAP DOT NET API
Source Code and Samples
https://github.com/zaproxy/zap-api-dotnet
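The headless flow from the slides (spider, let the passive scanner drain, active scan, report) written against the OWASPZAPDotNetAPI client, as an added example; it is not code from the talk or from the zap-api-dotnet samples. It assumes ZAP is already running headless (zap.sh -daemon) on localhost:7070 with the API key "changeme", that http://localhost:8080/ is a test instance you are allowed to attack, and that the client exposes the ZAP REST components as lowercase fields (spider, pscan, ascan, core) with the parameter lists of the current ZAP API and the API key taken by the ClientApi constructor; older generated clients take the key as the first argument of every call instead, so check against the version you install.

```csharp
// Added example, not part of the original talk. Assumes ZAP daemon on localhost:7070,
// API key "changeme", and a target you are authorised to attack.
using System;
using System.IO;
using System.Threading;
using OWASPZAPDotNetAPI;

class HeadlessScan
{
    // Assumption: constructor form (address, port, apiKey) of the newer generated client.
    static readonly ClientApi Zap = new ClientApi("localhost", 7070, "changeme");
    const string Target = "http://localhost:8080/";   // assumed test instance

    // Every scalar answer from ZAP comes back as an ApiResponseElement with a string Value.
    static string Value(IApiResponse response) => ((ApiResponseElement)response).Value;

    // Poll a percentage "status" endpoint until it reports 100, the way the samples do.
    static void WaitForCompletion(Func<IApiResponse> status, string label)
    {
        int progress;
        do
        {
            Thread.Sleep(2000);
            progress = int.Parse(Value(status()));
            Console.WriteLine(label + ": " + progress + "%");
        } while (progress < 100);
    }

    static void Main()
    {
        // Check the connection (and the API key) before doing anything else.
        Console.WriteLine("Connected to ZAP " + Value(Zap.core.version()));

        // 1. Spider: gather the URLs to attack.
        //    Parameters: url, maxChildren, recurse, contextName, subtreeOnly.
        string spiderId = Value(Zap.spider.scan(Target, "", "true", "", "true"));
        WaitForCompletion(() => Zap.spider.status(spiderId), "spider");

        // 2. Passive scan ran on every request/response the spider produced;
        //    wait for its queue to drain so those alerts are in the report.
        while (int.Parse(Value(Zap.pscan.recordsToScan())) > 0)
            Thread.Sleep(1000);

        // 3. Active scan: sends attack payloads at the crawled URLs.
        //    Parameters: url, recurse, inScopeOnly, scanPolicyName, method, postData, contextId.
        string ascanId = Value(Zap.ascan.scan(Target, "true", "false", "", "", "", ""));
        WaitForCompletion(() => Zap.ascan.status(ascanId), "active scan");

        // 4. Keep the HTML report as a build artefact (htmlreport returns the raw bytes).
        File.WriteAllBytes("zap-report.html", Zap.core.htmlreport());
        Console.WriteLine("Report written to zap-report.html");
    }
}
```

Because the active scan stage attacks the application, point Target only at a test deployment; the spider and passive scan stages are safe to run against anything ZAP is allowed to see.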
Automating authenticated scans
Create a context in the name of the application
Choose the mode of authentication (for instance Forms Authentication)
Provide Authentication information
Spider
Scan
Verify
Fix
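The authenticated-scan steps above (context, forms authentication, credentials, spider, scan, verify) as one added example against the OWASPZAPDotNetAPI client; this is not code from the talk or the project samples. It assumes the same ZAP daemon (localhost:7070, key "changeme") and a hypothetical ASP.NET application at http://localhost:8080/ whose login form posts UserName and Password to /Account/Login, shows a "Log off" link once logged in, and logs out via /Account/LogOff; the user "alice" with password "S3cret!" is a made-up test account. Method and parameter names follow the ZAP REST API (context, authentication, users, spider.scanAsUser, ascan.scanAsUser) and may differ slightly between versions of the generated client.

```csharp
// Added example, not part of the original talk. Assumed: ZAP daemon on localhost:7070 with
// key "changeme"; a test app on localhost:8080 with a forms login at /Account/Login.
using System;
using System.Threading;
using OWASPZAPDotNetAPI;

class AuthenticatedScan
{
    static readonly ClientApi Zap = new ClientApi("localhost", 7070, "changeme");
    const string Target = "http://localhost:8080/";
    const string ContextName = "MyWebApp";   // name the context after the application

    static string Value(IApiResponse response) => ((ApiResponseElement)response).Value;

    static void WaitForCompletion(Func<IApiResponse> status)
    {
        while (int.Parse(Value(status())) < 100) Thread.Sleep(2000);
    }

    static void Main()
    {
        // 1. Create a context and put the application inside it.
        string contextId = Value(Zap.context.newContext(ContextName));
        Zap.context.includeInContext(ContextName, "http://localhost:8080/.*");
        // Keep the logout URL out of the context, otherwise the spider logs itself out.
        Zap.context.excludeFromContext(ContextName, "http://localhost:8080/Account/LogOff.*");

        // 2. Forms-based authentication: ZAP substitutes {%username%} and {%password%} at login time.
        //    loginUrl and loginRequestData are themselves parameters inside one config string,
        //    so each value must be URL-encoded.
        string loginRequestData = Uri.EscapeDataString("UserName={%username%}&Password={%password%}");
        Zap.authentication.setAuthenticationMethod(contextId, "formBasedAuthentication",
            "loginUrl=" + Uri.EscapeDataString(Target + "Account/Login") +
            "&loginRequestData=" + loginRequestData);
        // Regex that only matches responses of a logged-in session; ZAP uses it to re-authenticate.
        Zap.authentication.setLoggedInIndicator(contextId, "\\QLog off\\E");

        // 3. Provide the credentials as a ZAP user and enable it.
        string userId = Value(Zap.users.newUser(contextId, "alice"));
        Zap.users.setAuthenticationCredentials(contextId, userId,
            "username=" + Uri.EscapeDataString("alice") +
            "&password=" + Uri.EscapeDataString("S3cret!"));
        Zap.users.setUserEnabled(contextId, userId, "true");

        // 4. Spider as that user: contextId, userId, url, maxChildren, recurse, subtreeOnly.
        string spiderId = Value(Zap.spider.scanAsUser(contextId, userId, Target, "", "true", "true"));
        WaitForCompletion(() => Zap.spider.status(spiderId));

        // 5. Active scan as that user: url, contextId, userId, recurse, scanPolicyName, method, postData.
        string ascanId = Value(Zap.ascan.scanAsUser(Target, contextId, userId, "true", "", "", ""));
        WaitForCompletion(() => Zap.ascan.status(ascanId));

        // 6. Verify: confirm the spider actually reached pages behind the login before trusting the scan.
        var urls = (ApiResponseList)Zap.spider.results(spiderId);
        Console.WriteLine("Spider visited " + urls.List.Count + " URLs as " + "alice");
        Console.WriteLine("Alerts: " + ((ApiResponseList)Zap.core.alerts(Target, "", "")).List.Count);
        // Fix the findings, then re-run this program as the regression check.
    }
}
```

The check in step 6 matters: if the logged-in indicator regex is wrong, ZAP silently scans the login page over and over and reports a clean application. Look at the spider results for URLs that are only reachable after login before reading the alerts.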
Security Regression Testing
[Figure: ZAP ("Well, let me watch you here!") sits as a proxy between the browser-driven tests and the web server (IIS / Apache), driven from the build pipeline: Visual Studio Team Foundation Server, Jenkins, TeamCity, Coded UI Test, Git, Subversion]
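The regression idea in the figure, ZAP watching the traffic of the existing functional tests and the build failing on new findings, as an added example; it is not code from the talk or the project. It assumes the same ZAP daemon on localhost:7070 (key "changeme"), an application under test at http://localhost:8080/, and a baseline file zap-baseline.txt committed to source control with one "pluginId|risk|url" entry per accepted finding; the file name and format are this example's own convention. The alert dictionary keys (pluginId, risk, url) are the ones ZAP returns from core.alerts, and the ApiResponseList / ApiResponseSet types are assumed from the generated client.

```csharp
// Added example, not part of the original talk. Run after the functional/UI tests have
// been driven through ZAP as a proxy; exits non-zero so Jenkins/TeamCity/TFS fail the step.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using OWASPZAPDotNetAPI;

class SecurityRegressionGate
{
    static readonly ClientApi Zap = new ClientApi("localhost", 7070, "changeme");
    const string Target = "http://localhost:8080/";
    const string BaselineFile = "zap-baseline.txt";   // example convention: "pluginId|risk|url" per line

    // Point any HttpClient-based test (or a Selenium/Coded UI driver) at ZAP as its proxy;
    // this is how ZAP "watches" traffic that the tests, not the spider, generate.
    static HttpClient ThroughZap() =>
        new HttpClient(new HttpClientHandler { Proxy = new WebProxy("http://localhost:7070"), UseProxy = true });

    static string Value(IApiResponse response) => ((ApiResponseElement)response).Value;

    // Flatten core.alerts (baseurl, start, count) into comparable keys.
    static IEnumerable<(string plugin, string risk, string url)> CurrentAlerts()
    {
        var list = (ApiResponseList)Zap.core.alerts(Target, "", "");
        foreach (ApiResponseSet alert in list.List)
        {
            var d = alert.Dictionary;
            yield return (d["pluginId"], d["risk"], d["url"]);
        }
    }

    static int Main()
    {
        // Stand-in for the real test suite: a little traffic through the proxy.
        using (var client = ThroughZap())
        {
            client.GetStringAsync(Target).GetAwaiter().GetResult();
            client.GetStringAsync(Target + "Account/Login").GetAwaiter().GetResult();
        }
        // Let the passive scanner finish with everything it saw.
        while (int.Parse(Value(Zap.pscan.recordsToScan())) > 0) Thread.Sleep(1000);

        var baseline = File.Exists(BaselineFile)
            ? new HashSet<string>(File.ReadAllLines(BaselineFile))
            : new HashSet<string>();

        // Only Medium and High break the build; anything already accepted in the baseline is ignored.
        var newFindings = CurrentAlerts()
            .Where(a => a.risk == "High" || a.risk == "Medium")
            .Select(a => a.plugin + "|" + a.risk + "|" + a.url)
            .Where(key => !baseline.Contains(key))
            .Distinct()
            .ToList();

        if (newFindings.Count == 0)
        {
            Console.WriteLine("No new Medium/High ZAP alerts.");
            return 0;
        }
        Console.Error.WriteLine(newFindings.Count + " new ZAP alert(s) not in " + BaselineFile + ":");
        foreach (var finding in newFindings) Console.Error.WriteLine("  " + finding);
        return 1;   // fails the build step
    }
}
```

A baseline keyed on plugin, risk and URL keeps the gate stable across builds: accepted findings are reviewed once and committed, and only a genuinely new weakness (or an old one on a new page) turns the build red. Without the baseline the first run fails on everything and the team learns to ignore the step.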
ZAP Need Help?
ZAP user group - https://groups.google.com/forum/#!forum/zaproxy-users
ZAP Evangelists - https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists
ZAP Developers group - https://groups.google.com/forum/#!forum/zaproxy-develop
ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
Conclusion
Consider security at all stages of development cycle
OWASP ZAP is ideal for automating security tests
It is also a great way to learn about security
Man is a tool-using animal. Without tools he is nothing, with right set of tools he is all
Any Questions?
http://www.owasp.org/index.php/ZAP
Postlude - Extended
OWASP App sec tutorial series
https://www.youtube.com/user/AppsecTutorialSeries
OWASP ZAP Ajax Spidering with Authentication
http://wp.me/p323iP-en
Cross Site Scripting [XSS]
http://wp.me/p323iP-es
XML Attack surface and Defenses
http://wp.me/p323iP-cU
Sql injection exploitation and prevention part 1
http://wp.me/p323iP-bi
Sql injection exploitation and prevention part 2
http://wp.me/p323iP-by
The OWASP Foundation - http://www.owasp.org
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
2/23/2016