WTEU-52 – Revealing security problems with OWASP ZAP

Date: Sunday 21st December 2014
Time: 3.30pm – 5.30pm GMT
Facilitators: Dan Billing, Amy Phillips and Neil Studd
Participants: Trisha Agarwal, Rakesh Bhandarkar, Christopher Chant, Milan Gabor, Simon Knight, Jignesh Nayi, Pushpa Raj, Marine Serré, Aleksandar Simic

The final Weekend Testing Europe session of 2014 was a true festive affair. Appropriately for the season, we suffered from a number of Gremlins at the start! (It turns out that Skype and Google Hangouts are both limited to a maximum of 10 attendees in a video chat. Who knew? Not us, it seems!)

For those who were lucky enough to join the discussion, we were experimenting with a slightly different format to normal. This was a continuation of our WTEU-50 session from October, when we took an introductory tour through the world of security testing with guest facilitator Dan Billing. In that previous session, we had analysed several different types of security vulnerability, and manually explored a demo application to see whether it was susceptible to these problems.

This time around, we were taking a more structured approach (and utilising a different demo application) to our security testing activities. Dan led the group through a video demonstration of OWASP Zed Attack Proxy (known as ZAP for short), a free, open-source intercepting proxy which sits between your browser and the application, lets you inspect and modify the traffic passing through it, and can run automated (passive or active) scans against your test environment. As with our previous security session, we were reminded that we should always seek approval from our teams before undertaking such activities; there's a very thin line between proactive threat detection, and being accidentally viewed as an internal attacker! Plus, when you unleash an automated tool such as ZAP (for instance, in its spidering mode), you could find that it does irreparable damage to your test environment: the spider follows every link it discovers, including ones that log you out, delete records or submit forms, and the active scanner then fires attack payloads at every parameter it has seen. It's wise to check that you have working backups, and to exclude state-changing URLs from the scan, before undertaking this sort of activity.

Dan guided the group through a number of Zed Attack Proxy’s features, including:

  • ZAP’s user interface
  • How to exclude sites from the proxy/attack
  • Passive and active scanning
  • Reviewing the proxy history
  • Using the Alerts tab to analyse issues
  • Manipulating traffic using the Request/Response tabs
  • The Technology plugin
  • Fuzzing (and the multi-fuzzing plugin)
  • Using the ZAP API
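Two of the items above, excluding URLs from the attack and driving ZAP through its API, fit naturally together, because the exclusions are the thing you want in place before the spider or active scanner is started. The script below is an added example (not from the original post and not part of the ZAP project) that strings the workflow together over ZAP's JSON API: register exclusion regexes with the spider and active scanner, spider the target, active-scan it, poll each scan to completion, then count the resulting alerts by risk. It assumes ZAP is listening on http://127.0.0.1:8080 with the API key placeholder `changeme`; the endpoint names are ZAP's own (`spider/action/scan`, `ascan/view/status`, `core/view/alerts`, and so on), while the target hostname `supercars.test`, the exclusion regex and the canned replies in `CannedZap` are constructed so the script can be exercised offline.

```python
"""Drive OWASP ZAP's JSON API: exclude, spider, active-scan, summarise alerts.

Added example, not from the original post or the ZAP project. Assumes ZAP at
http://127.0.0.1:8080 with API key 'changeme' (hypothetical). Hostnames,
regexes and the CannedZap replies below are constructed for illustration.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "changeme"  # hypothetical; copy the real key from ZAP's Options > API


def zap_url(component, kind, name, **params):
    """Build a ZAP API URL: /JSON/<component>/<view|action>/<name>/?params&apikey=."""
    query = dict(params, apikey=API_KEY)
    return "%s/JSON/%s/%s/%s/?%s" % (
        ZAP_BASE, component, kind, name, urllib.parse.urlencode(query))


def http_fetch(url):
    """Default transport: call the live ZAP daemon and decode its JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def exclude_from_attack(regexes, fetch=http_fetch):
    """Tell both the spider and the active scanner to skip URLs matching each
    regex (logout, delete, purchase...). Returns False if ZAP rejected any."""
    ok = True
    for regex in regexes:
        for component in ("spider", "ascan"):
            reply = fetch(zap_url(component, "action", "excludeFromScan", regex=regex))
            ok = ok and reply.get("Result") == "OK"
    return ok


def run_scan(component, target, fetch=http_fetch, poll_interval=2.0, timeout=600):
    """Start a spider ('spider') or active scan ('ascan') and poll until 100%.
    Both components return the scan id from scan/ and a percentage from status/."""
    started = fetch(zap_url(component, "action", "scan", url=target, recurse="true"))
    scan_id = started["scan"]
    deadline = time.monotonic() + timeout
    while True:
        status = int(fetch(zap_url(component, "view", "status", scanId=scan_id))["status"])
        if status >= 100:
            return scan_id
        if time.monotonic() > deadline:
            raise TimeoutError("%s scan %s stuck at %d%%" % (component, scan_id, status))
        time.sleep(poll_interval)


def alert_summary(target, fetch=http_fetch):
    """Count alerts for the target by risk, de-duplicating on (name, URL, param)
    so one injectable parameter is not counted once per payload that hit it."""
    alerts = fetch(zap_url("core", "view", "alerts", baseurl=target))["alerts"]
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    seen = set()
    for alert in alerts:
        key = (alert.get("alert"), alert.get("url"), alert.get("param"))
        if key in seen:
            continue
        seen.add(key)
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def scan_target(target, exclusions, fetch=http_fetch, poll_interval=2.0):
    """Full run: refuse to spider unless the exclusions were accepted."""
    if not exclude_from_attack(exclusions, fetch):
        raise RuntimeError("could not register exclusions; refusing to spider")
    spider_id = run_scan("spider", target, fetch, poll_interval)
    ascan_id = run_scan("ascan", target, fetch, poll_interval)
    return {"spider": spider_id, "ascan": ascan_id, "alerts": alert_summary(target, fetch)}


class CannedZap:
    """Offline stand-in for the daemon: replies are constructed, but in the
    shape ZAP's JSON API returns them, so the workflow runs without a server."""

    def __init__(self):
        self.calls = []
        self.polls = 0

    def __call__(self, url):
        parsed = urllib.parse.urlparse(url)
        _, component, kind, name = parsed.path.strip("/").split("/")
        params = urllib.parse.parse_qs(parsed.query)
        if params.get("apikey") != [API_KEY]:
            raise ValueError("every call must carry the API key")
        self.calls.append((component, kind, name))
        if name == "excludeFromScan":
            return {"Result": "OK"}
        if name == "scan":
            return {"scan": "3"}
        if name == "status":  # first poll reports progress, second completion
            self.polls += 1
            return {"status": "45" if self.polls % 2 else "100"}
        if name == "alerts":
            vote = "https://supercars.test/api/vote?carId=1"  # constructed
            return {"alerts": [
                {"risk": "High", "alert": "SQL Injection", "url": vote, "param": "carId"},
                {"risk": "High", "alert": "SQL Injection", "url": vote, "param": "carId"},
                {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
                 "url": "https://supercars.test/", "param": ""},
                {"risk": "Low", "alert": "Cookie Without Secure Flag",
                 "url": "https://supercars.test/", "param": "session"},
            ]}
        raise ValueError("unexpected endpoint " + parsed.path)


if __name__ == "__main__":
    # Swap CannedZap() for http_fetch (the default) to drive a real ZAP instance.
    print(scan_target("https://supercars.test", [r"https://supercars\.test/logout.*"],
                      fetch=CannedZap(), poll_interval=0))
```

Against a live ZAP, drop the `fetch=` argument so `http_fetch` is used; the poll loop and de-duplication are the parts worth keeping, since a raw alert list from the active scanner reports the same injection point once per successful payload.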

For the demo, we used Troy Hunt's "Supercar Showdown" website (thanks Troy for giving us permission to use this). The site is part of an excellent training course on Pluralsight, called Hack Yourself First. The course is focused on Fiddler rather than ZAP, but the skills are transferable and as Pluralsight has a free 10-day trial, it's well worth a few hours of your time over the festive period!

And with that, WTEU 2014 draws to a close. It’s been an exciting six months since we restarted the chapter, and we thank everybody who’s participated so far. We’re always trying to come up with new ways of keeping things fresh, and different tools & techniques to explore; if there’s anything you’d like to see us tackle in 2015, please get in touch with us!

Happy Holidays!

About the Author

Neil is a tester from the United Kingdom who has been testing desktop, mobile and web applications for the past ten years, working in a range of agile roles for organisations as varied as Oracle and Last.fm. In his spare time, he participates in freelance and beta testing projects, as a way of learning and developing new approaches to testing.