Tutorials for ZAP?

(Heather) #1

I was really lucky recently to get some training with Bill Matthews to get me started in security testing. Before the training we wanted to get to grips with ZAP a bit more. We started with a series on YouTube by Simon Bennetts.

Being honest, we struggled a bit to set it up following the tutorials. Perhaps this was due to our setup at work. We split up the problems and spent a lot of time on Google (and swearing) trying to figure them out.

One thing we noticed when we searched was a lack of video tutorials for ZAP. Were we looking in the wrong places? How did you get started with ZAP?

(Michael) #2

Been starting to use ZAP myself for my role here. Have also found it difficult to get good material for it. The video by Simon was the best I found also.

Luckily enough though, I managed to get it working fairly well here; setup was grand, as we don’t have too many restrictions in terms of network setup. Still haven’t really explored all the functionality in the tool, again because of the lack of decent material out there. If you do need some help @heather_reid, let us know and I can try to help.

Have also been trying to get it to run with Selenium, which is possible, but again, the lack of tutorials available online has made this very hard.

(Heather) #3

Thank you :slight_smile: I’m really lucky that the training with Bill came with post support which is cool.

I’m managing reasonably OK (I think) with it so far, but I know there’s so much more that can be done with it. Didn’t know about running it with Selenium though. What would you be looking to achieve with that?

(Michael) #4

No bother, could probably use some of that training myself to be honest!

Yeah, it’s a nice tool, so much in there. From my understanding, you can launch the attacks or the spiders etc. from Selenium to run on a target webpage, record the results and present them back via an HTML report. What I’m hoping to use that for is to have some security checks built into our regression checks, to give a little more peace of mind. And also build them into any smoke tests to get early sight of any potential security issues.

And possibly in the future have it set up to run in a CI-style environment. I know there is a Jenkins plug-in, but I want to see if we can get it set up without that dependency.

(Heather) #5

Definitely interested to hear how you get on with that! A blog post perhaps? :wink:

(Alastair) #6

If anyone has access to Pluralsight then there’s a getting started course here: https://www.pluralsight.com/courses/owasp-zap-web-app-pentesting-getting-started

I’ve not had much of a chance to play about with it, we’re just starting to use it here.

(Juha) #7

I use ZAP and similar tools (intercepting HTTP proxies) on a daily basis when I do security testing. I don’t remember what the initial problems were that I was running into, so I couldn’t easily make a starter video. However, there is a reason why there are no official video tutorials, and that is because most of the developers are busy developing the tool rather than writing documentation.

So far the best documentation is the questions asked in the user group and the issues raised on GitHub. The search functionality of both is pretty good, and most of my problems get solved by reading answers to other people’s problems.

The common question of “how do I use ZAP with tool X?” is usually pretty easily answered with “can you configure X to use an HTTP proxy?”. After this, ZAP with default settings already does some passive scanning, such as reading responses for stack traces, error messages and oddities. This is the initial value one gets from using ZAP in combination with other testing frameworks.

Beyond this initial usage one can set scan policies and the aggressiveness of the attacks, specify backend technologies to make attacks more relevant and accurate, etc.

ZAP is a complex tool (not necessarily a complicated one) because it supports almost any specific application security test case. There are recorded scripts, written scripts, and extensions that will do very specific and tightly scoped actions. Most of these are not useful for general testing or for somebody who is just getting acquainted with the tool, but they might give an impression of a complicated interface.

Here are some links to the user group, issues, and wiki. I’m also glad to answer questions and find out about the questions people have around ZAP.
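
The Selenium-plus-ZAP regression gate Michael describes in #4, and the “point tool X at the proxy, then read ZAP’s passive-scan alerts” workflow Juha describes above, sketched as an added example (not code from the thread or from the ZAP project). It assumes ZAP is listening on 127.0.0.1:8080 with its API enabled; the alert JSON below is a constructed sample, not real scan output.

```python
"""Route a browser through ZAP, then fail the build on passive-scan alerts."""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"  # assumed: local ZAP instance, API enabled
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def proxy_args(host="127.0.0.1", port=8080):
    """Chrome flags that send Selenium's traffic through ZAP (feed to ChromeOptions.add_argument)."""
    return [f"--proxy-server=http://{host}:{port}", "--ignore-certificate-errors"]


def zap_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/core/view/alerts/?baseurl=..."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")


def fetch_alerts(baseurl, api_key):
    """Live call (needs a running ZAP): alerts ZAP recorded while proxying baseurl."""
    url = zap_url("core", "view", "alerts", baseurl=baseurl, apikey=api_key)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["alerts"]


def failing_alerts(alerts, threshold="Medium"):
    """Alerts at or above the threshold risk, de-duplicated by (name, url)."""
    seen, out = set(), []
    for alert in alerts:
        if RISK_ORDER.get(alert.get("risk"), 0) < RISK_ORDER[threshold]:
            continue
        key = (alert["alert"], alert["url"])
        if key not in seen:
            seen.add(key)
            out.append(alert)
    return out


# Constructed sample in the shape of a /JSON/core/view/alerts/ response.
SAMPLE_ALERTS = json.loads("""{"alerts": [
 {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://app.test/"},
 {"alert": "Application Error Disclosure", "risk": "Medium", "url": "http://app.test/login"},
 {"alert": "Application Error Disclosure", "risk": "Medium", "url": "http://app.test/login"},
 {"alert": "Private IP Disclosure", "risk": "Low", "url": "http://app.test/about"}
]}""")["alerts"]

if __name__ == "__main__":
    found = failing_alerts(SAMPLE_ALERTS)  # swap in fetch_alerts(...) against a live ZAP
    for a in found:
        print(f"{a['risk']:<7} {a['alert']} at {a['url']}")
    raise SystemExit(1 if found else 0)  # non-zero exit fails the regression job
```

The same gate works for a CI job without the Jenkins plug-in: start ZAP daemon-mode, run the Selenium suite with `proxy_args()`, then call `fetch_alerts` and exit non-zero when `failing_alerts` is non-empty.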


(Heather) #8

Some replies from Twitter that I’m a bit late posting.

(Daniel) #9

I’ve got extensive experience with ZAP and BurpSuite. I’ve been looking at ways to get this knowledge out into the community. Videos are one thing, but practical experience is another.

It’s something I cover in my workshops, but not in great depth. Do you think there is scope for a full-on proxy workshop? I ran a half day at TestBash 2016, but there was so much more to cover.

(Heather) #10

I’d say definitely. The huge wall for us was being terrified of breaking the application or doing something wrong. It needs hand holding early on to an extent I think.

(Amit) #11

I’m a bit late on this topic, but I’ve stumbled across this: http://owasp-academy.teachable.com/p/owasp-zap-tutorial

I’ve not yet looked into it, but I’m guessing that an OWASP project is a decent place to get information about ZAP.