How to use OWASP ZAP & Vulnerabilities Slikmap

OWASP ZAP @YuhoKameda 2019/9/14 in OWASP Nagoya

Agenda • • • OWASP
ZAP 2.8.0

1% /$-( • &% 0+> – ;;=7(*"/! •
. ,> – 84:2' )1 – 6=93<510+ .#/

%$#! • !%$ – **,' / •
– " • • (,&)+% – EOL%$ • • (,&)+%

• • • OS
• • (CMS)

!!$ • !!$ – # / $"# •
– $(RSS) – SNS – JPCERT/CCIPA / $"# – #

*-)+,(# ' • %! &(# ' – ( ("'*-)+,)(
– *-)+,$ – ("'( – &

=B:?A1 2 • =B:?A9 *7>@;< – #(8+9)0%- 4.$7 – .,&7'/#)
((85* )9.$7 • /2!… – 9)0%- .20 – "60 9 30 '/2

0 !+ • =I7BH$ '0," – '
0," – &"-58<0," • ).*"(D:I80 – 28;@19!#0& – >EIAGI30/%6D6D #?F4 CA&"-

# %@ • -/43"& )% – WordPress%1-5>9$ *?@ – Apache
Struts%&*?@ – *;.7;<'8;0.=,*?@ • 6>2:=), ( • +! ",(

'#40*..6&!$, • Pentester Skillmap Project JP ( WG) –
JNSA( -*,79$(#13+ ) ISOG-J((#13+ "/59%28) – OWASP Japan – PJ39)9: https://www.owasp.org/index.php/Pentester_Skillmap_Project_JP

&+ B=MHCGGNA<>E • @MFP(Silver) – -% • '$6Web;GL?P@JOS@BDI6&+Q 9R:(0 •
&+ 6:!1Q 54R – 3 • GoldKO>6%6#6/&+:(0 • '$IT@BDI6&+:(0 – 18) • IT@BDI:+182Q.R*5)7",:

37ZSea[``fYRT] • Vhe^(Gold) – ;2 • WebQ`dUhXcgkXZ\bJ37i O&%jP 4> •
37PWh_ZGCEDN' IDN – ' G • 37' P/+C=7<J)='.J= 71$J0%?MK8P4>BG@FAN • 37J !PC=5,H9 @FAN – #DN5(* • 37Wh_ZPDNJI6 H5L-:P "

4/A<6;;B3-08 • ;B3-08& – 4/A<6;E2?:4 • )!&$)%"( •
& & – .,9?,C • )!#'& – 5/=@7+ • Web*;@1D2>C) %"(#'&

84C@9>H7A=8 • + *84C, • %)+84C0"& – ()
– ( ) – () – (:GC) – D?G;1E6FB85 – F32<A2E • '$(-*#!B85/.

*'-/'1 • !# & % %
– ",+0! $ – ().

WebDTYL^MW\ #IE RXE\ • IERXE\%; – * : SQLE\NFJMW\ –
#C 4=1 : 4=6 – UE[^R]SP^\ : ‘ (M\KZJH^Q) – C!.$ : SXV^P^ – # • SXV^P^;:SP^\C3+YJGOQC' – 0,A • DB)(;GX^0"2BA/+ 7 09A – 09- • DB)(;GX^<"2B9- 8;:C ?&>/ 8.#3571:+8;@.: 35/

51=@80 • Web348;DWeb/:@2C3>A'"%' ,*)!& +.-51=@80'$% –
• 1. B • 2. 573>A • 3. 9?<C6C • 4. • 5. HTTPS • 6. cookie • 7. • 8. #(

OWASP ZAP

+H • (H%AQ& HYmd3KBI,c^akmWG @DHLZVhlR*9O9G@D<C?84 • `m\JH2N+ H3+-JH.); 7QBM3" J+RAQ>FI1=D<C?84
• Sl]UTiZ[ea;F@/R0AQ ';7P KA4 • +I3 #G5fj_Wagmb6R!@3+-HZ XmfR$G@B9:E!@D<C?84

OWASP ZAP4 • OWASP Zed Attack Proxy(ZAP) •
"! -+*13 &.2)'*(30 • Web$,/%3&.2 # • # !

2.0.0ZAP 2013 2013/01/30 ver 2.0.0 2013/04/18 ver 2.1.0 2013/09/11 ver
2.2.0 2013/09/27 ver 2.2.2 2013/11/04 ZAP Evangelist 2014 2014/03/17 AppSec APAC#++!),"+ 2014/03/27 ZAP Evangelist 2014/04/10 ver 2.3.0 2014/05/21 ver 2.3.1 2015 2015/04/14 ver 2.4.0 2015/07/30 ver 2.4.1 2015/08 ZAP(%!+ ! 2015/09/07 ver 2.4.2 2015/12/04 ver 2.4.3 2016 2016/06/03 ver 2.5.0 2016/06/03 bugcrowd$$+ %*'& 2017 2017/03/29 ver 2.6.0 2017/11/28 ver 2.7.0 2019 2019/6/8 ver 2.8.0 2019/8/28 ver 2.8.1 : Kali

ZAP &6% • Twitter (ZAP)5%) – https://twitter.com/zaproxy • ZAP Blog
( ) – https://zaproxy.blogspot.jp/ • ZAP User Guide (" -*03) – https://github.com/zaproxy/zap-core-help/wiki • ZAP Introduction Wiki ( 525-*03) – https://github.com/zaproxy/zaproxy/wiki/Introduction • ZAP User Group (16$".0*') – https://groups.google.com/group/zaproxy-users • Crowdin ZAP GUI translation (GUI!36,) – https://crowdin.com/project/owasp-zap • Crowdin ZAP User Guide Translation (User Guide !36,) – https://crowdin.com/project/owasp-zap-help • Open Hub (OSS ".0*'#() – https://www.openhub.net/p/zaproxy • Bountysource (ZAP +!+5',4!2/) – https://www.bountysource.com/teams/zap/issues • ZAP-*03 Ver.2.1.0 () – https://docs.google.com/file/d/0B1e1Cma1GUllazNUNVp6OWdGYzg/edit

ZAP • Active Scan • Passive Scan • &("'
• ( • AJAX( • $ • #'"%( • • '(/( • &"( • • Fuzzer • Web Sockets • Replacer • Zest • %!

ZAP" / • " %$&/
• !#% $& / • "

ZAP* • (/$)$*" – 4620+ (") • (315/!) %.315
– &.':<;/78* %.315) • (#/ ) * – 8891),- )

ZAP= • ()(/.).= , – JLHF?! ;&,< • (IGK/+) 3CIGK
– " 5C8PRQEMN= 3CIGK< • (-/ )&*= – %NNOG <@B&*< JLHF6;1A&104:D, ,7>2/D<*D ' *<@B#$;* *<@B' *9CB=

OWASP ZAP 2.8.0 • 2019/6/8

The Heads Up Display • ZAP https://github.com/zaproxy/zap-hud

*>C4 ; @76 ; @ 7 %$Kr^anr ; @\jpUcr\9 khr\
aDGl GpNlrTip '& #" ^XaD Kr^ranr NnURG\ UNkbZFpO(XSS) NnURG\ kNIU\ aJrTHkr (CSRF) DoS(Rr`U:0) 1B#"(nOGp) 1B#"(VXSip8 ) 1B#"([FmN\k/aDGl) 1B#"(NmTX\Lr]) QpZpYqUbraFpO ., Rr^rA5eU EbkPrSipA5eU https://github.com/zaproxy/zaproxy/blob/develop/zap/src/main/dist/lang/vulnerabilities_ja_JP.xml [FmN\kAGp[XNSpO ; @aDGlSUZfA_r eXSip Credential and Session Prediction SQL GpTHNSip ; @ / Insufficient Anti automation ; @ / XML GpTHNSip HTTPkNIU\A HTTPmUcpUA HTTP kNIU\UdOkpO HTTP Response Smuggling Null ^G\ GpTHNSip LDAP GpTHNSip grl Qdp] GpTHNSip OSQdp] GpTHNSip Routing Detour _U \j^rRl !-3@kWrUA2 SOAP Array Abuse SSI GpTHNSip VXSip aFNVrSip URL Redirector Abuse XPath GpTHNSip Insufficient Process Validation XML Attribute Blowup +3A0 XML External Entities XML Entity Expansion aFpMr bkp\ XQuery GpTHNSip ; @VXSip()< ?@=Gp[XNU ; @_Uor]

Active Scan Rule • #"),*-* • Release / Beta
/ Alpha – Release$'!*% ,#%-* – Beta( +-& – Release

Active Scan Rule • Active Scan Rules

Active Scan Rule • ! ! •

Active Scan Rule • CVE

Passive Scan Rule • (2/-4).,57#686 • Release / Beta /
Alpha – Release#%03+61!*7.186 – Beta$&' ( – (&" ( – " ) (Release)

Passive Scan Rule • https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules

Http "# • ! "# •
"#

Http •

ZAP • .2+%,/4- – Protect Mode • (&4.(&3+$(,)
– Context • 141 – Active Scan Rules – Passive Scan Rules • )*'03 !#"3, – Http)*'03

ZAP • (&!%#' ) • Custom Fuzzer #' )$(
!"

9"9 • ;!)1*:/64 – #4JTCNS'8 – /02 ;
2(: • D@QLFKKRC>AH – D@QLFKUBOJD – ?=IO=S – E@MPG< • OWASP ZAP 2.8.0 – ZAP;4$+3./65; ,&7% – D@QLFKKRC>AH5 ;-7%

Profile • Mail : [email protected] • Twitter : @YuhoKameda •
WebSite () : – https://www.owasp.org/index.php/User:Yuho_Kameda – https://speakerdeck.com/ykame

How to use OWASP ZAP & Vulnerabilities Slikmap

How to use OWASP ZAP & Vulnerabilities Slikmap

More Decks by Yuho Kameda

Other Decks in Technology

Featured

Transcript