Slide 1

Slide 1 text

OWASP ZAP @YuhoKameda 2019/9/14 in OWASP Nagoya

Slide 2

Slide 2 text

Agenda • OWASP ZAP 2.8.0

Slide 3

Slide 3 text

Slide 4

Slide 4 text


Slide 5

Slide 5 text


Slide 6

Slide 6 text

• OS • (CMS)

Slide 7

Slide 7 text

• (RSS) – SNS – JPCERT/CC, IPA

Slide 8

Slide 8 text


Slide 9

Slide 9 text


Slide 10

Slide 10 text


Slide 11

Slide 11 text

• WordPress – Apache Struts

Slide 12

Slide 12 text

Slide 13

Slide 13 text

• Pentester Skillmap Project JP (WG) – JNSA, ISOG-J – OWASP Japan – https://www.owasp.org/index.php/Pentester_Skillmap_Project_JP

Slide 14

Slide 14 text

• (Silver) – Web • Gold • IT

Slide 15

Slide 15 text

• (Gold) – Web

Slide 16

Slide 16 text


Slide 17

Slide 17 text


Slide 18

Slide 18 text


Slide 19

Slide 19 text

• Web – SQL – DB

Slide 20

Slide 20 text


Slide 21

Slide 21 text

Slide 22

Slide 22 text

OWASP ZAP

Slide 23

Slide 23 text


Slide 24

Slide 24 text

OWASP ZAP • OWASP Zed Attack Proxy (ZAP) • Web

Slide 25

Slide 25 text

ZAP 2.0.0 and later
2013
2013/01/30 ver 2.0.0
2013/04/18 ver 2.1.0
2013/09/11 ver 2.2.0
2013/09/27 ver 2.2.2
2013/11/04 ZAP Evangelist
2014
2014/03/17 AppSec APAC
2014/03/27 ZAP Evangelist
2014/04/10 ver 2.3.0
2014/05/21 ver 2.3.1
2015
2015/04/14 ver 2.4.0
2015/07/30 ver 2.4.1
2015/08 ZAP
2015/09/07 ver 2.4.2
2015/12/04 ver 2.4.3
2016
2016/06/03 ver 2.5.0
2016/06/03 bugcrowd
2017
2017/03/29 ver 2.6.0
2017/11/28 ver 2.7.0
2019
2019/6/8 ver 2.8.0
2019/8/28 ver 2.8.1
: Kali

Slide 26

Slide 26 text

ZAP
• Twitter (ZAP) – https://twitter.com/zaproxy
• ZAP Blog – https://zaproxy.blogspot.jp/
• ZAP User Guide – https://github.com/zaproxy/zap-core-help/wiki
• ZAP Introduction Wiki – https://github.com/zaproxy/zaproxy/wiki/Introduction
• ZAP User Group – https://groups.google.com/group/zaproxy-users
• Crowdin ZAP GUI translation – https://crowdin.com/project/owasp-zap
• Crowdin ZAP User Guide Translation – https://crowdin.com/project/owasp-zap-help
• Open Hub (OSS) – https://www.openhub.net/p/zaproxy
• Bountysource (ZAP) – https://www.bountysource.com/teams/zap/issues
• ZAP Ver.2.1.0 – https://docs.google.com/file/d/0B1e1Cma1GUllazNUNVp6OWdGYzg/edit

Slide 27

Slide 27 text

ZAP • Active Scan • Passive Scan • AJAX • Fuzzer • Web Sockets • Replacer • Zest

Slide 28

Slide 28 text

ZAP" / • " %$&/ • !#% $& / • "

Slide 29

Slide 29 text


Slide 30

Slide 30 text


Slide 31

Slide 31 text

OWASP ZAP 2.8.0 • 2019/6/8

Slide 32

Slide 32 text

The Heads Up Display • ZAP https://github.com/zaproxy/zap-hud

Slide 33

Slide 33 text

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• DoS
• https://github.com/zaproxy/zaproxy/blob/develop/zap/src/main/dist/lang/vulnerabilities_ja_JP.xml
• Credential and Session Prediction
• SQL injection
• Insufficient Anti-automation
• XML injection
• HTTP request smuggling
• HTTP Response Smuggling
• Null byte injection
• LDAP injection
• OS command injection
• Routing Detour
• SOAP Array Abuse
• SSI injection
• URL Redirector Abuse
• XPath injection
• Insufficient Process Validation
• XML Attribute Blowup
• XML External Entities
• XML Entity Expansion
• XQuery injection

Slide 34

Slide 34 text

Active Scan Rule • Release / Beta / Alpha

Slide 35

Slide 35 text

Active Scan Rule • Active Scan Rules

Slide 36

Slide 36 text

Active Scan Rule

Slide 37

Slide 37 text

Active Scan Rule • CVE

Slide 38

Slide 38 text

Passive Scan Rule • Release / Beta / Alpha

Slide 39

Slide 39 text

Passive Scan Rule • https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules

Slide 40

Slide 40 text

Http "# • ! "# • "#

Slide 41

Slide 41 text

Http

Slide 42

Slide 42 text

Http

Slide 43

Slide 43 text

ZAP • Protect Mode • Context • Active Scan Rules – Passive Scan Rules • Http

Slide 44

Slide 44 text

ZAP • Custom Fuzzer

Slide 45

Slide 45 text

9"9 • ;!)1*:/64 – #4JTCNS'8 – /02 ;2(: • D@QLFKKRC>AH – D@QLFKUBOJD – ?=IO=S – E@MPG< • OWASP ZAP 2.8.0 – ZAP;4$+3./65; ,&7% – D@QLFKKRC>AH5 ;-7%

Slide 46

Slide 46 text

Profile
• Mail : [email protected]
• Twitter : @YuhoKameda
• WebSite :
– https://www.owasp.org/index.php/User:Yuho_Kameda
– https://speakerdeck.com/ykame