The Zed Attack Proxy (ZAP) is a penetration test tool designed to be used to make web applications more secure.
While ZAP can detect some security issues automatically, it is primarily designed to help you find security vulnerabilities manually.
Unlike some security tools it is designed to be used by people with a wide range of security experience.
As such it is ideal for developers and functional testers who are new to penetration testing.
Some of ZAP's features:
- Intercepting proxy
- Automated scanner
- Passive scanner
- Spider
Some of ZAP's characteristics:
- Easy to install (just requires Java 1.6)
- Ease of use a priority
- Comprehensive help pages
- Under active development
- Open source
- Free (no paid-for 'Pro' version)
- Cross platform
- Involvement actively encouraged
ZAP is a fork of the well regarded Paros Proxy.
Details of the changes made are here: 1.0.0
It would be great if you would consider including it on Backtrack.
Many thanks,
Psiinon
Pros/Cons vs Google RatProxy& SkipFish or Fiddler2 /w Watcher.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
My comments about Ratproxy, skipfish and Fiddler2 + Watcher are based on my current understanding of these tools - please correct me if I'm wrong about anything
To quote from RatproxyDoc - ratproxy - Project documentation - Project Hosting on Google Code "Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies...".
It only provides a command line interface and does not provide an interactive UI.
In the default mode it "may be safely employed against production systems".
ZAP is more aggressive. While it can do some passive scanning the main scanning is active. It is typically run as an interactive UI and acts as an intercepting proxy, so you can change requests dynamically.
I would not recommend running it against production systems.
Skipfish is "a fully automated, active web application security reconnaissance tool".
It only provides a command line interface and does not provide an interactive UI.
So again ZAP is an interactive UI based tool. It is not really intended to run as a purely automated scanner.
I would say that ZAP is not really a 'competitor' to Ratproxy or skipfish.
Fiddler2 obviously is a much more interactive tool and does overlap with the functionality provided by ZAP.
However as I understand it Fiddler2 + Watcher do not provide any active scanning.
I would agree that the combination of Ratproxy, skipfish, Fiddler2 + Watcher exceed the functionality currently provided by ZAP.
I guess ZAP could be seen as an integrated tool that provides all of the functionality required to perform a basic (but hopefully effective) pentest on a web application.
As I mentioned before, it's suitable for people who are relatively new to pentesting.
An experienced pentester will be well versed in the tools you mentioned, as well as tools like the Burp Suite and WebScarab.
ZAP is not really aimed at such people, although I'm sure they can have a quick look at the functionality it provides and work out if it could fit into their toolbox. They might find it useful for an initial assessment before breaking out the specialist tools.
Does that answer your question?
Psiinon
Thanks Psiinon, good summary!
I've started using this over paros proxy now. It's an invaluable tool when testing Flash applications for SQL Injection issues.
"I do not know with what weapons World War III will be fought, but World War IV will be fought with sticks and stones."
Albert Einstein
Hi SWFu64,
Glad you like it.
If you (or anyone else) have any feedback about ZAP I'd be really interested in hearing it, either via this thread or the developer group.
e.g. what do you like, dislike?
How do you think it could be improved?
I've got a long list of ways I'd like to improve it (some of them documented here), but I also want it to be as widely used as possible, so I want the people who use it to have a big say in how it develops.
Many thanks,
Psiinon
EDIT: Ok this was me being stupid.
I got it to work thanks to the help of SWFu on irc.
EDIT: This should be in the repos soon.
Last edited by Archangel-Amael; 10-04-2010 at 06:25 PM.
To be successful here you should read all of the following.
ForumRules
ForumFAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.
That's great.
FYI ZAP has now been accepted as an OWASP project, and its new home page is here: OWASP Zed Attack Proxy Project - OWASP
Many thanks,
Psiinon
just a quick note, anyone wondering why the zap.sh shell script is not working: ...wonderful world of special characters
Code:
cd /pentest/web
wget -q http://zaproxy.googlecode.com/files/ZAP_1.0.0b_installation.tar.gz
tar xf ZAP_1.0.0b_installation.tar.gz
cd zap && dos2unix zap.sh   # strip the CRLF line endings that break the script
sh zap.sh
/brtw2003
Last edited by brtw2003; 10-05-2010 at 08:56 PM.
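The "special characters" in the post above are Windows CRLF line endings in zap.sh: a trailing carriage return after the shebang or after each command is enough to make a script fail with confusing "not found" errors. As an added example (not code from the thread or from the ZAP project), here is a POSIX sh way to detect and strip them when dos2unix is not installed. The file path is hypothetical and the CRLF sample file is constructed inline.

```shell
# Added example, not from the original thread or from ZAP:
# detect and remove CR characters from a shell script using only tr and cmp.

# has_crlf FILE -> returns 0 (true) if FILE contains any carriage returns
has_crlf() {
    # compare the file against a copy with CRs removed; any difference
    # means at least one CR was present
    ! tr -d '\r' < "$1" | cmp -s - "$1"
}

# strip_crlf FILE -> rewrite FILE in place without CRs, keeping FILE.orig
strip_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" &&
    mv "$1" "$1.orig" &&
    mv "$1.tmp" "$1"
}

# Constructed sample: a two-line script with Windows line endings,
# the same condition the post describes for zap.sh (hypothetical path)
demo_file="${TMPDIR:-/tmp}/crlf_demo.sh"
printf '#!/bin/sh\r\necho hello\r\n' > "$demo_file"

has_crlf "$demo_file" && echo "CRLF line endings found in $demo_file"
strip_crlf "$demo_file"
has_crlf "$demo_file" || echo "clean now, output: $(sh "$demo_file")"
```

Running the block prints the "found" line, then "clean now, output: hello"; the original file is kept as crlf_demo.sh.orig so the change can be reviewed before anything is executed.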