Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Zed Attack Proxy (ZAP)

  1. #1
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Zed Attack Proxy (ZAP)

    The Zed Attack Proxy (ZAP) is a penetration test tool designed to be used to make web applications more secure.

    While ZAP can detect some security issues automatically, it is primarily designed to help you find security vulnerabilities manually.

    Unlike some security tools it is designed to be used by people with a wide range of security experience.

    As such it is ideal for developers and functional testers who a new to penetration testing.

    Some of ZAP's features:
    • Intercepting proxy
    • Automated scanner
    • Passive scanner
    • Spider


    Some of ZAP's characteristics:
    • Easy to install (just requires java 1.6)
    • Ease of use a priority
    • Comprehensive help pages
    • Under active development
    • Open source
    • Free (no paid for 'Pro' version)
    • Cross platform
    • Involvement actively encouraged

    ZAP is a fork of the well regarded Paros Proxy.
    Details of the changes made are here: 1.0.0

    Be great if you would consider including it on Backtrack.

    Many thanks,

    Psiinon

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Zed Attack Proxy (ZAP)

    Pros/Cons vs Google RatProxy& SkipFish or Fiddler2 /w Watcher.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Re: Zed Attack Proxy (ZAP)

    My comments about Ratproxy, skipfish and Fiddler2 + Watcher are based on my current understanding of these tools - please correct me if I'm wrong about anything

    To quote from RatproxyDoc - ratproxy - Project documentation - Project Hosting on Google Code "Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies...".
    It only provides a command line interface and does not provide an interactive UI .
    In the default mode it "may be safely employed against production systems".

    ZAP is more aggressive. While it can do some passive scanning the main scanning is active. It is typically run as an interactive UI and acts as an intercepting proxy, so you can change requests dynamically.
    I would not recommend running it against production systems

    Skipfish is a "A fully automated, active web application security reconnaissance tool".
    It only provides a command line interface and does not provide an interactive UI .

    So again ZAP is an interactive UI based tool. It is not really intended to run as a purely automated scanner.
    I would say that ZAP is not really a 'competitor' to Ratproxy or skipfish.

    Fiddler2 obviously is a much more interactive tool and does overlap with the functionality provided by ZAP.
    However as I understand it Fiddler2 + Watcher do not provide any active scanning.

    I would agree that the combination of Ratproxy, skipfish, Fiddler2 + Watcher exceed the functionality currently provided by ZAP.

    I guess ZAP could be seen as a integrated tool that provides all of the functionality required to perform a basic (but hopefully effective) pentest on a web application.
    As I mentioned before its suitable for people who are relatively new to pentesting.
    An experienced pentester will be well versed in the tools you mentioned, as well as tools like the Burp Suite and WebScarab.
    ZAP is not really aimed at such people, although I'm sure they can have a quick look at the functionality it provides and work out if it could fit into their toolbox. They might find it useful for an initial assessment before breaking out the specialist tools.

    Does that answer your question?

    Psiinon

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Zed Attack Proxy (ZAP)

    Thanks Psiinon, good summary!
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Junior Member SWFu64's Avatar
    Join Date
    Jan 2010
    Posts
    97

    Default Re: Zed Attack Proxy (ZAP)

    I've started using this over paros proxy now. It's an invaluable tool when testing Flash applications for SQL Injection issues.
    "I do not know with what weapons World War III will be fought, but World War IV will be fought with sticks and stones."

    Albert Einstein

  6. #6
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Re: Zed Attack Proxy (ZAP)

    Quote Originally Posted by SWFu64 View Post
    I've started using this over paros proxy now. It's an invaluable tool when testing Flash applications for SQL Injection issues.
    Hi SWFu64,

    Glad you like it
    If you (or anyone else) have any feedback about ZAP I'd be really interested in hearing it, either via this thread or the developer group.
    e.g. what do you like, dislike?
    How do you think it could be improved?
    I've got a long list of ways I'd like to improve it (some of them documented here), but I also want it to be as widely used as possible, so I want the people who use it to have a big say in how it develops.

    Many thanks,

    Psiinon

  7. #7
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Zed Attack Proxy (ZAP)

    EDIT: Ok this was me being stupid.
    I got it to work thanks to the help of SWFu on irc.

    EDIT: This should be in the repos soon.
    Last edited by Archangel-Amael; 10-04-2010 at 06:25 PM.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  8. #8
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Re: Zed Attack Proxy (ZAP)

    Thats great

    FYI ZAP has now been accepted as an OWASP project, and its new home page is here: OWASP Zed Attack Proxy Project - OWASP

    Many thanks,

    Psiinon

  9. #9

    Default Re: Zed Attack Proxy (ZAP)

    just a quick note, anyone wondering why the zap.sh shell script is not working:

    Code:
    wget -q http://zaproxy.googlecode.com/files/ZAP_1.0.0b_installation.tar.gz
    cd /pentest/web && tar xf ZAP_1.0.0b_installation.tar.gz
    cd zap && dos2unix zap.sh
    sh zap.sh
    ...wonderful world of special characters
    /brtw2003
    Last edited by brtw2003; 10-05-2010 at 08:56 PM.

  10. #10
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Zed Attack Proxy (ZAP)

    Quote Originally Posted by brtw2003 View Post
    just a quick note, anyone wondering why the zap.sh shell script is not working:

    Code:
    wget -q http://zaproxy.googlecode.com/files/ZAP_1.0.0b_installation.tar.gz
    cd /pentest/web && tar xf ZAP_1.0.0b_installation.tar.gz
    cd zap && dos2unix zap.sh
    sh zap.sh
    ...wonderful world of special characters
    /brtw2003
    While that may help for those who download and install, this will not be necessary once this is in the repos.

    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

Page 1 of 2 12 LastLast

Similar Threads

  1. proxy-bt3
    By vanescar in forum Supporto Software
    Replies: 0
    Last Post: 04-27-2010, 10:50 PM
  2. NC Through Proxy?
    By wolf17 in forum OLD Newbie Area
    Replies: 3
    Last Post: 07-10-2009, 05:13 AM
  3. everything over Proxy
    By goon123 in forum OLD Specialist Topics
    Replies: 1
    Last Post: 07-06-2009, 12:44 AM
  4. using a proxy
    By ycpc55 in forum OLD Newbie Area
    Replies: 15
    Last Post: 04-22-2009, 04:58 AM
  5. How to use a proxy?
    By Schtekarn in forum OLD BT3final Support
    Replies: 19
    Last Post: 06-22-2008, 09:29 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •