
Thread: Zed Attack Proxy (ZAP)


  1. #1
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Zed Attack Proxy (ZAP)

    The Zed Attack Proxy (ZAP) is a penetration test tool designed to be used to make web applications more secure.

    While ZAP can detect some security issues automatically, it is primarily designed to help you find security vulnerabilities manually.

    Unlike some security tools it is designed to be used by people with a wide range of security experience.

    As such it is ideal for developers and functional testers who are new to penetration testing.

    Some of ZAP's features:
    • Intercepting proxy
    • Automated scanner
    • Passive scanner
    • Spider


    Some of ZAP's characteristics:
    • Easy to install (just requires java 1.6)
    • Ease of use a priority
    • Comprehensive help pages
    • Under active development
    • Open source
    • Free (no paid for 'Pro' version)
    • Cross platform
    • Involvement actively encouraged

    ZAP is a fork of the well regarded Paros Proxy.
    Details of the changes made are here: 1.0.0

    Be great if you would consider including it on Backtrack.

    Many thanks,

    Psiinon

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Zed Attack Proxy (ZAP)

    Pros/cons vs Google RatProxy & SkipFish, or Fiddler2 w/ Watcher?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Re: Zed Attack Proxy (ZAP)

    My comments about Ratproxy, skipfish and Fiddler2 + Watcher are based on my current understanding of these tools - please correct me if I'm wrong about anything

    To quote from the ratproxy project documentation on Google Code: "Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies...".
    It only provides a command line interface and does not provide an interactive UI.
    In the default mode it "may be safely employed against production systems".

    ZAP is more aggressive. While it can do some passive scanning the main scanning is active. It is typically run as an interactive UI and acts as an intercepting proxy, so you can change requests dynamically.
    I would not recommend running it against production systems.

    Skipfish is a "A fully automated, active web application security reconnaissance tool".
    It only provides a command line interface and does not provide an interactive UI.

    So again ZAP is an interactive UI based tool. It is not really intended to run as a purely automated scanner.
    I would say that ZAP is not really a 'competitor' to Ratproxy or skipfish.

    Fiddler2 obviously is a much more interactive tool and does overlap with the functionality provided by ZAP.
    However as I understand it Fiddler2 + Watcher do not provide any active scanning.

    I would agree that the combination of Ratproxy, skipfish, Fiddler2 + Watcher exceed the functionality currently provided by ZAP.

    I guess ZAP could be seen as an integrated tool that provides all of the functionality required to perform a basic (but hopefully effective) pentest on a web application.
    As I mentioned before, it's suitable for people who are relatively new to pentesting.
    An experienced pentester will be well versed in the tools you mentioned, as well as tools like the Burp Suite and WebScarab.
    ZAP is not really aimed at such people, although I'm sure they can have a quick look at the functionality it provides and work out if it could fit into their toolbox. They might find it useful for an initial assessment before breaking out the specialist tools.

    Does that answer your question?

    Psiinon

  4. #4
    Just burned his ISO LVHLVH's Avatar
    Join Date
    Oct 2010
    Posts
    7

    Default Re: Zed Attack Proxy (ZAP)

    Quote Originally Posted by psiinon View Post
    My comments about Ratproxy, skipfish and Fiddler2 + Watcher are based on my current understanding of these tools - please correct me if I'm wrong about anything

    [snip]

    ZAP is not really aimed at such people, although I'm sure they can have a quick look at the functionality it provides and work out if it could fit into their toolbox. They might find it useful for an initial assessment before breaking out the specialist tools.

    Does that answer your question?
    Psiinon

    Just my 2 cents on the matter.

    You cannot (and should not) compare skipfish or ratproxy with ZAP, webscarab, burp, fiddler or any other intercepting proxy.

    Skipfish is a pattern recognition based scanner (much like nikto) with a focus on web apps. It tries to identify files with known vulnerabilities based on a fingerprint. As such it does not try to find issues based on request/response and it does not work well with custom software.

    Ratproxy does try to find vulnerabilities based on requests and responses but can only be used as a parallel scanner. So you start ratproxy, browse the website, stop the proxy and read the report. It is not possible to modify requests on-the-run and you have to stop the proxy before you can see the results.

    ZAP is an intercepting proxy and should be compared with other intercepting proxies (as mentioned before). If you look at the 'competition' I think ZAP can claim a good spot in the market. Paros (free, and the project ZAP is based on) hasn't had an update in ages, and although nightly builds for webscarab are being created each night, no real new functionality has been added for the last year (correct me if I'm wrong on this one, but looking at the java package I cannot find any).
    Burp is being maintained fairly well, but you need to buy a (although cheap) license to really unleash its power. Fiddler/watcher is nice, but targeted at a Windows/IE platform and does indeed not include an active scanner.

    Concluding; I think ZAP has great potential and is not just a 'beginners' tool. I think with a few releases it will outperform paros, webscarab, and fiddler and will only have Burp Suite Pro as its master ...

    (for the record; I am not involved whatsoever in the development of ZAP, webscarab or any other tool but I am speaking from professional experience with the tools).
    Last edited by LVHLVH; 10-08-2010 at 11:39 AM. Reason: typo
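    The distinction drawn in the two posts above (an intercepting proxy that can change requests on the fly, a passive scanner that only reads what went past, and an active scanner that generates its own traffic and so is unsafe on production) as an added example. This is not ZAP's code, nor anything posted in the thread: it is a toy Python model in which the target web application, the URLs, the cookie and header values and the SQL error string are all constructed for the example, and the three scanner roles are implemented from scratch rather than taken from any of the tools named.

```python
"""Toy model of three roles discussed in the thread: intercepting proxy,
passive scanner and active scanner. Added example; not ZAP's own code."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def constructed_target(req: Request) -> Response:
    """Constructed stand-in for a web application (no real server involved).
    /search echoes q unescaped and 'builds SQL by concatenation', so a stray
    quote leaks a database error; every response sets a cookie without HttpOnly."""
    parts = urlsplit(req.url)
    params = dict(parse_qsl(parts.query))
    headers = {"Content-Type": "text/html", "Set-Cookie": "session=abc123; Path=/"}
    if parts.path == "/search":
        q = params.get("q", "")
        if "'" in q:
            return Response(500, headers, "You have an error in your SQL syntax; check the manual")
        return Response(200, headers, f"<html>Results for {q}</html>")
    return Response(404, headers, "not found")


class InterceptingProxy:
    """Sits between client and target. 'intercept' is the hook that lets the
    tester rewrite a request in flight; every pair is recorded for the scanners."""

    def __init__(self, send: Callable[[Request], Response],
                 intercept: Optional[Callable[[Request], Request]] = None):
        self.send = send
        self.intercept = intercept
        self.history: List[Tuple[Request, Response]] = []

    def handle(self, req: Request) -> Response:
        if self.intercept is not None:
            req = self.intercept(req)
        resp = self.send(req)
        self.history.append((req, resp))
        return resp


def with_param(url: str, name: str, value: str) -> str:
    """Return url with query parameter 'name' set to 'value' (URL-encoded)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    params[name] = value
    return urlunsplit(parts._replace(query=urlencode(params)))


def passive_scan(history: List[Tuple[Request, Response]]) -> List[Tuple[str, str]]:
    """Reads recorded traffic only and sends nothing, so it is safe on
    production. Returns (rule, url) findings."""
    findings = []
    for req, resp in history:
        cookie = resp.headers.get("Set-Cookie", "")
        if cookie and "httponly" not in cookie.lower():
            findings.append(("cookie-without-httponly", req.url))
        if "X-Frame-Options" not in resp.headers:
            findings.append(("missing-x-frame-options", req.url))
        for _, value in parse_qsl(urlsplit(req.url).query):
            if len(value) >= 4 and value in resp.body:
                findings.append(("parameter-reflected-in-body", req.url))
    return findings


SQL_ERROR = re.compile(r"error in your SQL syntax|ORA-\d{5}|unterminated quoted string", re.I)


def active_scan(proxy: InterceptingProxy) -> List[Tuple[str, str]]:
    """Replays each recorded request with every parameter replaced by a SQL
    injection probe. This creates new, possibly harmful traffic, which is why
    it should not be pointed at production."""
    findings = []
    for req, _ in list(proxy.history):          # snapshot: handle() appends to history
        for name, _ in parse_qsl(urlsplit(req.url).query):
            probe = Request(req.method, with_param(req.url, name, "x'"), dict(req.headers))
            resp = proxy.handle(probe)
            if SQL_ERROR.search(resp.body):
                findings.append(("sql-injection-error-based:" + name, probe.url))
    return findings


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Browse two constructed pages through the proxy, then run both scanners."""
    def add_header(req: Request) -> Request:
        req.headers["X-Tester"] = "zap-thread-example"   # request rewritten in flight
        return req

    proxy = InterceptingProxy(constructed_target, intercept=add_header)
    proxy.handle(Request("GET", "http://target.example/search?q=backtrack"))
    proxy.handle(Request("GET", "http://target.example/about"))
    return {"passive": passive_scan(proxy.history), "active": active_scan(proxy)}


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, *items, sep="\n  ")
```

The passive pass produces findings from the two browsed pages alone (cookie flags, a missing header, a parameter echoed into the page), while the active pass is the only part that sends anything the user did not browse to, and it is the only part that can confirm the SQL error. That is the line the posts draw between ratproxy-style auditing and what ZAP's active scanner does.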

  5. #5
    Junior Member SWFu64's Avatar
    Join Date
    Jan 2010
    Posts
    97

    Default Re: Zed Attack Proxy (ZAP)

    "I do not know with what weapons World War III will be fought, but World War IV will be fought with sticks and stones."

    Albert Einstein

  6. #6
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Re: Zed Attack Proxy (ZAP)

    Quote Originally Posted by SWFu64 View Post
    You beat me to it!

    Significant changes in 1.2.0:

    • Memory leaks have been fixed in the active scanner and spider
    • External applications can now be invoked from the Sites and History tabs
    • The passive scanner now looks for vulnerabilities


    More details here: http://code.google.com/p/zaproxy/wiki/HelpReleases1_2_0

    Thanks,

    Psiinon

  7. #7
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Zed Attack Proxy (ZAP)

    Thanks Psiinon, good summary!

  8. #8
    Junior Member SWFu64's Avatar
    Join Date
    Jan 2010
    Posts
    97

    Default Re: Zed Attack Proxy (ZAP)

    I've started using this over paros proxy now. It's an invaluable tool when testing Flash applications for SQL Injection issues.

  9. #9
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    11

    Default Re: Zed Attack Proxy (ZAP)

    Quote Originally Posted by SWFu64 View Post
    I've started using this over paros proxy now. It's an invaluable tool when testing Flash applications for SQL Injection issues.

    Hi SWFu64,

    Glad you like it
    If you (or anyone else) have any feedback about ZAP I'd be really interested in hearing it, either via this thread or the developer group.
    e.g. what do you like, dislike?
    How do you think it could be improved?
    I've got a long list of ways I'd like to improve it (some of them documented here), but I also want it to be as widely used as possible, so I want the people who use it to have a big say in how it develops.

    Many thanks,

    Psiinon

  10. #10
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Zed Attack Proxy (ZAP)

    EDIT: Ok this was me being stupid.
    I got it to work thanks to the help of SWFu on irc.

    EDIT: This should be in the repos soon.
    Last edited by Archangel-Amael; 10-04-2010 at 06:25 PM.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.


