Whiz! Bang! ZAP! An Introduction to OWASP’s Zed Attack Proxy

Version imprimable, PDF et e-mail

Sojourn To The West
Last week I escaped the frozen tundra of the northern mid-western United States to speak at the first OWASP AppSec California event in Santa Monica, California. By the events title alone, the conference gives the intimidating impression of being a web-application-developer-Google-Glass-wearing-fest discussing Hadoop optimizations and query parameterization.

The event was actually a very friendly open culture of knowledge sharing and interpersonal networking. I never heard Hadoop mentioned, but I did hear plenty of conversations on today’s best practices for protecting web apps. I’m happy to say I spoke with many interesting and approachable people and made several new professional connections.

Neil Matatall, the event coordinator and humble Twitter employee, took an impromptu survey of the attendee’s backgrounds during the opening comments. I was surprised to see that about half of the attendees were developers and the other half were pure Information Security professionals. Awesome!

ZAP’ing Bugs
One of the talks that connected with me the most was the name-fellow presentation shared with this article. Ben Walther, from Appropriate Control, provided a very engaging introduction to OWASP’s ZAP project. Briefly, ZAP (acronym for Zed Attack Proxy) is a project backed by many Mozilla developers with 30 contributors, many evangelists across the planet and supports 20 different languages, sadly none of them are Klingon.

One of the objectives of ZAP is to enable anyone with a rudimentary knowledge of how websites are structured to validate their web app’s security with a very intuitive penetration testing tool.

Features such an intercepting proxy, a spider, an active scanner, forceful browsing, a fuzzer, and break points for debugging and testing cookie injections are just the beginning. There is so much that OWASP ZAP can do to easily help find weaknesses in a web app that it earned the ToolsWatch.org’s best security tool for 2013 award #1 ranking.

ZAP includes a ‘Plug-n-Hack’ feature for Firefox 24 to configure proxying of your browser HTTP/S traffic through ZAP.

Ben Walther provided a mostly hands-on demonstration of the features mentioned above for folks interested in getting started with using ZAP. Walther was followed by Aaron Guzman, from Fonality, Inc. and a ZAP evangelist, who went deeper into the tool’s ability to use scripts, as well as, some other features.

If bacon didn’t already exist, ZAP could be served with a side of eggs.

Cost of doing nothing
cost of compliance
Assuming a vulnerability has been discovered on your web app and nothing is done to protect the information behind the web front-end. The penalties for failure to comply with PCI DSS requirements can quickly become greater than the cost to address the issues. Fines begin at $10,000 and can quickly grow based on the number of records compromised per incident.

The cost of a security breach will include consultants providing the required forensic investigation (DFIR), remedy to victims of fraudulent purchases, and privacy notification discloser to affected customers. The potential to have credit card processing privileges revoke is a reality.

Choices to remediate come down to deciding if you want to build or buy. The argument of build versus buy has many valid points for each side. If it’s your core business to find and fix software defects in web apps then the buy argument is senseless. For everyone else it’s really a no brainer. Ask yourself, should your developer spend time implementing query parameterization to prevent SQL injection when your site is also vulnerable to Cross-Site Request Forgery (CSRF) or save a copious amount of time for features and implement a Web Application Firewall (WAF)?

Wrap up
working together
Perhaps I’m a dreamer but it feels like the builders and the people telling them they are doing it wrong are working closer together at events such as OWASP AppSec California. In addition to the OWASP ZAP talk, there were many other outstanding presentations. Unfortunately, it was not humanly possible to attend them all, but fortunately for everyone they were recorded. Huzzah to Neil and friends!

If you do implement a Barracuda WAF to protect your web app, enable Adaptive Profiling for a couple days while having the ZAP spider feature crawl every inch of your application. This will help shake out any false positives and keep the augmented security from depreciating your customer’s experience.

Final note: I searched and found only one individual wearing Google Glass. I was hoping to see more people with a computer on their face.

Remonter en haut de page