Woow… Awesome..!! This is what we felt when we got a mail from the Mozilla Security Team stating that we had been selected for Mozilla Winter of Security 2014 (MWoS). Our team (Sumanth, Sudarshan and Sanjay) was on cloud nine at being selected as one of the 11 international teams for MWoS 2014. A week later we started our journey with our first meet with our Project Lead, Simon Bennetts, which took place on 1st Aug 2014.
Key Points from the meet:
- The meet started with introducing ourselves; later Simon gave his own introduction, explaining how he got into OWASP ZAP, and focused on introducing the new topics to us. He explained what exactly we would be dealing with in AMF (Action Message Format) Support, the project for which we were selected.
- Simon explained ZAP for a while, along with a few of the great features it possesses and their functionality. He provided us with reference links to understand OWASP and ZAP with AMF Support, and gave information about the passive and active scanners (features of ZAP).
- Later he gave us info about the Google+ OWASP developers group and the communication channels via IRC (#websectools channel), and also how we can interact with him through mail.
Activities done in the week:
What is OWASP ZAP?
OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
What are the features and functionalities of ZAP?
- Open Source.
- Cross platform.
- Easy to install (just requires Java 1.7).
- Completely free.
- Ease of use a priority.
- Under active development by an international team of volunteers.
A few functionalities of ZAP :
- The ZAP spider is used to crawl links that are not directly visible.
- It automatically discovers and explores the hidden links for a site.
- Newly discovered URLs are shown.
- URLs whose domain is different from target are also listed.
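The spider behaviour described above (follow links found in a page, report newly discovered in-scope URLs, and list URLs on a different domain separately) is shown here as an added example. This is not ZAP's own spider code; it is a minimal illustration run against a constructed HTML page, with `target.example.com` and `cdn.example.net` as made-up hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; not fetched from any real site.
SAMPLE_PAGE_URL = "http://target.example.com/index.html"
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="login.html">Login</a>
<a href="/about#team">Team</a>
<a href="https://cdn.example.net/lib.js">CDN</a>
<a href="mailto:someone@example.com">Mail</a>
<form action="/search"><input name="q"></form>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href/src/action targets from a page, resolved against its URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(urljoin(self.base_url, value))


def spider_page(page_url, html, seen):
    """Return (new_in_scope, out_of_scope) URLs found on one page.

    `seen` is the set of in-scope URLs already known; it is updated in place,
    so the same function can be called repeatedly while crawling.
    """
    parser = LinkExtractor(page_url)
    parser.feed(html)
    target_host = urlparse(page_url).netloc
    new_in_scope, out_of_scope = [], []
    for url in parser.links:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, javascript: and similar are not crawlable
        clean = parsed._replace(fragment="").geturl()  # "#team" is the same resource
        if parsed.netloc != target_host:
            if clean not in out_of_scope:
                out_of_scope.append(clean)  # listed, but not crawled
        elif clean not in seen:
            seen.add(clean)
            new_in_scope.append(clean)
    return new_in_scope, out_of_scope


def demo_spider():
    """Spider the constructed page starting from a seen-set holding only itself."""
    seen = {SAMPLE_PAGE_URL}
    return spider_page(SAMPLE_PAGE_URL, SAMPLE_HTML, seen)


if __name__ == "__main__":
    found, external = demo_spider()
    print("New in-scope URLs:", found)
    print("Out-of-scope URLs:", external)
```

Note that the fragment is stripped before the duplicate check, otherwise `/about` and `/about#team` would be queued twice; a real crawler also has to normalise case in the host and handle query strings consistently.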
Active Scanner & Passive Scanner :
- Can select a site to be attacked under the ‘Attack’ section
- Tool actually attacks the application in all possible ways to find out all possible vulnerabilities.
- All findings shown under ‘Alerts’ tab.
- Passive scanning does not change any responses coming from server
- Only looks at responses to identify vulnerabilities
Some of the issues passive scanning looks for :
- Incomplete or no cache-control and pragma HTTP Header set
- Cross Site Request Forgery
- Password Autocomplete in browser
- Weak authentication
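To make the passive-scanning idea concrete, here is an added example (not ZAP's own rules) that inspects a single constructed HTTP response without altering it and raises three of the alerts listed above: incomplete cache headers, password autocomplete, and a POST form with no anti-CSRF token. The set of required cache directives and the token field names it looks for are assumptions chosen for this illustration; ZAP's actual rules are configurable and more thorough.

```python
import re

# Constructed sample response; not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: private\r\n"
    "\r\n"
    "<html><body>\n"
    '<form method="POST" action="/login">\n'
    '  <input name="user">\n'
    '  <input type="password" name="pass">\n'
    '  <input type="submit" value="Sign in">\n'
    "</form>\n"
    "</body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def check_cache_headers(headers):
    """Assumed rule: Cache-Control needs no-cache, no-store and must-revalidate,
    and Pragma needs no-cache; anything less is reported as incomplete."""
    cache_control = ",".join(headers.get("cache-control", [])).lower()
    pragma = ",".join(headers.get("pragma", [])).lower()
    required = ("no-cache", "no-store", "must-revalidate")
    if all(d in cache_control for d in required) and "no-cache" in pragma:
        return None
    return "Incomplete or no cache-control and pragma HTTP Header set"


PASSWORD_INPUT = re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password[\"']?[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"autocomplete\s*=\s*[\"']?off[\"']?", re.I)


def check_password_autocomplete(body):
    """Flag a password field that does not disable browser autocomplete."""
    for tag in PASSWORD_INPUT.findall(body):
        if not AUTOCOMPLETE_OFF.search(tag):
            return "Password Autocomplete in browser"
    return None


FORM = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
POST_METHOD = re.compile(r"method\s*=\s*[\"']?post", re.I)
# Assumed token field names for this illustration only.
TOKEN_NAME = re.compile(r"name\s*=\s*[\"']?[^\"'>\s]*(csrf|token|xsrf)[^\"'>\s]*", re.I)


def check_csrf_tokens(body):
    """Flag a POST form that carries no recognisable anti-CSRF token field."""
    for form in FORM.findall(body):
        if POST_METHOD.search(form) and not TOKEN_NAME.search(form):
            return "Cross Site Request Forgery"
    return None


def passive_scan(raw):
    """Run every check over one response and return the list of alert names."""
    _status, headers, body = parse_response(raw)
    results = (
        check_cache_headers(headers),
        check_password_autocomplete(body),
        check_csrf_tokens(body),
    )
    return [alert for alert in results if alert]


if __name__ == "__main__":
    for alert in passive_scan(SAMPLE_RESPONSE):
        print("ALERT:", alert)
```

Because the checks only read the response, they can run on every message that passes through the proxy at no risk to the application, which is exactly why ZAP's passive scanner is on by default while the active scanner has to be started explicitly.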
Fuzzing :
- Fuzzing is a technique of submitting lots of invalid or unexpected data to a target.
- ZAP allows you to fuzz any request using a built-in set of payloads.
- You can also search for strings in the fuzz results using the Search tab.
- Fuzzing is configured using the Options fuzzing screen.
Follow updates on the MWoS ZAP AMF Support Project from here on the Mozilla Wiki.
Click here for other MWoS projects.
Click here to know more about ZAP.