OWASP (BSWR)

Time: 9 minutes
Difficulty: Intermediate

Video Transcription
Hello and welcome to another episode of Breaking Stuff with Robert. Today, we're going over OWASP ZAP. Now, I'm going to give you a high-level overview of some of the functions within OWASP ZAP and some of its capabilities, and give you a quick demo of how it can be used and how quickly you can get started with scanning your web applications.

Some good things about ZAP are that it does some automated scanning and passive scanning with respect to how it works. What that means is that if you want to actively use some attack types against a site, you can do so. You always want to make sure that you have permission to do so. Then passive scanning for this particular application is interesting, in that, by default, it scans all HTTP messages, meaning that it doesn't change your request. It doesn't respond in any way. If you're generally just browsing through a site, or looking at a site, it's going to collect that data, evaluate it, and in the background, provide you with some contextual information if it finds those responses to be particularly vulnerable to something.

Now, targeted audiences for this tool: system administrators wanting to test web pages for vulnerabilities, web application developers looking to test their applications for vulnerabilities, and penetration testers looking to identify weaknesses in web applications. This tool is great if you're just getting started with security testing or if you are an advanced penetration tester, web application developer, whatever the case may be. It has a place in that lifecycle with you.

Now, while not a requirement to view this information, fundamental knowledge of web application attacks would be beneficial, and fundamental knowledge of web application attack terminology, so attack types and terminology there. Again, we're not going to get into the nitty-gritty of every term and tab, etc. It would be good to understand at a high level what we're looking at and what we're doing. With that in mind, let's go ahead and jump into our demo.

Everybody, welcome. Before we get started, full disclosure here. I updated OWASP to the current version 2.8, because it's got some functions and features that I like. When I had to re-install to the current rolling distribution of Kali, it actually runs 2.7, which doesn't have some of these functions. I actually went to the OWASP site and downloaded the installer for this, and ran it. Even through the terminal, I have to actually go in and start this up. But that's just full disclosure here. If you see something that's different than what you're looking at, that's the reason why. The reason I wanted to do that is, one, when you first get started, it makes OWASP a lot easier to jump into.

Again, this is a web application vulnerability scanner and pen-testing tool. Whether you're a beginner or you're an advanced penetration tester, this tool just has a number of things with respect to passive and active scanning, as well as other functions such as WebSockets and some fuzzing-type functions that it can do as well. But that's just scratching the surface. Again, this is a high-level overview of the tool. We're not going to get super deep, but I do want to show you around.

Now, as a part of this demonstration, I did set up this little website here using Metasploitable. Again, since this has some active scanning capabilities, you just want to make sure that if you're going to use the tool on someone's site, you have their permission to do so. Let's jump in.

We're going to do an automated scan. I'm just going to copy and paste my URL information in here. We'll take that off the end, and then we'll just tell it to attack. If you're like me, I can be a little scattered when it comes to all the different things that it puts up here. But looking from left to right, History gives you some information on the sequence of events and the things that you've looked at there. You can search. It gives you the alerts: the yellow flags are low, orange flags are medium, and then it's got red flags which are high. Then outputs, spidering activity as it crawls through and tries to find information here, and then active scan. This finished pretty quickly; depending on the site you're doing this on, it can take a lot longer to go through this process. But as you can see, it does some path traversal, remote file inclusion. It looks at things like SQL injection, external redirects, buffer overflow. It's hitting on all of those high points with respect to vulnerabilities we'd want to find on websites and the common ones that are associated with websites.

The reason I wanted to do the update was to show you this function: when you right-click a link, you can actually go to Open in URL. There's a number of other options here, but you can open in URL and open Firefox. This helps me to focus and wrap my brain around what I'm looking at and what I'm doing. I like this interface. I just continue to the target here, because it takes the components that you were looking at in OWASP and it gives you the site, so you can see exactly what it is that it's referencing with respect to the page. You've got page alerts that are specific to the page, again, low, medium, high, and then site alerts which is across the site, low, medium, high. The other thing that I like about this is that you've got this Show/Enable. If there were fields on this that maybe were hidden or enabled that you can manipulate or have input to put into, this would allow you to do so. You can see the history down here at the bottom. It shows you everything that it did. You can go back and actually see what OWASP was doing with respect to the request it made to this particular URL, and then the response that it got. You can do that for any given area here as well.

If I go to Page Alerts, it breaks it down by that low, medium, half of the page, and then it gives us this X-Frame was not set. Then we can go into the actual link and it pulls up a description of the information, what it is, why it has the risk scores that it has; it provides some reference IDs and information, and then a solution. This makes it a lot cleaner to navigate OWASP. I still am a fan of the traditional panel here. You can find everything I'm looking at here within that. But it's just, for me, it's a lot cleaner to be able to see it in this format.

The other thing that I like here is you can hit that plus sign down on the bottom and do this Show HTML Report, which provides this button. Then you could produce the actual report for the scan. If you're like me, I like being able to do my research at the computer, get everything I need. But then I might generate a PDF report or something like that, and then I like to read it and flip through it, maybe go sit somewhere else and just wrap my brain around what's going on within the report and what next steps I could take from there, but it does that. Then you can print the PDF on this and then have it as a reference for evidence or a report elsewhere as well.

But again, for site alerts, we've got low. This breaks everything down within that. You can go into each of these different areas, and it gives you the referenced link and additional information on the description, as well as some parameters, etc. Now, the other thing that you can do here is that if this were out of scope and you didn't want certain things to happen there, as you can see automatically, it has this such. You can add it to scope and that allows you to take advantage of some additional functions and features, or if it needs to be out of scope, you can remove it from that, so that you don't accidentally do anything you shouldn't be doing.

I know that that's not very deep and there's a lot of additional information that this has, but this is an excellent starting point with respect to this tool. You could easily, without knowing anything about it now, jump in, do a scan of a site that you own, and then start to look through the information for vulnerabilities that it flags and additional information that it provides. With that in mind, let's go ahead and jump back over to our slides.

Well, I hope you enjoyed that high-level overview of OWASP ZAP. In this video, we primarily focused on the automated and passive scanning capabilities and that neat GUI interface that we can lay over the site to view the alerts and site-related activities as they come up. We didn't touch too heavily on the fuzzer capabilities, forced browsing, WebSockets, and things of that nature that are also a part of OWASP ZAP. Again, this tool is very extensive and has some unique capabilities that you can customize and shape to fit your needs and use cases. I encourage you to do additional research on the tool and find some ways that it can fit maybe into your practice or your day-to-day operations. Well, with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.