OWASP Zed

Testing tool for web applications

Network attack and defense report by 李冠德

A worldwide not-for-profit charitable organization focused on improving the security of software.

https://www.owasp.org/

Open Web Application Security Project

OWASP

How to build, design and test the security of web applications and web services.

Open Source

https://github.com/zaproxy/zaproxy/wiki/Downloads

Principle

◎ EASY TO USE

◎ OPEN SOURCE

◎ PENTEST WEB APPLICATIONS

◎ ALL FREE

Main Feature

  • Intercepting Proxy
  • Active and Passive Scanners
  • Spider
  • Report Generation
  • Brute Force
  • Fuzzing

Other Feature

  • Port scanner
  • Parameter analysis
  • Session comparison
  • Invoke external apps (CORS)
  • Dynamic SSL Certificates
  • API + Headless mode (console)

Attack Proxy

Basic Test

http://muuuuu.org/

ClickJacking

The evil iframe:
Twitter / Facebook API
Tricking the user into clicking

Technique

Mitigation

X-Frame-Options

Fuzz Attack

Dictionary attack
Vulnerability detection

Technique

Mitigation

CAPTCHA

SQL Injection

inurl:.php?id=

XSS

Reflected XSS (URL...)
Stored XSS (DB)

DOM-based XSS (document.cookie)

Technique

Mitigation

Encode input/output

CSRF

Forged token / submitting data on the user's behalf

Technique

Mitigation

Filter the request domain via headers / verify the token
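The two CSRF mitigations on this slide, header-based domain filtering and token verification, written out as an added example (not code from the slides or from ZAP). The allowed origin, the secret and the sample requests are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption (constructed): the application's own origin and a demo secret.
ALLOWED_ORIGINS = {"https://app.example.com"}
SECRET = b"constructed-demo-secret"

def issue_csrf_token(session_id, secret=SECRET):
    """Per-session token = HMAC(secret, session id); recomputed, not stored."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def origin_allowed(headers):
    """Header filter: Origin (or Referer as fallback) must be one of our domains."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # neither header present: cannot prove same-site, reject
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS

def token_valid(headers, form, session_id):
    """Token check: form or X-CSRF-Token value must equal the derived token (constant-time)."""
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    return hmac.compare_digest(expected, supplied)

def csrf_check(headers, form, session_id):
    """Apply both defenses in order; returns (accepted, reason)."""
    if not origin_allowed(headers):
        return (False, "origin rejected")
    if not token_valid(headers, form, session_id):
        return (False, "token mismatch")
    return (True, "ok")

def demo():
    """Constructed requests: same-site post, cross-site forgery, lost token, no headers."""
    sid = "sess-123"
    token = {"csrf_token": issue_csrf_token(sid)}
    return [
        csrf_check({"Origin": "https://app.example.com"}, token, sid),
        csrf_check({"Origin": "https://attacker.example.net"}, token, sid),
        csrf_check({"Referer": "https://app.example.com/settings?tab=1"}, {}, sid),
        csrf_check({}, token, sid),
    ]
```

Both checks are applied together because a proxy or privacy extension may strip Origin/Referer, while the token alone does nothing if it leaks into a URL.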

API attack

The End

By guansunyata