OWASP Zed
Testing tool for web application
網路攻防報告 李冠德
worldwide not-for-profit charitable organization focused on improving the security of software.
https://www.owasp.org/
Open Web Application Security Project
OWASP
How to build, design and test the security of web applications and web services.
Open Source
https://github.com/zaproxy/zaproxy/wiki/Downloads
Principle
◎ EASY TO USE
◎ OPEN SOURSE
PENTEST WEB APPLICATION
◎ ALL FREE
Main Feature
- Intercepting Proxy
- Active and Passive Scanners
- Spider
- Report Generation
- Brute Force
- Fuzzing
Other Feature
- Port scanner
- Parameter analysis
- Session comparision
- Invoke external apps (CORS)
- Dynamic SSL Certificates
- API + Headless mode (console)
Attack Proxy
Basic Test
http://muuuuu.org/
ClickJacking
萬惡 iframe:
Twitter Facebook API 誘騙點擊
手法
解法
X-Frame-Options
Fuzz Attack
字典攻擊
弱點偵測
手法
解法
captcha
SQL Injection
inurl:.php?id=
XSS
Reflected XSS (URL...)
Stores XSS (DB)
Dom-based XSS (document.cookie)
手法
解法
Encoding input/output
CSRF
偽造 Token / 傳送資料
手法
解法
Header 過濾網域 / Token 檢驗