UPDATE OWASP Zed Attack Proxy (ZAP) v 2.0.0 - an easy-to-use integrated penetration testing tool for finding vulnerabilities in Web applications
OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in Web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Some of ZAP's features:
- Intercepting Proxy
- Active scanner
- Passive scanner
- Brute Force scanner
- Spider
- Fuzzer
- Port Scanner
- Dynamic SSL certificates
- API
- Beanshell integration
Some of ZAP's characteristics:
- Easy to install (just requires Java 1.7)
- Ease of use a priority
- Comprehensive help pages
- Fully Internationalized
- Under active development
- Open source
- Free (no paid-for 'Pro' version)
- Cross platform
- Involvement actively encouraged
It supports the following languages:
- English
- Brazilian Portuguese
- Chinese
- Danish
- Filipino
- French
- German
- Greek
- Indonesian
- Italian
- Japanese
- Persian
- Polish
- Russian
- Spanish
Download version 2.0.0 from here
ZAP_2.0.0_Windows.exe
ZAP_2.0.0_Linux.tar.gz
ZAP_2.0.0_Mac_OS_X.zip
OWASP Zed Attack Proxy v 2.0.0 released on 30-Jan-2013
There is a new version of the OWASP Zed Attack Proxy (ZAP) available right now, and there are so many changes in it that we’ve decided to call it version 2.0.0.
If you just want to get stuck in and download it then head over to http://code.google.com/p/zaproxy/downloads/list; it's available for Windows, Linux and Mac OS.
(Note that the Mac OS specific release is coming soon, but the Linux release is actually cross platform and will work fine on Macs)
And if you want to learn a bit more about the changes then read on...
We can only cover the new features at a high level in one blog post, but the plan is to host a Google hangout demonstrating many of these features at 17:00 UTC on Friday 8th Feb. Details to be announced via https://twitter.com/zaproxy
Simon will also be presenting a talk at FOSDEM on Feb 2nd: Practical Security for developers, using OWASP ZAP
- A replacement for the 'standard' Spider
- A new 'Ajax' spider
- Web Socket support
- Quick Start tab
- Session awareness
- User defined Contexts
- Session scope
- Different modes
- A scripting console
- Authentication handling
- More API support
- Fine grained scanning controls
- New and improved active and passive scanning rules
- Many stability and usability fixes
New features
An integrated add-ons marketplace
ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so it's a Google code project called zap-extensions, but you get the idea).
More importantly, you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled), so you won't even need a restart.
You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons, you can get the latest rules as soon as they are published.
A replacement for the 'standard' Spider
The 'old' Spider was showing its age, so it's been completely rewritten, and is much faster and more comprehensive than the old one. This is still a 'traditional' spider that analyses the HTML code for any links it can find.
A new 'Ajax' spider
In addition to the 'traditional' spider we've added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project, which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side.
Web Socket support
ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly.
You can also fuzz WebSocket messages using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
Quick Start tab
The first main tab you will now see is a 'Quick Start' tab which allows you to just type in a URL and scan it with one click.
This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting.
Session awareness
ZAP is now session aware, so it can recognise and keep track of multiple sessions. You can create new sessions and switch between them, and session awareness applies to all of the other components, like the Spider and Active Scanner.
User defined Contexts
You can now define any number of 'contexts': related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details.
Session scope
The session scope allows you to specify which contexts you are interested in at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode.
Different modes
ZAP now supports 3 modes:
- Safe, in which no potentially dangerous operations are permitted
- Protected, in which you can perform any actions on URLs in scope
- Standard, in which you can do anything to any URLs
A scripting console
This allows you to access any internal ZAP data structures dynamically using any scripting language that supports JSR 223.
Authentication handling
You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests.
More API support
The REST API has been significantly extended, giving you much more access to the functionality ZAP provides.
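As an added illustration of the regression-test use mentioned above (this is example code, not code from the ZAP project), the Python below drives the spider and active scan through the REST API and fails a build on any alert at or above a chosen risk level. It assumes ZAP listening on localhost:8080 with the API enabled and the spider, ascan and core API components available (the ascan endpoints may need a release newer than 2.0.0); the alert field names risk, alert and url are taken from the core/view/alerts output and are assumed stable.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://localhost:8080"  # assumed ZAP address; the API shares the proxy port
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api(component, kind, name, **params):
    """GET /JSON/<component>/<kind>/<name>/?... and decode the JSON reply."""
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, poll=2):
    """Poll <component>/view/status until ZAP reports 100 percent done."""
    while int(api(component, "view", "status")["status"]) < 100:
        time.sleep(poll)


def evaluate_alerts(alerts_json, fail_at="Medium"):
    """Return (passed, summary) for a core/view/alerts reply; the field names
    'risk', 'alert' and 'url' are assumed from that view's output."""
    threshold = RISK_ORDER[fail_at]
    counts = {level: 0 for level in RISK_ORDER}
    failing = []
    for a in alerts_json.get("alerts", []):
        counts[a["risk"]] += 1
        if RISK_ORDER[a["risk"]] >= threshold:
            failing.append(f'{a["risk"]}: {a["alert"]} at {a["url"]}')
    return not failing, {"counts": counts, "failing": failing}


def regression_scan(target, fail_at="Medium"):
    """Spider, then active scan, then evaluate the alerts for the target.
    Assumes the spider, ascan and core API components exist in the running ZAP."""
    api("spider", "action", "scan", url=target)
    wait_for("spider")
    api("ascan", "action", "scan", url=target)
    wait_for("ascan")
    return evaluate_alerts(api("core", "view", "alerts", baseurl=target), fail_at)


# Constructed sample reply, shaped like core/view/alerts, so the pass/fail
# logic can be exercised without a running ZAP instance.
SAMPLE_ALERTS = {"alerts": [
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://app.example/search?q=x"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "http://app.example/"}]}
```

In a CI job, call `regression_scan("http://your-app")` after the application is deployed behind ZAP and fail the build when the first element of the result is False.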
Fine grained scanning controls
The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues.
New and improved active and passive scanning rules
We have uploaded the results from running ZAP 2.0.0 against wavsep (the most comprehensive open source evaluation project we are aware of) to the ZAP wiki: http://code.google.com/p/zaproxy/wiki/TestingWavsep