Arachni & OWASP Zed Attack Proxy - ISWATlab

Transcription

Arachni & OWASP Zed Attack Proxy
Course: Sicurezza delle reti e dei sistemi software (Network and Software Systems Security)
Academic year: 2016/2017

Arachni
http://www.arachni-scanner.com/
- Multi-platform (MS Windows, Mac OS X and Linux)
- Supports highly complicated web applications
- Coded in Ruby
- Different approach to scanning
- Key points: free, simple, distributed, intelligent

Arachni Distributed Architecture
- Uses agents deployed on remote servers
- Designed to integrate into existing infrastructure
- REST API: interoperability with non-Ruby systems; JSON messages; clients poll for scan progress
- RPC API: MessagePack serialization; Grid (distributed scans across dispatchers)

Arachni Example

Arachni Web UI

Arachni on GitHub
https://github.com/Arachni (author: Tasos Laskos)
- Wiki
- Arachni Framework: master (stable) and experimental (alpha) branches
- Arachni Web UI

Arachni CLI interface
- Checks: --checks=*,-csrf (every check except csrf); --checks=xss* (all XSS checks); the default is --checks=* (all checks)
- Audit: --audit-{audit name} enables auditing of an element type that is off by default (for example --audit-headers); the link-template audit type expects a pattern (--audit-link-template=PATTERN)

Arachni CLI Customization (option groups)
Generic, Scope, Output, HTTP, Input, Session, Report, Plugin

Arachni CLI Plugins
List the available plugins:
arachni --plugins-list
Login with the autologin plugin (the plugin submits the given parameters to the login URL, then verifies that the response matches the check pattern):
arachni http://10.10.30.25:90 --plugin=autologin:url=http://10.10.30.25:90,parameters="name=user&pass=user&form_build_id=form-PW9ju5rKh7OXU5uGnk_dGrVGw9AHCtDt2TF65yyhHZQ&form_id=user_login_block&op=Log in",check="My account"
Caveat: a Drupal-style form_build_id is generated when the form is rendered, so copy a fresh value from the login page rather than reusing the one above; if the check pattern ("My account") is not found in the post-login response, the plugin reports the login as failed and the scan runs unauthenticated.

Arachni CLI Messages
[*] status messages
[~] informational messages
[+] success messages
[v] verbose messages
[!] debug messages
[-] error messages

Arachni Report
Convert a scan result (.afr) into a report of the chosen type:
arachni_reporter reportName.afr --reporter=type:outfile=output.type
Report types: XML (experimental branch), HTML (zip), Text, JSON, Stdout
List the available reporters:
arachni_reporter --reporters-list
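A report is only useful once something consumes it, so here is an added example (not Arachni's code and not from the slides) that reads the output of the JSON reporter, drops duplicate findings, counts issues per severity and decides a CI pass/fail. The field names it relies on ("issues", and per issue "name", "severity", "digest", "check.shortname", "vector.url/method/affected_input_name") are the JSON reporter's structure as I know it; confirm them against a report from your installed Arachni version. SAMPLE_REPORT is a constructed stand-in, not real scanner output.

```python
"""Summarise an Arachni JSON report for triage or a CI gate.

Added example for this page; it is not Arachni's own code and not from
the course slides. Input is the file written by
  arachni_reporter scan.afr --reporter=json:outfile=report.json
The field names used here are the JSON reporter's structure as I know
it (assumption): confirm them against a report from your installed version.
SAMPLE_REPORT below is a constructed stand-in, not real scanner output.
"""
import json
from collections import Counter, defaultdict

SEVERITIES = ("high", "medium", "low", "informational")  # Arachni's severity levels


def _issue(name, severity, digest, shortname, vtype, method, url, param=None):
    """Build one constructed issue record in the JSON reporter's shape."""
    return {"name": name, "severity": severity, "digest": digest,
            "check": {"shortname": shortname},
            "vector": {"type": vtype, "method": method, "url": url,
                       "affected_input_name": param}}


# Constructed sample report: two copies of the same XSS finding (same digest),
# one SQLi, one low-severity header finding and one informational issue.
SAMPLE_REPORT = json.dumps({
    "version": "1.5.1",
    "options": {"url": "http://10.10.30.25:90/"},
    "issues": [
        _issue("Cross-Site Scripting (XSS)", "high", 1001, "xss", "form", "post",
               "http://10.10.30.25:90/search", "q"),
        _issue("Cross-Site Scripting (XSS)", "high", 1001, "xss", "form", "post",
               "http://10.10.30.25:90/search", "q"),
        _issue("SQL Injection", "high", 1002, "sql_injection", "link", "get",
               "http://10.10.30.25:90/node", "id"),
        _issue("Missing 'X-Frame-Options' header", "low", 1003, "x_frame_options",
               "server", "get", "http://10.10.30.25:90/"),
        _issue("Interesting response", "informational", 1004, "interesting_responses",
               "server", "get", "http://10.10.30.25:90/admin"),
    ],
})


def load_issues(report_text):
    """Parse the JSON report and drop duplicate issues (same digest)."""
    report = json.loads(report_text)
    seen, unique = set(), []
    for issue in report.get("issues", []):
        # The digest identifies a finding; fall back to name+vector if it is absent.
        key = issue.get("digest") or (issue["name"],
                                      json.dumps(issue.get("vector"), sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        unique.append(issue)
    return unique


def count_by_severity(issues):
    """Return {severity: count} with every level present (zero if unused)."""
    counts = Counter(i["severity"].lower() for i in issues)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def group_by_input(issues):
    """Map (url, METHOD, input name) -> issue names: the unit a developer fixes."""
    groups = defaultdict(list)
    for i in issues:
        v = i.get("vector", {})
        key = (v.get("url"), (v.get("method") or "").upper(), v.get("affected_input_name"))
        groups[key].append(i["name"])
    return dict(groups)


def fails_gate(issues, max_high=0, max_medium=None):
    """CI gate: True when the scan has more high (or medium) issues than allowed."""
    counts = count_by_severity(issues)
    if counts["high"] > max_high:
        return True
    return max_medium is not None and counts["medium"] > max_medium


if __name__ == "__main__":
    issues = load_issues(SAMPLE_REPORT)
    print(count_by_severity(issues))
    for (url, method, param), names in sorted(group_by_input(issues).items(), key=str):
        print(f"{method} {url} [{param}]: {', '.join(names)}")
    print("gate:", "FAIL" if fails_gate(issues) else "PASS")
```

Deduplicating on the digest matters when the same scan is re-run or merged: Arachni assigns one digest per distinct finding, so two reports of the same XSS on the same input collapse to one entry instead of inflating the counts that drive the gate.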

Arachni Report Example

Arachni Report Example (2)

OWASP Zed Attack Proxy
www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Open-source web application security scanner
- Linux, Windows, OS X
- Fully translated into over 25 languages
- Raspberry Pi supported
- Good community
- ZAP is a fork of Paros Proxy

OWASP Zed Attack Proxy: Functionality
- Intercepting proxy
- Traditional and AJAX spiders
- Automated (active) scanner
- Passive scanner
- Forced browsing
- Fuzzer
- Dynamic SSL certificates
- Authentication and session support

OWASP Zed Attack Proxy: User Interface

OWASP Zed Attack Proxy: Context

OWASP Zed Attack Proxy: API

OWASP Zed Attack Proxy: API client libraries by programming language
- Java (official)
- Python (official)
- Node.js (in progress)
- PHP (in progress)
- Ruby (no information)
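Whatever client library you pick, the API behind it is the same start-a-job, poll-its-status, fetch-the-results loop (the same pattern the slides describe for Arachni's REST API). The added example below, which is not code from the ZAP project or from the course, drives that loop over ZAP's plain JSON API with urllib so it needs nothing beyond the standard library. The endpoints it uses (spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts) and the {"code", "message"} error envelope are the ZAP 2.x API as I know it; check them against the API UI of your ZAP build. ZAP_HOST, ZAP_APIKEY and TARGET are placeholders, and FakeZap is a constructed stand-in so the flow can be run and tested offline.

```python
"""Drive ZAP through its JSON API: spider, wait, active scan, wait, collect alerts.

Added example for this page; it is not code from the ZAP project or from
the course. It calls the plain HTTP API
(http://<zap>/JSON/<component>/<action|view>/<name>/?...&apikey=...) with
urllib instead of the official Python client. Endpoint names and the error
envelope are assumptions from the ZAP 2.x API as I know it; ZAP_HOST,
ZAP_APIKEY and TARGET are placeholders; FakeZap is a constructed stand-in.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_HOST = "http://127.0.0.1:8080"   # placeholder: ZAP's API/proxy listen address
ZAP_APIKEY = "change-me"             # placeholder: the key set under Tools > Options > API
TARGET = "http://10.10.30.25:90/"    # the deck's target host, reused as a placeholder


def http_get(url):
    """Real transport: fetch a ZAP API URL and return the body as text."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


class ZapApi:
    """Minimal ZAP JSON-API client; `fetch` and `sleep` are injectable for tests."""

    def __init__(self, base=ZAP_HOST, apikey=ZAP_APIKEY, fetch=http_get, sleep=time.sleep):
        self.base, self.apikey, self.fetch, self.sleep = base.rstrip("/"), apikey, fetch, sleep

    def call(self, component, kind, name, **params):
        """GET /JSON/<component>/<kind>/<name>/ and decode the JSON answer."""
        params["apikey"] = self.apikey
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
        data = json.loads(self.fetch(url))
        if isinstance(data, dict) and "code" in data and "message" in data:
            # ZAP reports failures (e.g. bad_api_key) as a JSON error envelope, not HTTP 200 data
            raise RuntimeError(f"ZAP API error {data['code']}: {data['message']}")
        return data

    def wait_for(self, component, scan_id, poll=2.0):
        """Poll <component>/view/status until the scan reports 100 percent."""
        while True:
            status = int(self.call(component, "view", "status", scanId=scan_id)["status"])
            if status >= 100:
                return status
            self.sleep(poll)


def run_scan(api, target, poll=2.0):
    """Spider, then active-scan, then return alerts grouped by risk."""
    spider_id = api.call("spider", "action", "scan", url=target, recurse="true")["scan"]
    api.wait_for("spider", spider_id, poll)
    ascan_id = api.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    api.wait_for("ascan", ascan_id, poll)
    alerts = api.call("core", "view", "alerts", baseurl=target)["alerts"]
    by_risk = {}
    for a in alerts:  # real alerts carry more fields (cweid, evidence, solution, ...)
        by_risk.setdefault(a["risk"], []).append((a["alert"], a["url"], a.get("param", "")))
    return by_risk


class FakeZap:
    """Constructed offline stand-in for ZAP: answers the calls above, 50% then 100%."""

    def __init__(self):
        self.status_calls = {"spider": 0, "ascan": 0}

    def __call__(self, url):
        parts = urllib.parse.urlparse(url)
        query = urllib.parse.parse_qs(parts.query)
        if query.get("apikey") != [ZAP_APIKEY]:
            return json.dumps({"code": "bad_api_key", "message": "Provided API key is incorrect"})
        if parts.path.endswith("/action/scan/"):
            return json.dumps({"scan": "0"})
        if parts.path.endswith("/view/status/"):
            component = parts.path.split("/")[2]          # "spider" or "ascan"
            self.status_calls[component] += 1
            done = self.status_calls[component] > 1       # first poll 50%, then 100%
            return json.dumps({"status": "100" if done else "50"})
        if parts.path.endswith("/core/view/alerts/"):
            return json.dumps({"alerts": [
                {"risk": "High", "alert": "Cross Site Scripting (Reflected)",
                 "url": TARGET + "search?q=x", "param": "q"},
                {"risk": "Low", "alert": "X-Frame-Options Header Not Set",
                 "url": TARGET, "param": ""},
            ]})
        return json.dumps({"code": "no_implementor", "message": "No implementor"})


if __name__ == "__main__":
    # Against a live instance use ZapApi(ZAP_HOST, ZAP_APIKEY) with the default transport.
    api = ZapApi(fetch=FakeZap(), sleep=lambda _s: None)
    for risk, items in run_scan(api, TARGET).items():
        for name, url, param in items:
            print(f"{risk:<6} {name} at {url} [{param}]")
```

Two practical points the flow encodes: spider before active scan, because the active scanner only attacks what is already in the site tree, and always send the API key, since a ZAP with an API key configured answers every unauthenticated call with the error envelope rather than data.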

Paros
https://sourceforge.net/projects/paros/
- Java-based HTTP/HTTPS proxy
- Assessing web application vulnerabilities
- Tampering with requests
- Spider
- Intelligent scanning for XSS and SQL injection
- Client certificate support

Any Questions?
