Scripting OWASP ZAP

Simon Bennetts - Zed Attack Proxy Project Leader
19 Oct 2017
14:00 - 18:00
ALT/TAB room

OWASP ZAP is one of the world's most popular free and open source web application security tools. It has an extremely powerful scripting interface that provides full access to all of the ZAP code and data structures.

In this workshop Simon (the ZAP project lead) will introduce all of the different types of scripts that can be written in ZAP. He will then explain each type in detail, describe the situations in which you might choose to use them and demonstrate them in action. Attendees will be able to try the scripts out, try writing new ones and ask any questions that they have. ZAP scripts can be written in JavaScript, Python, Ruby and Zest – a graphical macro language on steroids. All of these will be covered.

Script types include:

  • Active Rules
  • Authentication
  • Fuzzer Http Processor
  • Fuzzer Websocket Processor
  • Http Sender
  • Passive Rules
  • Payload Generator
  • Payload Processor
  • Proxy
  • Script Input Vector
  • Sequence
  • Stand Alone
  • Targeted
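As an added illustration of the Passive Rules type listed above (example code written for this page, not one of ZAP's script templates and not material from the workshop): ZAP calls the script's `scan(ps, msg, src)` once for each message it passively scans, and the script reports findings through `ps.raiseAlert(...)`. The rule below flags HTML responses that can be framed because they carry neither `X-Frame-Options` nor a Content-Security-Policy `frame-ancestors` directive. Everything from `makeMessage` downwards is a constructed stand-in for the `ps` and `msg` objects ZAP supplies, so the rule can be exercised with node outside ZAP; the URLs and header values in `runSamples` are made-up sample responses.

```javascript
// ZAP "Passive Rules" script. ZAP supplies ps (the passive-scan helper),
// msg (the HttpMessage under test) and src (the parsed HTML, unused here).
// Passive scripts must never send requests; they only inspect msg.
// Kept to ES5 (var, function) because ZAP 2.6.0 on Java 8 runs JavaScript
// under Nashorn, which does not accept let/const or arrow functions.

function scan(ps, msg, src) {
    var resHeader = msg.getResponseHeader();
    var contentType = resHeader.getHeader("Content-Type");
    // Only HTML documents can be framed; skip JSON, images and so on.
    if (contentType === null || contentType.toLowerCase().indexOf("text/html") === -1) {
        return;
    }
    if (isFramingProtected(resHeader)) {
        return;
    }
    // raiseAlert(risk, confidence, name, description, uri, param, attack,
    //            otherInfo, solution, evidence, cweId, wascId, msg)
    // risk: 0 info, 1 low, 2 medium, 3 high
    // confidence: 0 false positive, 1 low, 2 medium, 3 high, 4 confirmed
    ps.raiseAlert(1, 2,
        "Missing anti-clickjacking header (script)",
        "The HTML response sets neither X-Frame-Options nor a " +
        "Content-Security-Policy frame-ancestors directive, so it can be framed.",
        msg.getRequestHeader().getURI().toString(),
        "", "", "",
        "Send X-Frame-Options: DENY or SAMEORIGIN, or " +
        "Content-Security-Policy: frame-ancestors 'self'.",
        "", 1021, 15, msg);
}

// True when the response carries a DENY/SAMEORIGIN X-Frame-Options value or a
// CSP with frame-ancestors. Any other X-Frame-Options value (e.g. ALLOWALL,
// typos) is treated as unprotected, which is how browsers behave.
function isFramingProtected(resHeader) {
    var xfo = resHeader.getHeader("X-Frame-Options");
    if (xfo !== null) {
        var v = xfo.trim().toUpperCase();
        if (v === "DENY" || v === "SAMEORIGIN") {
            return true;
        }
    }
    var csp = resHeader.getHeader("Content-Security-Policy");
    return csp !== null && csp.toLowerCase().indexOf("frame-ancestors") !== -1;
}

// --- Constructed stand-ins for the objects ZAP passes in, so the rule can be
// run outside ZAP (e.g. with node). These are NOT part of ZAP's API. ---
function makeMessage(uri, headers) {
    var lookup = {};
    Object.keys(headers).forEach(function (k) { lookup[k.toLowerCase()] = headers[k]; });
    var responseHeader = {
        getHeader: function (name) {
            var v = lookup[name.toLowerCase()];
            return v === undefined ? null : v;   // ZAP returns null for a missing header
        }
    };
    var requestHeader = {
        getURI: function () { return { toString: function () { return uri; } }; }
    };
    return {
        getRequestHeader: function () { return requestHeader; },
        getResponseHeader: function () { return responseHeader; }
    };
}

function makePassiveScanner() {
    var alerts = [];
    return {
        alerts: alerts,
        raiseAlert: function (risk, confidence, name, description, uri) {
            alerts.push({ risk: risk, confidence: confidence, name: name, uri: uri });
        }
    };
}

// Runs the rule over constructed sample responses; returns the URIs it alerted on.
function runSamples() {
    var ps = makePassiveScanner();
    var samples = [
        makeMessage("https://example.test/login", { "Content-Type": "text/html; charset=utf-8" }),
        makeMessage("https://example.test/safe",  { "Content-Type": "text/html", "X-Frame-Options": "DENY" }),
        makeMessage("https://example.test/csp",   { "Content-Type": "text/html",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" }),
        makeMessage("https://example.test/api",   { "Content-Type": "application/json" }),
        makeMessage("https://example.test/weak",  { "Content-Type": "text/html", "X-Frame-Options": "ALLOWALL" })
    ];
    samples.forEach(function (msg) { scan(ps, msg, null); });
    return ps.alerts.map(function (a) { return a.uri; });
}

if (typeof require !== "undefined" && require.main === module) {
    console.log(runSamples());   // only runs under node, never inside ZAP
}
```

Inside ZAP the only functions that matter are `scan` and its helper; the rest is harness. Note that new passive scripts are disabled when first added and have to be enabled in the Scripts tree before they run.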

Attendees should bring a laptop with the latest version of ZAP (2.6.0) installed. The optional Python and Ruby add-ons should be installed if attendees wish to use them. The ‘Check for Updates’ feature should be used to ensure that all of the installed add-ons are on the very latest version. A vulnerable web application to test against is also recommended.