Thursday 13 August 2015

Securing web @ZAP

After an interesting Mozilla Hackathon session on app and web development, the CMRIT Firefox club has once again come forward with another, even more interesting two-day session on securing the web using OWASP ZAP.
About OWASP ZAP:
ZAP stands for Zed Attack Proxy and is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers.
Some of the built-in features include: an intercepting proxy server, traditional and AJAX web crawlers, an automated scanner, a passive scanner, forced browsing, a fuzzer, WebSocket support, scripting languages, and Plug-n-Hack support. It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added.
First day:




The enthralling two-day session began at CMRIT with the Mozilla representatives and FSAs Sudarshan, Sanjay, Kalyan, Giridhar, Akshay Tiwari and Sumanth. The session opened with Akshay Tiwari giving a brief intro about why Mozilla, the importance of web privacy, and browsing the web without being tracked. He mentioned the importance of net neutrality and surfing the web safely. The speech was followed by Sumanth Damarla, also a Mozillian, giving an introduction to Zed Attack Proxy and its features. Sumanth presented a PowerPoint that highlighted the agenda of OWASP ZAP and introduced the students to its features such as the fuzzer, scanner and web crawlers. As ‘all work and no play makes Jack a dull boy’, the organizers went ahead with an ice-breaking activity where numerous questions from different fields were asked, making the session a bit more interesting and enjoyable. The Mozillians and participants then broke for lunch.
After the lunch break, the session resumed with Sumanth Damarla continuing the introduction of ZAP tools and features like forced browsing and Plug-n-Hack. After the explanation, participants were walked through installing Zed Attack Proxy on their systems to carry out the tasks given. After making sure that the installation was successful and every student had the software, the Mozillians went ahead with explaining a few basics of the tool and a few how-tos. After this, it was called a day. The students looked forward to the second day session to put their knowledge into practice.


Second day:




The second day began with Bharat Chauhan and Shashank, of the Firefox team, recapping everything explained in the first day session, including OWASP ZAP and XAMPP, which is an easy-to-install Apache distribution containing MySQL, PHP and Perl. It is a simple, lightweight Apache distribution that makes it extremely easy for developers to create a local web server for testing purposes. The students were made to install the XAMPP control panel for Tomcat. Tomcat is an application server from the Apache Software Foundation that executes Java servlets and renders web pages that include JavaServer Pages code. BodgeIt is a vulnerable web application. It contains a wide variety of vulnerabilities and is not intended to be hosted in a production environment. After the installation of all required software was complete, OWASP ZAP was used to find the vulnerabilities in the BodgeIt web application, and the tool was then used to work through avoiding them. The AJAX spider was also introduced to the students; it can discover the pages and dynamically built links of a targeted web application, and ZAP can then use those results to find its vulnerabilities.
Later the Mozillians gave a demonstration on finding the vulnerabilities of the official CMRIT college website and how they could be fixed. They were successful in finding a number of vulnerabilities on the website using OWASP ZAP and fixed a few. By the end of the two-day session, the participants had a good grasp of the whole concept of securing the web with ZAP and of finding the vulnerabilities of any web application. The session ended on a happy note, and really cool swag was given to the participants who avoided the most vulnerabilities. Swag was then distributed among all the participants, followed by a photo session with all the participants by the photographer Stephen.
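The workflow the students followed on day two (spider the local BodgeIt instance, run the active scanner, then go through the alerts) can also be driven from ZAP's API. The script below is an added example, not code from the workshop or from the ZAP project. It assumes ZAP is running with its API on 127.0.0.1:8080, that the local XAMPP/Tomcat install serves BodgeIt at localhost:8081/bodgeit/, and that the `python-owasp-zap-v2.4` client (`zapv2`) is installed; the `SAMPLE_ALERTS` records are constructed in ZAP's alert shape so the triage helpers can be tried without a live scan.

```python
# Added example (not from the CMRIT write-up or the ZAP project): drive ZAP's
# API to spider and actively scan a local BodgeIt instance, then triage the
# alerts by risk. Assumed: ZAP API on 127.0.0.1:8080, BodgeIt on
# localhost:8081 behind the local XAMPP/Tomcat install.
import time

TARGET = "http://localhost:8081/bodgeit/"   # assumed local BodgeIt URL
ZAP_API = "http://127.0.0.1:8080"           # assumed ZAP listen address

RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def summarise_alerts(alerts):
    """Group ZAP alert records (dicts as returned by core/view/alerts) by
    risk level. Returns {risk: {"count": n, "names": [distinct alert names]}}."""
    summary = {}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        entry = summary.setdefault(risk, {"count": 0, "names": set()})
        entry["count"] += 1
        entry["names"].add(alert.get("alert", "unknown"))
    for entry in summary.values():
        entry["names"] = sorted(entry["names"])
    return summary


def highest_risk(alerts):
    """Worst risk level present, or None if there are no alerts."""
    present = {a.get("risk", "Informational") for a in alerts}
    for risk in reversed(RISK_ORDER):
        if risk in present:
            return risk
    return None


def affected_params(alerts, name):
    """Distinct (url, param) pairs flagged under one alert name, so the
    developer knows which inputs to fix first."""
    return sorted({(a.get("url", ""), a.get("param", ""))
                   for a in alerts if a.get("alert") == name})


def run_scan(target=TARGET, api=ZAP_API, api_key=None):
    """Spider (classic + AJAX), active-scan, then return ZAP's alert list.
    Needs a running ZAP and the zapv2 client; imported inside the function
    so the triage helpers above work without it (API names assumed from
    the python-owasp-zap-v2.4 client)."""
    from zapv2 import ZAPv2
    zap = ZAPv2(apikey=api_key, proxies={"http": api, "https": api})
    zap.urlopen(target)                       # seed the site tree
    sid = zap.spider.scan(target)
    while int(zap.spider.status(sid)) < 100:
        time.sleep(2)
    zap.ajaxSpider.scan(target)               # crawl dynamically built links too
    while zap.ajaxSpider.status == "running":
        time.sleep(2)
    sid = zap.ascan.scan(target)
    while int(zap.ascan.status(sid)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)


# Constructed sample records in ZAP's alert shape (not real scan output).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": TARGET + "search.jsp", "param": "q"},
    {"alert": "SQL Injection", "risk": "High",
     "url": TARGET + "login.jsp", "param": "username"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": TARGET, "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": TARGET + "contact.jsp", "param": "comments"},
]

if __name__ == "__main__":
    alerts = SAMPLE_ALERTS       # replace with run_scan() against a live ZAP
    summary = summarise_alerts(alerts)
    for risk in reversed(RISK_ORDER):
        if risk in summary:
            print(risk, summary[risk])
```

Run it as-is to see the triage over the constructed records; against a real local BodgeIt, swap `SAMPLE_ALERTS` for `run_scan()` and start with the `affected_params` list for the highest-risk alert name, which is the list of inputs to fix first.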
A huge thanks to everyone who contributed to the event and made it a success. The CMRIT Firefox club is planning regular meetups starting from next week. Hope to see you all there!
Did you like the event? Do let us know. For any feedback or queries, do ping us.
CMRIT Firefox team:
Abhilash
Sistla Madhukar
Bharat Chauhan
Ajay
Sreenivas
Manoj.
Photo credits: Stephen Daniel
Article credits: Tejaswi Srinivas Reddy