Welcome, all readers!
This is Akhil from the "MOZILLA HYDERABAD" community. Today we are going to discuss the "ZAP" project. The project is about securing the web; it ran for about 5 weeks, on every Saturday, for about 6 days. The event was very different from the regular ones, and lots of new things were learnt by the participants.
Sorry, readers, I didn't attend day 1 of this ZAP project, so let me start with day 2.
Day 2:
On day 2 the event was started by our speaker cum trainer Sumanth Damarla at the Firefox community space "COLLAB HOUSE".
The trainer Sumanth gave an introduction to ZAP and covered topics such as:
UI
Intercepting
Fuzzing concepts
Proxy concepts
Testing web application
Participants had a hands-on session on testing a web application; they tested a demo site called
http://demo.testfire.net/
Today the participants learnt about ZAP and the concepts related to it, and they felt great when they were testing a web application for the first time. The people around us were so curious to learn. The day ended with the distribution of the "Securing Web @ZAP day-2" worksheet, which was pretty interesting!
And finally day 2 ended.
Day 3:
Day 3 started in a little different way: as the participants had got an overview of the ZAP project, they were curious to know what further things were part of the training. The speaker Sumanth started with a discussion of the day 2 worksheet and explained the main terms on it.
The key terms present in the worksheet are as follows:
- Clickjacking
- X-Frame-Options
- Port 80 & Port 443
- HTTP & HTTPS
- Privilege level
- Third party API function
- Blacklisting
- Whitelisting
2) X-Frame-Options, which offers partial protection against clickjacking. There are three possible values for X-Frame-Options:
-> DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
-> SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
-> ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.
3) Port 80 & Port 443:
Port 80 is the port that a web server "listens on", i.e. the port on which it expects to receive requests from a web client, assuming the default was taken when the server was configured or set up.
Port 443 is for SSL (HTTPS). Since SSL is "opaque" to outsiders, firewalls cannot see what is going on inside it, and cannot do some kinds of transparent proxying.
4) HTTP & HTTPS – The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed hypermedia information systems, and it is the foundation of data communication for the World Wide Web. HTTPS – "HTTPS Everywhere" is a browser extension for Firefox and Chrome that encrypts our communications with many websites, making your browsing more secure.
5) Privilege level – A privilege level in the x86 instruction set controls the access of the program currently running on the processor to resources such as memory regions and special instructions.
6) Third party API function – We can build our own cloud code module by integrating with third-party APIs.
7) Blacklisting – It is a method of rejecting script or data content that matches a list of known-bad values, so that it never enters the application.
8) Whitelisting – It is a method of validation where we verify whether the given input is correct or not.
9) Input validation can be used to detect unauthorized input before it is processed by the application. A whitelist tests the received input against a list of possible correct inputs. To do this you would compile a list of all the good input values/conditions, then verify that the input received IS one of these correct conditions.
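The X-Frame-Options item above is the kind of thing ZAP flags when it passively inspects responses. The following is an added example (not code from the original post or from the ZAP project) that applies the same check to a set of constructed HTTP response headers: it accepts the three values the worksheet lists, treats ALLOW-FROM as only partial protection, and reports a missing or misspelt header as a clickjacking risk.

```python
"""Check response headers for the X-Frame-Options clickjacking protection.

Added example, not from the original post or the ZAP project.  The sample
responses below are constructed for illustration.
"""

from typing import Dict, Tuple

# Constructed sample responses.  Header names are compared case-insensitively,
# as HTTP requires, so "x-frame-options" and "X-Frame-Options" are the same header.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "login page":   {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "dashboard":    {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "embed widget": {"Content-Type": "text/html",
                     "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "old page":     {"Content-Type": "text/html"},                          # header missing
    "typo page":    {"Content-Type": "text/html", "X-Frame-Options": "SAME-ORIGIN"},
    "image":        {"Content-Type": "image/png"},                          # not a document
}


def check_x_frame_options(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, detail) for one response.

    verdict is one of:
      "ok"      - DENY or SAMEORIGIN: framing by other sites is blocked
      "weak"    - ALLOW-FROM: only honoured by some browsers, so partial protection
      "invalid" - header present but not one of the three defined values;
                  browsers ignore unknown values, so this gives no protection
      "missing" - no header: the page can be framed by any origin (clickjacking risk)
      "n/a"     - not an HTML document, so framing protection does not apply
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if not lowered.get("content-type", "").startswith("text/html"):
        return "n/a", "not an HTML document"
    value = lowered.get("x-frame-options")
    if value is None:
        return "missing", "X-Frame-Options not set; page can be framed by any origin"
    token, _, origin = value.strip().partition(" ")
    token = token.upper()
    if token in ("DENY", "SAMEORIGIN"):
        return "ok", f"X-Frame-Options: {token}"
    if token == "ALLOW-FROM" and origin.strip():
        return "weak", f"ALLOW-FROM {origin.strip()} (not honoured by all browsers)"
    return "invalid", f"unrecognised value {value!r}; browsers ignore it, so no protection"


def report(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Run the check over every named response and collect the verdicts."""
    return {name: check_x_frame_options(headers) for name, headers in responses.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in report(SAMPLE_RESPONSES).items():
        print(f"{name:12} {verdict:8} {detail}")
```

The "typo page" case is the one worth remembering: a header that is present but misspelt is silently ignored by the browser, which is why a check should compare against the exact defined values rather than just testing whether the header exists. The ALLOW-FROM value is reported as "weak" because current browsers do not honour it; the Content-Security-Policy frame-ancestors directive is the modern replacement.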
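Items 7 to 9 contrast blacklisting with whitelisting. The following is an added example (not from the original post or from ZAP) that puts the two side by side on constructed form fields: a denylist that rejects known-bad fragments, and an allowlist that describes exactly what a correct value looks like. The field names, patterns and sample inputs are all made up for the illustration.

```python
"""Whitelist (allowlist) versus blacklist (denylist) input validation.

Added example, not code from the original post or from ZAP.  Field rules and
sample inputs are constructed for illustration.
"""

import re
from typing import Dict, List, Tuple

# Blacklist approach: reject any input containing a known-bad fragment.
DENYLIST = ("<script", "javascript:", "onerror=")


def denylist_accepts(value: str) -> bool:
    """Accept unless a listed fragment appears verbatim.

    Weakness: anything not on the list (a different letter case, a vector
    nobody thought of, a logic error such as a negative quantity) gets through.
    """
    return not any(bad in value for bad in DENYLIST)


# Whitelist approach: for each field, the complete description of a good value.
ALLOWLIST_RULES: Dict[str, re.Pattern] = {
    "username": re.compile(r"[A-Za-z0-9_]{3,16}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),   # 1 .. 9999
    "country":  re.compile(r"IN|US|GB|DE"),       # closed set of codes
}


def allowlist_accepts(field: str, value: str) -> bool:
    """Accept only a value that fully matches the pattern for its field.

    An unknown field has no rule, so it fails closed rather than open.
    """
    rule = ALLOWLIST_RULES.get(field)
    if rule is None:
        return False
    return rule.fullmatch(value) is not None


def compare(field: str, value: str) -> Tuple[bool, bool]:
    """Return (denylist verdict, allowlist verdict) for one input."""
    return denylist_accepts(value), allowlist_accepts(field, value)


# Constructed inputs: (field, value, why the case is interesting)
SAMPLES: List[Tuple[str, str, str]] = [
    ("username", "akhil_07", "normal value"),
    ("username", "<script>alert(1)</script>", "listed fragment, both reject it"),
    ("username", "<SCRIPT>alert(1)</SCRIPT>", "case variant slips past the denylist"),
    ("username", "bob'--", "not on the denylist at all"),
    ("quantity", "25", "normal value"),
    ("quantity", "-1", "negative quantity: a logic error the denylist never looks for"),
    ("country", "IN", "normal value"),
    ("country", "IN; DROP", "garbage appended to a valid code"),
]


def run_samples() -> List[Tuple[str, str, bool, bool]]:
    """Evaluate every sample under both approaches."""
    return [(field, value, *compare(field, value)) for field, value, _ in SAMPLES]


if __name__ == "__main__":
    print(f"{'field':9} {'value':28} denylist allowlist")
    for field, value, why in SAMPLES:
        deny_ok, allow_ok = compare(field, value)
        print(f"{field:9} {value:28} {str(deny_ok):8} {str(allow_ok):9}  {why}")
```

The point of the comparison is the third and sixth rows: the denylist only knows the exact strings it was given, so a case change or a value that is simply wrong for the field passes, while the allowlist rejects everything that is not positively known to be good. Whitelisting is also the approach that needs no updating when a new attack string appears, because it never tried to enumerate bad input in the first place.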
Day 4:
After 3 days the participants were still not fed up; as the days went on, the enthusiasm also increased rapidly. Finally, from day 3, participation and collaboration also started. This week some more things were learnt by the participants:
1. BodgeIt
2. User Interface of ZAP
1. BodgeIt: The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing. It is:
Open source
Easy to install - just requires Java and a Servlet engine, e.g. Tomcat
Cross platform
The BodgeIt Store includes the following significant vulnerabilities:
Cross Site Scripting
Application logic vulnerabilities
Cross Site Request Forgery
Debug code
BodgeIt Store installation:
https://www.youtube.com/watch?v=DJmEwkz6DN0
2. User Interface of ZAP: One of the concepts under the user interface of ZAP is Swing Explorer. It is used for GUI programming, which is hard: it is a graphical tool that lets us inspect the internal structure of a Swing user interface, which helps us understand how a user interface is composed.
Day 5:
After gaining a lot of knowledge through all these days of a very long journey on open web security, unknowingly we have reached day 5.
Day 5 started with a discussion of the concepts of ZAP extensions and turning ZAP extensions into add-ons.
ZAP extensions:
ZAP extensions are Java packages that extend the existing functionality within OWASP ZAP. This concept could be called the "Extension Mechanism", which provides a standard way to create custom features or APIs for Java applications.
Creating a ZAP extension can be done in five steps:
Download source code and Build ZAP
Create new extension
Define message.properties file(s)
Refresh and Run
Add New Libraries
ZAP extensions into add-ons:
Now that we have the example extension ready, you can proceed to make this extension an add-on. Any new add-on can be considered to be in the first development stage, 'alpha'. There are indeed 3 development stages:
alpha
beta
final(trunk)
Day 6:
Finally we entered the 6th day of the ZAP project, which is the final day. After a lot of hard work across all these days of the journey, and after learning a hell of a lot of new things, we were eagerly waiting to complete the mission.
The day started with a discussion of the concepts of Internationalization with Crowdin.
Internationalization-Crowdin:
Internationalization with Crowdin was described by Sanjay. Crowdin is a localization project management platform and translation tool for developers and website owners; it makes it easy to work with content being translated.
Technical documentation:
The technical documentation was described by Sumanth Damarla. As part of Internationalization with Crowdin, we all did a task of translating English to Hindi ( जैप का नाया रुप !! ), and it was a good experience for us.
Brainstorming session:
After completing the technical documentation, we had a brainstorming session between the speaker and the participants about the previous sessions of ZAP.
Hope you like this article. Thank you, readers. That's all for today; have a good day :) :) :)
THE ZAP PROJECT #OWASP #ZAP #FSA #MOZILLA #OPENWEB #SECURING THE WEB