
Zest and ZAP integration Introduction

dscarson edited this page Aug 16, 2014 · 1 revision

#### What is Zest?

Zest is an experimental, specialized scripting language developed by the
Mozilla security team and intended for use in web-oriented security tools.
https://developer.mozilla.org/en-US/docs/Zest

#### What is ZAP?

ZAP is an easy-to-use integrated penetration-testing tool for finding vulnerabilities
in web applications, with built-in functionality to run Zest scripts.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

#### Quick Guide


#### Installation


#### How is this useful in OWTF?

OWTF does a great job of finding vulnerabilities and building the report,
but unfortunately, in many cases, developers and system administrators lack
the security knowledge needed to understand or reproduce the problem.

Zest integration will help developers and system administrators understand
security issues even when they lack security knowledge or the skill to run
penetration-testing tools.

While it is still necessary to describe vulnerabilities (in reports), this project
will allow security teams to create reproducible test scripts (Zest scripts),
which they can then share with the developers.

Developers can use these scripts to:

- Reproduce the issues
- Create their fixes
- Test the created fixes

Additionally, this will allow OWTF to send HTTP requests (implemented) and Zest scripts (not implemented yet)
to third-party tools such as ZAP.
ZAP will be able to run Zest scripts and replay HTTP requests sent from OWTF.
OWTF will be able to run Zest scripts and send HTTP requests on its own.

Ultimately, exchanging HTTP requests and Zest scripts between OWTF and
third-party tools will be feasible.
This ensures that users can reproduce or verify vulnerabilities found by OWTF
from any third-party tool able to replay HTTP requests or run Zest scripts,
such as ZAP.

#### What features of Zest and ZAP are implemented in OWTF?

- Zest script creator module
- Zest script creation from a single HTTP transaction
- Zest script creation from multiple HTTP transactions (macro of requests)
- HTTP request editing window (from which you can replay the request)
- Zest script console
- "Record a Zest script" functionality
- Zest script runner
- Forward HTTP request to ZAP
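As an added example (not OWTF's own code), the "Zest script creation from a single HTTP transaction" feature sketched in Python: a captured transaction (constructed here) is wrapped in a Zest script whose single request carries a status-code assertion, so a developer can replay it in ZAP and see whether the observed behaviour still occurs. The exact Zest JSON field names are an assumption to check against the Zest documentation.

```python
import json

# Constructed sample transaction (not from the page or from OWTF): the
# fields an OWTF HTTP transaction would carry after capture.
SAMPLE_TRANSACTION = {
    "method": "GET",
    "url": "http://example.test/search?q=owtf",
    "headers": {"User-Agent": "OWTF", "Accept": "text/html"},
    "data": "",
    "status": 200,
}

def transaction_to_zest(tx, title="OWTF transaction"):
    """Wrap one HTTP transaction in a Zest script with a status assertion.

    Field names (elementType markers, statements list, ZestExpressionStatusCode)
    are the Zest JSON format as assumed here; verify by loading the output in ZAP.
    """
    # Zest keeps request headers as one CRLF-separated string.
    header_block = "".join(f"{k}: {v}\r\n" for k, v in tx["headers"].items())
    request = {
        "url": tx["url"],
        "method": tx["method"],
        "data": tx.get("data", ""),
        "headers": header_block,
        # Assert the status OWTF observed, so a replay shows whether it recurs.
        "assertions": [{
            "rootExpression": {
                "code": tx["status"],
                "not": False,
                "elementType": "ZestExpressionStatusCode",
            },
            "elementType": "ZestAssertion",
        }],
        "followRedirects": True,
        "index": 1,
        "enabled": True,
        "elementType": "ZestRequest",
    }
    return {
        "zestVersion": "0.8",
        "title": title,
        "type": "StandAlone",
        "statements": [request],
        "elementType": "ZestScript",
    }

def zest_json(tx):
    """Serialise the script as the JSON text a Zest runner such as ZAP loads."""
    return json.dumps(transaction_to_zest(tx), indent=2)
```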

#### Additional Information

Video tutorial

More resources on Zest: