Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Zest and ZAP integration Introduction
####What is Zest ?
Zest is an experimental specialized scripting language developed by the Mozilla security team and is intended to be used in web oriented security tools. https://developer.mozilla.org/en-US/docs/Zest
####What is ZAP ?
ZAP is an easy to use integrated penetration-testing tool for finding vulnerabilities in web applications, which has in-built functionality to run Zest Scripts. https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
-Quick guide to get started -Video tutorial
####How is this useful in OWTF ?
OWTF does a great job in finding vulnerabilities and building the report, but unfortunately in many cases developers and system administrators may lack the security knowledge to understand or reproduce the problem. Zest integration will facilitate the understanding of security issues by developers and system-administrators despite their potential lack of security knowledge or lack of skill to run penetration testing tools. While it is necessary to describe vulnerabilities (using Reports), this project will allow security teams to create reproducible test scripts (Zest Scripts), which they can then share with the developers. These scripts can be used by the developers to: -Reproduce the issues -Create their fixes -Test the created fixes Additionally this will allow OWTF to send HTTP requests(implemented) and Zest scripts (not implemented yet) to third party tools, such as ZAP. ZAP will be able to run Zest scripts and send HTTP requests sent from OWTF. OWTF will be able to run Zest scripts and send HTTP requests on its own. Ultimately, information exchange via HTTP requests and Zest scripts from OWTF to third-party tools will be feasible. This will ensure that users can reproduce or verify vulnerabilities found by OWTF from any third party tool able to replay HTTP requests or run Zest scripts, such as ZAP.
####What features of Zest and ZAP are implemented in OWTF ?
- Zest script creator module
- Zest script creation from single HTTP transaction
- Zest script creation from multiple HTTP transaction (macro of requests)
- HTTP request editing window (from which you can replay the request)
- Zest script Console
- Record a Zest script functionality
- Zest script Runner
- Forward HTTP request to ZAP
More resources on Zest : (will be updated soon)