ZAP in Ten Videos - feedback wanted


psiinon

Feb 4, 2020, 11:23:57 AM
to zaprox...@googlegroups.com, OWASP ZAP Developer Group
We now have 11 videos available via https://www.alldaydevops.com/zap-in-ten

And we'd like your feedback, e.g.:
  • Do you find them useful?
  • Are they pitched at the right level?
  • What else would you most like to see covered?
  • Anything else you'd like to say about them?
Please reply to this thread...

Many thanks,

Simon

--
OWASP ZAP Project leader

Wisam Almarany

Feb 5, 2020, 6:20:11 AM
to OWASP ZAP User Group
They are good, I still do not know how to use ZAP to deal with a login issue in active scanning.

Simon Bennetts

Feb 5, 2020, 7:46:18 AM
to OWASP ZAP User Group
Yeah, we're going to work up to that, it's non-trivial as you've probably seen.

Simon Bennetts

Feb 7, 2020, 4:06:39 AM
to OWASP ZAP User Group
We recorded a couple more episodes yesterday so they should hopefully be available soon.
And we've decided to record some authentication sessions next week.

Does anyone here have online (or locally installable) examples of sites you've had problems configuring ZAP to authenticate with?
I can demo simple examples like bodgeit and Juice Shop but it would be good to have at least one more complicated example.
Sites that use (re)captcha type techs don't count ;)

Cheers,

Simon

Sarvesh Sonawane

Feb 7, 2020, 4:19:18 AM
to OWASP ZAP User Group
Hi Simon

Thank you for such a great tool, and continued support on it.

Most of the pain is in authentication with ScriptBasedAuthentication and AzureAD (or any such), where multi-layer token transactions are happening between servers, and as most corporate clients are using this protection, addressing this in some tutorial would be really great.

Simon Bennetts

Feb 7, 2020, 4:53:12 AM
to OWASP ZAP User Group
Thanks for the feedback :)

The problem is that I don't have access to these sorts of systems, which means I can't really demo how to configure ZAP to handle them.
That's why I'm asking for online / locally installable examples I can show how to configure ZAP with :)

Ted James

Mar 2, 2020, 12:00:51 AM
to OWASP ZAP User Group
Simon,

I just finished watching all 11 videos. They are very useful. It's great having you explain the features in such detail. I can see there being a few hundred of these, eventually. I'm actually going back through the videos and documenting the steps for each function for my own use. Then I can practice at my own pace and use them in my work. The only thing I don't like is the volume of the intro and outro sounds. It's way too loud compared to that of the rest of the video.

Can ZAP do credentialed scans? If so, I would love to see a demonstration.

Thanks for all of the hard work in making such a great and useful tool.

Ted

Simon Bennetts

Mar 2, 2020, 4:15:04 AM
to OWASP ZAP User Group
Thanks Ted!

We've got a load more recorded, they just need tidying up and posting - I don't add the intro/outro but I've passed on your feedback so hopefully they will be quieter :)
Some of those include simple authentication. We're working up towards scripting arbitrary authentication but for that I first want to cover a lot more about scripting.
Right now we've not set any limit on how many we'll produce, so yes, in time there could be 100s :D

Have you thought of publishing your notes on these videos on a blog?
I'm sure lots of other people would be interested in them:)

Many thanks,

Simon

Ted James

Mar 2, 2020, 11:59:55 AM
to OWASP ZAP User Group
Simon,

Thanks for your reply. I definitely plan to share my notes. I just need to clean them up and test them. But I am happy to share them with the community. I'm also basing some of them on training I've found on Udemy and YouTube.

Thanks,

Ted

David Medinets

Mar 20, 2020, 11:55:23 AM
to OWASP ZAP User Group
I'd love to watch the videos to learn more about ZAP but nothing happens when I click on them.

kingthorin+owaspzap

Mar 20, 2020, 5:27:59 PM
to OWASP ZAP User Group
What browser/platform?

I just checked via Chrome on an Android tablet and it's slow for them to load the pinkish play button but then they seem to start fine.

David Medinets

Mar 21, 2020, 12:12:38 PM
to OWASP ZAP User Group
I was using Brave. It is working fine today. Thanks for responding so quickly.

Simon Bennetts

Mar 23, 2020, 1:25:34 PM
to OWASP ZAP User Group
And another 5 videos, introducing both authentication and scripting, are now available via https://www.alldaydevops.com/zap-in-ten

Ted James

Mar 23, 2020, 5:29:45 PM
to zaprox...@googlegroups.com
Fantastic! Looking forward to watching them and learning!

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/fd98df61-b36e-4abe-ac55-331bdca91fef%40googlegroups.com.

Simon Bennetts

Apr 3, 2020, 5:48:48 AM
to OWASP ZAP User Group
2 more videos have been added to https://www.alldaydevops.com/zap-in-ten on passive and active scan scripts :)

It would be good to know what you think of these videos:
  • are they helpful?
  • do they include enough detail?
  • or too much??
  • what else would you like covered?
Cheers,

Simon


Debanjan Bhattacharjee

Apr 3, 2020, 7:12:34 AM
to zaprox...@googlegroups.com
Hi Simon,
Just getting started with the ZAP in Ten. Here is my review comment on the first video:

ZAP in Ten: Welcome

  • Are they helpful? Yes, it is. This video comprehensively describes why to use ZAP, how it caters to testing of the OWASP Top 10, the preferred manual / automated approach and where to place ZAP in DevOps.
  • Do they include enough detail? Yes
  • Or too much? No, it was just perfect.
  • What else would you like covered? So far it's good to go.

Thanks and Regards
Debanjan


Simon Bennetts

Apr 3, 2020, 7:18:12 AM
to OWASP ZAP User Group
Thanks Debanjan!

Debanjan Bhattacharjee

Apr 3, 2020, 7:53:51 AM
to zaprox...@googlegroups.com
Hi Simon,
Here is my review comment on the second video:

ZAP: Resource Downloads

  • Are they helpful? Yes, it was.
  • Do they include enough detail? Yes
  • Or too much? No, it was just perfect.
  • What else would you like covered? The "OWASP ZAP core project" GitHub page earlier contained links to almost all the necessary resources and documentation, which seem to have been moved somewhere else as of now. Can those items be brought back within the OWASP ZAP core project page?

Thanks and Regards
Debanjan


Simon Bennetts

Apr 3, 2020, 8:10:55 AM
to OWASP ZAP User Group

On Friday, 3 April 2020 12:53:51 UTC+1, Debanjan Bhattacharjee wrote:
  • What else would you like covered? The "OWASP ZAP core project" GitHub page earlier contained links to almost all the necessary resources and documentation, which seem to have been moved somewhere else as of now. Can those items be brought back within the OWASP ZAP core project page?

The main ZAP github repo links to https://www.zaproxy.org/ which is where we are centralizing all of our content - tbh it was a mess before.
Which links are you no longer able to find?

Debanjan Bhattacharjee

Apr 3, 2020, 8:18:18 AM
to zaprox...@googlegroups.com
Hi Simon,

I have just started with your ZAP in Ten video series, and in the second video you showed us different links/sources/documents in the GitHub page which aren't there currently. So I just updated you about it. As you redirected, this page https://www.zaproxy.org/ seems to contain some of those valuable links. That will do for now. Thanks again.

Regards
Debanjan


Debanjan Bhattacharjee

Apr 6, 2020, 6:18:06 PM
to zaprox...@googlegroups.com
Hi Simon,
Here is my review comment on the third video:

ZAP in Ten: Exploring Your Applications

  • Are they helpful? Extremely helpful.
  • Do they include enough detail? Yes
  • Or too much? No, it was just perfect.
  • What else would you like covered? I would suggest updating the download links for JuiceShop and WebGoat applications within The OWASP ZAP core project page or any other relevant page, which can be of immense help to DevOps/QA engineers starting with OWASP ZAP.

Thanks and Regards
Debanjan

Debanjan Bhattacharjee

Apr 13, 2020, 9:16:45 AM
to zaprox...@googlegroups.com
Hi Simon,
Here is my review comment on the third video:

ZAP HUD: An Intro

  • Are they helpful? This was awesome.
  • Do they include enough detail? Yes
  • Or too much? No, it was just perfect.
  • What else would you like covered? I think it was just perfect. One point, looking at the Firefox browsing session spun up by ZAP, I am sure the Firefox browser was spun up using GeckoDriver. Now as I come from a Selenium background, I am sure simply closing the browser manually will leave some orphaned GeckoDriver sessions which may eat up the memory/RAM. So, my question is, can we have a button within the Manual Explore page with the text "Stop Browser" which will gracefully stop/kill both the initiated GeckoDriver and Firefox sessions?

Thanks and Regards
Debanjan


Richard Kellogg

Apr 14, 2020, 1:07:51 PM
to OWASP ZAP User Group
My situation is a bit different in that I have 35+ years experience in I.T., but I'm a dinosaur from the mainframe era. I have no experience in web apps in general and web app security in particular. I struggle with the jargon and underlying technology.

The videos have the best production qualities I have seen, better than most YouTube videos. The detail is good, but I could always use more. What I like best is the ten-minute length and quick pace. What I don't like is that I have no way to grep them. What seems to work for me is to develop and follow a tutorial for each video to see the topic actually work on my computer. I would rather have written tutorials than videos. But I really appreciate all the effort you have put into this!

Sarvesh Sonawane

Apr 15, 2020, 5:13:16 AM
to OWASP ZAP User Group
Hello Simon

I guess I can provide you a sample Azure AD login website for demo purposes, please let me know.
The flow will be - login button -> enter Azure AD credentials on "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token....."

The login gets qualified.

Please let me know, because most corporate clients need support tutorials on this authentication logic, I believe.