“That's the plan,” the hacker told Motherboard in an email. “Like subverso says in the lyrics of the song at the end of the video, ‘el que comparte lo que aprende, es peligroso’ [he who shares what he learns is dangerous].”
In fairness, this kid didn't even use the active scanners in ZAP. He tried a few evaluation expressions manually to find the injection point. He could have achieved the same effect with the developer tools in the browser, in fact. There is not much to worry about from a reputational point of view for ZAP, in my opinion.
This video should be on the curriculum in computer security courses. There are so many lessons to be learned from it, it's insane.
C.
----
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Evangelists Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-evangel...@googlegroups.com.
Obligatory car analogy:

Imagine a pitch dark car park and a thief uses a torch to find the cars that have been designed without windows and doors and with the keys in the ignition. Is the problem with the torch? Or with the thief? Or with the vehicle manufacturer who builds cars without windows and doors?

Stealing cars, whether they have windows or doors, is illegal, so clearly the thief shoulders the bulk of the responsibility. But those who built the cars without even basic security measures should share some of the blame here.

Where does that leave the torch? The torch was never used to break into anything; it was only used to find the cars that were already broken through bad design. In fact, it would probably be better if we had more torches so that the whole car park was illuminated and everyone could see which cars were broken by design.

On Fri, May 20, 2016, 00:38 johanna curiel curiel <johanna...@owasp.org> wrote:

Hello everyone

I got some bad and good news.

A known hacker has released a video hacking a real police department....using ZAP!

Look, on one side the tool is so good hackers like this guy are using it. On the other hand he is using ZAP for the wrong reasons and showing how he actually hacked the police department...

I'm seriously concerned about this.

--
Johanna Curiel
OWASP Volunteer
--
A hammer is a hammer. It could be used by a carpenter to build a nice strong and secure home, or by a teenager to bust out windows in an attempt to break into the same home. Can't blame the hammer.

I actually think this is a good thing for ZAP. I'd bet a lot of people in the industry who had never heard of it before are looking into it right now. It would be interesting to see if the number of downloads jumps up due to this.

Another important thing to keep in mind: ZAP isn't a script kiddie tool. The person using it has to have a good understanding of the results it outputs. If someone understands how to use ZAP to its fullest power, then they know how to do the same thing manually.

On Fri, May 20, 2016 at 8:17 AM Colm O'Flaherty <colm.p.o...@gmail.com> wrote:

ZAP does help application security. I'm honestly surprised that you don't seem to think that. I use ZAP in an offensive way pretty much every day to help increase application security where I work. We also need "fixers", but without first knowing what needs to be fixed, those "fixers" are not going to be very productive.

If you think OWASP needs more defender/fixer projects, then the obvious way to go (to me at least) is to go do something about it. Telling people "it shouldn't be this way" doesn't help anyone, not least of all those people who have put in lots of work to make ZAP great at its job. Any tool in the wrong hands is dangerous, but I don't recall anyone urging the designers/manufacturers of torches (from the previous example) to instead focus on designing brighter cities and houses. It's a different competency, and the wrong audience for the message, in my opinion.

C
--
Johanna Curiel
OWASP Volunteer