Writing a book about ZAP


johanna curiel curiel

unread,
Jul 29, 2015, 12:52:05 PM7/29/15
to zaproxy-e...@googlegroups.com
Dear evangelists

I have an idea for ZAP to collect some serious funds and use them for development.

Write a complete, extensive ZAP book ;-)

I'm willing to volunteer; however, I'm not an expert in all ZAP modules, but if you are willing to review the technical information and provide me guidance, we can create a serious book and sell it on Amazon.

The focus is on users,
and a small section for developing your own scripts ==> this could become another book ;-)

Who wants to join?

Regards


Johanna

Simon Bennetts

unread,
Jul 29, 2015, 1:01:27 PM7/29/15
to OWASP ZAP Evangelists Group, johanna...@owasp.org, johanna...@owasp.org
Very interesting :)
So the main writers would be paid for their work, reviewers 'just' credited and then profits fund ZAP development?

Cheers,

Simon

johanna curiel curiel

unread,
Jul 29, 2015, 1:03:01 PM7/29/15
to Simon Bennetts, OWASP ZAP Evangelists Group
I don't need to get paid for the work, but we will need a technical editor

The credit on the book is enough for me ;-)


Simon Bennetts

unread,
Jul 29, 2015, 1:04:01 PM7/29/15
to OWASP ZAP Evangelists Group, psi...@gmail.com, johanna...@owasp.org, psi...@gmail.com
And any thoughts on the publisher, eg O'Reilly or Wiley?

johanna curiel curiel

unread,
Jul 29, 2015, 1:08:03 PM7/29/15
to Simon Bennetts, OWASP ZAP Evangelists Group
That depends on which offers the best deal.
But I always think step by step. We make the book, get sponsorship for a technical editor (I can help with that too) and then we can check which publisher offers the best deal. You probably want to keep as much as you can for the project, so that is something you will need to evaluate later when the book is that far along.

johanna curiel curiel

unread,
Jul 29, 2015, 1:15:58 PM7/29/15
to Yvan Boily, OWASP ZAP Evangelists Group
If the book serves as awareness and also attracts potential sponsors, I think this will help ZAP to be promoted.

I'm also aware that selling a book can take many directions (profitable or not), but I'm willing to make the effort.

The journey of writing the book, and getting it to a final release, is more interesting to me.

On Wed, Jul 29, 2015 at 1:09 PM, Yvan Boily <yvan...@gmail.com> wrote:
I think the idea of a ZAP book is fantastic, but AFAIK most technical titles are not large on profits.  http://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=68599 has a bunch of anecdotes on the topic.

The main goal of writing a ZAP book should be to drive awareness and educate users on how the tool works and what they can do with it - any profit would be secondary. My initial thought is that working with an established technical publisher could yield an advance that would cover all of the related writing costs, with the royalties, etc. being paid into the ZAP project.

Simon Bennetts

unread,
Jul 29, 2015, 1:16:31 PM7/29/15
to OWASP ZAP Evangelists Group, johanna...@owasp.org, johanna...@owasp.org
Sounds great :)
Very happy to help with the technical reviewing (although I'm always up to my eyes with other things!).
But this should also be a great opportunity for other people to get involved - the more the merrier, I would have thought (though I've not done this sort of thing before ;).
I think it might be worth talking to publishers early - I would hope that good ones would be able to provide lots of useful advice and guidance.
Anyone on this list have experience in writing a commercial technical book?
We should probably check on the OWASP leaders list as well.

The 'rate of change' of ZAP could cause problems, but hopefully we won't have to make major UI changes, so it will be more new features that can be added in later editions.

Many thanks,

Simon

gmaran23

unread,
Jul 30, 2015, 3:03:19 AM7/30/15
to OWASP ZAP Evangelists Group, johanna...@owasp.org, psi...@gmail.com
Johanna and Simon,

I volunteer as well. About eight months back I had the idea to write a book about ZAP (I even thought of some crazy names for the book :)), but I was thinking of myself as the only author and I got lost in the maze of the scope of the book and the target audience.

I am open to discuss.

But here's what I had in mind:
Chapters dedicated to:

  1. set up and configurations
  2. starting options
  3. fuzzing
  4. spidering
  5. scanning
  6. UI tip/tricks/customizations
  7. writing scripts
  8. Most essential add ons
    1. ajax spider
    2. directory browsing
    3. fuzzer
    4. .
    5. .
    6. .
  9. Automation
  10. ZAP use cases 
Along with hard-copy publishers, we could also look at www.packtpub.com.


Maran

johanna curiel curiel

unread,
Jul 30, 2015, 6:06:41 AM7/30/15
to gmaran23, OWASP ZAP Evangelists Group, Simon Bennetts
Hi Maran,

Awesome. There are 2 roads we can take here:

  • Focus on functionalities (as you already have presented in the chapters)
  • Focus on how to test specific vulnerabilities with ZAP features ==> ZAP use cases

I think if we would like users and first-time users to understand how they can use ZAP on both fronts, I thought about examples on how to test for specific vulnerabilities (SQL injection, XSS, etc.), and in this way they also understand how the functionalities and features work.

For the part about writing scripts, I would like to include a set of scripts targeted at specific vulnerabilities, kind of like the Nmap NSE scripting engine, with a special package of vulnerability scripts written in Zest.

I contacted Bill Sempf, who is an experienced book author, and he provided us some advice, and even offered to put us in contact with Wiley publishers ;-). The advantage of publishers is promotion, but we get a lot less from this deal.

If we publish directly through Amazon, for example, we can get a bigger cut, but we have all the editorial work on our hands. Since it is not only about the money but promoting ZAP and helping users, I think we could try and talk with Wiley publishers.

This book can be offered at conference talks by Simon or the evangelists ;-). It will also be ideal for training courses. So I think the book can have a positive impact spreading ZAP's image and furthering use of the tool.

Commitment is necessary. I'm willing to dedicate the coming 6 months of my entire spare time to make this book happen, and to get credit on the book I expect no less hard work, whether reviewing it or working on some chapters ;-).

Keep in mind that by the time we publish, some sections could be outdated; therefore we need to focus on explaining those features that most likely won't change drastically in the coming 6 months.


Regards

Johanna
johanna curiel curiel

unread,
Jul 30, 2015, 6:24:16 AM7/30/15
to gmaran23, OWASP ZAP Evangelists Group, Simon Bennetts
Forgot to mention some advantages/disadvantages.

Advantages of having an editor as described by Bill and also some I found out:
  • Editor work covered by publisher
  • Publisher takes care of layout, etc
  • Can get a payment for the work done (but this is no riches, around USD 5000)
  • Promotion through their channel
  • Text and layout will have a standard industry quality

Disadvantages
  • Less earnings from the book (a big chunk goes to the publisher)
  • You cannot distribute the book as you want (only through their channels)
  • It will be more expensive for users
  • Book becomes outdated after a while
  • Book is not dynamically updated as through Lulu or own publishing
Difficult decision if you look at this, but if I think about the costs, I think Wiley is an option.

gmaran23

unread,
Jul 30, 2015, 6:54:03 AM7/30/15
to OWASP ZAP Evangelists Group, psi...@gmail.com, johanna...@owasp.org
>I thought about examples on how to test for specific vulnerabilities (SQL injection, XSS, etc.), and in this way they also understand how the functionalities and features work.

Reminds me of https://www.owasp.org/index.php/ZAPpingTheTop10 :)

I agree. If we focus on how to test specific vulnerabilities, we would have covered the features.

In case we want to cover a particular feature in depth, then we could think of dedicating a chapter for exclusive coverage.

johanna curiel curiel

unread,
Jul 30, 2015, 7:28:00 AM7/30/15
to gmaran23, OWASP ZAP Evangelists Group, Simon Bennetts
Hey Maran, we are on the same frequency ;-)

I'll set up a GitHub branch for the book. This branch will have limited access (it will be private) since we have not decided yet if we go with a publisher.

>The book structure that you guys discussed needs to be brainstormed also by Simon and other evangelists, whether they want to promote the entire functionality of the book or just identifying vulnerabilities. I remember the book Web Application Hacker's Handbook by Burp's founder, where he discusses vulnerabilities and how to automate them with Burp.

Hi Ammar. Thank you for your support. I would love to have everyone's feedback, but the important thing at the moment is having people writing. We start agile with this book and we build and adapt from there.
We will allow access to evangelists that want to volunteer and have the time to review and provide us feedback through GitHub, but in the end, if we want to make this book a reality and not just an idea, we have to write and get the work done.

Regards

Johanna

Zack Syn

unread,
Jul 30, 2015, 8:47:56 AM7/30/15
to johanna curiel curiel, gmaran23, OWASP ZAP Evangelists Group, Simon Bennetts
Hi guys,

This is a great idea! I'll help with whatever I can: writing, editing and promoting.

I started drafting an Android testing tutorial using ZAP, I think. Also, presenting some exclusive scripts in the book could be a game changer.

Cheers,

Zack
Simon Bennetts

unread,
Jul 30, 2015, 11:17:04 AM7/30/15
to OWASP ZAP Evangelists Group, johanna...@owasp.org, gmar...@gmail.com, johanna...@owasp.org
I think that a user focused approach would be best.

The user guide is essentially focused on the basic functionality: https://github.com/zaproxy/zap-core-help/wiki/HelpIntro
And the source for that is here: https://github.com/zaproxy/zap-core-help/tree/master/src/help/zaphelp
so you can just send PRs to help improve it :)

Cheers,

Simon

johanna curiel curiel

unread,
Jul 30, 2015, 12:03:14 PM7/30/15
to Zack Syn, gmaran23, OWASP ZAP Evangelists Group, Simon Bennetts
Hi all,

The first important thing is to define the audience.
The audience we have in mind is developers and penetration testers exposed to ZAP for the first time.
The book is not about ZAP features but how to use ZAP features to execute a pen test with them.

It has to be exciting and entertaining. Simon gave me an idea: why not make it about pen testing with bug hunting, and explain this process with actual examples?
No book has done this so far, so we have a big hook and selling proposition 😁

We want to make sure everyone that participates gets their recognition based on their input. Whatever you can help us with, from reviewing to writing, we make sure you get your acknowledgement in the book.

I'll do some research regarding copyrights in case we go through a publisher, but like I mentioned to Simon, I do not want to own this; I think Simon can manage those rights better because this book (if it becomes reality) would not exist if ZAP didn't.
If we go open source, well, it's easy. It's free and open ;-)

Title of the book:
Bug Bounty with ZAP
A practical and real pen testing adventure with ZAP

Example first draft TOC:
What is ZAP?
Download and Installation
  Preparing the environment
  Windows
  Mac
  Linux
  Zap ready to launch
   Kali Linux/Backtrack
   OWASP Web Testing Environment Project
Browser configuration
  Firefox
  Chrome
  More on help
  
Getting ready for the Hunt
  Our targets: The vulnerable applications
   Ethical hacking websites for fun and profit
     Bugcrowd
     List of Bug Bounty Programs
    Bountysource
  
ZAP: the man in the middle 
 Choose your Bounty program
 Preparing the attack
   Meet the Spider: Crawling all the way
   Checking HTTP Requests and Responses
    Analysing Requests
    Analysing Responses
    Modifying Request with the Fuzzer
  

The first assignment for the people that want to participate in this book adventure is:
  • Help us define the TOC chapters with this perspective for the book
  • Send the proposal of those chapters here
  • Define which one(s) you are willing to write
  • I'll provide access to the Github account: https://github.com/marylinh/zapbook
  • Set deadline for writing a piece, scrumming every 2 weeks
Thank you all for your time and consideration, and I hope to hear from you soon ;-)

Regards

Johanna


gmaran23

unread,
Jul 31, 2015, 6:34:05 AM7/31/15
to OWASP ZAP Evangelists Group, bad...@gmail.com, gmar...@gmail.com, psi...@gmail.com, johanna...@owasp.org
Johanna,

A user-focused approach and bug bounty adventure is a great idea and a good selling proposition.

What vulnerable applications do you have in mind? Are we considering sites that are hosted on the internet like testfire.net? https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=On-Line_apps

Taking the lead on the initial TOC has set the stage and is motivating as well.

Using the first draft TOC as a foundation, here are some edits to consider: [Feel free to criticize or make it better :)]



Title of the book:
Bug Bounty with ZAP
A practical and real pen testing adventure with ZAP

What is ZAP?
Download and Installation
  Preparing the environment
  Windows
  Mac
  Linux
  ZAP ready for zapping (ZAP ready to launch is good as well)
   Kali Linux/Backtrack
   OWASP Web Testing Environment Project
Browser configuration
  Firefox
  Chrome
  More on help
  
Getting ready for the Hunt
  Our targets: The vulnerable applications
   Ethical hacking websites for fun and profit
     Bugcrowd
     List of Bug Bounty Programs
    Bountysource
  
ZAP: the man in the middle 
 Choose your Bounty program
 Understanding the application
 Sniffing for the low-hanging fruits / Spotting the holes

    Checking HTTP Requests and Responses
    Analysing Requests
    Analysing Responses
 Discovering the inconspicuous
    Meet the Spider: Crawling all the way
    Busting hidden directories
  
 Preparing the attack
    Choosing your payload

    Modifying Request with the Fuzzer
    
  

Just like you mentioned, the TOC is good enough to start with and we could let it evolve as we go.

Maran

johanna curiel curiel

unread,
Jul 31, 2015, 8:35:19 AM7/31/15
to gmaran23, OWASP ZAP Evangelists Group, Zack Syn, Simon Bennetts
Hi Maran

Excellent propositions. I'll add you to the GitHub branch.
Let me know which section you would like to start writing about.
Add your name next to the TOC.

We'll keep on working there from now on. Please provide me with your GitHub account to add you.

Regards

Johanna

Mateo Martinez

unread,
Jul 31, 2015, 8:35:29 AM7/31/15
to gmaran23, OWASP ZAP Evangelists Group, bad...@gmail.com, Simon Bennetts, johanna curiel curiel
Hi,

I want to help with:

Getting ready for the Hunt
  Our targets: The vulnerable applications
   Ethical hacking websites for fun and profit

Best,

Mateo

johanna curiel curiel

unread,
Jul 31, 2015, 8:36:42 AM7/31/15
to Mateo Martinez, gmaran23, OWASP ZAP Evangelists Group, Zack Syn, Simon Bennetts
Hi Mateo

Thanks for volunteering.

Please provide me with your GitHub account, I'll add you.

Regards

Johanna

johanna curiel curiel

unread,
Jul 31, 2015, 10:28:17 AM7/31/15
to Ammar Brohi, OWASP ZAP Evangelists Group
>Will we be going with vulnerabilities or methodology? The OWASP Testing Guide was great for me when learning web pen-testing, as well as serving as a checklist when testing.

Methodology on how to do the bug hunting, but feel free to also mention the OWASP Testing Guide and use specific tests mentioned there.

>I was reading Bugcrowd and HackerOne disclosures; the researchers always come up with something new. What are your thoughts on creating our own vulnerable web app?
You mean that we create one?

The focus is that you pick one out of the possible bounty programs, like this:

Example: you pick Tesla Motors and focus your testing examples and methodology using their site.
If in the making of the book someone finds a bug, you claim it. We can publish that you found bugs during the program (not exactly which one).

Since the book's focus is bug bounty hunting using ZAP as a pen testing tool, the applications used in the examples should be the ones listed in the bug bounty program of your choice.



On Fri, Jul 31, 2015 at 10:02 AM, Ammar Brohi <brohi...@gmail.com> wrote:
Hello All,

I like your idea on bug hunting, and I really wanted a book like this before, when I was getting started.

Will we be going with vulnerabilities or methodology? The OWASP Testing Guide was great for me when learning web pen-testing, as well as serving as a checklist when testing.

And as Maran said, these are very basic vulnerable web apps, and to make a great impact on the audience we need to come up with something awesome. I was reading Bugcrowd and HackerOne disclosures; the researchers always come up with something new. What are your thoughts on creating our own vulnerable web app?

Thanks,
Ammar
