Difference between revisions of "2015-08-ZAP-ScriptingCompetition"
Changes in this revision (unchanged diff lines omitted): in "How can you take part?" (diff line 7) and "The fine print" (diff line 47), the four Bountysource links were changed from https://www.bountysource.com/teams/zap/ to https://www.bountysource.com/teams/zap/bounties. The affected bullets are "Claim the relevant bounty on Bountysource", "Prizes will be awarded via Bountysource in September 2015", "Prizes of $50 will be awarded to the best script of each supported type by ZAP via Bountysource" and "Prizes will only be paid via Bountysource".
Revision as of 12:26, 31 July 2015
ZAP Scripting Competition
We will be awarding prizes of $50 for the best OWASP ZAP scripts written during August 2015!
How can you take part?
- Download and install the latest version of ZAP: 2.4.1 (if you haven't already)
- Write ZAP scripts!
- Submit them via Pull Requests to the community scripts repo during August 2015
- Claim the relevant bounty on Bountysource - note that only one script per script type will be awarded the bounty (see below for more details)
- Prizes will be awarded via Bountysource in September 2015
What script types will we award prizes for?
All of the ones ZAP supports:
- Stand Alone - scripts that are self contained and are only run when you start them manually
- Active Rules - these run as part of the Active Scanner and can be individually enabled
- Passive Rules - these run as part of the Passive Scanner and can be individually enabled
- Proxy - these run 'inline', can change every proxied request and response and can be individually enabled. They can also trigger break points
- HTTP Sender - these run 'inline', can change every request and response (both proxied and those initiated by other ZAP components) and can be individually enabled.
- Targeted - scripts that are invoked with a target URL and are only run when you start them manually
- Authentication - scripts that are invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
- Input Vectors - scripts for defining exactly what ZAP should attack
- HTTP Fuzzer Processor - scripts that can control the HTTP fuzzer and manage its results
- Payload Generator - scripts that can generate payloads to be used in the fuzzer
- Payload Processor - scripts that can change the payloads before being used in the fuzzer.
- Sequence - Zest scripts that define sequences of requests that perform a specific task in an application. These are used by the optional Sequence add-on available on the ZAP Marketplace
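As an added example (not code from this page or from the ZAP project), here is a Passive Rule of the kind listed above, written in JavaScript since ZAP runs that out of the box. It only inspects responses, never sends requests, and flags HTML pages that could be framed. The `scan(ps, msg, src)` entry point and the `ps.raiseAlert(...)` argument order follow the 2015 passive script template; the header check is kept in a separate function so it can be exercised with a mock message outside ZAP.

```javascript
// Passive scan rule: report HTML responses that neither send an
// X-Frame-Options header nor a Content-Security-Policy frame-ancestors
// directive, i.e. pages that another site could embed (clickjacking).
// Passive rules must only look at traffic that already passed through ZAP.

// The check itself, separated from the ZAP plumbing. 'msg' is a ZAP
// HttpMessage (Java object); the method names used here are the ones the
// passive script template relies on. Returns null when nothing is wrong.
function checkFraming(msg) {
  var resp = msg.getResponseHeader();
  if (!resp.isHtml() || resp.getStatusCode() !== 200) {
    return null; // only rendered pages can be clickjacked
  }
  var xfo = resp.getHeader('X-Frame-Options'); // null when absent
  if (xfo !== null && /^(DENY|SAMEORIGIN)$/i.test(String(xfo).trim())) {
    return null;
  }
  var csp = resp.getHeader('Content-Security-Policy');
  if (csp !== null && /frame-ancestors/i.test(String(csp))) {
    return null; // the modern equivalent; CSP wins over X-Frame-Options
  }
  return {
    evidence: xfo === null ? '' : String(xfo),
    otherInfo: xfo === null
      ? 'No X-Frame-Options header was set.'
      : 'X-Frame-Options value is not DENY or SAMEORIGIN.'
  };
}

// Entry point ZAP calls for every request/response pair it passively scans.
function scan(ps, msg, src) {
  var finding = checkFraming(msg);
  if (finding === null) {
    return;
  }
  // raiseAlert(risk, confidence, name, description, uri, param, attack,
  //            otherInfo, solution, evidence, cweId, wascId, msg)
  // risk 2 = medium, confidence 2 = medium
  ps.raiseAlert(2, 2, 'Frameable response (clickjacking)',
    'The page does not restrict which origins may embed it in a frame.',
    msg.getRequestHeader().getURI().toString(), '', '', finding.otherInfo,
    'Send X-Frame-Options: DENY or SAMEORIGIN, or a Content-Security-Policy ' +
    'header with a frame-ancestors directive.',
    finding.evidence, 1021, 15, msg);
}
```

Save it under the passive scripts folder in ZAP's Scripts tree and enable it; new passive scripts start disabled.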
We will also be awarding additional $50 prizes for:
- The best Zest script (of any type)
- The best overall script (of any type and scripting language, including Zest)
This means there will be 14 prizes totalling $700. At least one script will win $100, and if it's written in Zest it will win $150!
Additional Info
By default ZAP supports JavaScript and Zest scripts ‘out of the box’, but it also supports Jython and JRuby via the ZAP Marketplace.
The ZAP help includes some information about scripting: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts
And there's more info on the ZAP internals on the wiki: https://github.com/zaproxy/zaproxy/wiki/InternalDetails
For active and passive rules you should also see the Hacking ZAP series of blog posts.
We're looking for scripts that will be useful for developers, functional testers and pentesters, but we'll also consider scripts that are just fun.
Scripts that help with specific technologies or target specific deliberately vulnerable applications will also be appreciated.
Have a look at the scripts that come with ZAP and those currently in the community scripts repo - they will help you get started and may give you ideas of what's possible.
And if you have any problems or questions then please ask on the ZAP Developer Group.
Good luck and get hacking!
The fine print
- Prizes of $50 will be awarded to the best script of each supported type by ZAP via Bountysource
- Prizes will only be paid via Bountysource - no alternative payment options will be available.
- Scripts must be submitted via Pull Requests to the community scripts repo during August 2015.
- Scripts must have been merged into the community scripts repo - scripts will only be merged once any significant issues have been fixed.
- Scripts must work with the latest released version of ZAP (currently 2.4.1)
- Scripts must be licensed as Apache v2
- Scripts must include a clear description of what they do in English (and optionally other languages)
- Scripts must not be obfuscated
- All supported script languages (currently JavaScript, Zest, Jython and JRuby) are eligible for prizes.
- Other script languages will also be eligible if they are supported via an add-on made available in the ZAP Marketplace during August 2015.
- Anyone can take part in this competition, apart from the judges of course.
- If none of the scripts submitted for one type are deemed to be worthy of a prize then that prize may be awarded to an additional script of another type. If we decide not to transfer the prize then the money will be used for prizes in the near future.
- The judges' decision is final.
The scripts will be judged by:
- Simon Bennetts (ZAP Project Lead)
- Freakyclown (Senior Penetration Tester at https://www.portcullis-security.com/)
- Thc202 (ZAP Core developer)