In December of 2018, I published a twelve-day series of cross-site scripting tips, tricks, and payloads called the Twelve Days of XSSmas. Over the years I've had a ton of positive feedback on that one, with a number of people saying they still regularly reference it. Secure Ideas hasn't published a series in that format since. That is about to change in December 2022.
I'm excited to announce a new series, the Twelve Days of ZAPmas. This series of 12 daily segments will be targeted at non-traditional security roles (developers, dev team security champions, and QA automation folks), to accelerate their introduction to using OWASP Zed Attack Proxy (ZAP) to evaluate their own applications (with permission) and reproduce reported issues. Those familiar with Secure Ideas will probably know that we normally use Burp Suite as our interception proxy. I'm no exception to that, so I will be approaching ZAP as a noob, just like many developers and QA specialists. Example topics will include:
- Setting up ZAP to proxy your web traffic
- Considerations for testing other types of things, like mobile devices or APIs
- Basic techniques that everyone should know
- Best practices when testing
- Common behaviors to test for, and how to do it
- Tips and tricks
At the end of the series, we will link a survey for readers to vote on their favorite topics. We will then take the most popular topics, and expand them into standalone deep dives in 2023.