OWASP ZAP

What is OWASP ZAP?

ZAP stands for - Zed Attack Proxy.

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually

Before I continue, I feel obligated to warn you that you should use this tool only with an application you’re hosting yourself, or one you’ve been given explicit permission to test, as ZAP attempts to modify data and insert malicious scripts in the web application.

ZAP can scan through the web application and detect issues related to:

SQL injection 
Broken Authentication 
Sensitive data exposure 
Broken Access control 
Security misconfiguration 
Cross Site Scripting (XSS) 
Insecure Deserialization 
Components with known vulnerabilities 
Missing security headers

ZAP is a free open-source tool which is easy to setup and use, (You have probably heard of the Burp community as well, which is free, and the pro version that you need to purchase).

As it is used by the wide community, there is a lot of help available online. you can find it on the ZAP website as well as other online articles to help you setup and use the tool.

By default ZAP is part of the Kali linux machine. If you are using a different OS go to the ZAP website, Download the version for your OS and install it.

Before you start you will need to configure your browser to use ZAP as a proxy and install the SSL for HTTPS requests.

By default ZAP uses an Address of ‘localhost’ and a Port of ‘8080’, but these can be changed via the Options Local Proxies screen.

1. Installing certificate

Since all requests and responses are proxied by ZAP, the certificate verification will fail for sites using SSL (HTTPS) and the connection will be terminated. To prevent this from happening, ZAP generates an SSL certificate for each host, signed by its own Certificate Authority (CA). This CA certificate is generated the first time you run ZAP, and is stored locally. To use the ZAP Proxy with these websites, you will need to install ZAP’s CA certificate as a trusted root in your browser.

1) In ZAP: go to Tools>Options>Dynamic SSL Certificate. Click Generate and then click Save.

2) Save the certificate in the desired location.

3) Open your browser and install the Certificate to your browser accordingly

2. Configuring Proxy

1. Open your preferred browser and set up the proxy as shown here (You can use port 8080 as the port)

2. In the ZAP UI, go to Tools>Options>Local Proxy

3. Make sure the port is set to 8080 (or the port you have configured in your browser)

4. Change the localhost to 127.0.0.1 or your machine IP

5. Open any website using SSL in your browser and make sure the site shows up in the sites list.

Start using ZAP as proxy:

The quickest way to get going with ZAP is to use the Quick Start add-on.

This allows you to enter a URL which ZAP will first spider and then active scan.

For a more in depth test you should explore your application using your browser or automated regression tests while proxying through ZAP.

Open ZAP and click the big Automated Scan button and input your target.

The automated scan performs both passive and automated scans to build a sitemap and detect vulnerabilities.

On the next page you may see the options to select either to use “traditional spider” or “Ajax spider”.

A traditional spider scan is a passive scan that enumerates links and directories of the website. It builds a website index without brute forcing. This is much quieter than a bruteforce attack and can still net a login page or other juicy details, but is not as comprehensive as a bruteforce.

The Ajax Spider is an add-on that integrates a crawler of AJAX rich sites called Crawljax in ZAP. You can use it in conjunction with the traditional spider for better results. It uses your web browser and proxy.

The easiest way to use the Ajax Spider is with HTMLUnit.

To install HTML Unit use the command

sudo apt install libjenkins-htmlunit-core-js-java

Then select HtmlUnity from the Ajax Spider Dropdown.

Both utilities can further be configured in the options menu (Ctrl+Alt+O)

Example for Automated Scan Output:

Lets perform a manual scan against the DVWA machine.

Fire up the DVWA machine (http://<Your IP>), and login using the following credentials:

Username: admin
Password: password

For the purpose of this exercise, once you've logged in, navigate to the DVWA Security tab and set the Security level to Low and hit submit.

We're going to pass our authentication token through ZAP so that we can use the tool to scan authenticated webpages.

On your browser, in the DVWA web page, Right click >> enter inspect element >> Storage tab >> and take note of your PHPSESSION cookie.

In ZAP open the HTTP Sessions tab with the new tab button and set the authenticated session as active.

Now re-scan the application. You’ll see it’s able to pick up a lot more.

This is because it’s able to see all of the sections of DVWA that was previously behind the login page.

If the passive scans are not enough, you can use a wordlist attack and directory bruteforce through ZAP just as you would with gobuster.

This would pick up pages that are not indexed.

To add a wordlist:

Tools >> Options >> Forced Browse

First. Go into your ZAP Options (at the bottom navigation panel, with the screen plus button), navigate to Forced Browse, and add the Custom Wordlist. You can also add more threads and turn off recursive brute-forcing.

Select site >> select list >> play
ZAP will now bruteforce the entire website with your wordlist.

You can brute-force a form to get credentials.
to see how you can do this, go to this guide: "Brute-force a form to get credentials with ZAP"

All the guides, tips, and tricks on this web site are for education purpose only, the website owner is not accountable for any use of this information

Home

About

Guides