Project Toolkit 001 : OWASP ZAP

If you are a website, I will be the crawler

Hey all today I am going to write about OWASP’s Zed Attack Proxy (ZAP) tool which we can use to perform any kind of security testing even though you don’t have any background or knowledge on security testing.

Now without further delay lets dive straight away into the installing part of ZAP.

The initial step that we got to do is to go download ZAP on the system which you would be performing the tasks using ZAP

https://www.zaproxy.org/download/ — download link

Now select your installer and download it. I will be selecting the windows (64) installer.

Note:- The ZAP tool needs java 8+ to run. For windows, Linux and cross Platform you will need to install java 8+ separately.

but,

For MAC OS users the installer itself will include an appropriate version of JAVA.

Step 1:

Go to this provided link https://www.java.com/en/download/

Step 2: click on agree and start download

Step 3: Click on install after the installer finishes downloading

Click on the Installer and wait for it to execute complete the Installer

click on next
click on I accept the agreement and then click on next
keep it on the standard installation and click next
Then click on install

Finally after the installation finishes you can simply open ZAP.

When you initially load ZAP you will be prompted with a message as follows,

For now just click on the “No I do not want to persist this session at this time” and click start.

Remember that by default Zap sessions are always being recorded to the disk in a HSQLDB database with the default name and location and if you do not persist the session those files will be deleted when you close ZAP.

But if you select to persist a session all the information of the sessions will be saved and you could access them later and also you could give custom names and locations when saving the files.

(1) The Menu Bar will provide access to many manual and automated tools.

(2) The Tool bar provides buttons which provides easy access to the most commonly used features in ZAP.

(3)The tree window displays the site and script tree.

(4) The work station windows gives the details of the requests, responses and scripts. also allows you to edit them.

(5)Information window displays all the information of the automated and manual tools.

(6)Finally the footer displays a summary of the alerts found and the status of the main automated tools.

Further if you face any difficulties while using ZAP and you need help simply click help on the menu bar (1) or you can use the key F1 to get help. Zap also supports a command line functionality and a powerful API.

Running an Automated Scan

(1) click on quick scan

(2) then click on Automated Scan

Then you will be directed to a window as follows ,

(1)Over here in the URL to attack tab paste the link you need to do the attack (i will be using a vulnerable website for this demonstration https://www.hackthissite.org/)

(2)Then click on attack

When you look at the work station you would be seeing something similar to this,

The way ZAP will do the Automated Scan

With the spiders of ZAP, ZAP will proceed to crawl the web application and passively scan each page it finds. Then using the active scanner it will attacks all of the discovered pages, parameters and functionality.

ZAP will be providing us with 2 spiders for crawling the websites and we can use any or both of them for our scan.

This spider discovers the links by examining the HTML in the responses from the web application and this spider is fast. But the spider will not be effective when an AJAX web application is explored because the AJAX web application generates likes with the use of java-script.

This spider is likely to be more effective. The way this spider works is it explores the web application by invoking browsers, which then follows the links that have been generated. The AJAX spider is way slower than the traditional spider and also needs an additional configuration to work in “headless” environment.

Interpret the Test Results

While ZAP spiders the website which you provided it will construct a ma of the web application pages and all the resources which were used in rendering those pages. Then it records all the requests and responses sent to each page and starts creating alerts and if something is potentially wrong with either of the request or response.

To examine a tree view of explore pages just click the sites tab in the tree window. You can expand all the nodes to see individual URL’S accessed,

if you examine the left corner of the footer you will be able to see the count of the alerts that were found during the scan which are broken down into risk categories which are,

by clicking the alerts tab in the information window you will be able to see each individual alert that was caught. Also it will be showing the URL accessed and the vulnerability detected on the right side of the information window just as follows,

If you want to view the responses click on the response tab in the workstation window and you will be able to see the content of the header and body of the response. further the part of the response which highlighted the alert will also be highlighted just as follows,

Manually Exploring an Application

The passive scanning and automated scanning are great functionalities and is a great way to begin a vulnerability assessment for the website your planning to attack but this comes with some limitations therefore it is always better o use the manual exploration as well.

Spiders are a great way to explore the website which you want to explore but they should be combined with the help of the manual exploration to be more effective.

Spider for example will only enter the basic default data into the forms of the web application but the user is able to enter more relevant information which can be used to expose more of the attacking web application into ZAP (this can be used in registration forms where valid emails are required, the spider may enter a random string which might cause an error but the user is able to fix this error by supplying strings which are correctly formatted which will reveal more of this website to ZAP)

Note:- when exploring all of the web applications its better to use a browser which is proxying through ZAP.

You can quickly and very easily launch the manual explore by clicking on quick start and then clicking on manual explore then you will be prompted with a window like this,

In the URL to explore box enter the desired URL which you want to explore and select the browser you like and then click the launch browser, then you will be displayed with a website similar to this,

Through this window we are able to do the exploring manually and as I have told earlier (You can send out the normal spiders, AJAX spiders, send out active scans and many more manually so that the exploration will be more beneficial for the person who is doing the exploration)

The heads Up Display

The heads up display (HUD) is an innovative interface that provides access to ZAP functionality directly in the web browser. it is ideal for people who are new to web security and also allows the experienced pen Testers to focus on an applications functionality while providing key security information and functionality

the HUD is over-layed on top of the target web application in the browser you have selected (firefox and chrome support this feature)

Alright guys this is the end my today’s Write-up hope you all enjoyed reading this also make sure to try OWASP ZAP by yourself to get an 1st hand experience.

But most of all “REMEMBER TO HAVE FUN IN ANYTHING YOU DO” signing off for now.

Stay safe!

Written by Jehan Hettiarachchi — 2nd Year 2nd Semester -Cyber Security Student-SLIIT

First they begin with Us..