Introduction to OWASP ZAP

What is OWASP Zap?

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended both for people new to application security and for professional penetration testers.

OWASP ZAP is much like Burp Suite: an intercepting proxy that doubles as a very robust enumeration and scanning tool for web application penetration testing.

What are the benefits of OWASP ZAP?

OWASP ZAP is completely open-source and free. There is no premium version, no features are locked behind a paywall, and there is no proprietary code.

There are a few feature advantages of OWASP ZAP over the free Burp Suite Community Edition as well:

  • Automated scan: ZAP passively and actively scans a web application, builds a site map and reports vulnerabilities in a single run; Burp's equivalent scanner is only available in the paid Professional edition.
  • Spidering: ZAP builds a site map by following the links it discovers; Burp's crawler is likewise a paid feature.
  • Unthrottled fuzzing: ZAP's Fuzzer (the counterpart of Burp Intruder) brute-forces login pages as fast as your machine and the web server can handle, whereas Burp Community Edition rate-limits Intruder.
  • No request forwarding by default: ZAP lets every request pass through and records it, only holding a request when you set a breakpoint, so you can simply browse the site while ZAP captures the traffic. Burp's Proxy behaves the same way once Intercept is switched off, so this is a difference in defaults rather than a missing feature, but it does save the constant window switching when you are working manually.

Now I will demonstrate how to install and use OWASP ZAP.

INSTALLATION

OWASP ZAP is a Java application and runs on Windows, macOS and Linux.

Download the installer for your platform from the official zaproxy website:

https://www.zaproxy.org/download/

AUTOMATED SCAN

The automated scan performs both passive and active scanning to build a site map and detect vulnerabilities.

Now let’s start with OWASP Zap

Click Automated Scan and enter the target URL.

Next, choose which spider to use. There are two options: the traditional spider or the AJAX spider.

Traditional spider: the traditional spider crawls the site by following the links it finds in responses and builds a site index without guessing paths. It still sends requests, so it is not passive, but it is much quieter than a brute-force attack and can still turn up a login page or other interesting details. The trade-off is that it only finds what is linked, so it is less comprehensive than forced browsing.

AJAX spider: the AJAX Spider is an add-on that integrates Crawljax, a crawler for AJAX-rich sites, into ZAP. It drives a real (or headless) browser through ZAP's proxy, so links generated by JavaScript are discovered too. Use it together with the traditional spider for the best coverage.

If you select the AJAX spider you also have to choose which browser it should drive.

The simplest choice is HtmlUnit, a headless browser that is bundled with the AJAX Spider add-on, so nothing extra needs to be installed.

Select HtmlUnit in the AJAX spider's browser drop-down menu. Firefox or Chrome (headless or not) render modern front-ends more faithfully, but require that browser to be installed on the machine.

Example automated scan output (screenshot in the original post).

MANUAL SCANNING

After automated scanning, let's see how to configure ZAP manually and scan by hand.

First, set up ZAP as the proxy between the browser and the target. The steps are as follows:

Step-1: Open the Tools menu and select Options at the bottom of the list.

Step-2: Under Local Proxies, set the address and port ZAP listens on (by default the address is localhost and the port is 8080).

Step-3: Under Dynamic SSL Certificates, generate a root CA if the panel shows none, then click Save to export it.

Step-4: Import the saved certificate into the browser's trusted certificate authorities, then switch the browser to manual proxy configuration using the same address and port as ZAP's local proxy, for HTTPS as well as HTTP.

ZAP now records every request the browser sends and every response that comes back. Requests pass straight through by default; set a breakpoint when you want to hold and edit one before it reaches the server. If HTTPS sites still show certificate warnings, the root CA was not imported correctly.
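A quick way to confirm the proxy is really doing what Step 4 intends is to open an HTTPS connection through ZAP from a script and look at who signed the certificate you receive: if it is ZAP's root CA, ZAP is terminating TLS and seeing the plaintext. The block below is an added example, not part of the original post or of ZAP itself; it assumes ZAP on 127.0.0.1:8080, the certificate from Step 3 saved in PEM form under the path given, and that ZAP's root CA carries the common name shown (check your own export).

```python
import http.client
import ssl

# Assumed values: ZAP on its default local proxy, and the root CA exported in
# Step 3 saved as PEM under this name (convert with openssl if yours is DER).
ZAP_PROXY = ("127.0.0.1", 8080)
ZAP_ROOT_CA_PEM = "owasp_zap_root_ca.pem"

# Common name ZAP puts on its generated root CA (assumed; verify in your export).
ZAP_ROOT_CA_CN = "OWASP Zed Attack Proxy Root CA"


def fetch_through_zap(host, path="/", proxy=ZAP_PROXY, ca_pem=ZAP_ROOT_CA_PEM):
    """GET https://host/path through an HTTP CONNECT tunnel to ZAP.

    Only ZAP's root CA is loaded into the context, so the handshake succeeds
    only if ZAP re-signed the server certificate, which is exactly what the
    browser relies on after importing the CA in Step 4.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    conn = http.client.HTTPSConnection(*proxy, context=ctx)
    conn.set_tunnel(host, 443)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read()
        peer_cert = conn.sock.getpeercert()  # the certificate ZAP presented
    finally:
        conn.close()
    return resp.status, peer_cert, body


def issuer_is_zap(peer_cert, expected_cn=ZAP_ROOT_CA_CN):
    """True if the presented certificate was issued by ZAP's root CA.

    peer_cert is the dict from ssl.SSLSocket.getpeercert(); its "issuer" is a
    tuple of RDNs, each a tuple of (attribute, value) pairs.
    """
    for rdn in peer_cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "commonName" and value == expected_cn:
                return True
    return False


if __name__ == "__main__":
    status, cert, _ = fetch_through_zap("example.com")  # assumed target
    verdict = "intercepted by ZAP" if issuer_is_zap(cert) else "NOT going through ZAP"
    print(status, verdict)
```

If the script fails the handshake with a verification error, the traffic is not being re-signed by the CA you exported; that is the same failure the browser reports as a certificate warning.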

Authenticated Web application scanning

If the web application requires authentication, an unauthenticated automated scan has very limited scope: it only reaches the pages visible before login.

To scan the complete application, including the restricted parts, ZAP needs either a valid session ID or a username and password it can log in with.

To get the session ID, log in normally in the browser, open the developer tools (Inspect Element), go to the Storage tab (Application in Chrome) and copy the value of the session cookie.

In ZAP, open the HTTP Sessions tab, click New Session, enter the session cookie value and set the session as active.

A scan run with that session active now reaches far more of the application than the earlier unauthenticated scan. Two caveats: add the logout URL to the spider's exclusions, otherwise the spider will follow it and invalidate the very session you supplied; and check the session is still valid when the scan finishes, since an expired cookie silently turns the rest of the scan into an unauthenticated one.
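Everything described in the automated scan and authenticated scanning sections can be driven through ZAP's JSON API instead of the GUI, which is how the scan is usually wired into a pipeline. The block below is an added example, not code from the original post or from the ZAP project; it assumes the API is served on ZAP's default proxy address, an API key of "changeme" (use the one under Tools > Options > API), and a target and cookie value that are placeholders. The transport function is injected so the same flow can be exercised offline; `urllib_get` is the live one.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed defaults: ZAP's local proxy port also serves the API, and the API key
# is whatever Tools > Options > API shows for your instance (this is a placeholder).
ZAP_API = "http://127.0.0.1:8080"
API_KEY = "changeme"


def zap_get(component, kind, name, http_get, **params):
    """Call /JSON/<component>/<view|action>/<name>/ and decode the JSON reply.

    http_get(url) -> str is injected so the flow can be driven by a live ZAP
    (urllib_get) or by an offline stand-in when testing.
    """
    params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    return json.loads(http_get(url))


def urllib_get(url):
    """Transport for a live ZAP instance."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode("utf-8")


def activate_session(site, session_name, cookie_name, cookie_value, http_get):
    """API equivalent of HTTP Sessions > New Session > Set Active.

    After this the spider and active scanner send the cookie on every
    request to `site` (the site as ZAP names it, e.g. http://localhost:3000).
    """
    zap_get("httpSessions", "action", "addSessionToken", http_get,
            site=site, sessionToken=cookie_name)
    zap_get("httpSessions", "action", "createEmptySession", http_get,
            site=site, session=session_name)
    zap_get("httpSessions", "action", "setSessionTokenValue", http_get,
            site=site, session=session_name, sessionToken=cookie_name,
            tokenValue=cookie_value)
    zap_get("httpSessions", "action", "setActiveSession", http_get,
            site=site, session=session_name)


def wait_for_scan(component, scan_id, http_get, sleep=time.sleep, poll_seconds=2):
    """Poll /view/status/ until the spider or active scan reports 100 %."""
    while True:
        status = zap_get(component, "view", "status", http_get, scanId=scan_id)
        if int(status["status"]) >= 100:
            return
        sleep(poll_seconds)


def automated_scan(target, http_get, sleep=time.sleep):
    """Spider, then actively scan, then return alert names grouped by risk."""
    spider_id = zap_get("spider", "action", "scan", http_get, url=target)["scan"]
    wait_for_scan("spider", spider_id, http_get, sleep)
    ascan_id = zap_get("ascan", "action", "scan", http_get,
                       url=target, recurse="true")["scan"]
    wait_for_scan("ascan", ascan_id, http_get, sleep)
    alerts = zap_get("core", "view", "alerts", http_get, baseurl=target)["alerts"]
    return summarise_alerts(alerts)


def summarise_alerts(alerts):
    """{'High': ['SQL Injection', ...], 'Low': [...]} with duplicate names collapsed."""
    by_risk = {}
    for alert in alerts:
        by_risk.setdefault(alert["risk"], set()).add(alert["alert"])
    return {risk: sorted(names) for risk, names in by_risk.items()}


if __name__ == "__main__":
    # Placeholder target and cookie; replace with the value copied from the browser.
    target = "http://localhost:3000"
    activate_session(target, "logged-in", "token", "<paste cookie value here>", urllib_get)
    print(json.dumps(automated_scan(target, urllib_get), indent=2))
```

The session is registered before the spider starts, which is the order that matters: a spider run without the active session only maps the public surface, and the active scan that follows it inherits that map.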

Brute Force Attack

If spidering does not surface enough content, ZAP can also brute-force directories and files, much like dirb, DirBuster or gobuster, with its Forced Browse feature.

To configure it: open Tools > Options, select Forced Browse and add a custom wordlist (ZAP ships with the DirBuster lists).

To start the brute force, right-click the target in the Sites tree, choose Attack, then Forced Browse site (or Forced Browse directory to limit guessing to one path). Read the status codes in the results carefully: 403s and redirects are often as interesting as 200s, and a site that answers 200 for every path will flag the entire wordlist, so request a deliberately nonexistent path first to see what "not found" looks like on that server.
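The same guessing loop, written out so the status-code handling is visible, as an added example that is not from the original post or from ZAP: it requests each wordlist entry under the base URL, treats redirects as hits rather than following them, and first probes a path that should not exist so that a catch-all server does not flag everything. The probe name, the set of interesting codes and the argument handling in the `__main__` block are assumptions chosen for this example.

```python
import urllib.error
import urllib.request

# Status codes worth reporting; roughly what ZAP's Forced Browse shows by default.
INTERESTING = {200, 204, 301, 302, 307, 401, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 as hits instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the redirect code


_opener = urllib.request.build_opener(_NoRedirect())


def fetch_status(url):
    """Live transport: the HTTP status for a GET, without following redirects."""
    try:
        with _opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def load_wordlist(path):
    """One candidate per line; blank lines and # comments are skipped."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.strip() for line in fh
                if line.strip() and not line.startswith("#")]


def forced_browse(base, words, fetch=fetch_status, extensions=("", "/"),
                  probe="zap-forced-browse-probe-7f3a9c1e"):
    """Guess paths under base and return [(url, status)] for the interesting ones.

    Before guessing, request a path that should not exist (the probe name is
    an arbitrary constant): a server that answers 200, or 302 to a login
    page, for everything would otherwise flag the whole wordlist, so whatever
    status the probe gets is treated as noise and excluded.
    """
    base = base.rstrip("/")
    noise = fetch(f"{base}/{probe}")
    interesting = INTERESTING - {noise}
    hits = []
    for word in words:
        word = word.strip("/")
        if not word:
            continue
        for ext in extensions:
            url = f"{base}/{word}{ext}"
            status = fetch(url)
            if status in interesting:
                hits.append((url, status))
    return hits


if __name__ == "__main__":
    import sys
    target, wordlist = sys.argv[1], sys.argv[2]  # e.g. http://localhost:3000 common.txt
    for url, status in forced_browse(target, load_wordlist(wordlist)):
        print(status, url)
```

Point the script at ZAP's proxy (for example by exporting `http_proxy`/`https_proxy` to 127.0.0.1:8080 before running it) and every guessed URL also lands in the Sites tree, where the passive scanner examines the responses.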

written by: Sahil Gupta

Reviewed By: Sayan Chatterjee
