Tag: ZAP

ZAP – OWASP web application security scanner

Posted on by Admin@itgoodtoknow
  • Zed Attack Proxy is a web application penetration tool
  • Used as a framework for automated security tests
  • It’s a cross platform tool and can be used on UNIX, Windows or Mac OS
  • ZAP is intercepting proxy
  • It provides both active and passive scanners, passive scanner just examines our requests and responses, active scanner performs wide range of attacks
  • It has an excellent report generation ability
  • ZAP can also find hidden directories and files using Brute Force(based on OWASP DirBuster code) component
  • It can also fuzz parameters including fuzzing libraries (using fuzzdb & OWASP JBroFuzz)
  • ZAP has the following additional features:
    • Auto tagging, this feature tag messages that you can easily see which message has hidden fields
    • Port scanner, so you can see which ports are open on a computer
    • Parameter analysis, it analyzes all requests and shows you the summary of all of parameters that application uses
    • Smart card support, it’s very useful if an application you are testing uses smart card or tokens for authentication 
    • Session comparison
    • Invoke external applications
    • API + Headless mode
    • Dynamic SSL Certificates allows to intercept HTTPs trafic
    • Anti CSRF token handling
  • During initial installation ZAP offers you to create SSL Root CA certificate, it allows proxy to intercept all HTTPs traffic, you will need it if you are planning to test any application using HTTPs protocol, steps are the following: 
    • Generate SSL certificate
    • Save it
    • Import it to your browser
  • Don’t forget to amend Connection Settings in your browser and specify ZAP as your HTTP proxy
  • After successful installation you can perform basic penetration test
  • A basic penetration test
    • Configure your browser to use ZAP as a proxy
    • Explore the application manually
    • Use the Spider to find hidden content
    • See what issues the Passive Scanner has found
    • Use the Active Scanner to find vulnerabilities
    • Review all vulnerabilities that were found during Active Scanning
  • ZAP can be used for completely automated security tests in conjunction with Apache Ant and Selenium framework
  • ZAP has three modes: Safe mode doesn’t allow you to do anything potentially dangerous, Protected mode allows you to do potentially dangerous things on item in Scope and Standard mode allows you to do dangerous things on anything
  • ZAP can keep track of all HTTP sessions and allows to switch between them
  • Nowadays web sockets are very popular and currently  ZAP has one of the best support for web sockets