09 Jul OWASP ZAP: A Dive into Web Security Testing
Securing websites is indispensable these days, so many tools exist for scanning web applications and finding their vulnerabilities. Here you will see an easy way to run a web penetration test using ZAP (Zed Attack Proxy).
What is OWASP ZAP?
OWASP (Open Web Application Security Project) is a vendor-neutral, non-profit organization dedicated to improving the security of web applications. ZAP is open source and one of the most popular security testing tools for web applications; it is used to perform penetration testing, and because it belongs to the OWASP community it is completely free. It assists testers in detecting security vulnerabilities in websites.
Advantages of ZAP
- ZAP (Zed Attack Proxy) is a Java-based tool that enables testers to perform fuzzing, scripting, spidering and proxying to attack web applications.
- ZAP is platform independent, which means it can be used across all operating systems (Windows, Linux, Mac).
- ZAP is an open source tool and free to use.
- After the testing is complete it can also generate reports.
- A ZAP session can be reused, so the whole process does not have to be repeated from scratch after functional changes.
ZAP first starts a proxy server and routes the browser's traffic to the website through that server. The automated scanner in ZAP then helps you find the vulnerabilities in the web application. To understand the workflow of ZAP, go through the following flowchart.
Basic Terminologies in ZAP
- Session: To identify the attack surface of a website, ZAP must navigate through the website; a session records that navigation. To perform this, we can use any browser by changing its proxy setting to point at ZAP. ZAP allows us to save sessions (file extension .session) so they can be reused.
- Context: A context is a collection of URLs grouped together as one system. According to the requirement you can target a particular set of URLs with particular users, hosts etc. and ignore the rest, to keep the amount of data manageable.
- Attacks in ZAP: The objective of this tool is to penetrate the web application: attack its URLs, scan them, and check how vulnerable the website is to threats and attacks.
- Quick attack: This is the quickest way to test a web application with ZAP. In the Quick Start tab, enter the URL in the URL input box and click the 'Attack' button. ZAP uses its spider to crawl the website, scanning all the pages it locates, and then uses the active scanner to attack all of those pages. This is the most efficient way to perform an initial verification of a web application.
- Spider: The spider automatically explores new resources or URLs in a website. It looks at each URL, identifies the hyperlinks in it, and adds every newly found link to its list.
- Active scan: To detect vulnerabilities, the active scan attacks the website using known techniques. It modifies request data and can insert malicious scripts into the web application. So when you are going to test your web application for security issues, deploy it in a separate environment and run the active scan there. Then make sure that we only run the active scan against websites we are permitted to test.
Note: ZAP provides many more attacks than those discussed above, such as fuzzing, the AJAX spider and forced browsing.
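The Quick attack, spider and active scan steps above can also be driven through ZAP's JSON API instead of the GUI. The script below is an added example (not from the original post or from the ZAP project). It assumes ZAP is running on localhost:8080 with its API enabled and an API key, and it uses the real endpoints spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status and core/view/alerts. The HTTP fetcher is injectable, so the workflow can be exercised against a fake ZAP (the `FakeZap` class is constructed for the example) without a running instance.

```python
"""Drive ZAP's spider -> active scan -> alerts workflow through its JSON API."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"   # assumed address of the running ZAP instance
API_KEY = "change-me"                # placeholder; use the key shown in ZAP's API options


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params)
    query["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def http_fetch(url):
    """Real fetcher: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_scan(fetch, component, scan_id, poll_seconds=2.0, max_polls=600):
    """Poll <component>/view/status until ZAP reports 100 percent complete."""
    for _ in range(max_polls):
        reply = fetch(api_url(component, "view", "status", scanId=scan_id))
        if int(reply["status"]) >= 100:
            return int(reply["status"])
        time.sleep(poll_seconds)
    raise TimeoutError(f"{component} scan {scan_id} did not finish")


def run_quick_attack(target, fetch=http_fetch, poll_seconds=2.0):
    """Mirror the Quick Attack: spider the target, actively scan it, then collect alerts."""
    spider_id = fetch(api_url("spider", "action", "scan", url=target))["scan"]
    wait_for_scan(fetch, "spider", spider_id, poll_seconds)
    ascan_id = fetch(api_url("ascan", "action", "scan", url=target))["scan"]
    wait_for_scan(fetch, "ascan", ascan_id, poll_seconds)
    return fetch(api_url("core", "view", "alerts", baseurl=target))["alerts"]


class FakeZap:
    """Constructed stand-in for a ZAP instance so the workflow can be exercised offline."""

    def __init__(self, alerts):
        self.calls = []          # API paths requested, in order
        self.alerts = alerts     # alerts the fake returns at the end
        self.polls = {"spider": 0, "ascan": 0}

    def __call__(self, url):
        parsed = urllib.parse.urlparse(url)
        self.calls.append(parsed.path)
        component, kind, name = parsed.path.strip("/").split("/")[1:4]
        if kind == "action" and name == "scan":
            return {"scan": "0"}                      # ZAP returns the new scan id
        if kind == "view" and name == "status":
            self.polls[component] += 1                # first poll 50%, second 100%
            return {"status": "100" if self.polls[component] >= 2 else "50"}
        if kind == "view" and name == "alerts":
            return {"alerts": self.alerts}
        raise ValueError(f"unexpected call {url}")


if __name__ == "__main__":
    # Replace fetch=FakeZap(...) with the default http_fetch to drive a real ZAP.
    fake = FakeZap([{"name": "X-Frame-Options Header Not Set", "risk": "Medium"}])
    print(run_quick_attack("http://target.example", fetch=fake, poll_seconds=0))
```

The polling loop is the part worth copying: both the spider and the active scan run asynchronously in ZAP, and alerts are only complete once ascan/view/status reaches 100, so a script that fetches alerts immediately after starting the scan sees a partial picture.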
Download the ZAP installer for your OS. We are using Windows 10, so we downloaded the Windows 64-bit installer.
Note: Java 7 or above must be installed on your system. If it is not, install it first so that you are able to launch ZAP.
How to run tests in ZAP
After installing ZAP to the default directory, it is stored at
C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe
You can launch it from the ZAP icon on the Windows desktop, or from the command prompt. First navigate to the directory where the ZAP jar is stored (C:\Program Files\OWASP\Zed Attack Proxy) and then run the command below to launch the application.
java -Xmx512m -jar zap-2.7.0.jar
When ZAP opens, it first asks whether you want to persist the session.
If you want to return to your site configuration and test results later, select the second option; if you do not, choose "No, I do not want to persist the session". So here I am going to select the second option because I want to persist the session. After this, the ZAP home window opens, which consists of three sections, each with its own task.
Sites and Context: All the websites you access through the ZAP proxy are stored here as a list. If the website you are using makes a call to another site, that site is stored under a separate entry. When a particular website is the one of interest, it should be added to the 'context' section.
Workspace window: Here we provide the URL of the website we want to scan. There are two buttons, 'Attack' and 'Stop'. Entering the URL and clicking the Attack button attacks the target, and clicking the Stop button aborts the scan at that moment. Detected issues continue to be logged and sent to the bottom section.
Bottom window: This section shows the results, request history and vulnerabilities found by the tests. The most essential tab is Alerts, because it shows all the detected vulnerabilities for the targeted web application. Clicking an alert opens the related request/response and provides detailed information about the detected vulnerability.
Attack the web application
To perform attacks on a website, first provide the target URL you want to test in the text box. The test starts as soon as you click the 'Attack' button. You can also select which attack to start, such as spider or active scan. Once the attack completes you can check the results in the Alerts tab in the bottom section. Each alert shows its level of risk as high, medium or low.
In the bottom section, under the Alerts tab, all the detected vulnerabilities are listed. Clicking one of them shows detailed information such as the risk level and the line of the response that is vulnerable.
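The risk levels in the Alerts tab are what a tester uses to decide what to fix first, and the same decision can be automated when ZAP runs in a pipeline. The script below is an added example (not from the original post or the ZAP project). It consumes alert records in the shape that ZAP's core/view/alerts API returns (fields such as name, risk, confidence, url, param and cweid); the five records embedded here are constructed sample data, and the grouping rule and the "fail the build at Medium or above" threshold are this example's own choices.

```python
"""Triage ZAP alerts by risk level and decide whether a scan should fail a build."""
import json
import urllib.parse
from collections import Counter

# ZAP's four risk levels, ordered so they can be compared against a threshold.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts in the shape ZAP emits; hostnames and values are illustrative only.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"name": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://target.example/", "param": "X-Content-Type-Options", "cweid": "16"},
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/search?q=x", "param": "q", "cweid": "79"},
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/search?q=y", "param": "q", "cweid": "79"},
    {"name": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://target.example/login", "param": "session", "cweid": "614"},
    {"name": "Information Disclosure - Debug Error Messages", "risk": "Informational",
     "confidence": "Low", "url": "http://target.example/err", "param": "", "cweid": "200"},
]})


def load_alerts(text):
    """Parse the JSON document returned by core/view/alerts into a list of alert dicts."""
    return json.loads(text)["alerts"]


def count_by_risk(alerts):
    """Summary like the Alerts tab header: how many alerts at each risk level."""
    return Counter(alert["risk"] for alert in alerts)


def group_findings(alerts):
    """Group alerts by (name, param, path) so repeated hits on one endpoint become one finding.

    ZAP raises one alert per request that triggers a rule, so a reflected XSS in the
    'q' parameter of /search appears once per crawled query string; the tester only
    needs one ticket for it.
    """
    groups = {}
    for alert in alerts:
        path = urllib.parse.urlsplit(alert["url"]).path
        key = (alert["name"], alert.get("param", ""), path)
        finding = groups.setdefault(key, {"risk": alert["risk"], "confidence": alert["confidence"],
                                          "cweid": alert.get("cweid", ""), "urls": []})
        finding["urls"].append(alert["url"])
    return groups


def findings_at_or_above(alerts, threshold):
    """Findings whose risk is at least `threshold`, highest risk first."""
    selected = [(key, finding) for key, finding in group_findings(alerts).items()
                if RISK_ORDER[finding["risk"]] >= RISK_ORDER[threshold]]
    return sorted(selected, key=lambda item: -RISK_ORDER[item[1]["risk"]])


def should_fail_build(alerts, threshold="Medium"):
    """Gate used in CI: fail when any finding reaches the threshold risk level."""
    return len(findings_at_or_above(alerts, threshold)) > 0


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print(dict(count_by_risk(alerts)))
    for (name, param, path), finding in findings_at_or_above(alerts, "Low"):
        print(f"{finding['risk']:<6} {name} param={param!r} at {path} ({len(finding['urls'])} hits)")
    print("fail build:", should_fail_build(alerts))
```

Grouping before counting matters: the raw alert list makes a single XSS look like two High findings, which inflates the summary and hides the fact that one fix clears both entries.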