OWASP ZAP for beginners

Guneet Singh
5 min read · Dec 5, 2020

Introduction:

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect the messages sent between them, modify their contents if needed, and then forward those messages on to their destination.
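The proxy role described above, as an added example (not ZAP's own code): a minimal plain-HTTP intercepting proxy built from Python's standard library that records each exchange and tags the forwarded request before relaying the response, exercised against a constructed upstream server on loopback. The X-Proxied-By header, the HISTORY list and the /login path are constructed for the demonstration; HTTPS interception is not covered here, which is what the certificate step later in this post is for.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

HISTORY = []  # (method, url, status) per exchange, like ZAP's History tab

class InterceptingProxy(BaseHTTPRequestHandler):
    """Sits between client and server: intercept, inspect, modify, forward."""
    log_message = lambda self, *a: None  # keep the example quiet
    def do_GET(self):
        target = urlsplit(self.path)  # a proxy receives the absolute URL here
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("proxy-connection", "connection")}  # hop-by-hop
        headers["X-Proxied-By"] = "example-proxy"  # modify: tag the forwarded request
        conn = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
        conn.request("GET", target.path or "/", headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        HISTORY.append(("GET", self.path, resp.status))  # inspect: record the exchange
        self.send_response(resp.status)  # forward: relay the response to the client
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

class Upstream(BaseHTTPRequestHandler):
    """Constructed target site: echoes the tag so the modification is visible."""
    log_message = lambda self, *a: None
    def do_GET(self):
        payload = f"tag={self.headers.get('X-Proxied-By', 'none')}".encode()
        self.send_response(200)
        self.end_headers()  # HTTP/1.0 reply: the closing socket delimits the body
        self.wfile.write(payload)

def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo():
    upstream, up_port = serve(Upstream)
    proxy, proxy_port = serve(InterceptingProxy)
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", f"http://127.0.0.1:{up_port}/login")  # absolute URL, browser-style
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    for s in (upstream, proxy): s.shutdown(); s.server_close()
    return result
```

Running demo() returns (200, "tag=example-proxy"), proving the request really passed through, and was altered by, the proxy; HISTORY then holds the recorded exchange.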

OWASP ZAP comes pre-installed in Kali Linux and can be installed on other platforms from the link below.

After installation, when you first start ZAP you will be asked whether you want to persist the ZAP session. By default, ZAP sessions are always recorded to disk in an HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP.

If you choose to persist a session, the session information will be saved in the local database so you can access it later, and you will be able to provide custom names and locations for saving the files.

Introduction to ZAP UI:

The ZAP Desktop UI is composed of the following elements:

  1. Menu Bar — Provides access to many of the automated and manual tools.
  2. Toolbar — Includes buttons which provide easy access to most commonly used features.
  3. Tree Window — Displays the Sites tree and the Scripts tree.
  4. Workspace Window — Displays requests, responses, and scripts and allows you to edit them.
  5. Information Window — Displays details of the automated and manual tools.
  6. Footer — Displays a summary of the alerts found and the status of the main automated tools.

Configuring ZAP proxy:

  1. In the ZAP UI select Tools -> Options.
  2. Select Local Proxies. Enter localhost (or 127.0.0.1) as the Address and a port of your choice, then click OK.
  3. Open the browser and navigate to its network settings (e.g. in Mozilla Firefox: Options -> Network Settings).
  4. Select the Manual proxy configuration option, enter the same port you gave ZAP, and click OK.

Installing the certificate:

After the above configuration, since all requests and responses are proxied by ZAP, certificate verification will fail for sites using secure connections (HTTPS) and the connection will be terminated with a certificate error.

To stop that from happening, the certificate ZAP generates needs to be installed in the browser as a trusted authority. Since that certificate can sign for any site, trust it only in the browser profile you use for testing.

  1. In the ZAP UI select Tools -> Options.
  2. Click Dynamic SSL Certificates, then click Generate and save the certificate.
  3. In Firefox select Options -> Privacy and Security.
  4. In the Privacy and Security menu select Certificates -> View Certificates.
  5. Select Authorities -> Import, browse to the saved certificate and import it.
  6. Make sure to tick the trust check boxes in the dialog that appears.
  7. Observe that the certificate has been added successfully.
  8. Restart both ZAP and the browser.

Now requests and responses will be visible in OWASP ZAP and you can start testing websites.

Scan Modes

ZAP provides four modes for testing a website:

  • Standard Mode: Allows you to do anything to any website.
  • Attack Mode: Actively scans any website.
  • Safe Mode: Turns off all the potentially harmful features while scanning.
  • Protected Mode: Allows you to scan only websites within a defined scope.

Navigating Your Website

In order to extract the tree of your website, you need to crawl the website in your browser. You should hit all the features and go through all possible actions. This phase is very important!

The more thoroughly you explore your website, the more complete the results will be.

Spidering Your Website

Spidering a website means crawling all of its links and getting the structure of the website.

Why do we need spidering?

If you access all aspects of the site while navigating it, then strictly speaking you don’t need to use the spider; it is there to pick up things you missed, or for when proxying isn’t an option.

This is done by right-clicking on the site and selecting Attack from the menu, then clicking Spider.

Extensions

There is an extension marketplace maintained by the community. Click the three coloured boxes icon to show the list. To install an extension, click on the Marketplace tab and type the extension name in the box, then click the Install Selected button.

Generate reports

ZAP provides comprehensive reports on the scans performed. There are a few types of reports in ZAP; users just have to click Reports and select the type of report.

There are various other features that ZAP provides which you will explore on your own as you use this tool.

HAPPY HACKING!!!!!