Owasp Zap Installation & Complete Use Guide in Windows & Linux
OWASP ZAP - Web Application Security Testing Tool | A Simple Way to Detect Vulnerabilities
Hello guys, today we are going to introduce a useful bug bounty tool designed to check the security of web applications. OWASP ZAP is an open-source web application security scanner. It is intended for use by both novices in the field of application security and professional penetration testers. It has become one of the most widely used open-source dynamic application security testing (DAST) tools, and it is managed by OWASP. If you want to know more about this project, you can also read here.
Penetration testing (also known as pen testing or, more generally, security testing) is the process of testing your applications for vulnerabilities and answering a simple question: “What could a hacker do to harm my application or organization in the real world?”
I recently came across a tool, Zed Attack Proxy (ZAP). Its main goal is to enable easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts. This OWASP ZAP tutorial will walk you through various ZAP penetration testing concepts.
OWASP Zed Attack Proxy is a world-class security testing tool that helps find potential vulnerabilities in a web application. It is ideal for experienced security analysts as well as for testers and developers who are new to pen testing. In particular, OWASP ZAP is the most widely used web scanner in security testing, and ZAP security testing has become an important part of web application vulnerability assessment.
Installation of OWASP ZAP in Linux:
In our case, we use the Kali Linux operating system. First, download the Linux installer and move it to a convenient location where you can easily work with it. Then run the installer with bash, as shown below.
```
┌──(root💀OnlineHacking)-[~]
└─# cd Downloads
┌──(root💀OnlineHacking)-[~/Downloads]
└─# ls
ZAP_2_12_0_unix.sh
┌──(root💀OnlineHacking)-[~/Downloads]
└─# bash ZAP_2_12_0_unix.sh
Starting Installer ...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
```
Step_1: After running the bash script, the GUI installer opens immediately. Click “Next” to start setting up the tool.
Step_2: Now accept the license agreement and continue.
Step_3: Now click on the install button to proceed with the installation.
Hmmm 🙂!! We need to be patient as the installation may take some time to complete.
Installation of OWASP ZAP in Windows:
Using OWASP ZAP
Nice 😛!! Even though it is an open-source tool, it has a lot of features that we will not find even in paid tools. Let’s explore the features of this tool.
As of version 2.5.0, ZAP can be used in one of four modes:
- Safe Mode: Safe mode will avoid anything potentially dangerous.
- ATTACK mode: ATTACK mode will aggressively try to attack new URLs as soon as they are discovered.
- Protected mode: Use Protected mode when you want to restrict pen testing to the sites you have permission to test.
- Standard mode: Standard mode allows for all types of attacks.
Formats of Reports:
As you can see in the image below, this tool has several options (formats) available for saving the result.
As you can see, many different types of tools are available for testing a web application. All the important parts of this tool have been shown, and now we move on to the attack.
First, let’s consider the automatic scanning feature of this tool.
Good 😛!! All we have to do is enter the URL of the web application and select a browser.
A spider is a tool that is used to automatically discover new resources (URLs) on a particular website. It starts with a list of URLs to visit, called seeds, which depend on how the Spider is started. The spider then visits these URLs, identifies all the hyperlinks on the page, and adds them to the list of URLs to visit; the process continues recursively as long as new resources are found.
While processing a URL, the Spider makes a request to fetch the resource and then parses the response to identify hyperlinks. It currently behaves as follows when processing the response:
It processes the following tags, identifying links to new resources:
- Base – proper handling
- A, Link, Area, Base – ‘href’ attribute
- Applet, Audio, Embed, Frame, IFrame, Input, Script, Img, Video – ‘src’ attribute
- Blockquote – ‘cite’ attribute
- Meta – ‘http-equiv’ for ‘location’, ‘refresh’ and ‘Content-Security-Policy’; ‘name’ for ‘msapplication-config’
- Applet – ‘codebase’ and ‘archive’ attributes
- Img – ‘longdesc’, ‘lowsrc’, ‘dynsrc’ and ‘srcset’ attributes
- Isindex – ‘action’ attribute
- Object – ‘codebase’ and ‘data’ attributes
- Param – ‘value’ attribute
- Svg – ‘href’ and ‘xlink:href’ attributes of ‘image’ and ‘script’ elements
- Table – ‘background’ attribute
- Video – ‘poster’ attribute
- Form – proper handling of forms using the GET and POST methods. Field values are generated validly, including
- HTML 5.0 button input types “form”, “formaction” and “formmethod” are also respected.
- Comments – valid tags found in comments are also analysed if this is enabled in the Options Spider screen
- Import – ‘implementation’ attribute
- Inline strings – ‘p’, ‘title’, ‘li’, ‘h1’, ‘h2’, ‘h3’, ‘h4’, ‘h5’, ‘h6’ and ‘blockquote’ tags
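To make the tag table concrete, here is an added example (not ZAP's own spider code) of a small link extractor built on Python's standard library. It follows the same tag/attribute rules for a subset of the list above, including <base> handling and the meta refresh case; the page URL, the sample HTML and the LINK_ATTRS table are constructed for this demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tag -> attributes treated as links (a subset of the table above; srcset omitted).
LINK_ATTRS = {
    "a": ("href",), "link": ("href",), "area": ("href",),
    "img": ("src", "longdesc", "lowsrc", "dynsrc"), "script": ("src",),
    "iframe": ("src",), "frame": ("src",), "embed": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "input": ("src",), "form": ("action",),
    "object": ("data", "codebase"), "blockquote": ("cite",), "table": ("background",),
}

class LinkExtractor(HTMLParser):
    """Collects absolute http(s) URLs from one response, honouring <base href>."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.links = []

    def _add(self, value):
        url = urljoin(self.base, value.strip())
        if url.startswith(("http://", "https://")) and url not in self.links:
            self.links.append(url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if tag == "base" and attrs.get("href"):  # later relative links resolve against it
            self.base = urljoin(self.base, attrs["href"])
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            content = attrs.get("content", "")  # e.g. "0; url=/next"
            if "url=" in content.lower():
                self._add(content[content.lower().index("url=") + 4:])
        else:
            for name in LINK_ATTRS.get(tag, ()):
                if attrs.get(name):
                    self._add(attrs[name])

def extract_links(page_url, html):
    """Return the new URLs a spider would queue from this page, in document order."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    return parser.links

# Constructed sample response (not a real site).
SAMPLE = """<html><head><base href="/app/">
<meta http-equiv="refresh" content="0; url=login"><link href="style.css"></head>
<body><a href="../about">about</a><img src="logo.png" longdesc="desc.html">
<form action="submit"></form><a href="mailto:x@y.test">mail</a><a href="../about">dup</a>
</body></html>"""
```

Calling extract_links("http://example.test/index.html", SAMPLE) shows how the base URL, the meta refresh target and duplicate or non-HTTP links are handled.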
Results – Spider
As we know, spider scanning crawls the entire web application, including its content and hyperlinks.
The AJAX Spider allows you to crawl web applications written in AJAX to a much greater depth than the native Spider.
An alert is a potential vulnerability and is associated with a specific request.
A request may have more than one alert.
Alerts are displayed in the user interface with a flag indicating the risk:
Alerts can be triggered by various ZAP components, including but not limited to: active scanning, passive scanning, scripts, using add-ons (extensions), or manually using the Add Alert dialog (which also allows you to update or change alert details/information).
Alerts are marked on the History tab with a flag that indicates the highest risk alert.
All alerts are listed on the Alerts tab and the number of total alerts by risk is listed in the footer.
Overriding alerts:
Alerts generated by ZAP contain both general and specific alert information. Specific information relates directly to the potential problem found, such as the URL and parameter affected. General information includes things like a description and links to related online resources.
You can replace or add to the general information using the ‘alert override’ configuration file. This allows you to include information that is specific to your company, such as mandated policies, internal links, or advice for specific technologies you use.
Alerts (Vulnerabilities):
In the alerts section, we can see security issues or vulnerabilities found in web applications.
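As an added example (not part of ZAP or this tutorial) tying the alert and override sections together: a small Python script that reads a ZAP-style JSON report, applies an alert-override file, and counts alerts by risk the way the Alerts tab footer does, with a gate that a CI job could fail on. The report sample, plugin ids and override lines are constructed; the report field names (pluginid, riskcode, solution) and the '<pluginid>.<field>[.other]=' override syntax are my assumptions about ZAP's formats.

```python
import json

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample shaped like ZAP's JSON report (site -> alerts); field names are assumed.
REPORT = json.loads("""{"site": [{"@name": "http://app.test", "alerts": [
  {"pluginid": "10038", "name": "CSP Header Not Set", "riskcode": "2", "confidence": "3",
   "solution": "Set a Content-Security-Policy header.",
   "instances": [{"uri": "http://app.test/"}, {"uri": "http://app.test/login"}]},
  {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
   "confidence": "2", "solution": "Send X-Content-Type-Options: nosniff.",
   "instances": [{"uri": "http://app.test/"}]}]}]}""")

# Constructed override file: '<pluginid>.<field>=' replaces, '<pluginid>.<field>.other=' appends.
OVERRIDES = """10038.solution=Enable the CSP block from the base nginx template.
10021.solution.other=See the internal hardening runbook.
"""

def parse_overrides(text):
    """Return {pluginid: [(field, value, append), ...]} from override text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        append = parts[-1] == "other"
        field = ".".join(parts[1:-1] if append else parts[1:])
        rules.setdefault(parts[0], []).append((field, value.strip(), append))
    return rules

def apply_overrides(report, rules):
    """Replace or append general alert fields per plugin id, in place."""
    for site in report["site"]:
        for alert in site["alerts"]:
            for field, value, append in rules.get(alert["pluginid"], []):
                alert[field] = (alert.get(field, "") + " " + value).strip() if append else value
    return report

def risk_summary(report):
    """Count alerts per risk level, like the footer of the Alerts tab."""
    counts = {name: 0 for name in RISK.values()}
    for site in report["site"]:
        for alert in site["alerts"]:
            counts[RISK[alert["riskcode"]]] += 1
    return counts

def passes_gate(report, max_risk="Low"):
    """True when no alert is above max_risk; a CI job can fail on False."""
    limit = list(RISK.values()).index(max_risk)
    return all(list(RISK.values()).index(r) <= limit or n == 0 for r, n in risk_summary(report).items())
```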
Set up the proxy in ZAP
Close all active Firefox sessions
With ZAP running -> Tools menu -> Options -> Local Proxy -> set Address = 127.0.0.1 and Port = 8081.
Mozilla Firefox -> Tools menu -> Options -> Advanced tab -> Network -> Settings -> select Manual Proxy Configuration: HTTP Proxy = 127.0.0.1, Port = 8081.
Now try to connect to the application using the browser.
If you can’t connect to it, check your proxy settings again: make sure your browser’s proxy settings point at ZAP and that ZAP’s local proxy is on. It’s also worth checking that the application you’re trying to test is actually running!
When you’ve successfully connected to your app, you’ll see one or more lines in ZAP’s Sites and History tabs.
Note that most ZAP tabs provide additional functions that can be accessed via right-click menus.
Right-click the site node -> Attack -> Active Scan
ZAP will perform an active scan of all pages and display the results.
Save the ZAP session
Once you’ve manually explored the app, it’s a good idea to save the ZAP session so you can look at it again.
If your application has multiple roles, you should examine it with each role and save the sessions in separate files.
Generating a Report
ZAP -> Report menu -> Generate HTML Report (or any of the other listed formats) -> save and share the report.
Authentication, session, and User management using ZAP
1) Context: Represents the web application
2) Session management method: How web sessions are identified by the server and how subsequent requests are tied to a session
Example: cookie-based or query-parameter-based session management
3) Authentication method: How is a new session created?
This can be a form-based, HTTP-based, or OAuth-based authentication method.
4) User management: Manage the web application users that can be used to perform actions
Example: username/password pair