Quick use steps
The OWASP Zed Attack Proxy is a free and open source penetration testing tool released by OWASP and developed for website application security testing.
The tool can be used by both security professionals, testers and developers alike.
After opening the tool:
-
Select ‘Launch Browser’ then ‘JxBrowser’.
-
Go to the website in the browser
-
Notice that under ‘Sites’ you will not only see the website but also a list of related sites where your website draws resources from.
-
Select your site and add it as the ‘Default Context’.
-
Select all other sites to exclude and make sure they are excluded from the proxy scanner.
There are several different types of ‘Attacks’ that can run.
- Spider
- Active Scan
- Forced Browse site
- Forced Browse directory
- Forced Browse directory (and children)
- AJAX Spider
- Fuzz
For this, I selected ‘Active Scan’ then ‘Advanced Options’. All technology and input vectors were chosen as part of the scan to make it as comprehensive as possible.
You can also select elements under the main ‘Site’, to attack other elements.
I also started using the fuzzing tool.
-
Right click over the site, select ‘Attack’ then ‘Fuzz’
-
Select ‘Add’ in ‘Fuzz Locations’
-
Add Payload via strings, script, regex, empty/null, file fuzzers, file, numberzz.
There are some fuzzer scripts available, but the application has a couple of file fuzzers already available.
I ran DirBuster first. DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers, however it is no longer an actively maintained OWASP project.
Following that, I ran JBroFuzz. It is a web application fuzzer for requests being made over HTTP or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities. It is also an inactive OWASP project.
Alert example
While running these attacks, the Alerts tab will show alerts which are potential vulnerabilities associated with a specific request. These alerts can be raised by various ZAP components.
The alerts will show this type of template:
Details: Name of the alert.
URL: URL of the website attacked.
Risk: Description of how serious risk is.
Confidence: Description of how confidence the result is in the validity of the finding. Ranges from False Positive, Low, Medium, High, Confirmed.
Parameter: Parameter that the issue is associated with (or in other words, the parameter that was attacked). The field is prepopulated with any URL and FORM parameters found, but you can also enter your own parameter name.
Attack: Parameter value or detail used for the attack itself.
CWE ID: Idea in relation to the CWE (Common Weakness Enumeration) project.
WASC ID: This is the ID from the WASC (Web Application Security Consortium) Threat Classification project.
Source: This is the ZAP policies code.
Description:
Description about the vulnerability itself.
Other info:
Showcases information on how to read the results and how the alert came about, more information about vulnerability and so on.
Solution:
Can be more than one solution and a list of possible solutions to mitigate the vulnerability.
Reference:
List of reference links.
How useful was OWASP ZAP?
First thing to know is that OWASP has developed and released a large number of resources to advance the information security industry. One such resource is OWASP ZAP, which had made web application security testing more accessible.
The results from OWASP ZAP provided is a good springboard for testers and developers alike to further secure their web applications.
More Resources
How to scan for website vulnerabilities with OWASP-ZAP (6 min video) - watch video
ZAP Tutorial - Authentication, Session and Users Management (18 min video by one of the developers) - watch video
WASC (Web Application Security Consortium) Threat Classification project. More details.
CWE (Common Weakness Enumeration) project. More details.