Identify Web Application Vulnerabilities using OWASP ZAP

December 11, 2012

Introduction

Today’s organizations face major problems with web application vulnerabilities. Many such vulnerabilities have led to compromised systems, with consequences including financial damage, theft of credit card data, loss of confidential data and reputational damage. Sometimes an attacker only needs to browse a site to compromise the whole organization’s network; it is that simple. But thanks to the folks at OWASP, we can find flaws in web applications before the bad guys do, using the tool ZAP. In this article we are going to learn how to identify flaws in your applications using ZAP.

You cannot build secure web applications unless you know how to attack them

OWASP Zed Attack Proxy (ZAP) provides an easy-to-use integrated penetration testing tool for testing web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Main Features of ZAP

  • Intercepting Proxy: An intercepting proxy is a tool that sits between your browser and the web server. It lets you see every request you make to a web application and every response you receive from it, and it also lets you intercept those requests and responses.
  • Active or Automated Scan: Active scanning attempts to find the vulnerabilities listed in the OWASP Top 10 on the selected target. It uses default attack scenarios to find the vulnerabilities.
  • Passive scanner: The passive scanner examines all of the responses from the web application being tested in the background, raising potential issues without intercepting any requests or responses.
  • Brute Force scanner: This feature allows you to brute force directories and files using a set of supplied dictionaries that contain a large number of file and directory names.
  • Spider: The spider automatically discovers new URLs: it crawls through all the hyperlinks identified in a page and adds them to the list of URLs, and the process continues recursively as long as new resources are found.
  • Fuzzer: Fuzzing is the process of finding bugs or crashes by sending invalid or unexpected data to the target server.
  • Dynamic SSL certificates: ZAP can generate self-signed certificates, which allow it to decrypt and re-encrypt the data exchanged with the server using a man-in-the-middle approach.
  • API: An Application Programming Interface (API) that allows you to interact with ZAP programmatically.
  • BeanShell integration: BeanShell is an interactive Java shell that can be used to execute BeanShell scripts.
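The passive scanner item above is the one feature that never touches the target: it only reads responses that already went through the proxy. The following is an added example (not ZAP’s own code, which is written in Java) showing what such a passive rule looks like: it parses a recorded HTTP response and raises the same kind of findings ZAP’s passive rules raise, such as a missing X-Frame-Options header, cookies without HttpOnly or Secure flags, and a Server banner that leaks a version. The URL, the two sample responses and the alert names are constructed for the example.

```python
"""Toy passive scanner in the spirit of ZAP's passive rules.

Added example, not ZAP project code. It inspects recorded responses only and
sends no traffic of its own, which is exactly the property that lets a passive
scanner run safely in the background.
"""
from typing import Dict, List, Tuple


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into (status code, [(name, value)...], body).

    Headers are returned as a list rather than a dict because Set-Cookie may
    legitimately appear several times in one response.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def passive_checks(raw: str, url: str) -> List[Dict[str, str]]:
    """Return a list of findings for one response, ZAP-alert style."""
    status, headers, _body = parse_response(raw)
    present = {name for name, _ in headers}
    findings: List[Dict[str, str]] = []

    def add(alert: str, risk: str, evidence: str = "") -> None:
        findings.append({"alert": alert, "risk": risk, "url": url, "evidence": evidence})

    # Clickjacking defence is only relevant for HTML documents.
    is_html = any(n == "content-type" and "html" in v for n, v in headers)
    if is_html and "x-frame-options" not in present:
        add("X-Frame-Options header not set", "Medium")
    if "x-content-type-options" not in present:
        add("X-Content-Type-Options header missing", "Low")

    for name, value in headers:
        if name == "set-cookie":
            parts = value.split(";")
            cookie_name = parts[0].split("=", 1)[0].strip()
            flags = {p.strip().lower() for p in parts[1:]}
            if "httponly" not in flags:
                add("Cookie without HttpOnly flag", "Low", cookie_name)
            if "secure" not in flags and url.startswith("https://"):
                add("Cookie without Secure flag", "Low", cookie_name)
        elif name == "server" and any(ch.isdigit() for ch in value):
            # A digit in the banner almost always means a version string.
            add("Server version disclosure", "Low", value)

    if status >= 500:
        add("Application error response", "Medium", str(status))
    return findings


# Constructed sample: a weak response and its hardened counterpart.
SAMPLE_URL = "https://shop.example/login"
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

if __name__ == "__main__":
    for finding in passive_checks(WEAK_RESPONSE, SAMPLE_URL):
        print(f"[{finding['risk']}] {finding['alert']} {finding['evidence']}".rstrip())
    print("hardened:", passive_checks(HARDENED_RESPONSE, SAMPLE_URL))
```

Run against the weak response the script reports five findings (missing X-Frame-Options, missing X-Content-Type-Options, the Apache version banner, and the JSESSIONID cookie lacking both HttpOnly and Secure); the hardened response produces none. The checks are deliberately header-level only, which is why a passive scanner can never see logic flaws: it has no notion of what the application was supposed to do.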

Reporting

The important part after performing a pentest is reporting. ZAP provides a good reporting feature that allows you to generate a report of the vulnerabilities identified. Any security issues found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. To generate a report, select Report → Generate HTML Report and specify the location where the file should be saved.
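The HTML report covers the interactive workflow, but the API listed among the main features is what you use to make the same thing repeatable, for instance as a nightly job against a staging environment. The script below is an added example, not part of the article or of the ZAP project: it drives the spider and the active scanner through ZAP’s HTTP API, pulls the alerts for the target, and builds the kind of per-risk summary a report opens with, splitting out low-confidence findings for manual verification (the note at the end of the article stresses that automated results must be verified by hand). The API URL layout (`/JSON/<component>/<view|action>/<operation>/`), the `spider`, `ascan` and `core` endpoints and the `confidence` field are those of ZAP 2.x; treat them as an assumption against the older build the article describes, and the listening address `127.0.0.1:8080` and the sample alerts JSON are constructed for the example.

```python
"""Drive ZAP through its HTTP API and summarize the alerts it reports.

Added example, not ZAP project code. Endpoint names and the alert fields are
those of ZAP 2.x (assumption); the sample alert payload below is constructed.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter
from typing import Dict, List

ZAP_BASE = "http://127.0.0.1:8080"  # assumed: ZAP listening on its default port


def api_url(component: str, kind: str, operation: str, **params: str) -> str:
    """Build a ZAP API URL of the form /JSON/<component>/<view|action>/<op>/?k=v."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{operation}/?{query}"


def call(url: str) -> dict:
    """Issue one API request and decode the JSON body (network; not used by the tests)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def run_scan(target: str, poll_seconds: float = 2.0) -> List[dict]:
    """Spider the target, then actively scan it, then return ZAP's alerts for it.

    Both components start a scan with action/scan and expose progress (0-100)
    through view/status for the returned scan id.
    """
    for component in ("spider", "ascan"):
        scan_id = call(api_url(component, "action", "scan", url=target))["scan"]
        while int(call(api_url(component, "view", "status", scanId=scan_id))["status"]) < 100:
            time.sleep(poll_seconds)
    return parse_alerts(json.dumps(call(api_url("core", "view", "alerts", baseurl=target))))


def parse_alerts(payload: str) -> List[dict]:
    """Extract the alert list from a core/view/alerts JSON response."""
    return json.loads(payload)["alerts"]


def summarize(alerts: List[dict]) -> Dict[str, object]:
    """Count alerts per risk level and list those needing manual verification.

    ZAP marks how sure a rule is via 'confidence'; anything it rates Low is a
    candidate false positive and goes to the manual-review list.
    """
    by_risk = Counter(alert["risk"] for alert in alerts)
    manual_review = sorted({a["alert"] for a in alerts if a.get("confidence") == "Low"})
    return {"by_risk": dict(by_risk), "manual_review": manual_review}


# Constructed sample of what core/view/alerts returns, trimmed to the fields used.
SAMPLE_ALERTS_RESPONSE = json.dumps({"alerts": [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "https://shop.example/search?q=x", "param": "q"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Low",
     "url": "https://shop.example/item?id=1", "param": "id"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "https://shop.example/", "param": ""},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
     "url": "https://shop.example/login", "param": "JSESSIONID"},
]})

if __name__ == "__main__":
    # Offline demonstration on the constructed payload; replace with
    # run_scan("https://staging.example") when a ZAP instance is running.
    print(json.dumps(summarize(parse_alerts(SAMPLE_ALERTS_RESPONSE)), indent=2))
```

On the sample payload the summary is two High, one Medium and one Low alert, with "SQL Injection" queued for manual review because ZAP rated it Low confidence. Keeping the summary logic separate from the network calls is what lets the same code be unit-tested offline and reused on a saved alerts export.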

ZAP Extensions

One of the best features of ZAP is support for extensions, which add further functionality to the ZAP suite.
Visit the link below to learn more about extensions: https://code.google.com/p/zap-extensions/

Conclusion 

ZAP is free and open source software, developed for the community by the community. Beginners can use it to learn pen testing, developers can use it to secure their web apps, and security professionals can use it to audit the security stance of an application. ZAP is a unique and key project of OWASP with an active community.

Note: these tools find vulnerabilities based on predefined test cases. There are certain vulnerabilities that none of the tools can find, such as logic bugs and misconfigurations. Automated tools also tend to generate false positives, which must be verified manually.
