The OWASP Zed Attack Proxy (popularly known as ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. OWASP ZAP is a fork of version 3.2.13 of the open source variant of Paros Proxy. Paros was an HTTP/HTTPS proxy for assessing web application security. It should be noted that Paros Proxy had not been updated since August 2006.
ZAP is the product of the hard work of Simon Bennetts (Psiinon), with help from co-lead Axel Neumann. ZAP has since become an international effort, with people from various countries and organizations volunteering to help with its development. Anyone is welcome to contribute to ZAP, and not only with code: testing, documentation, localization, issue reports and enhancement requests are all needed. It has also been translated into 10 different languages.
INSTALLATION AND CONFIGURATION
ZAP installation is very easy. Once we have unpacked ZAP on our preferred platform, we just invoke it from the application icon or from the command prompt via the appropriate executable. A current Java Runtime Environment is the only prerequisite.
Since ZAP works as a proxy, the next thing to take care of is that our browser is configured to proxy via localhost and a chosen port, and that ZAP listens on that same address and port. I personally prefer port 8085 to avoid conflicts with other proxies and services (ZAP's default is 8080). To set the proxy in ZAP, go to Tools > Options > Local Proxy and enter the same address and port as configured in the browser.
We must also generate an SSL certificate in order to test SSL-enabled sites; we are prompted to do so the first time ZAP runs. This is a root CA certificate that ZAP uses to sign a certificate for each HTTPS site on the fly, so it also has to be imported into the browser's trusted certificate store, otherwise the browser will warn on or refuse every HTTPS connection made through the proxy.
There are numerous features available with ZAP. Let us discuss some of the features now.
1. Break Points:
A break point is perhaps the first feature I used when I started with ZAP. It lets us intercept a request from our browser and change it before it is submitted to the web application under test. We can also change the responses received from the application.
The two arrows represent the HTTP request and response to be intercepted: the forward arrow is the request and the backward arrow the response. Initially both are green, meaning that neither requests nor responses will be intercepted. Once clicked, an arrow turns red and the corresponding requests or responses are intercepted. Intercepted requests and responses are displayed in the Break tab, where we can change disabled or hidden fields and bypass client-side validation, which only ever runs in the browser and is no protection for the server. We can also set a URL-specific break point by right-clicking on the site in the Sites tab or in the History tab.
Once we are done viewing or editing the intercepted request or response, we click the play button next to the break point arrows to forward it.
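As an added example (this is not ZAP's code and was not part of the original article), here is what the Break tab does for us when we edit a form field, shown in Python on a constructed intercepted request. The request bytes, the field names and the values are made up for illustration. The detail worth noticing is the Content-Length header: after the body is edited it must be recomputed, otherwise the server reads a truncated or padded body. ZAP does this silently; a hand-edited request must do it too.

```python
# Added example, not ZAP code: edit an intercepted form POST the way one
# would in ZAP's Break tab, then fix Content-Length so the server still
# reads the whole edited body. The request below is constructed.
from urllib.parse import parse_qsl, urlencode

# Constructed intercepted request: the page sends "price" as a hidden field
# and client-side JavaScript limited "qty" to the range 1..5.
INTERCEPTED = (
    b"POST /cart/add HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"item=42&price=1999&qty=5"
)


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def form_fields(raw: bytes) -> dict:
    """Parse the urlencoded body of a request into a dict of fields."""
    _, _, body = split_request(raw)
    return dict(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))


def edit_form_fields(raw: bytes, changes: dict) -> bytes:
    """Return a copy of `raw` with form fields replaced or added and
    Content-Length recomputed; everything else is left intact.
    Header names keep their original spelling, but the Content-Length
    lookup is case-insensitive because HTTP header names are."""
    request_line, headers, _ = split_request(raw)
    fields = form_fields(raw)
    fields.update(changes)
    new_body = urlencode(fields).encode("iso-8859-1")
    cl_name = next((h for h in headers if h.lower() == "content-length"),
                   "Content-Length")
    headers[cl_name] = str(len(new_body))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    # Bypass the client-side limit on qty and tamper with the hidden price.
    print(edit_form_fields(INTERCEPTED, {"price": "1", "qty": "99"}).decode())
```

Run it and compare the printed request with INTERCEPTED: the body now carries price=1 and qty=99, and Content-Length has dropped from 24 to 22 to match.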
2. Active Scan:
Active scanning attempts to find potential vulnerabilities by sending known attacks to the selected targets. Because it sends real attack payloads, it should only be run against applications we are permitted to test. Active scanning cannot find every type of vulnerability: logical vulnerabilities in particular can never be found by active or any other automated scanning.
3. Alerts:
An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.
Alerts are shown in the UI with a flag indicating the risk.
An alert is normally raised when we run an active scan on the site, but some alerts are raised passively, from the ordinary HTTP requests and responses that pass through the proxy, without running any scan. We can also raise an alert manually using the Add Alert dialog.
The Alerts tab groups the alerts by the type of vulnerability they represent, and under each type every individual finding is listed.
Clicking on a finding shows its details on the right-hand side: the risk, the reliability (how confident ZAP is that the vulnerability is actually present), the parameter that was attacked and the attack that was sent.
What really impressed me was that the details also have four scrollable text areas:
Description: – As the name suggests, this explains the vulnerability concisely but in an easy-to-understand way, enough to gain a basic understanding of what was found.
Other Info: – Any other information on that particular finding is noted here.
Solution: – This is perhaps the sweetest part from a developer's point of view. It describes how to avoid this kind of vulnerability in the web application. Though concise, it gives a useful idea of the possible ways to fix the problem.
Reference: – Here ZAP lists the references it has used for this information.
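To make the alert model concrete, here is an added example (not ZAP's code, and not from the original article) of the fields an alert carries and of two passive rules that raise alerts from a single response without sending any attack, which is how alerts can appear before an active scan is ever run. The rule names, risk levels, descriptions and the sample response headers are all constructed and are not ZAP's own rules or wording.

```python
# Added example, not ZAP code: the alert model described above, with two
# passive rules that raise alerts from a plain response without sending any
# attack. The rule names, risk levels, text and the sample headers are all
# constructed for illustration and are not ZAP's own rules or wording.
from collections import defaultdict
from dataclasses import dataclass

RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    name: str            # vulnerability type; the Alerts tab groups by this
    risk: str            # one of RISK
    reliability: str     # how sure the rule is, e.g. "Warning" or "Suspicious"
    url: str
    param: str = ""      # parameter the finding is about, if any
    attack: str = ""     # payload sent; empty for passive findings
    description: str = ""
    other_info: str = ""
    solution: str = ""
    reference: str = ""


def check_cookie_flags(url, headers):
    """Passive rule: a Set-Cookie lacking HttpOnly or Secure gets an alert each."""
    alerts = []
    for value in headers.get("Set-Cookie", []):
        name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            alerts.append(Alert("Cookie without HttpOnly flag", "Low", "Warning", url,
                                param=name,
                                description="The cookie can be read by script in the page.",
                                solution="Add the HttpOnly attribute to the cookie."))
        if "secure" not in attrs and url.startswith("https://"):
            alerts.append(Alert("Cookie without Secure flag", "Low", "Warning", url,
                                param=name,
                                description="The cookie will also be sent over plain HTTP.",
                                solution="Add the Secure attribute to the cookie."))
    return alerts


def check_frame_options(url, headers):
    """Passive rule: an HTML page that does not restrict framing."""
    ctype = headers.get("Content-Type", [""])[0]
    if ctype.startswith("text/html") and "X-Frame-Options" not in headers:
        return [Alert("X-Frame-Options header not set", "Medium", "Warning", url,
                      description="The page can be framed by another site (clickjacking).",
                      solution="Send X-Frame-Options: DENY or SAMEORIGIN.")]
    return []


PASSIVE_RULES = [check_cookie_flags, check_frame_options]


def passive_scan(url, headers):
    """Run every passive rule over one response. Returns alerts grouped by
    type, highest risk group first, the way the Alerts tab lists them."""
    found = []
    for rule in PASSIVE_RULES:
        found.extend(rule(url, headers))
    grouped = defaultdict(list)
    for alert in found:
        grouped[alert.name].append(alert)
    return dict(sorted(grouped.items(), key=lambda kv: -RISK[kv[1][0].risk]))


# Constructed response headers (multi-valued, so each value is a list).
SAMPLE_HEADERS = {
    "Content-Type": ["text/html; charset=utf-8"],
    "Set-Cookie": ["JSESSIONID=abc123; Path=/",
                   "theme=dark; Path=/; HttpOnly; Secure"],
}

if __name__ == "__main__":
    for name, alerts in passive_scan("https://shop.example/login", SAMPLE_HEADERS).items():
        print(f"[{alerts[0].risk}] {name} x{len(alerts)}")
```

Each rule returns zero or more Alert objects, and the grouping step is what turns a flat list into the tree seen in the Alerts tab. The reliability field is what a reviewer uses to decide which findings to confirm by hand first.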
4. Spider:
A spider is a tool used to visit and list all the resources (URLs) in a particular site. It starts with a list of URLs to visit, determined by how the spider was started. It visits these URLs, identifies new resources or URLs on those pages, adds them to the list, and continues recursively until the list is exhausted.
While processing a URL the spider makes a request to fetch the resource, then parses the response to identify hyperlinks. It processes not only HTML responses but also non-HTML text responses, and if configured to do so it also analyses the site's robots.txt file.
Instead of our visiting every link manually to build a site map, the spider does so automatically and presents a site map listing all the URLs it found in the site. Note that it only finds what is linked to: resources that nothing links to have to be found another way, such as forced browsing.
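The crawl loop just described, as an added example written for this article (it is not ZAP's spider and not from the original text). It runs over a constructed in-memory site so that it works offline: the host name shop.example, the pages, the script and the robots.txt content are all made up. It shows the three behaviours the text mentions: following links from HTML, pulling URLs out of a non-HTML text response, and honouring (or not) robots.txt.

```python
# Added example, not ZAP's spider: the crawl loop described above, run over a
# constructed in-memory site so it works offline. The host name, pages,
# script and robots.txt are all made up for illustration.
import re
from html.parser import HTMLParser
from urllib import robotparser
from urllib.parse import urldefrag, urljoin, urlsplit

BASE = "http://shop.example"

# Constructed site: path -> (content type, body)
SITE = {
    "/": ("text/html", '<a href="/about">About</a> <a href="/admin/">Admin</a> '
                       '<a href="http://other.example/x">Off-site</a> '
                       '<script src="/app.js"></script>'),
    "/about": ("text/html", '<a href="/">Home</a> <a href="/about#team">Team</a> '
                            '<form action="/contact"></form>'),
    "/contact": ("text/html", "<p>no links here</p>"),
    "/admin/": ("text/html", '<a href="/admin/users">Users</a>'),
    "/admin/users": ("text/html", "<p>user list</p>"),
    "/app.js": ("application/javascript",
                'fetch("/api/items"); // URL inside a non-HTML text response'),
    "/api/items": ("application/json", "[]"),
    "/robots.txt": ("text/plain", "User-agent: *\nDisallow: /admin/\n"),
}


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return SITE.get(urlsplit(url).path or "/")


class LinkExtractor(HTMLParser):
    """Collect href, src and form action values from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


# Quoted absolute paths inside script, CSS or JSON text responses.
URL_IN_TEXT = re.compile(r'["\'](/[A-Za-z0-9_./-]*)["\']')


def extract_links(page_url, content_type, body):
    """Return absolute, fragment-free URLs referenced by one response."""
    if content_type.startswith("text/html"):
        parser = LinkExtractor()
        parser.feed(body)
        raw = parser.links
    else:
        raw = URL_IN_TEXT.findall(body)
    return [urldefrag(urljoin(page_url, link))[0] for link in raw]


def spider(seeds, obey_robots=True):
    """Breadth-first crawl from `seeds`, staying on the seed host.
    Returns (URLs visited in order, URLs skipped because of robots.txt)."""
    rules = robotparser.RobotFileParser()
    robots = fetch(BASE + "/robots.txt")
    rules.parse(robots[1].splitlines() if robots else [])
    scope = urlsplit(BASE).netloc
    queue, seen = list(seeds), set(seeds)
    visited, skipped = [], []
    while queue:
        url = queue.pop(0)
        if obey_robots and not rules.can_fetch("*", url):
            skipped.append(url)
            continue
        visited.append(url)
        resource = fetch(url)
        if resource is None:          # 404: nothing to parse
            continue
        for link in extract_links(url, *resource):
            if urlsplit(link).netloc == scope and link not in seen:
                seen.add(link)
                queue.append(link)
    return visited, skipped


if __name__ == "__main__":
    visited, skipped = spider([BASE + "/"])
    print("visited:", *visited, sep="\n  ")
    print("skipped (robots.txt):", *skipped, sep="\n  ")
```

With robots.txt honoured, /admin/ is skipped and therefore /admin/users is never discovered; with obey_robots=False both are crawled. That is exactly why a tester usually wants the robots.txt option off: the paths a site asks crawlers to stay out of are often the most interesting ones. Off-site links and fragment-only differences (/about#team) are dropped so the crawl terminates.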
5. Brute Force: –
There is an option in ZAP called Brute Force. This option is not for brute-forcing passwords or anything similar; it brute-forces directory and file names. The ZAP team has not reinvented the wheel here: this brute force, or forced browsing, support is provided via DirBuster.
ZAP ships with a set of wordlists containing large numbers of common file and directory names. Instead of relying on links to find other files and directories, it tries to access each name in the list directly and reports those that exist. Several lists of different sizes are provided, so select the list we want ZAP to use, click Start, and the magic begins.
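Forced browsing in a few lines, as an added example (not ZAP or DirBuster code, and not from the original article). It runs against a constructed target table, so nothing is sent over the network; the wordlist is a short made-up one where real lists have tens of thousands of entries. The point it adds to the text is the baseline probe: a site that answers 200 to every path (a "soft 404") would otherwise mark every word as a hit, so we first ask for a few random names and treat any answer that looks like those as "not found".

```python
# Added example, not ZAP or DirBuster code: forced browsing from a short
# wordlist against a constructed target, with a baseline probe so that a
# server which answers 200 to every path does not flood the results.
import random
import string

# Constructed target: path -> (status, body length). Anything else gets the
# server's "not found" answer, which a soft-404 site may send as a 200.
TARGET = {
    "/": (200, 5120),
    "/admin/": (403, 312),
    "/admin/login.php": (200, 2200),
    "/backup/": (200, 1024),
    "/config.php": (200, 0),
    "/.git/": (403, 312),
}
NOT_FOUND = (404, 850)

# Short constructed wordlist; real lists have tens of thousands of entries.
WORDLIST = ["admin", "backup", "config.php", "images", "test",
            "login.php", ".git", "old"]


def request(path, target, not_found):
    """Stand-in for an HTTP GET; returns (status, body length)."""
    return target.get(path, not_found)


def baseline(directory, target, not_found, probes=3):
    """Ask for a few random names under `directory` to learn what the
    server's 'does not exist' answer looks like there."""
    answers = set()
    for _ in range(probes):
        name = "".join(random.choices(string.ascii_lowercase, k=16))
        answers.add(request(directory + name, target, not_found))
    return answers


def force_browse(directory="/", words=WORDLIST, target=TARGET,
                 not_found=NOT_FOUND, recurse=True):
    """Try every word as a file and as a directory under `directory`.
    Returns [(path, status, length)] for answers that differ from the
    baseline. Directories are recursed into even when they answer 403:
    a forbidden listing says nothing about the files below it."""
    missing = baseline(directory, target, not_found)
    hits = []
    for word in words:
        for candidate in (directory + word, directory + word + "/"):
            answer = request(candidate, target, not_found)
            if answer in missing or answer[0] == 404:
                continue
            hits.append((candidate,) + answer)
            if recurse and candidate.endswith("/"):
                hits.extend(force_browse(candidate, words, target, not_found, recurse))
    return hits


if __name__ == "__main__":
    for path, status, length in force_browse():
        print(f"{status} {length:>6}  {path}")
```

Against the constructed target this finds /admin/ (403), /admin/login.php behind it, /backup/, the empty /config.php and /.git/; against a soft-404 target that returns 200 for everything it still reports only the one path whose response differs from the baseline.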
6. Port Scan:-
Port scan, as the name suggests, performs a basic port scan of the selected site's host. Sites can be selected in the Sites tab or in the port scanning toolbar, and any site on which a scan is running is shown in bold in the toolbar. To start the scan we select the site and click the play button; the pause and stop buttons pause and stop it. It is very easy to operate, but it is only a basic scan and not a replacement for a dedicated port scanner.
7. Fuzzer: –
Another interesting feature of ZAP is fuzzing, through the Fuzzer. This feature is based on code from JBroFuzz, which is also an OWASP project, and also includes payload files from the fuzzdb project.
Fuzzing is a technique of submitting lots of invalid or unexpected data to a target and watching how it responds. Using ZAP we can fuzz any selected part of a request with a built-in set of payloads.
To fuzz, we first select the string we want to fuzz in the request (circled in red in the screenshot). Then we right-click in the Request tab and select Fuzz; a new window opens where we can select from a list of fuzz categories. Each category contains a number of fuzzers, and depending on our needs we can select one or several of them.
Then we press the Fuzz button. The results are listed in the Fuzzer tab, where we can select each one to see the full request and response. Since every payload gets a row, the useful findings are the responses that differ from the rest: a different status code, a much larger or smaller body, an error message, or the payload reflected back unencoded.
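An added example of the fuzz loop and of how its results are read (this is not ZAP or JBroFuzz code and was not in the original article). The target application, its two endpoints and the responses are constructed so it runs offline; the payload list is a small made-up subset of the kind of strings fuzzdb-style lists contain. One selected parameter is replaced by each payload while the rest of the request is kept identical, and every response is compared with the baseline response for the original request.

```python
# Added example, not ZAP or JBroFuzz code: fuzz one selected parameter with
# a small payload set and flag the responses that differ from the baseline,
# which is how the rows in the Fuzzer tab are read. The target application,
# its responses and the payload list are constructed for illustration.
from urllib.parse import parse_qs, urlencode


def target(request_line):
    """Constructed vulnerable app. Takes 'GET /path?query HTTP/1.1' and
    returns (status, body); there is no network behind it."""
    path, _, query = request_line.split(" ")[1].partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if path == "/item":
        item_id = params.get("id", "")
        if not item_id.isdigit():
            # the value is concatenated into SQL; the database error leaks back
            return 500, "SQL syntax error near '" + item_id + "'"
        return 200, "<h1>Item %s</h1>" % item_id + "x" * 200
    if path == "/search":
        # the search term is echoed back without encoding
        return 200, "<p>Results for: %s</p>" % params.get("q", "")
    return 404, "not found"


# A few payloads of the kind found in fuzzdb-style lists (constructed subset).
PAYLOADS = ["'", '"', "1 OR 1=1", "<script>alert(1)</script>",
            "../../etc/passwd", "A" * 500]
ERROR_MARKERS = ["SQL syntax", "Traceback", "ORA-", "Warning:"]


def fuzz(request_line, param, payloads=PAYLOADS):
    """Replace the value of `param` with each payload, keep the rest of the
    request identical, and report how each response differs from the
    baseline: [(payload, status, body length, [flags])]."""
    method, url, version = request_line.split(" ")
    path, _, query = url.partition("?")
    base_params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    base_status, base_body = target(request_line)
    results = []
    for payload in payloads:
        fuzzed = f"{method} {path}?{urlencode({**base_params, param: payload})} {version}"
        status, body = target(fuzzed)
        flags = []
        if status != base_status:
            flags.append(f"status {base_status}->{status}")
        if abs(len(body) - len(base_body)) > 50:
            flags.append("length changed")
        if any(marker in body for marker in ERROR_MARKERS):
            flags.append("error message")
        if payload in body:
            flags.append("payload reflected")
        results.append((payload, status, len(body), flags))
    return results


if __name__ == "__main__":
    for request_line, param in [("GET /item?id=7 HTTP/1.1", "id"),
                                ("GET /search?q=shoes HTTP/1.1", "q")]:
        print(request_line, "fuzzing", param)
        for payload, status, length, flags in fuzz(request_line, param):
            flag_text = ", ".join(flags) or "-"
            print(f"  {status} {length:>5}  {flag_text:<45} {payload[:30]!r}")
```

On the /item endpoint every non-numeric payload flips the status to 500 and surfaces a database error, a strong injection signal; on /search the status never changes but each payload comes back verbatim, which is the reflection a tester follows up as possible XSS. Reading the flags column is quicker than opening each request and response one by one.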
8. Params:
The Params tab shows a summary of the parameters a site uses.
We select the site from the site drop-down in the Params tab. For each parameter several pieces of information are given: the type of the parameter (COOKIE, FORM or URL), its name, the number of times it is used, the number of unique values it has taken, the percentage change (0 means only one value has ever been used, while 100 means every value was unique), the flags of the parameter (such as the cookie flags), and finally its values. A high change percentage on a COOKIE or FORM parameter is typical of session or anti-CSRF tokens, which is useful to know before replaying or fuzzing requests.
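As an added example (not ZAP's code and not from the original article), here is the Params summary computed from a constructed request history of five requests to shop.example, with two made-up Set-Cookie values to derive the cookie flags. The exact formula ZAP uses for the percentage change is not given in the text, so the one used here is an assumption chosen to match the two end points the text does give: 0 for a single value, 100 when every use carried a different value.

```python
# Added example, not ZAP code: build the per-parameter summary shown in the
# Params tab (type, name, times used, unique values, % change, flags, values)
# from a constructed request history. The formula for "% change" is an
# assumption that matches the two end points given in the text.
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

FORM = "application/x-www-form-urlencoded"

# Constructed history: (method, url, request headers, body)
HISTORY = [
    ("GET", "http://shop.example/item?id=1&lang=en",
     {"Cookie": "JSESSIONID=aaa; theme=dark"}, ""),
    ("GET", "http://shop.example/item?id=2&lang=en",
     {"Cookie": "JSESSIONID=aaa; theme=dark"}, ""),
    ("GET", "http://shop.example/item?id=3&lang=en",
     {"Cookie": "JSESSIONID=aaa"}, ""),
    ("POST", "http://shop.example/login",
     {"Cookie": "JSESSIONID=aaa", "Content-Type": FORM},
     "user=bob&pass=hunter2&csrf=x1"),
    ("POST", "http://shop.example/login",
     {"Cookie": "JSESSIONID=bbb; theme=dark", "Content-Type": FORM},
     "user=bob&pass=hunter2&csrf=x2"),
]
# Constructed Set-Cookie values seen in responses, used for the cookie flags.
RESPONSE_COOKIES = ["JSESSIONID=bbb; Path=/; HttpOnly", "theme=dark; Path=/"]


def extract_params(method, url, headers, body):
    """Yield (type, name, value) for the URL, FORM and COOKIE parameters
    of one request."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        yield "URL", name, value
    if headers.get("Content-Type", "").startswith(FORM):
        for name, value in parse_qsl(body, keep_blank_values=True):
            yield "FORM", name, value
    for cookie in headers.get("Cookie", "").split(";"):
        if "=" in cookie:
            name, value = cookie.strip().split("=", 1)
            yield "COOKIE", name, value


def cookie_flags(response_cookies):
    """Map cookie name -> attribute flags (HttpOnly, Secure) from Set-Cookie."""
    flags = {}
    for line in response_cookies:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        flags[name] = {p for p in parts[1:] if "=" not in p}
    return flags


def param_summary(history, response_cookies=()):
    """Return one row per (type, name):
    (type, name, used, unique, percent change, flags, sorted unique values)."""
    values = defaultdict(list)
    for request in history:
        for ptype, name, value in extract_params(*request):
            values[(ptype, name)].append(value)
    flags = cookie_flags(response_cookies)
    rows = []
    for (ptype, name), seen in sorted(values.items()):
        unique = len(set(seen))
        # 0 when a single value was ever used, 100 when every use differed
        # (assumed formula; the text only fixes those two end points)
        change = 0 if len(seen) == 1 else round(100 * (unique - 1) / (len(seen) - 1))
        flag_text = ",".join(sorted(flags.get(name, ()))) if ptype == "COOKIE" else ""
        rows.append((ptype, name, len(seen), unique, change, flag_text, sorted(set(seen))))
    return rows


if __name__ == "__main__":
    print(f"{'Type':6} {'Name':12} {'Used':>4} {'Uniq':>4} {'%chg':>4}  Flags")
    for ptype, name, used, unique, change, flag_text, _ in param_summary(HISTORY, RESPONSE_COOKIES):
        print(f"{ptype:6} {name:12} {used:>4} {unique:>4} {change:>4}  {flag_text}")
```

In the output the URL parameter id and the FORM parameter csrf both show 100% change, lang and user never change, and JSESSIONID changed once in five uses and carries the HttpOnly flag while theme carries none. That is the view a tester wants before deciding which parameters to fuzz and which requests can be replayed as they are.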
This has been an overview of the ZAP tool. Each feature has many more functions that can be used according to one's needs. Since ZAP is an open source project, we can all help to develop plugins for it. It truly is a wonderful tool for finding vulnerabilities in web applications and for penetration testing, and with so many features it can give the paid HTTP proxy tools a run for their money.
Ramesh works for Infosys and is a beginner to information security domain.