
ZAP - Most Used Web Vulnerability Scanner

What is OWASP?

The Open Web Application Security Project (OWASP) is an open, online community that creates methodologies, tools, technologies and guidance on how to deliver secure web applications. It is an international collaborative initiative comprised of both individuals and corporations. The project aims to standardise security approaches in web development and spread associated knowledge.

What is OWASP ZAP?

OWASP ZAP (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help to find security vulnerabilities in web applications. It’s also a great tool for experienced pen testers and beginners.


ZAP can scan through the web application and detect issues related to:

  • SQL injection

  • Broken Authentication

  • Sensitive data exposure

  • Broken Access control

  • Security misconfiguration

  • Cross Site Scripting (XSS)

  • Insecure Deserialization

  • Components with known vulnerabilities

  • Missing security headers


How it works

ZAP is what is known as a “man-in-the-middle proxy.” It stands between the browser and the web application. While you navigate through all the features of the website, it captures all actions. Then it attacks the website with known techniques to find security vulnerabilities.

As ZAP spiders the web application, it constructs a map of the web application's pages and the resources used to render those pages. It then records the requests and responses sent to each page and creates alerts if there is something potentially wrong with a request or response.

Setting up ZAP

To begin with, you need to download and install the OWASP ZAP scanner and set it up correctly. ZAP is platform agnostic, so you can install it on Windows, Linux or macOS. You need Java 8+ installed on your Windows or Linux system.

Starting ZAP

Once set up, you can start ZAP by clicking the ZAP icon on your Windows desktop or from the Start menu.


When the app launches, it asks you whether you want to save the session or not. If you want to reuse the current run configuration or test results later, you should save the session. For now let’s select “No, I do not want to persist this session at this moment in time”.

Figure 1. OWASP ZAP start-up dialog

Once you click the “Start” button, the ZAP UI will be launched.

Figure 2. ZAP UI

Spidering the web application

Spidering a web application means crawling all the links and getting the structure of the application. ZAP provides two spiders for crawling web applications:


Traditional ZAP spider:

The traditional ZAP spider discovers links by examining the HTML in responses from the web application. This spider is fast, but it is not always effective when exploring an AJAX web application.

AJAX spider:

This is more likely to be effective for AJAX applications. This spider explores the web application by invoking browsers which then follow the links that have been generated. The AJAX spider is slower than the traditional spider.

Automated scan

This option allows you to launch an automated scan against an application just by entering the URL. If you are new to ZAP, it is best to start with Automated Scan mode.

To run a QuickStart Automated Scan:

Start ZAP and click the large ‘Automated Scan’ button in the ‘Quick Start’ tab.

Enter the full URL of the web application you want to attack in the ‘URL to attack’ text box.

Click the ‘Attack’ button.

Figure 3. ZAP Automated Scan window

Once you click the ‘Attack’ button, ZAP will start crawling the web application with its spider and passively scan each page it finds. Then ZAP will use the active scanner to attack all of the discovered pages, functionality and parameters.

Exploring the web application manually

Spiders are a great way to explore the basic site, but they should be combined with manual exploration to be more effective. This functionality is very useful when your web application needs a login or contains things like registration forms, etc.

You can launch browsers that are pre-configured to proxy through ZAP via the Quick Start tab. Browsers launched in this way will also ignore any certificate validation warnings that would otherwise be reported.


Figure 4. ZAP Manual Explore window

To Manually Explore the web application:

Start ZAP and click on the large ‘Manual Explore’ button in the Quick Start tab.

Enter the full URL of the web application to be explored in the ‘URL to explore’ text box.

Select the browser you would like to use and click the ‘Launch Browser’ button.

This will launch the selected browser with a new profile. Now explore all of the target web application’s functionality through this browser. ZAP passively scans all the requests and responses made during your exploration for vulnerabilities, continues to build the site tree, and records alerts for potential vulnerabilities found during the exploration.

What is passive scanning?

A passive scan only inspects the web application’s responses without altering them. It does not attack the web application or inject malicious scripts into it, so this is a safe scan; you can use it if you are new to security testing. Passive scanning is good at finding some vulnerabilities and as a way to get a feel for the basic security of a web application.
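To make the proxy description in “How it works” and the passive-scan idea concrete, here is an added example (not ZAP’s own code) of a passive rule set: it reads each captured response and raises alerts for missing security headers, one of the issue classes listed above, without ever modifying or replaying the traffic. The responses are constructed samples, and the risk levels assigned are this example’s own assumption, not ZAP’s ratings.

```python
# Constructed sample responses (not captured from any real site), each a raw HTTP
# response as a proxy such as ZAP would see it while you browse.
RESPONSES = {
    "https://app.example.test/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Server: nginx\r\n"
        "\r\n<html><body>Welcome</body></html>"
    ),
    "https://app.example.test/account": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "x-content-type-options: nosniff\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
        "\r\n<html><body>Account</body></html>"
    ),
}

def parse_response(raw):
    """Split a raw response into (status code, headers); names are lower-cased since header names are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def passive_checks(url, raw):
    """Passive rules for one response: it is only read, never modified or replayed. Risk levels are assumed."""
    _status, h = parse_response(raw)
    html = h.get("content-type", "").startswith("text/html")
    csp = h.get("content-security-policy", "")
    alerts = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        alerts.append(("Low", "X-Content-Type-Options header missing or not 'nosniff'"))
    if html and not csp:
        alerts.append(("Medium", "Content-Security-Policy header missing on HTML page"))
    if html and "x-frame-options" not in h and "frame-ancestors" not in csp:
        alerts.append(("Medium", "No anti-clickjacking header (X-Frame-Options or CSP frame-ancestors)"))
    if url.startswith("https://") and "strict-transport-security" not in h:
        alerts.append(("Low", "Strict-Transport-Security header missing on HTTPS response"))
    return alerts

def scan_all(responses):
    """Run the passive rules over every captured response, keyed by URL."""
    return {url: passive_checks(url, raw) for url, raw in responses.items()}
```

The first sample page triggers all four rules while the second, which sets the headers correctly (note the lower-case header name, which the parser normalises), triggers none.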

What is active scanning?

An active scan attacks the web application using known techniques to find vulnerabilities. This is a real attack that attempts to modify data and insert malicious scripts into the web application.

Active scans put the application at risk, so do not use active scanning against web applications you do not have permission to test.

Figure 5. Running Automated scan against the web application

Inspecting the test results

Once the scan is completed, ZAP generates a list of the issues found during the scan. These issues can be seen on the Alerts tab, located in the bottom pane. All the issues are marked with colour coded flags. You can also generate an HTML scan report through the ‘Report’ menu option at the top of the screen.

Figure 6. ZAP scan report risk categories

Summary


ZAP is a free, open source, platform-agnostic security testing tool that scans through your web application to identify as many security vulnerabilities as possible. It is a great tool for experienced pen testers, as well as beginners.

ZAP spiders the web application under test and scans it for any known vulnerabilities.

For beginners, it is easy to start with the Automated Scan, which will crawl the given URL with the spider and passively scan each page it finds. You can do more in-depth scanning by exploring the web application manually.


ZAP generates the scan report in the form of Alerts that are marked with colour coded flags. You can even download HTML reports from the “Report” menu option.


ZAP can also be integrated into a CI/CD pipeline using the ZAP Jenkins plugin.
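Tying together the results section and the CI/CD note above, this added example (not part of the post or of ZAP) triages a ZAP JSON report, counting alerts by the same risk levels the colour coded flags represent, and turns it into a pipeline gate that fails when alerts at or above a chosen level are present. It assumes the report shape ZAP produces from its Report menu, trimmed to the fields used, and the embedded sample is constructed rather than taken from a real scan.

```python
import json
import sys
from collections import Counter

# ZAP's "riskcode" field in its JSON/XML reports: 0=Informational, 1=Low, 2=Medium, 3=High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a ZAP JSON report, trimmed to the fields used here
# (assumed layout; plugin ids, names and URLs are illustrative, not from a real scan).
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/login", "method": "POST", "param": "user"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "instances": [{"uri": "http://app.example.test/", "method": "GET"},
                                                {"uri": "http://app.example.test/about", "method": "GET"}]},
            {"pluginid": "10015", "name": "Re-examine Cache-control Directives", "riskcode": "0",
             "confidence": "1", "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
        ],
    }],
})

def load_alerts(report_text):
    """Flatten every site's alert list into (site, alert) pairs."""
    data = json.loads(report_text)
    return [(site["@name"], alert) for site in data.get("site", []) for alert in site.get("alerts", [])]

def summarize(report_text):
    """Count alerts per risk level, the same grouping as the colour coded flags in the Alerts tab."""
    counts = Counter(RISK_NAMES[int(a["riskcode"])] for _, a in load_alerts(report_text))
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}

def gate(report_text, fail_on="Medium"):
    """CI gate: return (passed, offending); offending lists alerts at or above fail_on with their URLs."""
    threshold = {v: k for k, v in RISK_NAMES.items()}[fail_on]
    offending = [(site, a["name"], RISK_NAMES[int(a["riskcode"])], [i["uri"] for i in a.get("instances", [])])
                 for site, a in load_alerts(report_text) if int(a["riskcode"]) >= threshold]
    return not offending, offending

if __name__ == "__main__":
    # Usage: python zap_gate.py report.json [Low|Medium|High]; a non-zero exit fails the pipeline stage.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, offending = gate(text, sys.argv[2] if len(sys.argv) > 2 else "Medium")
    print(summarize(text))
    for site, name, risk, uris in offending:
        print(f"{risk}: {name} ({site}) at {', '.join(uris)}")
    sys.exit(0 if passed else 1)
```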



©2022 www.theblackthreat.in All rights reserved.