
Security Testing with OWASP ZAP

Introduction:

OWASP ZAP is a free and open-source security testing tool that is easy to use for penetration testing to find vulnerabilities in web applications. It is cross-platform, so it works on all major operating systems such as Windows, Linux, and Mac. It is reusable, makes report generation easy, and is easy to use.

OWASP ZAP runs as a proxy server and passes all website traffic through that proxy. ZAP is specially designed for web application pen-testing and is flexible to use. The OWASP ZAP application provides two options:

  • Automated Scan.
  • Manual Explore.

Automated Scan:

To start a vulnerability assessment of your web application, first run the Automated Scan, which includes the passive scanning functionality. In the Automated Scan option, you just pass your application URL and click on Attack, and it starts scanning your application.

The steps below describe how to perform the Automated Scan:

  • Open the ZAP tool.
  • Select any one option from the pop-up window.
  • The first two options save your session on your system and the last one does not save the session on your system. So, I select the third option.
  • Click on the Start button.

  • Select the Automated Scan option.
  • Enter your application URL in the (URL to attack) input box.
  • Select the browser from the drop-down menu.
  • Click on the Attack button.
  • It starts scanning your application.
  • It captures all of your application's URIs; you can see them in the Spider tab.

  • After that it starts an active scan and tries a number of attack methods on each URL, such as SQL Injection, Cross-Site Scripting, Server-Side Code Injection, etc.

  • You can see the list of scanned URLs in the Active Scan tab.
  • Once the active scan finishes, you can see the vulnerable requests or URLs in the Alerts tab.
  • It shows which URLs have high- or low-risk vulnerabilities, and the solution and reference links for each alert are provided in the right-hand pane.

Manual Explore:

In Manual Explore you explore the web application yourself: pass the application URL, click on Launch Browser, and then start exploring the application. ZAP captures all visited URLs and performs a passive scan on them.

The steps below describe how to perform Manual Explore:

  • Open the ZAP tool.
  • Select the Manual Explore option.
  • Enter the URL in the (URL to explore) input box.
  • Select the browser.
  • Click on Launch Browser.
  • It launches the browser and you can start exploring the application.
  • It captures all visited URLs and performs a passive scan on them.

Let's look at some of the most used functionality in the ZAP tool:

  • Active Scan
  • Fuzz
  • Spider Attack
  • AJAX Spider Attack
  • Generate HTML Report

Active Scan:

Active scanning is used to identify more vulnerabilities in the application. It performs many types of attacks on each URL, such as SQL Injection, Cross-Site Scripting, etc. It is a very useful and the most used functionality in OWASP ZAP. An Automated Scan performs an active scan as well, but Manual Explore does not, so after a Manual Explore you start it yourself.

The steps below describe how to perform the Active Scan:

  • Once Manual Explore is done, open the ZAP tool.
  • Expand the Sites tree.
  • Select your site's URL folder, or expand that folder and select an individual HTTP request.

  • Right-click on the folder or on the individual HTTP request.
  • Select the Attack option and click on Active Scan.
  • The Active Scan pop-up window appears; click on Start Scan.
  • It starts scanning and performs several attack types on each URL request.
  • It logs the vulnerable HTTP request URLs in the Alerts tab.

Fuzz:

Fuzzing is a technique that sends large volumes of unexpected data inputs to the application under test in order to observe how it responds. OWASP ZAP provides fuzz testing for web applications. You can choose one of the built-in payload sets from ZAP or pass your own custom payloads.

The steps below describe how to perform a Fuzz attack:

  • Once Manual Explore is done, open the ZAP tool.
  • Expand the Sites tree.
  • Select one HTTP request and right-click on it.
  • Select Attack and click on Fuzz.
  • Select the parameter you want to fuzz and click on the Add button.
  • The Payloads window appears.
  • Click on the Add button again.

  • The Add Payload pop-up window appears.
  • You can enter your own payloads in the Contents section.
  • Alternatively, use the File Fuzzers option to pick an already defined payload set.
  • Click on the Type drop-down list and select the File Fuzzers option.
  • Select whichever payload set you want to use from the list.
  • Then click on the Add button.
  • Now you can see that the File Fuzzers option is selected.
  • Then click on the OK button.
  • Click on Start Fuzzer.
  • You can see the results in the Fuzzer tab; look for any irregular responses in the results window.
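What "irregular responses" means in practice, as an added example that is not part of the original post or of ZAP itself: the rows are constructed to resemble the Fuzzer tab (payload, status, size, body), and the triage compares each one with the baseline request on status code, response size, and verbatim reflection of markup characters.

```python
# Constructed rows in the shape of ZAP's Fuzzer tab:
# (payload, HTTP status, response size in bytes, response body).
BASELINE = ("alice", 200, 1480, "<p>Hello alice</p>")  # the unmodified request
RESULTS = [
    ("bob", 200, 1478, "<p>Hello bob</p>"),  # ordinary value, nothing to see
    ("O'Brien", 500, 2210, "<pre>SQLSTATE[42000]: syntax error</pre>"),  # quote breaks a query
    ("<b>hi</b>", 200, 1493, "<p>Hello <b>hi</b></p>"),  # markup echoed back unencoded
    ("A" * 5000, 414, 320, "URI Too Long"),  # length limit hit
]

HTML_SPECIALS = "<>\"'"


def triage(baseline, results, size_tolerance=0.10):
    """Return (payload, reasons) for every response that deviates from the baseline.

    Three signals a tester looks for when reading the Fuzzer tab by eye:
    a different status code, a response size outside a tolerance band, and
    a payload containing HTML-significant characters that comes back verbatim.
    """
    base_code, base_size = baseline[1], baseline[2]
    findings = []
    for payload, code, size, body in results:
        reasons = []
        if code != base_code:
            reasons.append(f"status {code} != baseline {base_code}")
        if abs(size - base_size) > size_tolerance * base_size:
            reasons.append(f"size {size} outside {int(size_tolerance * 100)}% of baseline {base_size}")
        if any(c in payload for c in HTML_SPECIALS) and payload in body:
            reasons.append("payload reflected verbatim in response")
        if reasons:
            findings.append((payload, reasons))
    return findings


if __name__ == "__main__":
    for payload, reasons in triage(BASELINE, RESULTS):
        print(f"{payload[:20]!r}: {'; '.join(reasons)}")
```

A flagged row is a lead to verify by hand in the request/response view, not a confirmed finding.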

Spider Attack:

The Spider is a tool used to find new resources (URLs) on a target application. The Spider visits the URLs of the target application, identifies all the hyperlinks on each page, and adds them to the list of URLs in ZAP.

The steps below describe how to perform the Spider attack:

  • Once Manual Explore is done, open the ZAP tool.
  • Expand the Sites tree.
  • You can select the folder, or you can select an individual HTTP request.
  • Right-click on the folder, select Attack, and click on Spider.
  • You can see your results in the Spider tab.

AJAX Spider Attack:

The AJAX Spider add-on integrates into ZAP a crawler for AJAX-rich sites, whose pages can't be discovered with the regular spidering tool. It drives the browser you select to identify the pages of the target application that are built with AJAX.

The steps below describe how to perform the AJAX Spider attack:

  • Once Manual Explore is done, open the ZAP tool.
  • Expand the Sites tree.
  • You can select the folder, or you can select an individual HTTP request.
  • Right-click on the folder, select Attack, and then click on AJAX Spider.
  • The AJAX Spider pop-up window appears; select the (Show Advanced Options) checkbox.
  • Select the browser from the drop-down list.
  • Then click on the Options tab.
  • In the advanced options you can set how many browsers to open, the maximum depth, the maximum number of states, etc., according to your application.
  • Once you have set everything in the advanced options, click on Start Scan.
  • It starts crawling the target application's pages. You can see the results in the AJAX Spider tab.
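The traditional spider described above, and the reason the AJAX Spider exists, as an added example that is not code from the original post or from ZAP: a breadth-first crawl over a constructed in-memory site that extracts links from tags, keeps only in-scope URLs, and therefore never sees the API URL that only appears inside JavaScript. The site contents, hostnames, and the `fetch` callback are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed in-memory site standing in for HTTP fetches. The profile API
# URL is only mentioned inside JavaScript, as on an AJAX-rich page.
SITE = {
    "https://app.example/": '<a href="/login">Login</a> <a href="about.html">About</a>'
                            ' <script src="https://cdn.example/lib.js"></script>',
    "https://app.example/login": '<form action="/auth"><input name="u"></form>'
                                 '<script>fetch("/api/profile")</script>',
    "https://app.example/about.html": '<a href="/#top">Top</a> <a href="/login">Login</a>',
    "https://app.example/auth": "ok",
    "https://app.example/api/profile": '{"user": "demo"}',
}

class LinkExtractor(HTMLParser):
    """Collect href/src/action targets from tags, the way a traditional spider does."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

def in_scope(url, target):
    """Only the target's own scheme and host are crawled (ZAP's site scope)."""
    u, t = urlparse(url), urlparse(target)
    return (u.scheme, u.netloc) == (t.scheme, t.netloc)

def spider(target, fetch):
    """Breadth-first crawl: fetch each URL, extract links, queue the new in-scope ones.
    fetch(url) returns the response body, or None if the URL does not exist."""
    queue, seen = [target], {target}
    while queue:
        url = queue.pop(0)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            absolute = urldefrag(urljoin(url, link)).url  # resolve relative paths, drop #fragment
            if in_scope(absolute, target) and absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return sorted(seen)

print(spider("https://app.example/", SITE.get))
```

The crawl returns the four pages reachable through tags; `/api/profile` is missing because a tag-based spider never executes the script, which is exactly the gap the AJAX Spider's real browser closes.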

Generating Report:

Once your scanning is done, generate a proper report and share it with your team so the issues get resolved. ZAP provides the functionality to generate the report.

The HTML report covers everything needed to act on a finding, such as:

  • What kind of issue was found.
  • On which HTTP request.
  • The solution for that specific issue.
  • Reference links for further reading.

The steps below describe how to generate the HTML report in ZAP:

  • Click on the Report menu in the nav bar.
  • Click on Generate Report.
  • The Generate Report pop-up window appears.
  • You can change the report title and report name, and also change the output location.
  • Click on Template.
  • You can select the template type from the drop-down list.
  • I select the Traditional HTML Report.
  • Click on the Generate Report button.
  • View and share the test report with your team to fix the priority issues.

We at Varseno can run security testing using OWASP ZAP for all business websites to improve their reliability, scalability, and stability. Reach out to us to improve your website's security.
