OWASP ZAP Tutorial: Comprehensive Review Of OWASP ZAP Tool

This Tutorial Explains What is OWASP ZAP, How does it Work, How to Install and Setup ZAP Proxy. Also Includes Demo of ZAP Authentication & User Management:

Why Use ZAP for Pen Testing?

To develop a secure web application, one must know how they will be attacked. Here, comes the requirement for web app security or Penetration Testing.

For security purposes, companies use paid tools, but OWASP ZAP is a great open-source alternative that makes Penetration Testing easier for testers.

OWASP ZAP

What Is OWASP ZAP?

Penetration testing helps in finding vulnerabilities before an attacker does. OSWAP ZAP is an open-source free tool and is used to perform penetration tests. The main goal of Zap is to allow easy penetration testing to find the vulnerabilities in web applications.

ZAP advantages:

  • Zap provides cross-platform i.e. it works across all OS (Linux, Mac, Windows)
  • Zap is reusable
  • Can generate reports
  • Ideal for beginners
  • Free tool

How Does ZAP Work?

ZAP creates a proxy server and makes the website traffic to pass through the server. The use of auto scanners in ZAP helps to intercept the vulnerabilities on the website.

Refer to this flow chart for a better understanding:

ZAP flowchart

ZAP Terminologies

Before configuring ZAP setup, let us understand some ZAP terminologies:

#1) Session: Session simply means to navigate through the website to identify the area of attack. For this purpose, any browser like Mozilla Firefox can be used by changing its proxy settings. Or else we can save zap session as .session and can be reused.

#2) Context: It means a web application or a set of URLs together. The context created in the ZAP will attack the specified one and ignore the rest, to avoid too much data.

#3) Types of ZAP Attacks: You can generate a vulnerability report using different ZAP attack types by hitting and scanning the URL.

Active Scan: We can perform an Active scan using Zap in many ways. The first option is the Quick Start, which is present on the welcome page of the ZAP tool. Please refer the below screenshot:

Quick Start 1

Quick start 1

The above screenshot shows the quickest way to get started with ZAP. Enter the URL under the Quick Start tab, press the Attack button, and then progress starts.

Quick Start runs the spider on the specified URL and then runs the active scanner. A spider crawls on all of the pages starting from the specified URL. To be more precise, the Quickstart page is like “point and shoot”.

Quick Start 2

Quick start 2

Here, upon setting the target URL, the attack starts. You can see the Progress status as spidering the URL to discover content. We can manually stop the attack if it is taking too much time.

Another option for the Active scan is that we can access the URL in the ZAP proxy browser as Zap will automatically detect it. Upon right-click on the URL -> Active scan will launch. Once the crawl is complete, the active scan will start.

Attack progress will be displayed in the Active scan Tab. and the Spider tab will show the list URL with attack scenarios. Once the Active scan is complete, results will be displayed in the Alerts tab.

Please check the below screenshot of Active Scan 1 and Active Scan 2 for clear understanding.

Active scan 1

Active scan1

Active scan 2

Active scan 2

#4) Spider: Spider identifies the URL in the website, check for hyperlinks and add it to the list.

#5) Ajax Spider: In the case where our application makes heavy use of JavaScript, go for AJAX spider for exploring the app. I will explain the Ajax spider in detail in my next tutorial.

#6) Alerts: Website vulnerabilities are flagged as high, medium and low alerts.

ZAP Installation

Now, we will understand the ZAP installation setup. First, download the Zap installer. As I am using Windows 10, I have downloaded Windows 64 bit installer accordingly.

Pre-requisites for Zap installation: Java 7  is required. If you don’t have java installed in your system, get it first. Then we can launch ZAP.

Setup ZAP Browser

First, close all active Firefox sessions.

Launch Zap tool >> go to Tools menu >> select options >> select Local Proxy >> there we can see the address as localhost (127.0.0.1) and port as 8080, we can change to other port if it is already using, say I am changing to 8099. Please check the screenshot below:

Local proxy in Zap 1

Local proxy in ZAP

Now, open Mozilla Firefox >> select options >> advance tab >> in that select Network >> Connection settings >>select option Manual proxy configuration. Use the same port as in the Zap tool. I have manually changed to 8099 in ZAP and used the same in the Firefox browser. Check below screenshot of the Firefox configuration set up as a proxy browser.

Firefox proxy setup 1

Firefox zap setup

Try to connect your application using your browser. Here, I have tried to connect Facebook and it says your connection is not secure. So you need to add an exception, and then confirm Security Exception for navigating to the Facebook page. Please refer the screenshots below:

Access webpage -proxy browser 1

Access webpage -proxybrowser1

Access webpage -proxy browser 2

Access webpage -proxybrowser2

Access webpage -proxy browser 3

Access webpage -proxy browser3

At the same time, under the Zap’s sites tab, check the created new session for the Facebook page. When you have successfully connected your application you can see more lines in the history tab of ZAP.

Zap normally provide additional functionality that can be accessed by right-click menus like,

Right-click >> HTML >> active scan, then zap will perform active scan and display results.

If you can’t connect your application using the browser, then check your proxy settings again. You will need to check both browser and ZAP proxy settings.

Generating Reports In ZAP

Once the Active scan is done, we can generate reports. For that click OWASP ZAP >> Report >> generate HTML reports >> file path provided >> scan report exported. We need to examine the reports for identifying all possible threats and get them fixed.

ZAP Authentication, Session And User Management

Let us move on to another Zap feature, handling authentication, session and user management. Please let me know any query that comes into your mind related to this as comments.

Basic Concepts

  • Context: It represents a web application or set of URLs together. For a given Context, new tabs are added to customize and configure the authentication and session management process. The options are available in the session properties dialog .i.e Session properties dialog -> Context -> you can either use the default option or add a new context name.
  • Session Management Method: There are 2 types of session management methods. Mostly, cookie-based session management is used, associated with the Context.
  • Authentication Method: There are mainly 3 types of Auth method used by ZAP:
    • Form-based Authentication method
    • Manual Authentication
    • HTTP Authentication
  • User management: Once the authentication scheme has been configured, a set of users can be defined for each Context. These users are used for various actions (For Example, Spider URL/Context as User Y, send all requests as User X). Soon, more actions will be provided that make use of the users.

A “Forced-User” extension is implemented to replace the old authentication extension that was performing re-authentication. A ‘Forced-User’ mode is now available via the toolbar (the same icon as the old authentication extension).

After setting a user as the ‘Forced-User’ for a given context or when it is enabled, every request sent through ZAP is automatically modified so that it is sent for this user. This mode also performs re-authentication automatically (especially in conjunction with the Form-Based Authentication) if there is a lack of authentication, ‘logged out’ is detected.

Let us see a demo:

Step 1:

First, launch ZAP and access the URL in the proxy browser. Here, I have taken the sample URL as https://tmf-uat.iptquote.com/login.php. Click on Advanced -> add Exception -> confirm security exception as in page 6 and 7. Then the landing page gets displayed. At the same time ZAP automatically loads the Webpage under Sites as a new session. Refer to the below image.

New zap session

Step 2:

Include it in a context. This can be done either by including it in a default context or adding it as a new context. Refer to the below image.

Step2

Step 3:

Now, next is the Authentication method. You can see Authentication in that session properties dialog itself. Here we are using the Form-based Auth method.

It should be like authMethodParams as login Url=https://tmf-uat.iptquote.com/login.php&loginRequestData=username=superadmin&password=primo868&proceed=login”

In our example, we need to set the authentication method as Form-based. For this, select the target URL, login request post data field gets pre-filled, after that, change parameter as username and password -> click ok.

Step 3

Step 4:

Now, set indicators that will tell ZAP when it is authenticated.

Logged in and logged out indicators:

  • Only one is necessary
  • We can set Regex patterns matched in the response message, need to set either logged in or log out indicator.
  • Identify when a response is authenticated or when not.
  • Example for Logged in indicator: \Qhttp://example/logout\E or Welcome User.*
  • Example of the Logged out indicator: login.jsp or something like that.

Here, in our demo application, I have accessed the URL in a proxy browser. Logged in to the application using a valid credential, Username as superadmin & Password as primo868. Navigate through inner pages and click on logout

You can see in Step 3 screenshot, Zap takes the login request data as one used for the TMF application login [Demo application login].

Flag logged in Regex pattern from the Response of ZAP as Response -> logged out response -> flag it as logged in the indicator.  Refer to the screenshot below

Step4

Step 5:

We can save the indicator and verify whether session properties dialog gets added with the logged-in indicator or not. Refer to the screenshot below:

Step5

Step 6:

We need to add users, valid and invalid users. Apply spider attacks to both and analyze the results.

Valid User:

Step6-Valid User

Invalid User:

step6 -invalid user

Step 7:

By default set the session management as a cookie-based method.

Step7

Step 8:

Spider URL attack is applied to invalid and valid users and review results/generate reports.

Invalid user spider attack view 1:

step 8 invalid user

Here, a spider URL attack is applied to the invalid user. In the ZAP interface, we can see Get: login.php (error _message), which means authentication has failed. Also, it doesn’t pass the URLs through inner TMF pages.

Step 9:

To apply spider URL attack for the valid user, go to sites list -> attack -> spider URL -> existing valid user -> here it is enabled by default -> start scan.

Analyze results: As it is a valid authenticated user, it will navigate through all inner pages and display authentication status as successful. Refer below screenshot.

Valid-user

Step9 valid user

ZAP Html Report Sample

Once an active scan is completed, we can generate an HTML report for the same. For this, select Report -> Generate Html Report. I have attached a sample content of HTML reports. Here, high, medium and low alerts reports will be generated.

Alerts

Alerts

Conclusion

In this tutorial, we have seen what ZAP is, how ZAP works, installation and ZAP proxy setup. Different types of Active scan processes, a demo of ZAP authentication, session and user management, and basic terminologies. In my next tutorial, I will explain about Ajax spider attack, use of fuzzers, Forced browsed sites.

And if you have used Zed attack proxy and have some interesting tips to share, do share in the comments below.

References: