OWASP ZAP is a multipurpose scanning tool that helps a lot penetration testers and bug bounty hunters for finding vulnerabilities on web app. ZAP stands for Zed Attack Proxy. It is loaded with proxy, active and passive vulnerability scanners, fuzzer, spider, HTTP request sender & many more.
In this detailed guide we are going to learn a lot of things of ZAP in easy language.
Opening and Updating ZAP
First of all we need to open and update ZAP on our Kali Linux. So we can find it on our Kali Linux Application Menu > Web Application Analysis > ZAP, or we can search for it on the menu, As shown in the following screenshot.
Then we click on it and it opens the ZAP application's front page as shown in the following screenshot:
Here we can press CTRL+U and update all add-ons by clicking "Update All". In the following screenshot we can see that our this system already updated everything.
Sometimes on some laptops we have noticed that the update screen takes the total screen and we are not able to see the "Update All" option. In that case we just make the window smaller and then drag it up [simple!].
After finishing the update we need to configure the proxy on browser to run ZAP.
Configuring Network Proxy for ZAP
This quite similar to setup proxy for Burp and WebScarab. We need open our browser (with Kali Linux we got Firefox browser as default). On Firefox we need to open Menu and navigate to Preferences. On the General tab, we scroll down and click on Network Settings.
It opens a new window, we need to set manual proxy here. We need to set the "Manual proxy configuration", HTTP proxy should be 127.0.0.1 (localhost) and the port is 8080. As shown in the following screenshot:
This is how we can set the manual proxy on Firefox browser. We can check manual proxy settings for other browsers. FoxyProxy add-on can easily switch between proxies.
Then if we navigate to a website from our browser and we got security warning from our browser, as shown in the following screenshot:
This is basically happens for the security certificate. Here we need to click on "Advanced". Then we need to click on "Accept risk and continue", as shown in the following screenshot then the certificate for ZAP will be added for this site.Scan for Sensitive Files and Folders using ZAP
After setting ZAP as a proxy, we can scan a website or web application using it. We open a website on our browser and ZAP will react to this action by shows the host's name on the upper-left panel. We just need to right click on the host name, and choose "Attack" > "Forced Browse Directory". As shown in the following screenshot:
Then it will start finding directories by using a default word list for directory. We can see the result on the following screenshot:
In the above screenshot we can see that the directory attack has been started. If it contains any sensitive information then wee can easily got it from here.
If we need to use any other custom word list for directory brute-force (this attack is a type of brute-force) then we need to go to Tools > Options (or we can open this by CTRL+ALT+O) and go to Forced Browse tab and select our custom word list.
By following that process we can add our custom word list for finding files and folders using ZAP.
Copy Website using ZAP Spider
Downloading a full site to a directory in our system leaves us with a static copy of the information; this means that we have the output produced by different requests, but we neither have such requests nor the response states of the server. To have a record of that information, we have spiders, such as the one integrated in OWASP ZAP.
We need to run the ZAP and browser have configured the browser for proxy. Then we navigate to target website (We are targeting our own site) from browser and ZAP respond to it.
Now we can see our website on the above screenshot. We need to right click for options, then we need to navigate to Attack > Spider. As shown in the following screenshot:
After selecting the spider we got a window as shown in the following screenshot:
Here we just need to click on the "Start Scan" to start spider on our website. After started we can see that it is started on the bottom panel of ZAP.
We also can see the structure of our website on the upper left panel of ZAP. We also can see the request methods (GET/POST) there. We can click there and see the request send by the spider and the response comes from the server.
On the right side, we can see the full request made, including the parameters used by ZAP.
How the spider works in ZAP?
Like any other crawler, ZAP's spider follows every link it finds in every page on the web application included in the scope requested and the links inside it. Also, ZAP's spider follows the form responses, redirects, & URLs included in robots.txt & sitemap.xml files. It then stores all the requests & responses for later analysis and use. This is very similar to Burp's Spider.
After crawling a website or web application, we may want to use the stored requests to perform some tests. Using ZAP's capabilities, we will be able to do the following, among other things:
- Repeat the requests that modify some data.
- Perform active and passive vulnerability scans.
- Fuzz the input variables looking for possible attack vectors.
- Replay specific requests in the web browser.
Automatically Scans for Vulnerabilities using ZAP
OSWAP ZAP is a tool that helps us to complete various tasks, automatically scanning a target website is one of them.
To use this feature we need to go set the manual proxy on our browser and open the site as we did previously.
Whenever ZAP respond to it and shows it on the Sites panel (upper left panel) we right click on the site and navigate to Attack > Active Scan , as shown in the following screenshot:
Then a window will popup in front of us. At this point we need to fill some information to start the scan. The "Show Advanced Options" will give us more configuration.
Here also can configure our scan in terms of Scope (where to start the scan, on what context and many more ), Input Vectors (select if we want to test values in GET and POST requests, headers, cookies and other options), Custom Vectors (add specific characters or words from the original request as the attack vectors), Technology (what kind of technology specific tests we want to perform) and Policy (choose configuration parameters for specific tests).
After setting up every thing we can just start the scan by clicking on "Start Scan". In the following screenshot we can see our scan results.
In the above screenshot we can see that that scan is finished and we got 9 new alerts. On the "🚩Alerts" tab we got details about the alerts.
We can see that we got some very serious security loophole on our vulnerable localhost server. This is how we can run security test on a web server or website using ZAP. Found it critical read the next one.
We can export the scan result in CSV, HTML or XML format.
Easy Auto Scanning for Vulnerability using ZAP
Suppose we are very beginner on Kali Linux or ZAP then we just open ZAP and choose "Automated Scan" on Quick Start. Then a popup window will comes up. Here we just put the URL and click on "⚡Attack". The following screenshot shows it.
The attack will be started and we can see the output and Alerts.
We can see the results of the scan. Now this is live we don't add any manual proxy configuration for our system.Hope we got a clear idea how Zed Attack Proxy works on our Kali Linux system and how we can run various test using it. This huge tool can be used as a fuzzer and it also can do much more, that we can't cover in single article. Try it and see what it can do.
Liked our articles? Then make sure to subscribe us by e-mail and get notified whenever we publish new articles. It's free. Also we post updates on GitHub and Twitter, make sure to follow us there.
For any kind of help we are always ready to help. Just leave a comment in the comment section. We always reply.