Interested in formal OWASP Top 10 Training? Check out our  OWASP Top 10 Training course OWASP Top 10 Training

Introduction

ZAP is an open source tool designed to help security professionals as well as developers to find out the security vulnerabilities present in the web application. The only reason for not mentioning it in my previous article Free Web Application Scanners is that it deserves special attention. Unlike other tools in the market, ZAP helps security newbies to learn and apply the application security skills in an easy way. ZAP is open source and completely free to use, which also means that users have the opportunity to implement changes which they think would add value to the tool. ZAP comes equipped with many features which can be used to test the overall strength of a web application. So let’s move on to find out and explore what ZAP is all about.

Main features of ZAP

The main features available in ZAP are described below:

  1. Intercepting Proxy:
    An intercepting proxy is the first thing that any security professional needs to understand and master. It helps you to see the traffic (request/response), intercept it and modify it on the fly. Many interesting things happen between intercepting a request and sending the modified request.
  2. Automated Scanner: Identifies the security holes present in the web application by simulating an actual attack. So in short it analyses the security posture of an application dynamically.
  3. Passive Scanning: This feature does not attack the application but instead analyses the responses from the server to identify certain issues.
  4. Brute Force Scanner: Attempts to brute force access to files and directories.
  5. Spidering: Spidering helps to construct the hierarchical structure of the website. In simple words, it tries to identify every link present on the website.
  6. Fuzzing: Supplying invalid or unexpected data to the target to crash it or to produce unexpected results.
  7. Port Scanning: To find out the open ports on the target website
  8. Dynamic SSL Certificates: Using this you can intercept requests/responses to/from the server. We will see this in detail later.
  9. BeanShell Console dialog: Beanshell is lightweight Java scripting which dynamically executes standard Java syntax and extends it with loose types, commands, and method closures like those in Perl and JavaScript. ZAP provides an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
  10. ZAP is fully internationalized and supports 11 languages (Spanish, Chinese, French, etc) apart from English.

Before proceeding any further, please note that you are not supposed to scan any external sites using the ZAP tool without the authorization of the owner of the website. The intended use of security tools is to identify the security holes on your own applications.

Installation

The ZAP tool can be downloaded from the link below. The installation part is straightforward and doesn’t require much explanation. So just download it and install it by double clicking the set up file.

Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance

Download Link: http://code.google.com/p/zaproxy/downloads/list

Configure the browser to proxy

Firstly you need to configure your browser to send/receive requests and responses through the ZAP tool. So you are basically telling your browser to send the request to server through ZAP. If you are behind a proxy (as is the case in a corporate network) then you need to configure ZAP to use that proxy. By default ZAP listens on 127.0.0.1 port 8080 but this can be changed.

In the case of Internet Explorer, below is the path to configure the browser: Internet Options à Connections à LAN Settings à Proxy Server and make changes as shown below:

Once this is done, start the ZAP tool and now browse through some websites to check whether everything is working fine. You must be able to see the browsed sites under the ‘sites’ tab as shown below.

Intercepting the traffic

Now that you have configured your browser, let’s see how to intercept a request using ZAP. Let us consider http://zero.webappsecurity.com/ which is a demo site for testing purposes. Under the ‘sites’ section, right click on the website you want to scan and click on ‘break’. A popup window appears; click on ‘Add’. So ZAP intercepts every request that goes to this server.

Now click on any other link in the site and observe that the request is captured under the ‘break’ tab as highlighted below. You can make any modification to this request before you click the play button to forward the request to the server. Now observe that the response is intercepted again. Click on the play button to forward the response to the browser. Simple as that!

Scanning the website

Spidering

As explained earlier, the sites you visit with ZAP turned on will be listed under the ‘sites’ tab. So before you scan make sure you browse through available links on the target site, fill the forms and submit the values. After browsing all the visible links, use the spider option to crawl automatically through the other links. To do this under the sites tab, right click on the target site and under ‘Attack’ select ‘Spider site’ option.

The spider will automatically discover the hidden links and now explore the links shown by the tool. The newly discovered URLs would be shown under the ‘spider’ tab as shown in the below figure. The URLs found during the crawl are shown and below that the URLs whose domain is different from the target site are listed.

Active Scanning

To scan a site actively, under the sites tab right click on the target site and select ‘Active scan site’ under Attack. Once the scan is started you can sit back and watch as the ZAP tool does the work for you. Active scan is something where the tool actually attacks the application in all possible ways to find out the vulnerabilities present on that site. The progress of the scan will be shown to you. At the end of the scan you will be presented with the findings.

Below are the issues active scanning looks for:

Active Scanner Rules, Secure page browser cache, Directory browsing, External redirect, Potential File Path Manipulation, Private IP disclosure, Session ID in URL rewrite, CRLF injection, MS SQL Injection Enumeration, Oracle SQL Injection Enumeration, SQL Injection, SQL Injection Fingerprinting, Parameter tampering, Server side include, Cross Site Scripting, Path Traversal, URL Redirector Abuse.

The scan policy can be changed under the Analyse à Scan Policy. Under this you can find vulnerabilities that ZAP is configured to look for. You can uncheck any of them if you do not want ZAP to explore the application for those vulnerabilities.

Findings under ‘Alerts’ tab

The vulnerabilities can be viewed under the ‘Alerts’ section. This section shows all the security issues identified by the tool. As shown in the below figure, ZAP tool has identified various issues like cross site scripting, password auto complete, directory browsing, etc. Please note that active scanning may not identify certain issues like severity of the information disclosure, cryptographic storage issues, etc.

Let’s now look at available options to configure a scan. Active scanning can be configured under Tools à Options à Active Scan. It essentially deals with the below options:

Number of hosts scanned concurrently – This deals with the number of hosts that you would want the tool to scan at a single point of time. The maximum value for this can be 5. Increasing the value might affect the performance of the system depending on its specifications.

Concurrent scanning threads per host – Depending on the test cases the tool would run threads to scan the application. So this option lets you decide the number of scanning threads the tool should run per host.

Delay when scanning in milliseconds – This represents the amount of time between each request. The value can be set to zero if you want faster execution of the scan.

Passive scanning

Passive scanning differs from the active scanning in that the former does not change any responses coming from the server. Passive scanning only looks at the responses to identify the vulnerabilities present. So in a way passive scanning is safe to use. This is certainly an interesting feature which could be an important aspect in the future.

Below are the issues passive scanning looks for:

Incomplete or no cache-control and pragma HTTP Header set, Content-Type header missing, Cookie no http-only flag, Cookie without secure flag, Cross-domain JavaScript source file inclusion, Cross Site Request Forgery, IE8s XSS protection filter not disabled, Information disclosure – database error messages, Information disclosure – debug error messages, Information disclosure – sensitive information in URL, Information disclosure – sensitive information on HTTP Referrer header, Password Autocomplete in browser, Weak authentication, X-Content-Type-Options header missing, X-Frame-Options header not set.

Analysing the results

So with this we have seen how to scan a website using the basic features in ZAP. So it is now up to the penetration tester or the security analyst to apply his skills in determining which one of the identified vulnerabilities are false positives. This is important because no tool’s report can be believed to be free from false positives unless it is confirmed by a professional. The security analyst has to look at the issues raised by the tool one by one and eliminate the false positives. This can be done by right clicking on a vulnerability and clicking delete.

Alternately by right clicking on a vulnerability you can also exclude it from the scan or open the same in the web browser to explore the issue. When the vulnerability is selected the corresponding risk associated with it is mentioned in the side tab as High or Medium or Low. For instance, cross site scripting vulnerabilities are marked as High. In this way a report needs to be prepared at the end of the scan by eliminating the false positives and including only the valid findings.

Reporting

The best part of the ZAP tool is even though its open source, it has the features which can compete with the commercial tools present in the market. One such feature is the Reporting feature which allows you to generate a report of the vulnerabilities. To generate a report, select Report à Generate HTML Report and select desired location to save the file.

There are many other features in the ZAP tool which can be explored to make use of them. Below are some of the features.

Port Scan – This feature scans open ports on the target site and lists them accordingly. This can be configured under ‘Port scan’ in Options. You can also select the maximum port to scan. Selecting a high port number might significantly increase the time taken to scan. You can also set concurrent scanning threads per post.

Encode/Decode Hash – Use this feature to encode/ decode the text entered. This can be a handy feature, especially while pen testing an application, you might come across several scenarios where you need to encode and decode the content.

Fuzzing – Fuzzing is the process of sending invalid and unexpected input to the application to observe the behaviour. To fuzz any request, select a request and highlight corresponding string to fuzz, right click and now select fuzz.

Notes – Use this feature to add anything to the request.

Extensions for ZAP: The below link provides the extensions for ZAP. To use them, just download them and drop them into the ZAP Plugin directory and restart the ZAP. You can find plugins like LDAP Injection, session fixation etc. and many others.

Link: http://code.google.com/p/zap-extensions/

For example download the ‘SQL Injection Scanners’ extension (includes generic, MySQL, Hypersonic/HSQL, Oracle, and PostgreSQL) and copy it to the ‘plugin’ directory under the ZAP installation directory. Restart the ZAP tool and find that the plugin has resulted in increased number of tests in the scan policy. So there no tab or window which lists all the plugins installed.


Thus ZAP proves to be a promising tool which helps security professionals to scan the web applications as well as security newbies to learn the concepts of application security in an easy way. It’s definitely worth trying!! Happy scanning!!