Recently, I had an opportunity to work alongside my excellent team mates from Triad and the Department for Transport (DfT) as a QA practice lead, developing the new Manage Motor Fuel Greenhouse Gas Emissions service for GOV.UK.
For this project, we wanted to strengthen our in-house penetration testing (pen test) capability to enable us to prove the security of our web application from the outset, rather than having to wait for the results of our independent pen test towards the end development. Being relatively new to penetration testing, we wanted to choose a tool that was easy to setup and could find as many vulnerabilities as possible. Having considered several free and paid tools, we chose OWASP Zed Attack Proxy (ZAP) due to reasons given above and expanded on below.
In this article, I will demonstrate how to setup and use OWASP ZAP to test the security of a typical web application.
Before I continue, I feel obligated to warn you that you should use this tool only with an application you’re hosting yourself, or one you’ve been given explicit permission to test, as ZAP attempts to modify data and insert malicious scripts in the web application.
What is OWASP?
The Open Web Application Security Project (OWASP) is an open, online community that creates methodologies, tools, technologies and guidance on how to deliver secure web applications. It is an international collaborative initiative comprised of both individuals and corporations. The project aims to standardise security approaches in web development and spread associated knowledge.
What is OWASP ZAP?
OWASP ZAP (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help to find security vulnerabilities in web applications. It’s also a great tool for experienced pen testers and beginners.
ZAP can scan through the web application and detect issues related to:
- SQL injection
- Broken Authentication
- Sensitive data exposure
- Broken Access control
- Security misconfiguration
- Cross Site Scripting (XSS)
- Insecure Deserialization
- Components with known vulnerabilities
- Missing security headers
Why we chose OWASP ZAP?
As it is designed to be used by people with a wide range of pen testing experience, it was ideal for our team who were new to penetration testing.
ZAP is a free open-source tool which is easy to setup and use. As it is used by the wider community, there is a lot of help available online through the ZAP blog and other articles to help you setup and use the tool.
ZAP is cross platform i.e. you can install it in Windows, Linux or Mac OS.
ZAP Jenkins plugin can be setup to run the scans as part of CI / CD pipelines.
How it works
ZAP is what is known as a “man-in-the-middle proxy.” It stands between the browser and the web application. While you navigate through all the features of the website, it captures all actions. Then it attacks the website with known techniques to find security vulnerabilities.
As ZAP spiders the web application, it constructs a map of the web applications’ pages and the resources used to render those pages. Then it records the requests and responses sent to each page and creates alerts if there is something potentially wrong with a request or response.
Setting up ZAP
To begin with, you need to download and install OWASP ZAP scanner and set it up correctly. ZAP is platform agnostic so you can install it on Windows, Linux or Mac OS. You need Java 8+ installed on your Windows or Linux system.
For the purposes of this article, I’m going to concentrate on its use on Windows.
Once setup you can start ZAP by clicking the ZAP icon on your Windows desktop or from the start menu.
When the app launches, it asks you whether you want to save the session or not. If you want to use the current run configuration or test results later, you should save the session for later. For now let’s select “No, I do not want to persist this session at this moment in time”.
Once you click the “Start” button, the ZAP UI will be launched.
Spidering the web application
Spidering a web application means crawling all the links and getting the structure of the application. ZAP provides two spiders for crawling web applications;
- Traditional ZAP spider: The traditional ZAP spider discovers links by examining the HTML in responses from the web application. This spider is fast, but it is not always effective when exploring an AJAX web application.
- AJAX spider: This is more likely to be effective for AJAX applications. This spider explores the web application by invoking browsers which then follow the links that have been generated. The AJAX spider is slower than the traditional spider.
This option allows you to launch an automated scan against an application just by entering the URL. If you are new to ZAP, it is best to start with Automated Scan mode.
To run a Quick Start Automated Scan:
- Start Zap and click the large ‘Automated Scan’ button in the ‘Quick Start’ tab.
- Enter the full URL of the web application you want to attack in the ‘URL to attack’ text box.
- Click the ‘Attack’ button.
Once you click the ‘Attack’ button, ZAP will start crawling the web application with its spider and passively scan each page it finds. Then ZAP will use the active scanner to attack all of the discovered pages, functionality and parameters.
Exploring the web application manually
Spiders are a great way to explore the basic site, but they should be combined with manual exploration to be more effective. This functionality is very useful when your web application needs a login or contains things like registration forms, etc.
You can launch browsers that are pre-configured to proxy through ZAP via the Quick Start tab. Browsers launched in this way will also ignore any certificate validation warnings that would otherwise be reported.
To Manually Explore the web application:
- Start ZAP and click on the large ‘Manual Explore’ button in the Quick Start tab.
- Enter the full URL of the web application to be explored in the ‘URL to explore’ text box.
- Select the browser you would like to use and click the ‘Launch Browser’ button.
This will launch the selected browser with a new profile. Now explore all of the targeted web applications through this browser. ZAP passively scans all the requests and responses made during your exploration for vulnerabilities, continues to build the site tree, and records alerts for potential vulnerabilities found during the exploration.
What is passive scanning?
Passive scans only scan the web application responses without altering them. It does not attack or insert malicious scripts to the web application, so this is a safe scan; you can use it if you are new to security testing. Passive scanning is good at finding some vulnerabilities and as a way to get a feel for the basic security of a web application.
What is active scanning?
Active scan attacks the web application using known techniques to find vulnerabilities. This is a real attack that attempts to modify data and insert malicious scripts in the web application.
Active scans put the application at risk, so do not use active scanning against web applications you do not have permission to test.
Inspecting the test results
Once the scan is completed, ZAP generates a list of issues that are found during the scan. These issues can be seen on the Alerts tab that is located in the bottom pane. All the issues are marked with colour coded flags. You can also generate an HTML scan report through the ‘Report’ menu option on the top of the screen.
ZAP is a free open source platform agnostic security testing tool that scans through your web application to identity any security vulnerabilities as possible. It is a great tool for experienced pen testers, as well as beginners.
ZAP spiders the web application under test and scan for any known vulnerabilities.
For beginners it is easy to start with Automated Scan that will crawl the given URL with spider and passively scan each page it finds. You can do a more in-depth scanning by exploring the web application manually.
ZAP generates the scan report in the form of Alerts that are marked with colour coded flags. You can even download HTML reports from the “Report” menu option.
ZAP can also be integrated into CI/CD pipeline using ZAP Jenkins plugin.