OWASP ZAP
Introduction
About
ZAP, short for Zed Attack Proxy, is a popular open-source web application security scanner.
It is maintained by a global community of security experts and is designed for identifying vulnerabilities in web applications during development and production. With its user-friendly interface and robust feature set, ZAP is a go-to tool for security professionals, developers, and QA teams to enhance web application security.
Before we go into the details of what ZAP is, why it was created and what it can be used for, let us first look at its guiding principles for a better understanding.
The principles are:
- Free and open source
- Cross-platform: Windows, Linux, macOS, Docker
- Beginner-friendly with advanced features for experts
- Easy installation (requires Java Runtime Environment)
- Available in multiple languages
- Comprehensive documentation included
- Compatible with third-party tools, e.g., for automation
- Supports integration of trusted components
These principles can be seen as the motivation behind ZAP. To summarize, it is designed to give everyone interested in web security the chance to easily run security tests, without depending on paid software or advanced skills.
History
Zed Attack Proxy (ZAP) began in 2010 as a fork of the Paros Proxy by Simon Bennetts. Initially a lightweight penetration testing tool, ZAP has grown into a comprehensive security testing solution. Recognized as an OWASP Flagship Project in 2013, it transitioned to The Software Security Project under Checkmarx in August 2023, reflecting its continued evolution and community support.
OWASP (Open Web Application Security Project)
OWASP is a non-profit organization that publishes freely available articles, documentation and technologies dealing with web application security, in addition to tools like ZAP. Many security publications refer to OWASP's work. One example is the OWASP Top 10, which lists the most critical security risks for organizations; it will be covered in more detail in another chapter. OWASP also offers a testing guide and a development guide with best-practice information, as well as many other useful resources.
Description
ZAP's focus is on testing web applications. The core idea behind it is a "Man-in-the-Middle proxy" placed between the client's browser and the web application: HTTP requests and responses can be intercepted, inspected and even modified before they are forwarded to their actual destination. There are different ways to run ZAP: as a stand-alone application (Java 8+ is required) or as a daemon process.
Additionally, ZAP can be run in combination with another proxy, e.g. if a company routes its web traffic through its own proxy or firewall solution first. In this case we configure the browser to connect to ZAP, and then configure ZAP to connect to the company's proxy.
There are various add-ons, as well as an API, which extend the functionality and features of ZAP. As stated in the principles, ZAP targets all skill levels: from those who are new to security testing, who are likely to start out with automated tests, to developers who run security tests for a living and make use of a wide range of features including manual testing. The flexibility and extensibility (via add-ons in the ZAP marketplace) that ZAP provides makes it a popular choice among security testers. Since we are talking about security, many people also want to know what their security tools really do. ZAP is open source, so the code can be examined; if desired, one can look at how certain functions are implemented. The developers are transparent about which data ZAP collects (e.g. checks for new versions) and about how that background traffic can be controlled or disabled (where possible). The ZAP community is also very open to new developers: anyone can submit bug fixes or contribute additional features.
How-To
Installation
First, go to the Download section on the official website for ZAP and select the installer for your operating system.
Additionally, Java version 17 or higher must be installed. There are no additional requirements.
Test targets
To explore ZAP's features without setting up your own server, you can use pentesting platforms such as Firing Range (a free-to-use online installation of Google's Firing Range) or an OWASP Juice Shop instance (e.g. the official OWASP Juice Shop instance). Always test only on websites you own or have permission to use; unauthorized testing can alter data, pose risks, and is illegal. Alternatively, you can set up a test environment on your own server. Do NOT run active features of ZAP against public websites without permission: you might alter data, and this kind of attack can be prosecuted!
Sessions
In ZAP it is possible to save sessions, preserving all collected and analyzed data from web applications. Upon opening ZAP, you will be prompted to decide whether to persist the current session. Using this feature, you will be able to continue analyzing a web application later without needing to reconnect to it. However, be cautious—more aggressive scans generate larger amounts of data. Even a few minutes of scanning can produce hundreds of megabytes.
Modes
ZAP has different modes to choose from:
- Safe: Only allows operations that are not considered dangerous, where dangerous means manipulating requests and attacking the web application.
- Protected: This is the officially recommended mode. It allows dangerous operations, but only on URLs that were put in the Scope of our target; in other words, only selected sites will be attacked.
- Standard: ZAP is allowed to do anything to the web application.
- ATTACK: ZAP actively scans new nodes as soon as they are discovered.
User Agent Settings
If you go to Tools → Options → Connection in the ZAP GUI, you can configure the Default User Agent (i.e. which browser and operating system ZAP should pretend to be when connecting to websites). Responses may differ depending on this setting; older websites in particular often had their own configurations for Internet Explorer that were unlike those for other browsers.
Features
Quick Start/Automated Scan
The easiest way to start using ZAP is via the Quick Start tab. To run a Quick Start/Automated Scan:
- Start ZAP and click the Quick Start tab of the Workspace Window.
- Click the large Automated Scan button.
- In the URL to attack text box, enter the full URL of the web application you want to attack.
- Click the Attack button
Manual Scan
A manual scan can be done the following way:
- Start ZAP and click the Quick Start tab of the Workspace Window. (see above)
- Click the large Manual Explore button.
- In the URL to explore text box, enter the full URL of the web application you want to explore.
- Select the browser you would like to use.
- Click the Launch Browser button.
Next, you will be presented with a welcome message that includes the HUD tutorial (see figure “ZAP HUD Welcome Message”)
Passive versus Active Scanning
Passive scanning is considered safe and legal. It finds vulnerabilities without modifying requests or performing any malicious action. It runs in a background thread, so it does not negatively affect performance while exploring an application.
Active scanning is considered malicious and should only be used once verbal or written permission from the owner of the target web application has been obtained. Active Scan runs by default in Standard and ATTACK mode.
A limitation of a standard passive scan is that pages requiring a login cannot be reached, since ZAP will not handle the authentication by itself; it is, however, possible to configure ZAP to authenticate. Another limitation is that the order in which a passive scan explores the target is largely uncontrollable. ZAP offers a solution for almost every such limitation, which is why it has many additional features for exploring and attacking beyond the passive scan. For exploring a site, spidering (see the Spider section below) is a viable option, but spiders are rather limited when it comes to filling out forms: forms may be filled with default data or random strings instead of the required information. It is therefore suggested to combine spidering with manual exploration, so that an actual user can, for example, fill out form data when an error message is returned.
Another recommendation for exploration is to take a look at the web application with a browser proxying through ZAP. The benefit of this method is that all requests and responses undergo a passive scan by ZAP and a site tree is built. Additionally, ZAP will record potential vulnerabilities that it finds for future reference.
Spider
After starting an automated scan, the Spider tab opens up in ZAP. The Spider “crawls” through the web application and tries to find every page of the web application. By following links, form actions, and embedded scripts, it constructs a comprehensive sitemap of the application. This functionality is essential for identifying hidden or inaccessible end-points, such as administrative panels or API endpoints, that might not be apparent from the user interface. Optionally, a more advanced AJAX spider for AJAX-rich sites can be used.
Add-ons
There is a Marketplace for ZAP where extra add-ons can be found. These make it possible to extend the functionality of ZAP even further, and typically they can be added or removed without restarting ZAP. Usually, add-ons are assigned one of the following states:
- Release: high-quality add-on
- Beta: reasonable quality but possibly incomplete or still requires testing
- Alpha: requires further development
You can reach the marketplace by clicking on the blue-red-green squares symbol in the UI, which stands for "Manage Add-ons".
API
ZAP offers a powerful API (Application Programming Interface) that allows interaction with almost every feature offered in the GUI, with new features being added in future versions. Comprehensive API documentation is available, providing examples in shell script, Python, and Java to help beginners and experienced users alike.
Requests to the API are made via GET and POST endpoints, with responses available in formats like JSON, HTML, and custom options such as HAR. While the content is the same across response formats, developers can choose the one that best suits their needs. For instance, HTML is recommended for readable reports, while JSON or XML is preferred for quickly parsing results.
It is also possible to use ZAP to scan APIs and even to automate these API scans, using the same file formats that we use for ZAP's own API (JSON, etc.). However, the main problem with scanning APIs is exploration: figuring out what to target and which methods to use, since most of the time browsing or spidering will not lead to useful results for APIs.
Why is an API key required by default? Since ZAP can be controlled via its API, the API must be protected from malicious sites or attackers trying to remotely control our ZAP installation or change its configuration. It was therefore decided to make an API key mandatory to hinder such attempts.
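The following script is an added example written for this page (it is not code from the ZAP project) and shows the request format described above in practice: URLs of the form `/<format>/<component>/<view|action>/<name>/`, the API key sent with every request, and the Quick Start "Automated Scan" steps (spider, then active scan, then collect alerts) driven through the API instead of the GUI. It assumes ZAP is running as a daemon on 127.0.0.1:8080, uses a placeholder API key, and includes a constructed sample alerts response so that the summary functions can be exercised without a live ZAP.

```python
"""Driving the ZAP API from Python using only the standard library.

Added example for this page, not code from the ZAP project. Assumptions:
ZAP runs as a local daemon on 127.0.0.1:8080, the API key below is a
constructed placeholder, and target.invalid is a constructed, non-routable
host name. SAMPLE_ALERTS is constructed data shaped like the response of the
core/view/alerts view.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://127.0.0.1:8080"           # assumed local ZAP daemon
API_KEY = "REPLACE-WITH-YOUR-ZAP-API-KEY"    # constructed placeholder
RISK_LEVELS = ("High", "Medium", "Low", "Informational")


def build_url(component, kind, name, params=None, fmt="JSON", base=ZAP_BASE):
    """Build <base>/<format>/<component>/<view|action>/<name>/?<query>.

    fmt selects the response format (JSON, XML, HTML, ...). The API key is
    deliberately not placed in the query string; zap_get sends it in the
    X-ZAP-API-Key header so it does not end up in URLs, logs or ZAP's history.
    """
    url = f"{base}/{fmt}/{component}/{kind}/{name}/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def zap_get(component, kind, name, params=None, api_key=API_KEY, timeout=30):
    """Call one API endpoint and decode its JSON body (performs a network call)."""
    req = urllib.request.Request(
        build_url(component, kind, name, params),
        headers={"X-ZAP-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def wait_for_scan(component, scan_id, poll_seconds=2):
    """Poll <component>/view/status (spider or ascan) until it reports 100%."""
    while True:
        status = zap_get(component, "view", "status", {"scanId": scan_id})
        if int(status["status"]) >= 100:
            return
        time.sleep(poll_seconds)


def run_automated_scan(target):
    """The Quick Start 'Automated Scan' as API calls: spider, active scan, alerts."""
    spider = zap_get("spider", "action", "scan", {"url": target})
    wait_for_scan("spider", spider["scan"])
    ascan = zap_get("ascan", "action", "scan", {"url": target, "recurse": "true"})
    wait_for_scan("ascan", ascan["scan"])
    return zap_get("core", "view", "alerts", {"baseurl": target})


def summarize_alerts(alerts_response):
    """Count alerts per risk level; every level is present, zero-filled."""
    counts = Counter(a.get("risk", "Informational")
                     for a in alerts_response.get("alerts", []))
    return {level: counts.get(level, 0) for level in RISK_LEVELS}


def highest_risk(alerts_response):
    """Return the most severe risk level that has at least one alert, or None."""
    summary = summarize_alerts(alerts_response)
    return next((level for level in RISK_LEVELS if summary[level]), None)


# Constructed sample shaped like a core/view/alerts response.
SAMPLE_ALERTS = {
    "alerts": [
        {"alert": "Missing Anti-clickjacking Header", "risk": "Medium",
         "url": "http://target.invalid/"},
        {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
         "url": "http://target.invalid/"},
        {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
         "url": "http://target.invalid/login"},
        {"alert": "Information Disclosure - Suspicious Comments",
         "risk": "Informational", "url": "http://target.invalid/app.js"},
    ]
}

if __name__ == "__main__":
    # Offline run over the constructed sample; against a live ZAP you would use
    # summarize_alerts(run_automated_scan("http://target.invalid/")) instead.
    print(summarize_alerts(SAMPLE_ALERTS), "worst:", highest_risk(SAMPLE_ALERTS))
```

The summary functions take the decoded JSON directly, so the same code works whether the alerts come from `run_automated_scan` or from a saved JSON export; switching `fmt` to `XML` or `HTML` in `build_url` only changes the response encoding, not the data, as the section above describes.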
Reporting and analysis tools
ZAP offers robust reporting capabilities that allow users to share and analyze scan results. It can automatically generate reports in various formats, such as HTML, XML, and JSON, with detailed information about discovered vulnerabilities, sorted by severity. The reports include insights into endpoints, issues, and remediation suggestions, making it easier for developers and security teams to address risks. Users can also customize reports to focus on specific vulnerabilities or compliance needs. With clear, structured reports, ZAP ensures effective communication of security findings for technical teams and stakeholders alike.
Attack the OWASP Top 10 using ZAP
One of the many guides found on the ZAP website is about how to attack the Top 10 security threats using ZAP. The content of the following tables is taken from the Zapping the Top 10 Guide. The previous OWASP Top 10 was from 2017. The current OWASP Top 10 is from 2021; it has three new categories, naming and scoping changes, and some vulnerabilities combined into single categories. More information about the Top 10 can be found on the OWASP Top Ten page.
Videos and Tutorials
Zaproxy and AllDayDevOps offer a series of short videos (~10 minutes each) about different ZAP features. On YouTube, you can find a step-by-step tutorial by Arkenstone Learning [1].
References
- Official Documentation for ZAP
- Official API documentation
- R. S. Devi and M. M. Kumar, "Testing for Security Weakness of Web Applications using Ethical Hacking," 2020 4th International Conference on Trends in Electronics and Informatics (ICOEI)(48184), Tirunelveli, India, 2020, pp. 354-361, doi: 10.1109/ICOEI48184.2020.9143018.[2]