OWASP ZAP

From Embedded Lab Vienna for IoT & Security
Revision as of 12:56, 20 December 2020 by MMuszik (talk | contribs) (→‎Manual Scan)

Introduction

About

ZAP is short for Zed Attack Proxy. Before we delve into details as to what this means, what it is about, why it was created and what it can be used for, let us start by having a look at the principles of ZAP first for a better understanding.

The principles are:

  • It is free and open source, which means anyone can access and use it.
  • It is also cross-platform, that is, it works on Linux, Windows and macOS.
  • It is easy to use; any user, be it a beginner or a professional, can use it easily.
  • It is easy to install; it requires a Java Runtime Environment, but everything else is included in the standard downloads.
  • It is fully internationalized, i.e., it has been translated into many other languages.
  • It is fully documented; a set of useful documents and help files is included.
  • It works well with other tools, so that we can use other tools in conjunction with ZAP if we need to.
  • It supports the use of well-regarded components.

These principles can be seen as the motivation behind ZAP. To summarise, it is designed to give everyone interested the chance to run security tests easily and at no cost, no matter their experience, the computer they use or the language they speak. OWASP (the Open Web Application Security Project) is a non-profit organisation that publishes freely available articles, and aside from tools like ZAP it also provides documentation and technologies dealing with web application security. Many other security publications refer to OWASP's work, for example the OWASP Top 10, which lists the most critical web application security risks and is covered in its own chapter later in this paper. OWASP also offers a Testing Guide as well as a Development Guide with best-practice information, and many more useful resources.

Description

ZAP’s focus is on testing web applications, the core idea behind it is a ”Man-in-the-Middle proxy”, that is, all web traffic between the web browser and the web application is first directed through ZAP. The data and messages can be intercepted, inspected, even modified before they are forwarded to their actual destination. There are different ways to run ZAP, it is possible to use it as a stand-alone application (Java 8+ is required) or as a daemon process.

It is also possible to run ZAP in combination with another proxy, e.g. if a company runs their web traffic through their own proxy or firewall solution first. In this case we configure our browser to connect to ZAP, and then we can configure ZAP to connect to that other proxy.

There are various add-ons as well as an API which make it possible to use ZAP in a variety of scenarios and to extend it further in the future. As stated in the principles, ZAP targets all skill levels: those new to security testing, who will probably start out with the automated tests; developers; and those who run security tests for a living and can be considered specialists, making use of a variety of features including manual testing. The flexibility and extensibility that ZAP provides (via add-ons in the ZAP Marketplace, which is part of the client) make it a popular choice among security testers, and on top of that it is free and available for pretty much every major operating system. Since we are talking about security, many people also want to know what their security tools really do. ZAP is open source, so the code can be examined if desired and one can look at how certain functions are implemented; the developers are also transparent about which data ZAP "sends home" (e.g. checks for new versions) and about how that background traffic can be controlled or disabled (where possible). The ZAP community is very open to new developers; anyone can submit bug fixes or create additional features for ZAP.

How-To

Installation

Figure: ZAP Installation

First, go to the Download section on the official website for ZAP and select the installer for your operating system.

Additionally, Java version 8 or higher must be installed. That is pretty much it: one needs to accept the license terms and then ZAP is ready to go.

Quickstart/Automated Scan

Figure: ZAP Session Persistence

After opening ZAP you are asked if you want to persist the session. Answer "No" to quickly skip to the Quickstart.

Figure: ZAP Quickstart

The easiest way to start using ZAP is via the Quick Start tab. Quick Start is a ZAP add-on that is included automatically when you install ZAP. To run a Quick Start Automated Scan:

  • Start ZAP and click the Quick Start tab of the Workspace Window.
  • Click the large Automated Scan button.
  • In the URL to attack text box, enter the full URL of the web application you want to attack.
  • Click the Attack button.

Manual Scan

Figure: ZAP HUD Welcome Message

A manual scan can be done the following way:

  • Start ZAP and click the Quick Start tab of the Workspace Window. (see above)
  • Click the large Manual Explore button.
  • In the URL to explore text box, enter the full URL of the web application you want to explore.
  • Select the browser you would like to use.
  • Click the Launch Browser button.

Next you will be presented with a welcome message from the HUD (Heads Up Display), ZAP's overlay inside the launched browser, which includes the HUD tutorial (see figure "ZAP HUD Welcome Message").

Add-Ons

There is a so-called Marketplace for ZAP where add-ons can be found. These make it possible to extend the functionality of ZAP even further, and typically they can be added or removed without restarting the ZAP application. Usually add-ons are assigned one of the following states:

  • Release: high-quality add-on
  • Beta: reasonable quality but possibly incomplete or still requires testing
  • Alpha: requires further development
Figure: Manage Add-Ons

You can reach the marketplace by clicking on the blue-red-green squares symbol in the UI, it stands for "Manage Add-Ons".

User Agent Settings

If you go to Tools → Options → Connection in the ZAP GUI you can configure the Default User Agent (that is, which browser and operating system ZAP should pretend to be when connecting to websites). You may get different responses depending on this setting; older websites in particular often had their own configurations for Internet Explorer that differed from those served to other browsers.

API

It is possible to interact with ZAP using its powerful Application Programming Interface (API); almost every feature that the GUI offers can be accessed via the API, and more features are being added with future versions. Beginners and experts alike benefit from the extensive API documentation, which gives examples in shell script, Python and Java for running the various features.

Requests to the API are made via GET and POST endpoints; responses are available in a variety of formats such as JSON, HTML and XML, but also custom formats such as HAR. The content of the response is always the same regardless of format, so the developer can select the format that best fits their use case. The recommendations are to use HTML for good readability in reports, and JSON or XML if one wants to quickly parse the returned result.

It is also possible to use ZAP to scan APIs and even to automate these API scans, using the same formats that ZAP's own API uses (JSON, etc.). However, the main problem with scanning APIs is the exploration: figuring out what to target and with which methods, since most of the time browsing or spidering will not lead to useful results for APIs. ZAP can import API definitions (e.g. an OpenAPI specification) to fill this gap.

Why is an API key required by default?

Since ZAP can be controlled via the API, we also must protect it from malicious sites or attackers that are looking to remotely control our ZAP installation or make changes to it. So it was decided to make the usage of an API key mandatory to hinder these attempts: every API call must carry the key, either as the apikey query parameter or in the X-ZAP-API-Key header, and calls without the correct key are refused. The key can be viewed and changed under Tools → Options → API.
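The following is an added example, not ZAP's own client library or any code from this page, showing how the API described above is driven from a script: the URL layout `/<format>/<component>/<view|action>/<name>/`, the `X-ZAP-API-Key` header and the spider, ascan and core components are ZAP's documented API. The host, port, key value, target URL, sample alerts and the FakeZap stand-in are assumptions made so the example runs offline; against a real instance you would pass only a real key and drop the transport argument.

```python
"""Driving ZAP from a script: a minimal client for its REST-style API (added example)."""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter


class ZapClient:
    """Client for http://host:port/<FORMAT>/<component>/<view|action>/<name>/."""

    def __init__(self, base="http://127.0.0.1:8080", api_key="", fmt="JSON", transport=None):
        self.base = base.rstrip("/")
        self.api_key = api_key
        self.fmt = fmt  # JSON, XML, HTML or OTHER (e.g. for HAR exports)
        # transport(url, headers) -> response bytes; injectable so the flow can be
        # exercised offline against the constructed FakeZap below.
        self.transport = transport or self._http_get

    @staticmethod
    def _http_get(url, headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()

    def url(self, component, kind, name, **params):
        query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
        return f"{self.base}/{self.fmt}/{component}/{kind}/{name}/" + (f"?{query}" if query else "")

    def call(self, component, kind, name, **params):
        # The key is sent as a header rather than in the query string so it does not
        # end up in URL logs; ZAP also accepts it as the apikey= query parameter.
        headers = {"X-ZAP-API-Key": self.api_key} if self.api_key else {}
        raw = self.transport(self.url(component, kind, name, **params), headers)
        return json.loads(raw) if self.fmt == "JSON" else raw.decode()


def wait_for_scan(client, component, scan_id, interval=2.0):
    """Poll <component>/view/status until the spider or active scan reports 100."""
    while int(client.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(interval)


def baseline_scan(client, target, interval=2.0):
    """Spider the target, actively scan it, then count the alerts per risk level."""
    spider_id = client.call("spider", "action", "scan", url=target)["scan"]
    wait_for_scan(client, "spider", spider_id, interval)
    ascan_id = client.call("ascan", "action", "scan", url=target)["scan"]
    wait_for_scan(client, "ascan", ascan_id, interval)
    alerts = client.call("core", "view", "alerts", baseurl=target)["alerts"]
    return Counter(alert["risk"] for alert in alerts)


# Constructed sample alerts in the shape core/view/alerts returns (not real findings).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://target.example/search?q=x", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://target.example/", "param": ""},
    {"alert": "Cookie Without SameSite Attribute", "risk": "Low",
     "url": "http://target.example/login", "param": "session"},
]


class FakeZap:
    """Constructed stand-in for a ZAP daemon so the flow above can run offline.

    It refuses calls without the right API key, as ZAP does, and reports scan
    progress in two steps (50, then 100) so the polling loop is exercised.
    """

    def __init__(self, api_key):
        self.api_key = api_key
        self.progress = {"spider": 0, "ascan": 0}

    def __call__(self, url, headers):
        if headers.get("X-ZAP-API-Key") != self.api_key:
            raise PermissionError("ZAP refused the call: missing or wrong API key")
        _, _fmt, component, kind, name, _ = urllib.parse.urlparse(url).path.split("/")
        if kind == "action" and name == "scan":
            return b'{"scan":"0"}'
        if name == "status":
            self.progress[component] = min(100, self.progress[component] + 50)
            return json.dumps({"status": str(self.progress[component])}).encode()
        if name == "alerts":
            return json.dumps({"alerts": SAMPLE_ALERTS}).encode()
        raise ValueError(f"unexpected call: {url}")


if __name__ == "__main__":
    # Against a real instance: ZapClient(api_key="<key from Tools > Options > API>")
    client = ZapClient(api_key="example-key", transport=FakeZap("example-key"))
    print(dict(baseline_scan(client, "http://target.example", interval=0)))
```

To run this against a real installation, start ZAP as a daemon (for example `zap.sh -daemon -port 8080 -config api.key=<key>`), then construct `ZapClient(api_key="<key>")` without a transport; the same `baseline_scan` call then drives the actual spider and active scanner and reads back the real alerts.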

Attack the OWASP Top 10 using ZAP

One of the many guides found on the ZAP website describes how to attack the OWASP Top 10 risks using ZAP. The content of the following tables is taken from the Zapping the Top 10 Guide; each row gives the type of test (Automated or Manual) and the ZAP feature to use.

Common Components
  Manual      Man-in-the-middle proxy
  Manual      Manual request / resend
  Manual      Scripts
  Manual      Search

A1 Injection
  Automated   Active Scan Rules (Release, Beta*, and Alpha*)
  Automated   Advanced SQLInjection Scanner* (based on SQLMap)
  Manual      Fuzzer, combined with the FuzzDb* and SVN Digger* files

A2 Broken Authentication
  Manual      HTTP Sessions
  Manual      Spider
  Manual      Forced Browse
  Manual      Token Generator*
  Automated   Access Control Testing*

A3 Sensitive Data Exposure
  Automated   Active Scan Rules (Release, Beta*, and Alpha*)
  Automated   Passive Scan Rules (Release, Beta*, and Alpha*)

A4 XML External Entities (XXE)
  Automated   Active Scan Rules (Release, Beta*, and Alpha*)

A5 Broken Access Control
  Automated   Active Scan Rules (Release, Beta*, and Alpha*)
  Automated   Passive Scan Rules (Release, Beta*, and Alpha*)
  Automated   Access Control Testing*
  Manual      HttpsInfo*
  Manual      Port Scanner*
  Manual      Wappalyzer - Technology detection*

A6 Security Misconfiguration
  Manual      Spider
  Manual      Ajax Spider
  Manual      Session comparison
  Manual      Access Control Testing*
  Manual      HttpsInfo*

A7 Cross-Site Scripting (XSS)
  Automated   Active Scan Rules (Release)
  Manual      Fuzzer, combined with the FuzzDb* files
  Manual      Plug-n-Hack

A8 Insecure Deserialization
  Automated   There are two outstanding issues relevant to this Top 10 entry: Insecure deserialization active scanner & Java Serialization Handling

A9 Using Components with Known Vulnerabilities
  Automated   Passive Scan Rules (Alpha*) and Retire
  Manual      Wappalyzer - Technology detection

A10 Insufficient Logging & Monitoring
  Automated / Manual   The Spider(s), Active Scanner, Fuzzer, and Access Control add-on can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting.

Note: Add-ons marked with a * are not part of the default installation of ZAP, they can be installed using the ZAP Marketplace

Modes

ZAP has different modes to choose from:

  • Safe: only allows operations that are considered not dangerous (for example, no active scanning)
  • Protected: the recommended mode; it allows potentially dangerous operations, but only on URLs that have been put in the Scope of our target
  • Standard: no restrictions, everything goes against any URL
  • ATTACK: like Standard, but additionally every new node discovered within the Scope is actively scanned as soon as it is found

Passive versus Active Scanning

Passive scanning is considered safe: it only inspects the requests and responses that are already passing through ZAP and never modifies them or sends anything extra, so the target sees nothing beyond normal browsing. It runs in a background thread, so it does not negatively affect performance while exploring an application.

With active scanning we actually attack our target, so this should be done with caution and, of course, only with permission; an active scan may alter or destroy data at the target site.

A limitation of the automated exploration that feeds the passive scan (the spider) is that pages which require a login cannot be reached, since by default ZAP does not handle the authentication. It is, however, possible to configure ZAP to authenticate (via a Context with an authentication method and users). Another limitation is that the order in which the spider explores the target is largely beyond our control. ZAP offers a solution for almost every such limitation, which means there are many features for exploring and attacking beyond the passive scan. For exploring a site we already mentioned spidering as a viable option, but we need to keep in mind that spiders are rather limited when it comes to filling out forms: they enter default data or random strings instead of the required information. So it is suggested to use spidering in combination with manual exploration, so that an actual user can, for example, fill out form data correctly when the spider's attempt only returns an error message.

Another recommendation for exploration is to browse the web application with a browser proxying through ZAP. The benefit of this method is that all requests and responses undergo a passive scan by ZAP and a site tree is built. Additionally, ZAP records the potential vulnerabilities it finds for future reference.