I remember hearing about ZAP on my ride into work, listening to Security Weekly. After a little researched I discovered that it was a tool supported by the Open Web Application Security Project. OWASP is an open source non-profit organization focused on providing better application security to organizations. The best part about the tool is that it is free!
What is ZAP?
ZAP stands for Zed Attack Proxy. Named such by Simon Bennetts who told me that he really wanted to name the tool ZAP (OWASP. Bugs. Get it?). Simon is not a security person by trade. He’s a developer and built the tool to help developers write better code. It just so happened that security people found the tool and started using it.
Setting up ZAP as a proxy allows for a tester to run through an application and find vulnerabilities. It uses the methods in OWASP’s Top 10 as part of its scan. I’ll get into the methodology of using the tool later. This automates and streamlines a lot of testing. Beware, the scanner is not perfect (no scanner is). Confirming vulnerabilities found by the tool is a very important part of the process. One false positive with developers and we lose credibility.
After testing is complete ZAP has an export report feature. The report can be exported in either an HTML or an XML format. The HTML is great for working with developers and researching and confirming each finding. With the XML format, a tool like ThreadFix or Dradis can be used to help track vulnerabilities.
The tool also has advanced features for further digging into the application. This is great as a tester gets more comfortable and better with the tool he has an opportunity to dig deeper into an application.
The alternative to ZAP is Burp Suite. It does a lot of the same things that ZAP does with some minor differences. Burp has two versions: A community version (free); and a premium version (paid). The premium version costs $300 a year. For those looking to make a career in application security, getting familiar with Burp is a must. Learning both is a plus. Each tool has it's strengths and weaknesses.
How to get started
Download ZAP from the OWASP website and install. Launch the application. The first screen you will see is asking, “Do you want to persist the ZAP Session?” Persisting the session will allow you to close and re-open the ZAP session quickly. You can either:
- YES Persist: Save it in the default directory (first option)
- YES Persist: Specify the name and location (second option)
- Do Not Persist: Or don't bother (third option)
If you intend to save your own sessions then select the third option.
One of the first things available when ZAP opens, is the Quick Start tab. This can be used to perform a very quick, top-level scan. To dig much deeper into an application it will need to be setup as a proxy. To do this go to: Tools -> Options -> Local proxy.
Select your settings (or leave everything default). Then open internet options. Click the Connections tab and click the LAN settings button. Under the Proxy server section check the box for “Use a proxy server for your LAN.” Make sure the Address field says "localhost" (default) and the Port field reads "8080" (default). Click OK and then Apply. ZAP is now intercepting all internet traffic. This includes any browsers or applications using the internet. I recommend running the application assessment from a separate machine or virtual machine. As a proxy it will collect all internet traffic your computer performs. Including browser traffic and any updaters installed.
Now that we’re setup, time to test.
Run through the entire application. When I say the entire application, I mean the ENTIRE APPLICATION. Click on every link and button. Fill out every field and submit forms. This is best done in a test environment which developers should have. Coordinate with them for any functions that need handling on their end. Once the application has been explored, it’s time to use ZAP to map the rest of the application.
Before we do that though, it is a good idea to exclude any sites you don’t want to run ZAP on. Right-click any sites you want to exclude. Select Exclude From Proxy and click OK. There is some flexibility here, but for the most part I just exclude the sites from the proxy all together.
To map the application ZAP uses a Spider. Right-click the site, highlight Attack, and select Spider. The spider will run through the application and map it. The more the application was explored by the tester, the more it will find. ZAP also features an Ajax Spider attack for ajax content. This will open a browser, run through the website, and map the ajax content in the application.
After running the spider function, run the forced browse attack. This function will use a text file with common directory names to look for hidden directories. This attack can usually take several hours to run, depending on the size of the list. ZAP supports user created lists.
Active scan is run next. This is where discovery of vulnerabilities of the application occurs. The function will run through techniques in the OWASP Top 10. Clicking on the heartbeat monitor icon will allow you to watch the progress of the scan.
I want to mention one other type of attack that may or may not be used. The Fuzz attack or fuzzer. This is typically used for things like user enumeration (username discover). The attack allows for requests sent to be modified using a text file. This allows for the automation of sending many modified requests to the application. Viewing the responses we can build a list of usernames in automated and quick fashion.
Once the Active Scan completes we have a (hopefully not long) list of vulnerabilities. Export and view a report of the findings by clicking Report -> Generate HTML report. The report includes:
- The type of attack
- A short description
- The vulnerable link
- The attack
- The solution
Once the vulnerabilities are confirmed or rejected, it’s report writing time.
OWASP ZAP is a great tool for those just starting out in application security. Or those needing to stand up a security assessment program. The instructions above are meant to just get someone started with using ZAP. Both ZAP and Burp Suite provide a lot of granular control of and customization of it's features and functions. But both are very simple to use. Both are well documented (check the more resources section below).
If $300 is within the budget, Burp Suite is the tool of choice by application security professionals. I've tinkered with Burp Suite, but for the most part I've used ZAP. Free is hard to beat, but it also came in handy working with developers. As I was implementing the security assessment program in my organization, I quickly discovered that the developers were interested in the tool. That probably had more to do with managements support of the program. Still, when the developers started asking questions on how I tested, I simply installed the tool on their system. From there I showed them my techniques for performing assessments. Now, I'm easily showing the developers how to run their checks of the application before it even reaches me.
I probably could do the same with Burp Suite, but I have a few more hoops to jump through with the $300 price tag. The community version does a lot of the same things the premium does. It's just throttled. Again, if you're sure application security is where you want to be $300 is not an insurmountable amount of money. If you're still feeling out the field ZAP works is the best bang for your buck.
- OWASP Zed Attack Proxy Tutorial - YouTube
- Lanmaster53 - Tim Tomes (he provides training too)
- The Web Application Hacker's Handbook 2nd Edition by Dafydd Stuttard
- SANS web App Penetration Testing and Ethical Hacking Course