OWASP ZAP (Zed Attack Proxy) is one of the world's most popular free security tools, and it can find security vulnerabilities in web applications. It is also a great tool for experienced pen testers to use for manual security testing. OWASP ZAP is completely free and open source software. It is a cross-platform tool written in Java and is available on all the popular operating systems, including Microsoft Windows, Linux and Mac OS.
In this post I am going to show you how to install and run the OWASP ZAP tool and do a basic attack in GUI mode. (There are many other options and configurations available in ZAP; this post only covers the basic options and configurations.)
First you need to download the ZAP tool from here.
Once the download finishes you can extract it. To do that, go to your download directory and execute this command.
tar -zxvf ZAP_2.5.0_Linux.tar.gz
When it finishes you can go to that folder and run the zap.sh file.
Once you accept the terms and conditions the tool will start. This is the interface you get when you run ZAP.
Here you can select the first option and click on Start. If you want to run a quick test on an application you can simply enter the URL and click on the Attack button. But in order to get the best results we need to configure the tool a bit.
First, you need to increase the heap size the JVM uses to run ZAP. To do that, open the zap.sh file in a text editor and change the value Xmx512m to Xmx4096m. If your system memory is less than 1500 MB, then instead of changing Xmx512m you need to change Xmx256m or Xmx128m, depending on your memory.
Once that is done you can use a policy to fine-tune ZAP [3]. To import it into ZAP, go to Analyze -> Scan Policy Manager and import the test policy you downloaded from the window that opens.
Then go to Tools -> Options -> Local Proxy and change the address and the port. Since I am using port 9090 for my Tomcat server, I am setting ZAP to port 8080 here; if you are using port 8080 for Tomcat or some other application you will have to use another port.
Then open your Firefox browser, go to Preferences -> Advanced -> Network and click on Settings.
Here select the option Manual proxy configuration and change the HTTP proxy and port to what you configured in ZAP. (If localhost, 127.0.0.1 or the host name is in the "No proxy for" field, remove them as well; otherwise ZAP will not trace requests to them.)
Once done, open the application you want to scan in the Firefox browser. It will be identified by ZAP.
Then we have to include the site in the context. To do that, right-click on the site and select Include in Context -> Default Context.
Keep the default configurations and click OK. Then go to Session Properties to manage sessions of the application, click on Authentication and change the selected authentication method to Form-based Authentication.
In this form, insert the URL of the site's login page so that ZAP can identify the login page, then enter the names of the username and password fields and the variable placeholders for them. Then, from the Username Parameter drop-down box select the username field, and in Password Parameter select the password field. In this case id is my username field.
id={%username%}&password={%password%}
The "Regex pattern identified in Logged In response messages" lets ZAP identify whether the login was successful. Here we can add anything in regex format, but it must be something that only appears when the user is logged in successfully. I am adding the regex below, since the logout URL appears only when a user is logged in.
\Q<a href="logout.jsp">logout</a>\E
The "Regex pattern identified in Logged Out response messages" lets ZAP identify whether the logout was successful.
\Q<a href="adminlogin.jsp">login</a>\E
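As an added example (not part of the original post), the following Python script models how ZAP applies the settings above: it fills the {%username%}/{%password%} placeholders in the POST data and tests a response against the logged-in and logged-out indicators. It assumes that ZAP URL-encodes the substituted credentials, and it translates the Java-style \Q...\E quoting of the indicators, which Python's re module does not understand.

```python
# Added example (not part of the original post): models how ZAP applies the
# form-based authentication settings above, so the POST data template and the
# logged-in / logged-out indicators can be sanity-checked before scanning.
# Assumption: ZAP URL-encodes the substituted credentials (as this code does).
import re
from urllib.parse import quote_plus

# Values exactly as configured in the post.
LOGIN_POST_DATA = "id={%username%}&password={%password%}"
LOGGED_IN_REGEX = r'\Q<a href="logout.jsp">logout</a>\E'
LOGGED_OUT_REGEX = r'\Q<a href="adminlogin.jsp">login</a>\E'


def java_quoted_to_python(pattern: str) -> str:
    # ZAP uses Java regexes, where \Q...\E quotes a literal block. Python's re
    # has no \Q...\E, so each quoted block is escaped instead; text outside
    # the quoted blocks is passed through unchanged.
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern, flags=re.S)


def build_login_body(template: str, username: str, password: str) -> str:
    # Fill the {%username%} / {%password%} placeholders. The credentials are
    # URL-encoded so a password containing '&', '=' or '%' cannot split the
    # body into extra parameters.
    return (template.replace("{%username%}", quote_plus(username))
                    .replace("{%password%}", quote_plus(password)))


def session_state(response_body: str) -> str:
    # Classify a response using the two indicators: 'logged_in', 'logged_out'
    # or 'unknown' (neither indicator matched, which usually means the regex
    # does not match the real page markup and needs adjusting).
    if re.search(java_quoted_to_python(LOGGED_IN_REGEX), response_body):
        return "logged_in"
    if re.search(java_quoted_to_python(LOGGED_OUT_REGEX), response_body):
        return "logged_out"
    return "unknown"


# Constructed sample responses standing in for the real application's pages.
LOGGED_IN_PAGE = '<html><body>Welcome admin. <a href="logout.jsp">logout</a></body></html>'
LOGGED_OUT_PAGE = '<html><body><a href="adminlogin.jsp">login</a></body></html>'

if __name__ == "__main__":
    body = build_login_body(LOGIN_POST_DATA, "admin", "p&ss=word")
    print(body)  # id=admin&password=p%26ss%3Dword
    print(session_state(LOGGED_IN_PAGE), session_state(LOGGED_OUT_PAGE))
```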
Then we need to add users. To do that, select the Users tab, click on Add, give the username and the password and click on the Add button. We can define multiple users as well.
After everything is configured, we can perform all the actions manually so that ZAP traces them and uses them when spidering the site. To run a spider, right-click on the site, click Attack -> Spider and then click Start Scan.
If you want to run an active scan, in the same way right-click on the site and select Attack -> Active Scan.
Here, if you want to add the test policy we downloaded [3], click on Show Advanced Options, go to Policy and select the policy from the drop-down menu. Then you can click on Start Scan. It will take a lot of time to finish the scan.
Once the scan finishes you can generate reports by clicking Report -> Generate HTML Report or Generate XML Report.
report output
References
[1] https://medium.com/@PrakhashS/dynamic-scanning-with-owasp-zap-for-identifying-security-threats-complete-guide-52b3643eee04#.6damz0ert
[2] https://en.wikipedia.org/wiki/OWASP_ZAP
[3] https://gist.github.com/anonymous/240783a9dd4aa963a6b5101ac17b0bdf