In this post, you will learn how to execute penetration tests with OWASP Zed Attack Proxy (ZAP). ZAP is a free web app scanner which can be used for security testing purposes.
When you are developing an application, security must be addressed. It cannot be ignored anymore nowadays. Security must be taken into account starting from initial development and not thinking about it when you want to deploy to production for the first time. Often you will notice that adding security to your application at a later stage in development, will take a lot of time. It is better to take security into account from the beginning, this will save you from some painful headaches. You probably have some security experts inside of your company, so let them participate from the start when a new application needs to be developed. Nevertheless, you will also need to verify whether your developed application is secure. Penetration tests can help you with that. OWASP Zed Attack Proxy (ZAP) is a tool which can help you execute penetration tests for your application. In this post, you will learn how to setup ZAP and execute tests with the desktop client of ZAP. You will also need a preferably vulnerable application. For this purposes, Webgoat of OWASP will be used. In case you do not know what Webgoat is, you can read a previous post first. It might be a little bit outdated because Webgoat has been improved since then, but it will give you a good impression of what Webgoat is. It is advised to disconnect from the internet when using Webgoat because it may expose your machine to attacks.
2. Start the Application
First thing to do, is to start Webgoat. The easiest way is to run it as a Docker container. The Docker image contains the applications Webgoat and Webwolf, but you will only use Webgoat in this post. You give the container the name
goatandwolf (this will make it easy to start and stop the container) and you run it in detached mode.
$ docker run --name goatandwolf -p 8080:8080 -p 9090:9090 -d webgoat/goatandwolf
After the container has started, verify whether you can access Webgoat via the browser at URL http://localhost:8080/WebGoat/. The login page should be shown.
That’s it for now, you are ready now to start with ZAP.
3. Zed Attack Proxy
Installation instructions for ZAP are dependent of your OS. For Linux, you download the file
ZAP_2_10_0_unix.sh and execute it.
Start ZAP, leave the default persistence setting and click Start.
3.2 Quick Start Scan
The quickest way to start a scan is to use the Quick Start menu and start an automated scan. Click the Automated scan button in this menu.
Fill in the URL you want to attack, enable Use ajax spider and click the Attack button. Do not think too much about all the options at this moment, they will become more clear later on in this post.
Some interesting things can be noted after running the scan. Let’s take a look at the Sites section and unfold it so you can see which URL’s did participate to the scan.
The spiders try to explore your website and do find some useful things, but in this case, almost your entire website is located after a login page. The scan was executed without logging in, so the major part of your website is not scanned. The scan did find some alerts but not as many as expected.
The automated scan is a nice way for obtaining some quick results, but nothing more than that. It can definitely not be seen as a good scan of your application, certainly when the larger part of your application needs a login.
3.3 Explore Your Application
One way or the other, you will need to let ZAP know how your application looks like. So, you need to manually explore your website and click all links, buttons, fill in all available forms, even navigate to maybe hidden URL’s, etc. You need to do so for every role your application has, in the case of WebGoat, you will only explore the site for a regular user in this post. Let’s start doing so!
Go to the Quick Start menu again, this time choose Manual Explore. Fill in the URL if not already done and click the Launch Browser button.
A browser window is opened and the login page is shown, just as we saw before when we accessed WebGoat. The difference is, that ZAP is now in between the browser and the application which makes it possible for ZAP to intercept all traffic and follow what we are doing onto the website.
Let’s continue with creating a user. Click the Register new user link and create a user. In the example below, the user
mydeveloperplanet with password
password (the password must be between 6 and 10 characters) is created. Agree with the terms and conditions and click the Sign up button.
Now it is time for the most tedious work, you have to explore the website as good as possible. When you do so, you will notice that the Sites section will continue to grow with new URL’s.
Close the browser and save this session via File – Persist Session…
3.4 Create Context
Before you can continue, you must provide login information to ZAP which it can use during scanning. This information has to be stored in the context. Double-click Default Context in the Sites section.
The Session Properties window opens where settings concerning the session can be changed. You can for example change the session name to a more convenient one than Untitled Session. You name it for example
More importantly is the Contexts section. Change the name Default Context to e.g.
Add the WebGoat website and underlying URL’s by means of a regular expression to the Include in Context section.
In the Authentication section, choose Form-based Authentication (this will be dependent of your application) and fill in the URL for the login page.
And finally, add the created user in the Users section. Fill in the user name and password as previously created. This will allow ZAP to login to the application.
Do not forget to click the OK button in order to save the changes.
3.5 ZAP Modes
ZAP can act in four different modes:
- Safe: no potentially dangerous operations are permitted;
- Protected: only perform potentially dangerous operations on URL’s which are in scope;
- Standard: you can do anything;
- ATTACK: new nodes that are in scope are actively scanned as soon as they are discovered.
You must be aware of the fact that you can only run ZAP against a website you own. It is therefore recommended that you use Protected mode to ensure that you only attack your own sites.
3.6 Start Spider
Although you have done your best clicking on every link, button, you can think of, a spider can help you to reveal the things you might have missed. You can run a traditional spider and/or an AJAX spider. The latter will also crawl dynamically built links. Remember that you also enabled these spiders during the Quickscan.
In the Sites section, right-click the WebGoat URL and choose Attack – Spider…. Select the user
mydeveloperplanet and click the Start Scan button.
The Spider finishes quickly and in the results you will notice that a certain amount of nodes have been added (37 in the screenshot).
Do the same with the AJAX spider. Right-click the WebGoat URL and choose Attack – AJAX Spider…, fill the necessary items and click the Start Scan button.
Again some new URL’s have been added.
3.7 Active Scan
At this moment, you have done all the preparation work and now it is time for the real action. Right-click the WebGoat URL, select Attack – Active Scan…, fill the necessary items and click the Start Scan button.
ZAP will do its work now, so be patient, this can take some time (it took approximately 15 minutes for the scan to complete). At the end, the results can be viewed in the Alerts section.
Clicking an alert will show more information about the vulnerability and how to solve it.
3.8 Export Results
Several export functions are available in the Reports menu for generating reports. You can for example generate a HTML report with Generate HTML Report….
The report is available at GitHub in directory
4. Next Steps
The active scan will give you a first indication about vulnerabilities. Beware however that the active scan can only find certain types of vulnerabilities. In addition to the active scan, manual penetration tests should always be performed. The OWASP Top 10 website gives you good information about whether a vulnerability can be found with an automated scan or not.
In addition to the active scan, you can also use the Forced Browse Site which will try to find undiscoverable links and the Fuzz which will send in random data to your site.
Do not forget to stop the WebGoat Docker container when you are finished testing.
$ docker stop goatandwolf
In this blog you learnt how to use Zed Attack Proxy. It is advised to experiment with it, try to solve the issues, check which other information is available in the tool in order to get more acquainted with it. It is for example also possible to intercept a request and change items in the request.