ZAP Penetration Testing: A simple Tutorial to Detect Vulnerabilities

Are you looking for an OWASP ZAP tutorial? Check out our step by step guide on how ZAP penetration testing works and how it helps to find vulnerabilities in web applications.

Penetration testing (otherwise known as pen testing, or the more general security testing) is the process of testing your applications for vulnerabilities, and answering a simple question: "What could a hacker do to harm my application, or organization, out in the real world?"

Recently I came across a tool, Zed Attack Proxy (ZAP). Its main goal is to allow easy penetration testing to find vulnerabilities in web applications. It is ideal for developers and functional testers as well as security experts. Let’s check out how ZAP penetration testing works.

Step1

1. Open the web application that you want to test.
2. In Zap you will find your website/application displayed under sites.

ZAP will spider that URL, then perform an active scan and display the results.

Zap runs on proxy, to set up the proxy in ZAP:

Close all active Firefox browser sessions

ZAP tool -> Tools Menu -> Options -> Local Proxy -> Change Address = 127.0.0.1 Port = 8080.

Mozilla browser -> Tools Menu -> Options -> Advanced tab -> Network -> Settings -> Select Manual Proxy configuration:- HTTP Proxy = 127.0.0.1 Port = 8080.

Now try to connect to your application using your browser.

If you can’t connect to it then check your proxy settings again. You will need to check your browser’s proxy settings, and ZAP’s proxy settings. It’s also worth checking that the application that you are trying to test is running!

When you have successfully connected to your application you will see one or more lines in ZAP’s Sites and History tabs.Note that most of ZAP’s tabs provide additional functionality that could be accessed via ‘right click’ menus.

Right click on the HTML -> Attack -> Active scan

ZAP will perform active scan on all the pages and display the results.

Save the ZAP session

Once you have manually explored the application it would be a good time to save the ZAP session so that you can look at it again.

If your application has multiple roles then you should explore it with each role and save the sessions in separate files.

Generating a Report:

ZAP tool -> Report -> Generate HTML report (Any other options listed) -> Save and share the report.

Authentication, session and User management using ZAP

1. Context: Represents a Web application
2. Session Management Method: How are the web Sessions identified by the server and handle requests

Example: cookie based using query parameters

3. Authentication Method: How is a new session established?

It could be either Form based authentication method, HTTP based or oath methods.

4. User Management: Handling users of web application that could be used for executing actions

Example: user name/password pair

Steps to follow:

1. Set proxy in local browser/access url: https://pr-uat.iptquote.com

Now include web app in context.

Further reading: https://www.toobler.com/blog/zap-penetration-testing-simple-tutorial/