Configuration guide
- Go to
Tools/Options/Local Servers/Proxiesand set port to 8081 - Then go to
Tools/Options/Server Certificatesand click on save - Import it in your browser (in brave/chrome search for certificates and add it on authorities)
Set up dark mode
- Go to
Options >> Display >> Look and Felland selectFlat Dark:D
Benefits of OWASP ZAP
Itโs completely open source and free. There is no premium version, no features are locked behind a paywall, and there is no proprietary code.
Thereโs a couple of feature benefits too with using OWASP ZAP over Burp Suite:
- Automated Web Application Scan: This will automatically passively and actively scan a web application, build a sitemap, and discover vulnerabilities. This is a paid feature in Burp.ย
- Web Spidering: You can passively build a website map with Spidering. This is a paid feature in Burp.
- Unthrottled Intruder: You can bruteforce login pages within OWASP as fast as your machine and the web-server can handle. This is a paid feature in Burp.
- No need to forward individual requests through Burp: When doing manual attacks, having to change windows to send a request through the browser, and then forward in burp, can be tedious. OWASP handles both and you can just browse the site and OWASP will intercept automatically. This is NOT a feature in Burp.
If youโre already familiar with Burp the keywords translate over like so:
ZAP is unable to perform Login timing attacks. Burp can.
Installation
Download from the official website: zaproxy
- In Kali you can use:
sudo apt install zaproxy -y
How to perform an automated scan
Lets perform an automated scan. Click the big Automated Scan button and input your target:
The automated scan performs both passive and automated scans to build a sitemap and detect vulnerabilities.
On the next page you may see the options to select either to use โtraditional spiderโ or โAjax spiderโ.
A traditional spider scan is a passive scan that enumerates links and directories of the website. It builds a website index without brute-forcing. This is much quieter than a brute-force attack and can still net a login page or other juicy details, but is not as comprehensive as a bruteforce.
The Ajax Spider is an add-on that integrates in ZAP a crawler of AJAX rich sites called Crawljax. You can use it in conjunction with the traditional spider for better results. It uses your web browser and proxy.
The easiest way to use the Ajax Spider is with HTMLUnit.ย
To install HTML Unit use the command: sudo apt install libjenkins-htmlunit-core-js-java
And then select HtmlUnity from the Ajax Spider Dropdown.
Both utilities can further be configured in the options menu (Ctrl+Alt+O)
Example Automated Scan Output:
With very minimal setup we were able to do an automated scan that gave us a sitemap and a handful of vulnerabilities.
Manual scanning
Lets perform a manual scan against the DVWA machine.
Like Burp, you should set-up your proxy between OWASP ZAP and your Browser. Weโll be using Firefox.ย
OWASP Proxy Setup:
Add ZAP Certificates:
Without importing ZAP Certificates, ZAP is unable to handle simultaneous Web request forwarding and intercepting. Do not skip this step.
In the same options menu, navigate to Dynamic SSL Certificates and save the certificate somewhere youโll remember and not delete.
Then, open Firefox, navigate to your preferences, and search for certificates and click โView Certificatesโ
Then click โImportโ and then navigate to the earlier downloaded certificate and open it.
Select both and then hit OK.
Scanning an Authenticated Web Application
Without your Zap application being authenticated, it canโt scan pages that are only accessible when youโve logged in. Lets set up the OWASP ZAP application to scan these pages, using your logged in session.
Lets go to the DVWA machine (http://10.10.176.113), and login using the following credentials:
Username: admin Password: password
After logging in you should see this.
For the purpose of this exercise, once youโve logged in, navigate to the DVWA Security tab and set the Security level to Low and then hit submit.
Weโre going to pass our authentication token into ZAP so that we can use the tool to scan authenticated webpages.
Enter inspect element and take note of your PHPSESSION cookie.
In ZAP open the HTTP Sessions tab with the new tab button, and set the authenticated session as active.
Now re-scan the application. Youโll see itโs able to pick up a lot more. This is because its able to see all of the sections of DVWA that was previously behind the login page.
Brute-Force Directories
If the passive scans are not enough, you can use a wordlist attack and directory bruteforce through ZAP just as you would with gobuster.ย This would pick up pages that are not indexed.
First. Go into your ZAP Options (at the bottom navigation panel, with the screen plus button), navigate to Forced Browse, and add the Custom Wordlist. You can also add more threads and turn off recursive brute-forcing.
Then, right click the site->attack->forced browse site
Select your imported wordlist from the list menu, and then hit the play button!
Brute-force Web Login
Lets brute-force a form to get credentials. Although we already know the credentials, lets see if we can use Zap to obtain credentials through a Brute-Force attack.
If you wanted to do this with BurpSuite, youโd need to intercept the request, and then pass it to Hydra. However, this process is much easier with ZAP!
Navigate to the Brute Force page on DVWA and attempt login as โadminโ with the password โtest123โ
Then, find the GET request and open the Fuzz menu.
Then highlight the password you attempted and add a wordlist. This selects the area of the request you wish to replace with other data.
For speed we can use fasttrack.txt which is located in your /usr/share/wordlists if youโre using Kali Linux.
After running the fuzzer, sort the state tab to show Reflected results first. Sometimes you will get false-positives, but you can ignore the passwords that are less than 8 characters in length.
ZAP Extensions
Want to further enhance ZAPs capabilities? Look at some of itโs downloadable extensions!
Letโs install the bugcrowd HUNT extensions for OWASP ZAP. This will passively scan for known vulnerabilities in web applications.
First navigate in your terminal somewhere youโd like to store the scripts
git clone https://github.com/bugcrowd/HUNT
Then in ZAP click the โManage Add-Onsโ icon
From the Marketplace install โPython Scriptingโ and โCommunity Scriptsโ
In ZAP Options, under Passive Scanner, make sure โOnly scan messages in scopeโ is enabled. Then hit OK.
In ZAP open the Scripts tab.
And under Passive Rules, find and enable the HUNT.py script
Now when you browse sites and HUNT will passively scan for SQLi, LFI, RFI, SSRF, and others. Exciting!