In this post we are going to take a quick look at the OWASP Zed Attack Proxy (ZAP) security testing tool. OWASP ZAP is a free, open-source web application security scanner. It helps find security vulnerabilities in web applications.
- OWASP
  - The Open Web Application Security Project is a nonprofit foundation that works to improve the security of software.
- ZAP
  - Detects vulnerabilities present on a web server.
  - Can be used as a stand-alone application and as a daemon process.
ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination.
More details: https://www.zaproxy.org/getting-started
ZAP Setup
ZAP has installers for Windows, Linux, and Mac OS/X. There are also Docker images available on the download site. ZAP requires Java 8+ in order to run.
- JAVA 8+
- ZAP Installer Download
Start ZAP
If you choose to persist the session, the session information is saved in a local database so you can access it later.
If you do not want to save it, choose “No, I do not want to persist this session at this moment in time” and then start.
ZAP Modes
- Standard Mode
  - Allows you to do anything to any website.
- Attack Mode
  - Actively scans any website.
- Safe Mode
  - Turns off all the dangerous operations while scanning.
- Protected Mode
  - Allows scanning only of websites in a defined scope. It prevents the user from scanning an unwanted website.
ZAP Scan Options
- Automated Scan
  - ZAP will spider through the web application, exploring all the links it can find.
- Manual Explore
  - Instead of using a spider, the user has to manually browse through the website.
In this post we are going to quick-start with an automated scan.
Automated Scan
Vulnerability Alerts
Report
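Once the automated scan has finished, the alerts it raised can be exported as a JSON report and triaged outside the GUI, for example in a CI job. The script below is an added example, not ZAP's own code: it parses a report laid out like ZAP's traditional JSON export (a constructed sample is embedded so it runs offline), counts alerts per risk level, and fails if any alert meets a chosen risk threshold. The field names ("site", "alerts", "riskcode", "instances") are assumed from that report format; check them against a report exported by your own ZAP version.

```python
import json
from collections import Counter

# Constructed sample (not real scan output) in the layout of ZAP's traditional
# JSON report: a "site" list, each site holding an "alerts" list, with "riskcode"
# a string from "0" (Informational) to "3" (High). Plugin ids/names are illustrative.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://example.test",
    "alerts": [
        {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "instances": [{"uri": "http://example.test/search?q=x", "method": "GET", "param": "q"}]},
        {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
         "instances": [{"uri": "http://example.test/", "method": "GET", "param": ""},
                       {"uri": "http://example.test/login", "method": "GET", "param": ""}]},
        {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "http://example.test/", "method": "GET", "param": ""}]},
    ],
}]})

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_CODES = {name: int(code) for code, name in RISK_NAMES.items()}

def iter_alerts(report_json):
    """Yield (site_name, alert) for every alert in every site of the report."""
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert

def summarize(report_json):
    """Count distinct alerts per risk level, e.g. {'High': 1, 'Medium': 1, 'Low': 1}."""
    counts = Counter()
    for _, alert in iter_alerts(report_json):
        counts[RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational")] += 1
    return dict(counts)

def gate(report_json, fail_at="High"):
    """Return (passed, offenders); passed is False if any alert is at or above fail_at."""
    offenders = []
    for site_name, alert in iter_alerts(report_json):
        code = int(alert.get("riskcode", "0"))
        if code >= RISK_CODES[fail_at]:
            offenders.append(f"{RISK_NAMES[str(code)]}: {alert.get('name')} "
                             f"({len(alert.get('instances', []))} instances) @ {site_name}")
    return not offenders, offenders

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    ok, found = gate(SAMPLE_REPORT, fail_at="Medium")
    print("PASS" if ok else "FAIL", *found, sep="\n")
```

Point the script at a report exported from the Report menu (or from the daemon's API) to make the pipeline fail on findings at the chosen risk level instead of relying on someone reading the GUI.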
Hope this helps you quick-start with ZAP.