Zed Attack Proxy (ZAP) – The short guide

The Zed Attack Proxy (ZAP) is an easy-to-use, integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

  1. Download and install Zed Attack Proxy (ZAP).
  2. Run Zed Attack Proxy (ZAP).
  3. Go to Tools -> Options -> Connections, and set the proxy settings to match your browser's proxy settings (and proxy exclusions).
  4. Go to Tools -> Options -> Local proxy and enter localhost (port: 85).
  5. In your browser of choice, set the proxy in LAN settings to localhost (port: 85), and clear the proxy exclusions list.
  6. Access a test site URL to verify that all settings were applied correctly (the Zed Attack Proxy "Sites" window should populate with all URLs visited).
  7. If the site requires authentication, go to Tools -> Options -> Authentication, and add the details in the table.
  8. Run Active Scan on the root URL (click the Active Scan tab, and select the URL from the dropdown if not already selected).
  9. Click Report -> Generate HTML report to view the issues found.
  10. Run the Spider test, which will pick up 404 errors and missing URL references, and help you identify redundant file calls.
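The same three scan steps (spider, active scan, HTML report) can be scripted against ZAP's HTTP API instead of clicked in the GUI. This is an added example, not code from the original post or from the ZAP project; it assumes ZAP is listening on localhost:85 as configured in step 4, that the API key from Tools -> Options -> API is exported as `ZAP_API_KEY`, and that the target is your own test site.

```python
"""Automate steps 8-10 of the guide (spider, active scan, HTML report) through
ZAP's HTTP API.  Assumptions: ZAP listens on localhost:85 as in the guide, and
ZAP_API_KEY holds the key shown under Tools -> Options -> API."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:85"             # local proxy address from step 4
API_KEY = os.environ.get("ZAP_API_KEY", "")  # empty only if the API key check is disabled


def api_url(fmt, component, optype, name, **params):
    """ZAP API URLs have the shape <base>/<fmt>/<component>/<optype>/<name>/?query."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    return f"{ZAP_BASE}/{fmt}/{component}/{optype}/{name}/?{query}"


def call(fmt, component, optype, name, **params):
    """Issue one API request; JSON responses are decoded, others returned as bytes."""
    with urllib.request.urlopen(api_url(fmt, component, optype, name, **params), timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if fmt == "JSON" else body


def wait_for(component, scan_id, poll_seconds=2):
    """Both spider and ascan expose view/status as a 0-100 percentage string."""
    while int(call("JSON", component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def summarise_alerts(alerts):
    """Count alerts per risk level so the HTML report gets a one-line headline."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def main(target):
    spider_id = call("JSON", "spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)                       # step 10: spider the site
    ascan_id = call("JSON", "ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)                         # step 8: active scan
    alerts = call("JSON", "core", "view", "alerts", baseurl=target)["alerts"]
    print("alerts by risk:", summarise_alerts(alerts))
    with open("zap-report.html", "wb") as fh:           # step 9: HTML report
        fh.write(call("OTHER", "core", "other", "htmlreport"))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "http://localhost/")
```

Run it as `ZAP_API_KEY=... python zap_scan.py http://your-test-site/`; the target only appears in ZAP's "Sites" window, and so only gets scanned, if the browser-side proxy exclusions from step 5 are not bypassing it.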

Zap Website Security Testing

OWASP ZAP is a useful website security testing tool that any web-savvy tester could use effectively. Apart from the annoyingly vague setup (make sure your first task is to set up your browser to use the same proxy as defined in ZAP), there are useful tools that you can start with a click. I ran the "Active Scan" option, just to see what this could do out of the box. I would really recommend "Passive Scan", as this is far safer to use (remember to use this tool only on test sites, as it does have the potential to crash websites).

Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets.

Impressive – firstly, I was surprised by how much of a site's directory is viewable – when using CMSs like Drupal or WordPress, a lot of assumptions are made about security. The number of updates to these CMSs purely for security issues should highlight the need to keep a handle on your website security in general. Click more to view the reports I generated, as they illustrate what this tool is capable of.
