Sunday 23 November 2014

STARTING WITH ZAP (ZED ATTACK PROXY)

What is ZAP?

Zed Attack Proxy, also known as ZAP, is one of the most powerful open source penetration testing tools available for finding the security loopholes in a web application, and it is useful to pen testers, functional testers and security testing teams alike.

Download & Installation:

ZAP can be downloaded and installed on different platforms (Windows, Linux/cross-platform and Mac OS X); the setup file for each platform can be downloaded from https://code.google.com/p/zaproxy/wiki/Downloads?tm=2. Once the download is complete we can run the installer on our machine, and ZAP is then ready for use.

Getting Started With ZAP:

How to use it?

ZAP is mainly used to attack a web application: it scans the application completely and shows the user all the security loopholes or bugs it has. This attack can be done in two ways.

1. Using a URL to attack on the Quick Start tab
2. Setting ZAP as an intercepting proxy

Both ways give the same result, but the limitation is that we need to enter each URL and then attack it. Now let's see how we can attack a web application using these methods.

Using a URL to attack on the Quick Start tab:

Type or paste the URL into the box and click the Attack button below it. We can then see ZAP actively scanning the URL we provided, and by the end of the scan the results are displayed in the Alerts tab with the alert levels set to High, Medium and Low. The results even show whether there are any possible SQL injections, in which case ZAP provides users with predefined SQL injection queries, which can be found using the Fuzzer.


Setting ZAP as an intercepting proxy:

We need to configure a browser on our machine to connect through ZAP to the web application we wish to test. Once the proxy settings are established in the browser, ZAP lets us see all of the requests we make to the web app and all of the responses we receive from it. Now let's see how to configure proxies in different browsers.

Configuring Proxies On Different Browsers:

First we need to click on Settings in ZAP, which opens the ZAP settings pop-up.

In this settings pop-up we need to click on Local proxy; this gives us the option to enter the proxy address and port. By default these show as localhost and 8080. We can either change the values or leave them as they are, and then click the OK button below.

Chrome (on Windows)

1. Click the Settings button on Google Chrome (top right)
2. Click on 'Show advanced settings'
3. Scroll down to find 'Network'
4. Press the 'Change proxy settings' button
5. Press the 'LAN Settings' button
6. Check the 'Proxy Server' check box; this enables the proxy 'Address' & 'Port' fields
7. Enter in the 'HTTP Proxy:' & 'Port' fields the 'Address' & 'Port' values we configured in the Options > Local Proxy screen in ZAP
8. Click the 'OK' button

Firefox

1. Select the 'Tools' menu
2. Select the 'Options' menu item
3. Click the 'Advanced' button
4. Click on the 'Network' tab
5. Click the 'Settings...' button
6. Select the 'Manual proxy configuration' radio button
7. Enter in the 'HTTP Proxy:' & 'Port' fields the 'Address' & 'Port' values we configured in the Options > Local Proxy screen in ZAP
8. Click the Connection Settings 'OK' button
9. Click the 'OK' button

Internet Explorer

1. Click on 'Internet Options' at the top right of the browser
2. Click on the 'Connections' tab
3. Press the 'LAN Settings' button
4. Check the 'Proxy Server' check box; this enables the proxy 'Address' & 'Port' fields
5. Enter in the 'HTTP Proxy:' & 'Port' fields the 'Address' & 'Port' values we configured in the Options > Local Proxy screen in ZAP
6. Click the 'OK' button

Once the proxy settings are done, open any web application in the browser that is configured with the proxy. Going back to ZAP, on the left side under Sites we can find all the pages we have browsed, and in the Alerts tab we can see all the alerts on those pages, categorized into High, Medium and Low priorities. If there is any possible SQL injection it shows up in the Alerts tab, and ZAP provides users with predefined SQL injection queries, which can be found using the Fuzzer.
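To make concrete what "intercepting proxy" means in the setup above, here is an added Python example; it is not ZAP's code and not part of the original post. It runs a constructed stand-in web application and a minimal forwarding proxy, both on loopback, then sends exactly what a browser configured with ZAP's Local Proxy address and port sends: a connection to the proxy with the absolute URL on the request line. The proxy records every request it relays, which is the raw form of what ZAP shows under Sites and in its history. The ports are chosen by the OS for the example rather than ZAP's default 8080, and the page paths such as /login are made up.

```python
"""Added example: what a proxy-configured browser sends, and what the proxy sees.
Not ZAP's code. A stand-in web app and a minimal forwarding proxy run on loopback
on OS-chosen ports (constructed for the example, not ZAP's default 8080)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class TargetApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the web application under test."""

    def do_GET(self):
        body = f"hello from {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class InterceptingProxy(BaseHTTPRequestHandler):
    """Minimal forward proxy: relays each request upstream and records it,
    the raw form of what ZAP lists under Sites/History."""

    history = []  # (method, absolute URL, upstream status) per relayed request

    def do_GET(self):
        # A proxied request carries the absolute URL on the request line,
        # so self.path is e.g. "http://127.0.0.1:PORT/login".
        parts = urlsplit(self.path)
        host, _, port = parts.netloc.partition(":")
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        upstream = http.client.HTTPConnection(host, int(port or 80), timeout=5)
        upstream.request("GET", target, headers={"Host": parts.netloc})
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        InterceptingProxy.history.append((self.command, self.path, resp.status))
        # relay the upstream answer back to the browser
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a server for handler on a loopback port chosen by the OS."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def browse_through_proxy(proxy_port, target_url):
    """Do what a browser with Address 127.0.0.1 / Port proxy_port does: connect
    to the proxy and put the absolute URL on the request line. http.client
    derives the Host header from that absolute URL."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", target_url)
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body


def demo(path="/login"):
    """Run app and proxy, browse one page through the proxy, and return the
    browser's result together with the proxy's recorded history."""
    InterceptingProxy.history.clear()
    app, app_port = serve(TargetApp)
    proxy, proxy_port = serve(InterceptingProxy)
    try:
        status, body = browse_through_proxy(proxy_port, f"http://127.0.0.1:{app_port}{path}")
    finally:
        for srv in (app, proxy):
            srv.shutdown()
            srv.server_close()
    return {"status": status, "body": body, "seen": list(InterceptingProxy.history)}


if __name__ == "__main__":
    result = demo()
    print("browser got:", result["status"], result["body"])
    print("proxy recorded:", result["seen"])
```

Two things worth noticing when running it. First, the proxy sees the full URL, headers and body of every request before the application does, which is why leaving ZAP's Local Proxy on localhost matters: a proxy bound only to the loopback address is reachable from the browsers on that machine and not from the rest of the network. Second, this toy handles plain HTTP only; ZAP itself also intercepts HTTPS, which a browser sends through the proxy via CONNECT tunnels, so expect ZAP's certificate prompts in the browser for HTTPS sites once the proxy settings above are in place.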


REFERENCES:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

THANKS FOR RUNNING THROUGH MY BLOG

MORE WAYS OF EXPLORING ZAP TO COME ON ITS WAY!!
