LAST UPDATED: AUGUST 7, 2023

Web Application Security Testing with OWASP Zap [Tutorial]

    OWASP ZAP is a powerful alternative to Burp Suite that can help you find and exploit vulnerabilities in web applications. It is popular, open source and user-friendly.

    In this article, we will show how you can start using ZAP for bug hunting.

    What is ZAP?

    ZAP (also called ZAProxy) stands for Zed Attack Proxy. It is an open source project started under the OWASP Foundation in 2009 and is one of the most widely used tools in web application security testing.

    What is Zed Attack Proxy?

    It can perform various functions, such as:

    • Intercept and modify web requests and responses using a proxy
    • Passively and Actively scan web requests and responses
    • Spider web applications to discover hidden endpoints
    • Fuzz web parameters and payloads to test for injection flaws and other errors
    • Generate reports and alerts based on the findings
    • Automate security testing using scripts, APIs, and integrations

    ZAP is suitable for beginners as well as experts. It has a graphical user interface to easily configure and control the tool, and it can also be started from the command line in daemon (headless) mode and controlled over its REST API, which is how scripts and CI pipelines drive it.
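    The daemon mode and API mentioned above are what you use once the GUI workflow is familiar. The script below is an added example (not code from this page or from the ZAP project) that drives a headless ZAP through its JSON API: spider the target, run an active scan, then summarise the alerts by risk. The endpoints it calls are ZAP's own; the listener address, the API key, the target URL and the sample alert data are assumptions.

```python
"""Drive a headless ZAP daemon through its JSON API.

Added example, not code from the page or from the ZAP project. It assumes
ZAP was started in daemon mode with an API key you chose, e.g.:

    zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.key=changeme

The endpoints used (core/action/accessUrl, spider/action/scan,
spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts)
are ZAP's own; the address, key and target below are assumptions.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://127.0.0.1:8080"   # same address/port as the proxy listener
API_KEY = "changeme"                # assumption: must match -config api.key=...


def api_url(component, kind, name, **params):
    """Build /JSON/<component>/<view|action>/<name>/?... for the ZAP API."""
    query = urllib.parse.urlencode(params)
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"


def zap_call(component, kind, name, **params):
    """Call the API and return the decoded JSON body. The key is sent in a
    header so it does not land in proxy logs or shell history as a query
    parameter would."""
    req = urllib.request.Request(api_url(component, kind, name, **params),
                                 headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def wait_for(component, scan_id, poll_seconds=2):
    """Poll <component>/view/status until the scan reports 100 %."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts per risk level and list the distinct (risk, alert name) pairs."""
    by_risk = Counter(a["risk"] for a in alerts)
    names = sorted({(a["risk"], a["alert"]) for a in alerts})
    return dict(by_risk), names


def scan(target):
    """Spider, then actively scan, then collect the alerts raised for target."""
    zap_call("core", "action", "accessUrl", url=target)   # seed the site tree
    wait_for("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=target)["scan"])
    alerts = zap_call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize_alerts(alerts)


# Constructed sample in the shape core/view/alerts returns, for an offline dry run.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://localhost:3000/rest/products/search"},
    {"risk": "High", "alert": "SQL Injection", "url": "http://localhost:3000/rest/user/login"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "http://localhost:3000/"},
]

if __name__ == "__main__":
    print(summarize_alerts(SAMPLE_ALERTS))
    # Against a live daemon, and only a target you are authorised to test:
    # print(scan("http://localhost:3000"))
```

    Run it against a deliberately vulnerable application on a host you own; an active scan sends attack payloads and is not something to point at a production site without permission.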

    At the time of writing this article I came across great news for all ZAP enthusiasts: ZAP is now led by the Software Security Project (SSP), a new initiative by the Linux Foundation, which will work more actively to gather funds and empower the development of ZAP.

    ZAP is a community-driven project supported by a dedicated team of volunteers. It is compatible with many other security tools, add-ons and frameworks, such as Selenium, Jenkins, and more.

    How to install ZAP?

    ZAP is written in Java and is available on Windows, Linux, and macOS. You can download the latest version from the official website. It needs a Java runtime (Java 11 or later) to run; a JRE is sufficient, the full JDK is not required.

    ZAP installation

    Alternatively, you can also install ZAP using other methods, such as Docker, Apt, Flathub, Homebrew Cask, Snapcraft, or Chocolatey. You can find more information about these methods on the download page.

    How to use ZAP for bug hunting?

    Now that you have installed and set up ZAP, you are ready to use it for (security) bug hunting.

    There are many types of vulnerabilities that can affect web applications, such as:

    • Injection flaws
    • Broken authentication and session management
    • Cross-site scripting (XSS)
    • Cross-site request forgery (CSRF)
    • Insecure direct object references
    • Security misconfiguration
    • Sensitive data exposure
    • Missing function level access control
    • Using components with known vulnerabilities
    • Unvalidated redirects and forwards

    You can launch ZAP from the applications menu. It takes a moment to start the application and its database.

    ZAP dashboard

    You will see a splash screen followed by a welcome screen that asks whether you want to persist the session. A persisted session is written to disk and keeps every intercepted request and response, so choose depending on whether you will need the data later, and protect those files: they contain the cookies and credentials of everything you proxied.

    Step 1: Configure ZAP

    All settings can be accessed in Options. For example, to change the display theme of ZAP, go to Options > Display > Look and Feel.

    OWASP ZAP display dark mode

    • Go to the “Network > Local Servers/Proxies” tab in Options.
    • Note the proxy listener settings (by default address 127.0.0.1 or localhost, port 8080). Keep the listener on a loopback address unless you deliberately want other machines to proxy through ZAP.

    ZAP Proxy Listener Settings

    • Now go to the “Server Certificates” subtab in the Network tab.
    • Click the Save button (top right) to download the ZAP root CA certificate as a .cer file.

    ZAP CA cert download

    Step 2: Install Foxy Proxy in browser

    Configure Foxy Proxy settings.

    • Open the Foxy Proxy extension/add-on in your browser.
    • Click on the Foxy Proxy icon and select “Options” or “Manage Foxy Proxy” (exact option may vary).
    • Click on “Add New Proxy” or “New Proxy” to create a new proxy configuration.
    • Enter a name for the proxy (e.g., ZAP).
    • In the “Proxy Details” section, enter the following:
      • Proxy Type: HTTP
      • IP address: 127.0.0.1 (or the address specified in ZAP)
      • Port: 8080 (or the port specified in ZAP)
    • Save the proxy configuration.

    ZAP Proxy setup in Foxy Proxy

    Enable Foxy Proxy with ZAP Proxy

    • In the Foxy Proxy extension/add-on, select the proxy configuration you created (e.g., ZAP).
    • Activate the proxy configuration by clicking on the Foxy Proxy icon and selecting the proxy configuration you created.

    Enable ZAP Proxy in Foxy Proxy firefox

    Step 3: Intercept HTTPS traffic

    Most websites we use on the internet are served over HTTPS (HTTP Secure), where the server proves its identity with a TLS certificate issued by a certificate authority the browser trusts. When ZAP sits between the browser and the server it terminates the TLS connection itself and presents the browser with a certificate generated on the fly and signed by ZAP's own root CA. That CA is not in the browser's trust store, so the browser refuses to connect and shows a certificate warning.

    To solve this, we have to add ZAP's root CA certificate to the trusted authorities in the browser:

    1. Open your browser and go to Settings > Privacy & Security > Certificates.
    2. Click on the View Certificates button.

    Firefox / librewolf view security certificates

    3. Make sure you are on the Authorities tab in the Certificate Manager and click Import.

    ZAP HTTPS intercept - Import self signed CA certificate in firefox / librewolf browser

    4. Select the .cer file you downloaded in Step 1, tick “Trust this CA to identify websites” and confirm.

    Import self signed CA certificate in firefox / librewolf browser to ZAP

    5. Restart your browser.

    Once you have completed these steps, your browser will trust certificates issued by ZAP's root CA, and you will be able to use ZAP to intercept and modify traffic from HTTPS websites.

    Treat that trust decision with care: anyone who obtains the private key of that root CA (ZAP keeps it in its own configuration) can silently intercept every HTTPS connection of a browser that trusts it. Import it only into a dedicated testing browser or profile, not into the operating system trust store or the browser you use for everyday work, and remove it (or regenerate ZAP's CA under Network > Server Certificates) when the engagement is over.

    Step 4: Verify HTTPS Intercept in ZAP

    • Start browsing the web in your browser.
    • ZAP should now intercept the traffic between your browser and the websites you visit.

    ZAP dashboard guide intercepting HTTPS traffic
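    Watching requests appear in the History tab confirms that traffic flows through ZAP; the check below confirms what the browser is actually trusting. It is an added example (not code from this page or from the ZAP project) that tunnels an HTTPS request through the ZAP listener with CONNECT, reads the certificate the browser would see, and checks that it was issued by ZAP's root CA rather than a public one. With the CA file left out it fails with the same verification error the browser reported before the import in Step 3. The listener address, the saved CA file name, the CA common name and the sample certificate are assumptions.

```python
"""Check that an HTTPS request really passes through ZAP.

Added example, not code from the page or from the ZAP project. It tunnels a
request through the ZAP listener with CONNECT and inspects the certificate
the browser would see: when ZAP is in the middle, the leaf certificate is
issued by ZAP's own root CA, not by a public CA. Assumptions: the listener
address, the path of the saved CA file and the CA common name below.
"""
import http.client
import ssl

PROXY_HOST, PROXY_PORT = "127.0.0.1", 8080      # ZAP proxy listener (Network > Local Servers/Proxies)
ZAP_ROOT_CA = "owasp_zap_root_ca.cer"            # assumption: PEM file saved from Network > Server Certificates
ZAP_CA_CN = "OWASP Zed Attack Proxy Root CA"     # assumption: common name of ZAP's default root CA


def rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of the nested-tuple
    distinguished-name format that ssl.SSLSocket.getpeercert() returns."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def intercepted_by_zap(peercert):
    """True when the presented leaf certificate was issued by ZAP's root CA."""
    return rdn_value(peercert.get("issuer", ()), "commonName") == ZAP_CA_CN


def fetch_via_proxy(host, path="/", trust_zap_ca=True):
    """GET https://host/path through ZAP; return (status, peer certificate dict).

    With trust_zap_ca=False the TLS handshake raises ssl.SSLCertVerificationError,
    the programmatic equivalent of the browser warning before the CA import."""
    ctx = ssl.create_default_context()          # verifies chain and hostname, like a browser
    if trust_zap_ca:
        ctx.load_verify_locations(cafile=ZAP_ROOT_CA)
    conn = http.client.HTTPSConnection(PROXY_HOST, PROXY_PORT, context=ctx, timeout=30)
    conn.set_tunnel(host, 443)
    try:
        conn.connect()                          # CONNECT to ZAP, then TLS handshake against ZAP's leaf cert
        peercert = conn.sock.getpeercert()      # grab it before the response may close the socket
        conn.request("GET", path, headers={"Host": host, "User-Agent": "zap-check/1.0"})
        status = conn.getresponse().status
        return status, peercert
    finally:
        conn.close()


# Constructed sample in getpeercert() format: a leaf for example.com issued by ZAP.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "OWASP ZAP"),), (("commonName", ZAP_CA_CN),)),
    "subjectAltName": (("DNS", "example.com"),),
}

if __name__ == "__main__":
    print("sample cert issued by ZAP:", intercepted_by_zap(SAMPLE_PEERCERT))
    # Against a running ZAP with its CA saved next to this script:
    # status, cert = fetch_via_proxy("example.com")
    # print(status, "intercepted by ZAP:", intercepted_by_zap(cert))
    # fetch_via_proxy("example.com", trust_zap_ca=False)  # raises SSLCertVerificationError
```

    If `intercepted_by_zap` returns False for a live connection, the request reached the site directly (the proxy setting or FoxyProxy pattern did not match), so nothing you do in ZAP will affect that traffic.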

    Hope you found this article helpful for configuring your browser and ZAP to intercept and manipulate HTTP and HTTPS traffic for application security testing.

    Hack for good!!

    Pradeep has expertise in Linux, Go, Nginx, Apache, CyberSecurity, AppSec and various other technical areas. He has contributed to numerous publications and websites, providing his readers with insightful and informative content.