
INTRODUCTION

The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free
security tools and is actively maintained by hundreds of international
volunteers. It can help you automatically find security vulnerabilities in your
web applications while you are developing and testing them. It is also a great
tool for experienced penetration testers to use for manual security testing.

FEATURES

Active Scan
- Active scanning uses known attacks against the selected targets. It is useful
for finding certain types of vulnerabilities, but it should be combined with
manual penetration testing to find all types of vulnerabilities.
Demo :
o Precondition : ZAP has been successfully configured as the browser's proxy server.
o Follow these steps to perform the test :
o Enter the address of the application website (a dummy website) you want
to test in the browser. (I use testfire.net for this example.)
o After that the site will appear in your Sites tab; select the site.
o Choose the Active Scan tab.
o Click New Scan to start testing.

Break Point
- A Break Point allows you to intercept a request and change the values in
that request before it is submitted to the server (GET) or displayed to the
user (POST).
Demo :
o Assume that we have these requests in the Sites tree.
o Select the request you want (the POST request in this case) and click the
Break Point button on the toolbar.
o Assume that my username and password are "account" and "password".
o After clicking Login, you will be redirected to ZAP (Break Point tab), where
you can start changing the values in the body of the POST request.
o After you finish changing the values, click the Play button to submit your
new username and password.
o Done.
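What the Break Point edit above does to the request, worked through in code. This is an added example, not part of these notes and not ZAP's code: the intercepted POST, the host name example.test and the form field names username and password are constructed for illustration. The point it shows is that changing a body value also changes the body length, so Content-Length must be recomputed or the server will truncate or reject the request (ZAP does this for you; a hand-rolled proxy must do the same).

```python
"""Edit an intercepted form POST the way a ZAP break point lets you.

Added example, not from the notes or the ZAP code base. The request,
host name and field names are constructed sample data.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the login POST as it would sit in the Break Point tab.
INTERCEPTED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "username=account&password=password"
)


def split_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def edit_form_body(raw: str, changes: dict) -> str:
    """Return a copy of the request with the given form fields replaced.

    The body is re-encoded and Content-Length is set to the new byte length,
    which is the step that is easy to forget when editing by hand.
    """
    request_line, headers, body = split_request(raw)
    fields = dict(parse_qsl(body, keep_blank_values=True))
    fields.update(changes)
    new_body = urlencode(fields)
    headers["Content-Length"] = str(len(new_body.encode("utf-8")))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + new_body


def content_length_matches(raw: str) -> bool:
    """True when the Content-Length header equals the actual body length."""
    _, headers, body = split_request(raw)
    return int(headers.get("Content-Length", "-1")) == len(body.encode("utf-8"))


if __name__ == "__main__":
    edited = edit_form_body(INTERCEPTED_REQUEST, {"username": "newuser", "password": "newpass"})
    print(edited)
    print("Content-Length consistent:", content_length_matches(edited))
```

Run it and compare the printed request with the original: only the two values and the Content-Length header differ.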

Spider and AJAX Spider
- The Spider is a tool used to find all the sites/URLs linked from a particular
site. While processing a URL, the Spider makes a request to fetch the resource
and then parses the response, identifying hyperlinks. It currently has specific
behavior for the following types of responses: HTML, robots.txt, etc.

o Maximum depth to crawl
This parameter defines the maximum depth in the crawling process at which a
page must be found in order for it to be processed. Resources found deeper
than this level are not fetched and parsed by the Spider.
The depth is calculated starting from the seeds, so if a Spider scan starts
with only a single URL (e.g. Spider URL), the depth is calculated from this
one. However, if the scan starts with multiple seeds (e.g. Spider site), a
resource is processed if its depth relative to any of the seeds is less than
the defined one.
o Number of threads used
The Spider is multi-threaded, and this is the number that defines the maximum
number of worker threads used in the crawling process. Changing this parameter
does not have any effect on a crawl that is already in progress.
o Maximum duration
The maximum length of time that the Spider should run for, measured in
minutes. Zero (the default) means that the Spider will run until it has found
all of the links that it is able to.
o Domain Pattern
The normal behavior of the Spider is to only follow links to resources found
on the same domain as the page where the scan started. However, this option
allows you to define additional domains that are considered "in scope" during
the crawling process. Pages on these domains are processed during the scan.

The AJAX Spider is similar to the regular Spider, but it integrates a crawler
for AJAX-rich sites called Crawljax. It also comes with a different set of
options. The AJAX Spider actually opens a new window in a particular browser.
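The depth, seed and domain-scope rules above, modelled as a small breadth-first crawler. This is an added example, not the ZAP Spider's code: the site graph is constructed in memory so it runs offline, and fetch_links stands in for the fetch-and-parse step. It assumes that a page found at exactly the maximum depth is still processed while the links it contains are not, and that depth is the shortest distance from any seed; thread count and maximum duration are not modelled.

```python
"""Spider semantics: max depth from the nearest seed, plus domain scope.

Added example, not ZAP's spider. SITE is a constructed in-memory site graph
(URL -> hyperlinks found when that page is parsed); host names are made up.
"""
from collections import deque
from urllib.parse import urlparse

SITE = {
    "http://app.test/": ["http://app.test/about", "http://app.test/blog",
                         "http://cdn.test/lib.js", "http://other.test/"],
    "http://app.test/about": ["http://app.test/team"],
    "http://app.test/blog": ["http://app.test/blog/post1"],
    "http://app.test/blog/post1": ["http://app.test/blog/post1/comments"],
    "http://app.test/team": [],
    "http://cdn.test/lib.js": [],
    "http://other.test/": ["http://other.test/secret"],
}


def fetch_links(url):
    """Stand-in for fetching a resource and parsing its hyperlinks."""
    return SITE.get(url, [])


def in_scope(url, seeds, extra_domains):
    """Same host as any seed, or one of the extra 'domain pattern' hosts."""
    host = urlparse(url).hostname
    seed_hosts = {urlparse(s).hostname for s in seeds}
    return host in seed_hosts or host in extra_domains


def spider(seeds, max_depth, extra_domains=()):
    """Breadth-first crawl from one or more seeds.

    Returns (depth, out_of_scope, too_deep):
      depth        - {url: depth} for every processed (fetched and parsed) URL,
                     seeds at depth 0, depth = shortest distance from any seed
      out_of_scope - links to hosts outside the seeds and extra_domains
      too_deep     - links found at depth > max_depth, never fetched
    """
    depth = {s: 0 for s in seeds}
    queue = deque(seeds)
    out_of_scope, too_deep = set(), set()
    while queue:
        url = queue.popleft()
        for link in fetch_links(url):
            if link in depth:
                continue  # already reached at an equal or shallower depth
            if not in_scope(link, seeds, extra_domains):
                out_of_scope.add(link)
                continue
            if depth[url] + 1 > max_depth:
                too_deep.add(link)
                continue
            depth[link] = depth[url] + 1
            queue.append(link)
    return depth, out_of_scope, too_deep


if __name__ == "__main__":
    # Single seed ("Spider URL"): comments is 3 links away, so it is skipped.
    print(spider(["http://app.test/"], max_depth=2))
    # Two seeds ("Spider site"): post1 is now a seed, so comments is depth 1.
    print(spider(["http://app.test/", "http://app.test/blog/post1"], max_depth=1))
```

The second run shows why the notes stress that depth is relative to any seed: the same page is too deep from the site root but in reach from a second seed. Adding "cdn.test" to extra_domains moves lib.js from out_of_scope into the processed set.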

Demo :
o To configure both the Spider and the AJAX Spider, choose Tools -> Options.
o Select the site in the Sites tree.
o Click New Scan to start parsing and observe the results.

Passive Scanner
ZAP passively scans all of the responses from the web application being tested,
adding tags and raising alerts for potential issues. Passive scanning does not
change the responses in any way and is therefore safe to use. Scanning is
performed in a background thread to ensure that it does not slow down the
exploration of an application.

The scanner's threshold setting controls how likely ZAP is to report potential
vulnerabilities:

o If you select Off then the scanner won't run.

o If you select Low then more potential issues will be raised, which may
increase the number of false positives.

o If you select High then fewer potential issues will be raised, which may mean
that some real issues are missed (false negatives).
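How a passive check and the Off/Low/High threshold fit together, as an added example that is not ZAP's passive scanner. The two sample responses are constructed; the three checks are simplified versions of common passive-scan rules (missing X-Content-Type-Options, product version in the Server header, suspicious HTML comment), and the confidence assigned to each, plus the extra Medium level, are assumptions. Responses are only read, never modified, which is what makes the scan safe to run on every message.

```python
"""Passive checks filtered by a reporting threshold.

Added example, not ZAP code. Sample responses are constructed; the checks
and their confidence levels are simplified assumptions.
"""
import re

CONFIDENCE = {"Low": 1, "Medium": 2, "High": 3}


def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_content_type_options(status, headers, body):
    if "x-content-type-options" not in headers:
        yield ("X-Content-Type-Options header missing", "Medium")


def check_server_banner(status, headers, body):
    # A product/version pair such as "Apache/2.4.1" in the Server header.
    if re.search(r"/\d", headers.get("server", "")):
        yield ("Server header leaks product version", "High")


def check_suspicious_comment(status, headers, body):
    for m in re.finditer(r"<!--(.*?)-->", body, re.S):
        if re.search(r"\b(todo|fixme|password|debug)\b", m.group(1), re.I):
            yield ("Suspicious comment in HTML", "Low")


CHECKS = [check_content_type_options, check_server_banner, check_suspicious_comment]


def passive_scan(raw_response, threshold):
    """Run every check over one response and return [(alert, confidence)].

    "Off" disables scanning. Otherwise only alerts whose confidence is at
    least the threshold are raised: "Low" raises the most (more false
    positives), "High" the fewest (risk of false negatives).
    """
    if threshold == "Off":
        return []
    status, headers, body = parse_response(raw_response)
    alerts = []
    for check in CHECKS:
        for name, confidence in check(status, headers, body):
            if CONFIDENCE[confidence] >= CONFIDENCE[threshold]:
                alerts.append((name, confidence))
    return alerts


# Constructed responses: one weak, one with the same issues fixed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.1\r\nContent-Type: text/html\r\n\r\n"
    "<html><!-- TODO remove debug password --><body>hi</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html><body>hi</body></html>"
)

if __name__ == "__main__":
    for level in ("Off", "Low", "Medium", "High"):
        print(level, passive_scan(SAMPLE_RESPONSE, level))
    print("hardened", passive_scan(HARDENED_RESPONSE, "Low"))
```

Running it prints three alerts at Low, two at Medium, one at High and none at Off for the weak response, and none at any level for the hardened one.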

Forced Browse
Forced browsing is an attack where the aim is to enumerate and access resources
that are not referenced by the application, but are still accessible.
This attack is also known as Predictable Resource Location, File Enumeration,
Directory Enumeration, and Resource Enumeration.

Demo :
o ZAP allows you to try to discover directories and files using forced browsing.
o Create a new Forced Browse tab.
o Choose the site and then press the Start Forced Browse button to begin the test.
o As you can see, there are a lot of hidden directories, but we are able to
access them.
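Seen from the server side, a forced-browse run is a burst of requests for many distinct paths that mostly fail. The added example below (not part of the notes, not ZAP code) flags that pattern in constructed Apache combined-format access log lines and lists the successful hits inside the burst, which are exactly the unreferenced-but-reachable resources worth reviewing. The window and threshold are assumptions to tune per site.

```python
"""Detect a forced-browse burst in web server access logs.

Added example from the defender's side. SAMPLE_LOG is constructed
(Apache combined format); window and min_misses are tuning assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "scanner"
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 200 812 "-" "scanner"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "scanner"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "scanner"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /tmp/ HTTP/1.1" 404 196 "-" "scanner"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /logs/ HTTP/1.1" 403 199 "-" "scanner"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:59:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "scanner"
"""


def parse_log(text):
    """Return [(ip, timestamp, path, status)] for every line that parses."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"])))
    return events


def detect_forced_browse(text, window=timedelta(seconds=60), min_misses=5):
    """Flag clients with >= min_misses distinct 403/404 paths inside `window`.

    For each flagged client the 200 responses inside the burst are listed:
    those are the unreferenced resources the run managed to reach.
    """
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse_log(text):
        by_ip[ip].append((ts, path, status))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        misses = [(ts, path) for ts, path, st in evs if st in (403, 404)]
        best, burst, start = 0, None, 0
        for end in range(len(misses)):  # sliding window over the misses
            while misses[end][0] - misses[start][0] > window:
                start += 1
            distinct = {p for _, p in misses[start:end + 1]}
            if len(distinct) > best:
                best, burst = len(distinct), (misses[start][0], misses[end][0])
        if burst and best >= min_misses:
            lo, hi = burst
            hits = sorted(p for ts, p, st in evs if st == 200 and lo <= ts <= hi)
            findings[ip] = {"misses_in_window": best, "window": burst, "reachable_hits": hits}
    return findings


if __name__ == "__main__":
    for ip, info in detect_forced_browse(SAMPLE_LOG).items():
        print(ip, info)
```

Only 10.0.0.5 is reported: five distinct misses within four seconds, with /backup/ answered 200 in the middle of them. The normal visitor's single favicon 404 stays below the threshold.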

Fuzzing
Fuzzing is a technique of submitting lots of invalid or unexpected data to a
target. It is a black-box software testing technique.
The fuzzer does not detect vulnerabilities; it is there to help you find
vulnerabilities manually.
Demo :
o Create a new Fuzzer tab.
o Highlight one of the strings you wish to fuzz in the Request tab.
o Right-click and select 'Fuzz...'.

Payload Generators
Payload Generators generate the raw attacks that the fuzzer submits to the
target application. They are managed via the Payloads dialog.

Payload Processors
Payload Processors can be used to change specific payloads before they are
submitted. They are managed via the Payload Processors dialog.

Fuzz Location Processors
Fuzz Location Processors can be used to change all of the payloads before they
are submitted. They are managed via the Location Processors dialog.

Demo :
o Web scanner test site?
o Create a txt file containing passwords.
o Or perform a SQL injection test.
o Reference: http://kcntt.duytan.edu.vn/Home/ArticleDetail/vn/128/2461/bai-01-so-luoc-ve-fuzzing-testing
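The three stages just described (generators produce raw payloads, payload processors change the payloads of one generator, location processors change everything that reaches the highlighted location), assembled into one pipeline. This is an added example and not the ZAP fuzzer's code: the request template, host name and word list are constructed, and the {{FUZZ}} marker is an assumed stand-in for the string you highlighted in the Request tab. It shows the order in which the stages apply and that each request the fuzzer submits is the template with the marker replaced by one fully processed payload.

```python
"""Fuzzer pipeline: generators -> payload processors -> location processors.

Added example, not ZAP code. TEMPLATE, WORDLIST and the {{FUZZ}} marker
are constructed; MARKER stands for the highlighted fuzz location.
"""
from urllib.parse import quote

MARKER = "{{FUZZ}}"
TEMPLATE = "GET /search?q={{FUZZ}} HTTP/1.1\r\nHost: example.test\r\n\r\n"
WORDLIST = "a b\nhello world\n\n"  # stands in for the contents of a txt file


# Payload generators: produce the raw payloads.
def file_payloads(text):
    """One payload per non-blank line of a word list file's contents."""
    return [line for line in text.splitlines() if line.strip()]


def numeric_payloads(start, stop, step=1):
    return [str(n) for n in range(start, stop + 1, step)]


# Payload processors: attached to one generator, change its payloads only.
def url_encode(payload):
    return quote(payload, safe="")


def add_prefix(prefix):
    return lambda payload: prefix + payload


# Fuzz location processors: applied to every payload reaching the location.
def truncate(max_len):
    return lambda payload: payload[:max_len]


def build_requests(template, generators, location_processors=()):
    """generators: list of (payload_list, [payload_processors]).

    Each payload passes through its own generator's processors, then through
    every location processor, then replaces MARKER in the template.
    Returns [(payload_as_sent, request_text)] in submission order.
    """
    requests = []
    for payloads, processors in generators:
        for raw in payloads:
            p = raw
            for proc in processors:
                p = proc(p)
            for proc in location_processors:
                p = proc(p)
            requests.append((p, template.replace(MARKER, p)))
    return requests


if __name__ == "__main__":
    plan = [
        (file_payloads(WORDLIST), [url_encode]),
        (numeric_payloads(1, 3), [add_prefix("id")]),
    ]
    for sent, req in build_requests(TEMPLATE, plan, location_processors=[truncate(6)]):
        print(repr(sent), "->", req.split("\r\n")[0])
```

Note how the location processor runs last: "hello world" is URL-encoded by its generator's processor and only then cut to six characters, which is why such a processor belongs at the location rather than on one generator when it must apply to every payload.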

Option: Dynamic SSL Certificates

OWASP ZAP allows you to transparently decrypt SSL connections. To do so, ZAP
has to encrypt each request before sending it to the server and decrypt each
response that comes back. But this is already done by the browser. That is why
the only way to decrypt or intercept the transmission is to use a 'man in the
middle' approach.

In other words, once you have added the ZAP Root CA certificate to your list of
trusted Root CAs, your browser does not recognize the man in the middle.

To check that the certificate has been installed:
1. Go to Internet Options
2. Select the Content tab
3. Click Certificates
4. Click the Trusted Root Certificates tab
5. The OWASP ZAP Root CA should be there

WebSockets
ZAP is able to:
- intercept and show WebSocket messages
- set breakpoints on specific types of WebSocket messages
- fuzz WebSocket messages (send lots of invalid or unexpected data to a browser
or server)

Demo :
Use the echo test page at websocket.org/echo.html:
1. Press the Connect button.
2. Once connected, enter a message and press the Send button. The output will
appear in the Log section. You can change the message and send it again
multiple times.
3. Press the Disconnect button.

Note: In some environments the WebSocket connection may fail due to
intermediary firewalls, proxies, routers, etc. In that case take advantage of
WebSocket's secure capability and check "Use secure WebSocket (TLS)". Even if
you have no issues, you can still feel free to test using a secure connection.

Wait a little bit. It may take a while.
