Authenticated Scan using OWASP-ZAP

Cyber Army
Nov 29, 2019 · 5 min read

In this blog, we will discuss about some of the important terms of OWASP- ZAP. Also, how Authenticated Scan can be done using it.

What is OWASP ZAP?

Most commonly used tool by developers, security professionals and quality assurance team to test for vulnerabilities of application under development.

Setting Up ZAP Environment

Setting up ZAP Environment in your machine is super easy. Now, let’s see how is it done and what do we need.

  1. Java 8+: Before installing ZAP, you need to install Java 8+ on your Linux or Windows Machine. If you are using Mac, you don’t need to install it as it’s already installed. If you are windows or Linux user click here to download Java.
  2. ZAP Installer: Now you need to download ZAP Installer as per your OS. You can click here to get ZAP installer as per your OS.

Start OWASP ZAP

Once, you are done with the Installation Process, you can click on the OWASP ZAP icon. It will be installed in your default directory, you can find the exe file there as well.

C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe
Startup Dailogue of OWASP ZAP
Startup Dailogue of OWASP ZAP

Different Modes of Attack

There are four types of modes you can see in the drop down menu, at the top left side of the tool.

Different Modes of Attack in OWASP ZAP
  1. Standard Mode: This allows you to do anything to your site.
  2. Safe Mode: This mode turns off all the dangerous features while scanning. This mode avoids user to do anything that is possible.
  3. Protected Mode: Allows user to scan the site in particular scope. Harmful actions can only be performed in the sites mentioned in the scope.
  4. ATTACK Mode: New nodes are Actively Scanned when founded.

Authenticated Scan Using ZAP

Most of the applications today uses password authentication in order to secure their application. In this blog we will be learning to perform Authentication Scan using OWASP ZAP, which will help you scan such password secured sites.

What is Authenticated Scan?

An authenticated security scan is vulnerability testing performed as an logged- in user (Authenticated User) to determine the security of network from an inside vantage point.

1. Crawl the Browser

In order to crawl your site, you can either use default browsers provided by ZAP by clicking on the options at the top tool box.

Default Browsers of OWASP ZAP

Or, you can also use any other browser for that please follow the following steps.

 Browser -> Options -> Advanced tab -> Network -> Settings -> Select Manual Proxy configuration — HTTP Proxy = 127.0.0.1 Port = 8080.

Then, open the browser and hit the URL of the site you are about to attack or scan. The more you crawl through your site, the more ZAP will be able to collect URLs. In this blog, we will be using DVWA as our site to perform authorization scan.

Crawl your site and login to DVWA. Then, in the left side of the ZAP tool, you can see POST URL which is a link for login authentication.

2. Create Context:

Context: It is a method of relating a set of URL’s together.

In order to create New context, right click on the Login Authentication URL and click on Include In Context -> New Context.

As you create New Context, you will see another screen pop up from where you can also change the Context Name. In my case, i will change the name as DVWA Login. You can change the name according to your choice.

Now, click on Authentication sub menu and from the Authentication drop down select Form- Based Authentication .

Then, select Login Form Target URL by clicking On “Select” Button.

This will automatically discover the parameters we need. Now, from the username parameter drop down, select Username.

Once you are done you need to define the username and password parameter somewhere. For that, click on Users Sub Menu. Then, Click on “Add” Button, to add new User. In our case, I will enter Username as “User”.

Our Username is “User” and Password is “password”, which we use in DVWA Login

Before we start the scan, we need to set logged out response in order to let ZAP know when the application is Logged in and when it is Logged out. For that, right click on DVWA site login page, then click on View Page Source. Now, copy the title and paste it in Authentication -> Logged Out Response Message text box.

Click on “OK” button.

The next step is to FLAG the particular context we just created on the POST URL. For that, follow the steps shown in the following screen shot.

Then, Click on “OK” button

Finally! We are almost ready for Authentication Scan using ZAP. But, before that we need to make sure Forced User Mode is enabled. For that, click on the icon shown in the figure below.

3. Start the Attack:

Once you are done, you can now start performing the attacks by clicking on Attack -> Active Scan

This will now start performing Authenticated Scans against the application. It will try to login the application if it is not logged in and then discovers the URLs and initiate the attacks.


Conclusion: Once, the attacks are initiated, it will be alerted in the Alert Section. We will be exploring more about the alerts in our next blog.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade