ZAP, A WEB APPLICATION VULNERABILITY SCANNING TOOL

Francisco Gutierrez
Published in GlobalLogic LatAm
May 3, 2024

What is ZAP?

Zed Attack Proxy (ZAP) is a free, open source web application security scanner and penetration testing tool. It was created and for many years maintained under the umbrella of the Open Web Application Security Project (OWASP); since 2023 it has been developed under the Linux Foundation’s Software Security Project, although the “OWASP ZAP” name is still widely used. ZAP is designed specifically for testing web applications.

At its core, ZAP is what is known as a “man-in-the-middle proxy.” It sits between the pentester’s browser and the web application, so it can intercept and inspect every request and response that passes between them, modify the content if necessary, and then forward the (possibly altered) message to its destination. Everything that passes through the proxy is recorded in ZAP, and its passive scanner examines that traffic for issues as it flows.
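As an added illustration (this is not code from the original article, nor ZAP’s own implementation), the following Python script is a stripped-down intercepting proxy of the kind described above: it receives the browser’s request, passes it through a hook that can inspect or modify it, relays it to the origin server, and hands the response back. It handles plain HTTP only (HTTPS interception additionally requires the proxy to present a certificate signed by a generated CA, which ZAP does for you). The `tamper` hook and the `EchoTarget` server are hypothetical stand-ins for the tester’s manual modification and for the target application; everything runs on localhost.

```python
import http.client
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hop-by-hop headers belong to a single connection and must not be relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"}


def make_proxy_handler(hook, seen):
    """Build a proxy handler; every request passes through hook(method, url, headers, body),
    which returns a possibly modified (url, headers, body). `seen` logs (method, url) pairs."""

    class InterceptingProxy(BaseHTTPRequestHandler):
        def _relay(self):
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length) if length else b""
            headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
            # Because the browser talks to a proxy, self.path is the absolute target URL.
            url, headers, body = hook(self.command, self.path, headers, body)
            seen.append((self.command, url))

            target = urlsplit(url)
            path = (target.path or "/") + (f"?{target.query}" if target.query else "")
            conn = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
            conn.request(self.command, path, body=body or None, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            conn.close()

            # Relay the origin's response back to the browser, re-framing the body length.
            self.send_response(resp.status, resp.reason)
            for name, value in resp.getheaders():
                if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        do_GET = do_POST = do_PUT = do_DELETE = _relay

        def log_message(self, *args):  # keep the demo quiet
            pass

    return InterceptingProxy


class EchoTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the web application: echoes the path and headers it received."""

    def do_GET(self):
        payload = json.dumps({"path": self.path, "headers": dict(self.headers.items())}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start `handler` on an ephemeral 127.0.0.1 port in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def tamper(method, url, headers, body):
    """Hypothetical hook: tag the request and swap the `user` parameter, the kind of
    change a tester makes by hand in ZAP's request editor before forwarding."""
    headers["X-Intercepted"] = "1"
    return url.replace("user=alice", "user=bob"), headers, body


def run_demo():
    """Send one browser-style request through the proxy; return what the target saw and the log."""
    seen = []
    target = serve(EchoTarget)
    proxy = serve(make_proxy_handler(tamper, seen))
    proxy_url = f"http://127.0.0.1:{proxy.server_address[1]}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy_url}))
    with opener.open(f"http://127.0.0.1:{target.server_address[1]}/profile?user=alice",
                     timeout=5) as resp:
        echoed = json.loads(resp.read())
    proxy.shutdown()
    target.shutdown()
    return echoed, seen


if __name__ == "__main__":
    echoed, seen = run_demo()
    print("target received:", echoed["path"], "X-Intercepted =", echoed["headers"].get("X-Intercepted"))
    print("proxy log:", seen)
```

To try it against a real browser, point the browser’s HTTP proxy setting at the address in `proxy.server_address` (ZAP itself listens on 127.0.0.1:8080 by default) and replace `tamper` with whatever inspection or rewriting you need; the `seen` list plays the role of ZAP’s History tab.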

What is OWASP?

OWASP (Open Web Application Security Project) is an open community project born in 2001 that became a non-profit foundation in 2004. Its guides, testing methodologies and well-known Top 10 lists have become a de facto standard for classifying and analysing vulnerabilities in software, and it is an unavoidable reference within the world of cybersecurity.

Best practices, and why they matter for writing secure code

Security incidents can have serious consequences for businesses and people. Code written without following good security practices can cause damage that triggers economic and legal consequences, among others. In specific sectors, such as finance, healthcare, energy and transportation, the negative effects can be even greater, up to devastating.

One of the most popular guides is the OWASP Secure Coding Practices Quick Reference Guide. It presents its good practices as a checklist covering a total of 14 areas, each with a direct impact on the development life cycle.

The 14 security topics covered by the OWASP checklist are:

  • Input validation
  • Output encoding
  • Authentication and password management
  • Session management
  • Access control
  • Cryptographic practices
  • Error handling and logging
  • Data protection
  • Communication security
  • System configuration
  • Database security
  • File management
  • Memory management
  • General coding practices

Tools used for security testing

There are many security testing tools available. Since this article focuses on web vulnerabilities, the best-known options include:

  • Legion (a fork of SPARTA)
  • Vega
  • Nikto
  • Burp Suite
  • OpenVAS
  • Nessus
  • Nexpose
  • Nmap
  • ZAP (Zed Attack Proxy)

For the purposes of this article, we are going to focus on ZAP.

Building a test environment

There are operating systems prepared for pentesting; in this case we use Kali Linux and Parrot OS, both running as VirtualBox virtual machines.


The tools used here come pre-installed on both distributions, but ZAP’s official installation guide can be consulted at any time to install a different version or to set it up on another system.

Using OWASP ZAP for the first time

Before you start working with ZAP, you need to understand some terms:

Session: a ZAP session is everything ZAP has recorded while you explore a target: the requests and responses seen by the proxy, the Sites tree built from them, and the alerts raised. The simplest way to populate it is to browse the website through ZAP to map the attack surface, for example by pointing Firefox’s proxy settings at ZAP (127.0.0.1:8080 by default). A session can be persisted as a .session file and reopened later.

Context: a named set of URLs (usually defined with regular expressions) that ZAP treats as one web application. Scope, authentication and user definitions are attached to a context.

Types of ZAP attacks: ZAP can discover content with the spider (a traditional crawler) or the AJAX spider (which drives a real browser), passively scan everything that passes through the proxy, and actively scan by sending attack payloads to the identified URLs. The Quick Start “Attack” button chains a spider run and an active scan against the URL you enter, and the resulting alerts are the basis of the vulnerability report.

Running OWASP ZAP

When you start ZAP for the first time, it asks whether you want to persist the ZAP session. If the answer is “yes”, the session is written to disk in an HSQLDB database (with a timestamp-based name, or a name and location you choose); if the answer is “no”, those files are deleted when ZAP is closed.

For now, select “No, I do not want to persist this session at this moment in time” and click Start.

The ZAP Desktop user interface is made up of the following elements:

  1. Menu Bar: provides access to many of the automated and manual tools.
  2. Toolbar: includes buttons that give quick access to the most used functions.
  3. Tree window: shows the Sites tree and the Scripts tree.
  4. Workspace window: shows requests, responses and scripts, and allows you to edit them.
  5. Information window: shows details of the automated and manual tools.
  6. Footer: shows a summary of the alerts found and the status of the main automated tools.

Practice

The easiest way to get started with ZAP is the “Quick Start” tab; for practical purposes, this example uses its “Automated Scan” option.

To run an automated “Quick start” scan:

  • Start ZAP and click “Quick Start” tab.
  • Type the target in the “URL to attack” field (item 1 in the screenshot).
  • Click the “Attack” button.

In item 2, the Sites tree shows every part of the target that was identified (directories, scripts, parameters, etc.). Each node is marked with a flag whose colour reflects the highest risk level of the alerts found on it: red for High, orange for Medium, yellow for Low and blue for Informational.

Item 3 shows the progress of the spider and the active scan.

Building Reports

Once the scan is complete, reports can be generated from the “Report” menu in the menu bar (Report > Generate Report…):

  1. Choose an HTML report template.
  2. Type the path where the report will be saved.
  3. Click “Generate Report”.
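The HTML report is meant for people. If the same dialog is used with the “Traditional JSON Report” template instead, the result can be processed automatically, for example to produce the per-risk and per-site summaries shown later in this article or to fail a CI pipeline when high-risk alerts remain. The script below is an added example, not part of the original article or of ZAP; the field names (`site`, `alerts`, `riskcode`, `confidence`, `instances`) follow ZAP’s traditional JSON report, while `SAMPLE_REPORT` is a constructed report rather than output from a real scan.

```python
import json
from collections import Counter

# Risk and confidence codes as ZAP writes them into its reports.
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in the shape of a ZAP traditional JSON report (no real scan data).
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"pluginid": "10020", "name": "Missing Anti-clickjacking Header",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/", "method": "GET"},
                           {"uri": "http://app.example.test/login", "method": "GET"}]},
            {"pluginid": "40018", "name": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/search?q=a", "method": "GET",
                            "param": "q"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
            {"pluginid": "10096", "name": "Timestamp Disclosure",
             "riskcode": "0", "confidence": "0",
             "instances": [{"uri": "http://app.example.test/js/app.js", "method": "GET"}]},
        ]}]
})


def load_alerts(report_json):
    """Flatten a report into (site, alert) pairs, dropping alerts marked False Positive in ZAP."""
    report = json.loads(report_json)
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if alert.get("confidence") == "0":
                continue
            yield site["@name"], alert


def summarize(report_json):
    """Count alerts per risk level and per site, like the report's summary tables."""
    by_risk, by_site = Counter(), Counter()
    for site, alert in load_alerts(report_json):
        by_risk[RISK[alert["riskcode"]]] += 1
        by_site[site] += 1
    return by_risk, by_site


def failing_alerts(report_json, fail_on="High", min_confidence="Medium"):
    """Alerts at or above `fail_on` risk whose confidence is at least `min_confidence`."""
    risk_floor = {label: int(code) for code, label in RISK.items()}[fail_on]
    conf_floor = {label: int(code) for code, label in CONFIDENCE.items()}[min_confidence]
    hits = []
    for site, alert in load_alerts(report_json):
        if int(alert["riskcode"]) >= risk_floor and int(alert["confidence"]) >= conf_floor:
            hits.append({"site": site, "name": alert["name"], "risk": RISK[alert["riskcode"]],
                         "instances": [inst["uri"] for inst in alert.get("instances", [])]})
    return hits


def gate(report_json, fail_on="High"):
    """Exit status for a pipeline step: 1 if any failing alert remains, otherwise 0."""
    return 1 if failing_alerts(report_json, fail_on) else 0


if __name__ == "__main__":
    by_risk, by_site = summarize(SAMPLE_REPORT)
    for level in ("High", "Medium", "Low", "Informational"):
        print(f"{level:14} {by_risk.get(level, 0)}")
    for hit in failing_alerts(SAMPLE_REPORT):
        print("FAIL:", hit["risk"], hit["name"], "at", ", ".join(hit["instances"]))
    raise SystemExit(gate(SAMPLE_REPORT))
```

Replace `SAMPLE_REPORT` with the contents of the generated file to use it on a real scan. Filtering on confidence matters: an active scan rule often reports at Low confidence, and gating on those alone produces noisy pipeline failures, so triage them by hand instead.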

Running a security scan over a web application

In this case, we tested an application of Hexacta (Hx), which requested this activity.

App Name: Hexacta Rewards Dev

Analysis and pentesting execution date: July 6, 2023

Used tools:

  • ZAP
  • Nikto
  • Nmap

Evidence and findings:

This alert is classified with a high risk flag; however, it does not originate in the application itself.

This “red flag” refers to a configuration parameter that must be added to the web server where the application is hosted.

Results

Identified sub-sites where the application sends or collects information

Alerts classified by risk level

Alerts classified by sites found in the application and their risk level

Alerts classified by type

The vulnerabilities identified below were rated medium and low severity, but they are no less important: they refer to measures that must be applied in the application to prevent clickjacking, SQL injection and “domain flooding” attacks.

Although one of the vulnerabilities is unrelated to the development of the application, it is worth highlighting because it can still compromise the application’s security. As mentioned above (see the previous image), it refers to the security configuration of the web server where the application is hosted; more details are in the following image.
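The clickjacking finding above is a typical example of an alert that is fixed in the web server rather than in application code: the server has to send either an `X-Frame-Options` header or a `Content-Security-Policy` with a `frame-ancestors` directive. The following Python script is an added example (not ZAP’s implementation and not from the original article) that evaluates a response’s framing protection the way a passive scanner does, including the two ways a header can be present yet ineffective: duplicated `X-Frame-Options` entries, and a permissive `frame-ancestors` that overrides a strict `X-Frame-Options` in modern browsers. The `SAMPLES` responses are constructed for the demonstration, not captured from any real site.

```python
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}
OPEN_SOURCES = {"*", "http:", "https:"}  # frame-ancestors values that admit any site


def header_values(headers, name):
    """All values of header `name` (case-insensitive), splitting comma-joined repeats."""
    values = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(part.strip() for part in value.split(",") if part.strip())
    return values


def frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive found, or None if there is none."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [token.strip("'").lower() for token in tokens[1:]]
    return None


def clickjacking_check(headers):
    """Classify a response's framing protection from its (name, value) header pairs.

    Returns (protected, finding); the finding texts mirror the wording of the alerts
    a passive scanner raises for these conditions.
    """
    ancestors = frame_ancestors(header_values(headers, "Content-Security-Policy"))
    if ancestors is not None:
        # Browsers that understand frame-ancestors ignore X-Frame-Options when it is present,
        # so a permissive CSP undoes a strict X-Frame-Options header.
        if any(source in OPEN_SOURCES for source in ancestors):
            return False, "CSP frame-ancestors permits framing from any origin"
        return True, "protected by Content-Security-Policy frame-ancestors"

    xfo = header_values(headers, "X-Frame-Options")
    if not xfo:
        return False, "Missing Anti-clickjacking Header"
    if len(xfo) > 1:
        return False, "Multiple X-Frame-Options Header Entries"
    value = xfo[0].upper()
    if value in VALID_XFO:
        return True, f"protected by X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, f"X-Frame-Options has an unrecognised value: {xfo[0]}"


def check_url(url, timeout=10):
    """Fetch `url` and evaluate its live response headers (not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return clickjacking_check(resp.getheaders())


# Constructed responses, one header set per scenario; not captured from any real site.
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "sameorigin": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "lowercase deny": [("x-frame-options", "deny")],
    "duplicated": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp overrides xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors *")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        protected, finding = clickjacking_check(headers)
        print(f"{'OK  ' if protected else 'FAIL'} {label:18} {finding}")
```

On the server side the fix is one configuration line, for example `add_header X-Frame-Options "SAMEORIGIN" always;` in an nginx `server` block or `Header always set X-Frame-Options "SAMEORIGIN"` in Apache; after deploying it, `check_url("https://your.app.example/")` confirms the header is actually reaching the client through any proxies or load balancers in front of the application.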
