Zed Attack Proxy (ZAP) is one of many Open Web Application Security Program (OWASP) products pertaining to software security. OWASP is a non-profit organization that is focused on spreading information and awareness about enterprise application security problems and on creating guidelines and tools for enterprise application security assessment.
ZAP is a penetration testing and vulnerability assessment tool written in Java that is able to scan and analyze web applications. ZAP works as a proxy: it can both intercept the HTTP request/response traffic exchanged between the browser and the server, and make direct attacks against target applications.
ZAP has achieved great success and has received various awards from users in the last few years. The main advantages are:
- Open-source with active community support
- Easy to use, with a user-friendly interface and multilingual support. Suitable for beginners, while also providing advanced features for experts.
- Cross-platform
- Provides various software extensions (such as those on this page) and templates to help users develop add-ons.
- Other tools can reuse ZAP's features and source code in order to improve their own security and the overall security of web applications
- Fully documented
ZAP can be downloaded from the OWASP site.
After the installation process, an SSL certificate must be generated for ZAP and trusted by the browser, so that ZAP can decrypt and re-encrypt the HTTPS traffic it proxies between the browser and the server. Then, on the web browser (Firefox in this case):
- Import the certificate generated: Options -> Advanced -> Certificates -> View Certificates -> Your Certificates -> Import
- Configure the browser to use ZAP as a proxy: Options -> Advanced -> Network -> Settings, specifying the address and port number where ZAP is listening, for example: http://localhost:8080/proxy.pac
ZAP offers different functionalities to analyze application vulnerabilities with spider, passive and active approaches, fuzzer, brute force, and many others.
Passive scan can be used to analyze web applications: acting as a proxy between the browser and the server, it assesses vulnerabilities by inspecting the normal traffic as it passes through. Passive scan does not attack or interfere with client or server; it only analyzes the requests and responses to and from the server in order to identify vulnerabilities.
Fig. 1. List of vulnerabilities found by a passive analysis
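A minimal illustration of the passive approach, added here as an example and not ZAP's own code: it inspects one captured response for a few common weaknesses (missing anti-clickjacking and nosniff headers, cookies without HttpOnly/Secure, a version-revealing Server header) without ever sending a request. The sample response and the alert names are constructed for this example.

```python
import re

# Constructed sample response, as a proxy would capture it (not real traffic).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    b"Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body);
    headers are (lower-cased name, value) pairs so repeats such as
    Set-Cookie are all kept."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body


def passive_scan(raw: bytes, https: bool = True):
    """Return alert names for one captured response. Only the captured bytes
    are inspected and no request is sent, which is what makes it passive."""
    _status, headers, _body = parse_response(raw)
    get = lambda name: [v for n, v in headers if n == name]
    alerts = []
    is_html = any(v.lower().startswith("text/html") for v in get("content-type"))
    if is_html and not get("x-frame-options") and not any(
            "frame-ancestors" in v for v in get("content-security-policy")):
        alerts.append("Missing Anti-clickjacking Header")
    if not any(v.lower() == "nosniff" for v in get("x-content-type-options")):
        alerts.append("X-Content-Type-Options Header Missing")
    for cookie in get("set-cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            alerts.append(f"Cookie Without HttpOnly Flag: {cookie_name}")
        if https and "secure" not in attrs:
            alerts.append(f"Cookie Without Secure Flag: {cookie_name}")
    if any(re.search(r"\d", v) for v in get("server")):
        alerts.append("Server Leaks Version Information")
    return alerts
```

Running `passive_scan(SAMPLE_RESPONSE)` reports five alerts for the sample, all derived from the response headers alone; a response that sets the headers and cookie flags correctly yields an empty list.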
Spider automatically explores and builds the structure of a web application, producing the list of all URL resources found. For each URL, ZAP creates a request to get the resource and then parses the response, discovering further hyperlinks. To use the Spider it is necessary to specify an initial URL or a set of URLs.
Fig. 2. Spider analysis
Active scanning attempts to find security holes by simulating real known attacks against target web applications. Active scan should be used only with your own applications.
With ZAP it is possible to select a list of previously visited resources and run active attacks against them in order to find known vulnerabilities. Active scanning reports a wider range of vulnerabilities and, combined with the Spider and the passive scan, can show all the vulnerabilities ZAP is able to recognize, including high-risk ones:
Fig. 3. List of some vulnerabilities found by passive and active analysis
Fuzzer is a feature that allows you to send a range of invalid, unexpected and random strings in order to discover security holes in the target application. ZAP allows fuzzing any request using strings taken from text files that contain lists of inputs. Users can add files manually or through the application to extend the range of strings available.
Fig. 4. Fuzz testing
The Brute Force feature is not used for brute force attacks on authentication fields, but aids in finding files or directories of the target application. ZAP ships with large word lists of file and directory names and uses these names to try to access resources directly, rather than relying on finding links to them. A brute force run only requires knowledge of the target web application and the associated word list.
Other functionalities, not explored in this brief introduction, are HttpSession, Param, WebSockets, and many others.