Web Security - Installation and Use of Web Scanning Tool OWASP ZAP

This article is for lawful learning purposes only! Do not use it illegally.

1. Introduction to OWASP ZAP

The Open Web Application Security Project (OWASP) is a non-profit foundation that publishes free, vendor-neutral, practical material on software and web application security. ZAP, in full OWASP Zed Attack Proxy, is one of its tool projects and a flagship project: an integrated web application penetration-testing and vulnerability-scanning tool that is free, open source and cross-platform.
ZAP works as an intercepting (man-in-the-middle) proxy. Once the browser, or any other HTTP client, is configured to send its traffic through ZAP (by default it listens on 127.0.0.1:8080), every request and response passes through ZAP, which records them, analyses them passively and can actively scan what it has captured. For HTTPS sites the browser must also trust ZAP's root CA certificate (export it from the Options dialog and import it into the browser's certificate store); otherwise the browser rejects the per-site certificates ZAP generates on the fly.
ZAP official download page:

https://www.zaproxy.org/download/

2. OWASP ZAP installation

① ZAP runs on Windows, Linux, macOS and other platforms; installers and archives can be downloaded directly from the official website. The Windows and Linux packages require Java 8 or higher (check with java -version before installing; newer ZAP releases raise the minimum Java version, so compare against what the download page states).

② Kali Linux ships ZAP as the zaproxy package, so it can be started directly from the Applications menu or with the zaproxy command:

3. Use of OWASP ZAP

  • Persist session

When ZAP starts it asks whether to persist the session. A persisted session is written to a database file (by default under ZAP's home directory, or at a path you choose), so the site tree, history and alerts survive a restart; if the session is not persisted, everything is discarded when ZAP exits.

  • User Interface
    The main window has the site tree on the left, the request and response editors on the right, and the working tabs (History, Search, Alerts, Output, Spider, Active Scan) along the bottom.

  • Automated scan
    Click "Quick Start" -> "Automated Scan", enter the full URL to attack, and tick the spiders to use: the traditional spider follows the links it finds in the HTML, while the AJAX spider drives a real browser and so also reaches pages that only JavaScript links to. Click "Attack" to start. The automated scan spiders the target and then runs an active scan, which sends attack payloads to every page it found, so run it only against applications you own or are authorised to test.

  • Scanning results
    After you click Attack, ZAP crawls the web application and shows progress in the Spider and Active Scan tabs, together with the request and response for each page.

When the scan completes, the potential vulnerabilities are listed in the "Alerts" tab, each with its risk level, confidence, affected URL and parameter, the evidence matched, a CWE reference and a suggested fix.
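The same procedure (spider, active scan, read the alerts, export a report) can be driven without the GUI through ZAP's REST API, which is how it is usually wired into a pipeline. The script below is an added example, not code from the original article or from the ZAP project. It assumes a ZAP daemon on 127.0.0.1:8080 with the API key "changeme", a lab target of your own at http://127.0.0.1:3000/, and a constructed SAMPLE_ALERTS list shaped like the API's alert output (the plugin IDs are illustrative) so that the triage function can be exercised without a running scan:

```python
"""Drive a headless ZAP through its REST API, then triage the alerts.

Added example, not the article's or the ZAP project's code. Assumptions:
  * ZAP was started as a daemon with a persisted session, e.g.
      zap.sh -daemon -port 8080 -newsession /tmp/lab.session -config api.key=changeme
  * TARGET is a lab application you own and are authorised to attack.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"        # assumption: ZAP daemon listening here
API_KEY = "changeme"                  # assumption: value passed via -config api.key=
TARGET = "http://127.0.0.1:3000/"     # assumption: your own lab application

RISK_ORDER = ("High", "Medium", "Low", "Informational")
CONFIDENCE_RANK = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "User Confirmed": 4}


def zap_get(component, kind, name, **params):
    """GET /JSON/<component>/<view|action>/<name>/ and decode the JSON reply."""
    params["apikey"] = API_KEY
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id):
    """Poll <component>/view/status every 2 s until ZAP reports 100 %."""
    while True:
        status = int(zap_get(component, "view", "status", scanId=scan_id)["status"])
        print(f"{component} scan {scan_id}: {status}%")
        if status >= 100:
            return
        time.sleep(2)


def run_scan(target, report_path="zap-report.html"):
    """Spider, then actively scan, then fetch the alerts and an HTML report.

    The traditional spider only follows HTML links; for single-page apps run
    the "ajaxSpider" component first (same call shape). Active scanning sends
    attack payloads, so never point it at a site you are not authorised to test.
    """
    spider_id = zap_get("spider", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("spider", spider_id)
    ascan_id = zap_get("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    alerts = zap_get("core", "view", "alerts", baseurl=target)["alerts"]
    report_url = f"{ZAP}/OTHER/core/other/htmlreport/?apikey={API_KEY}"
    with urllib.request.urlopen(report_url, timeout=60) as resp, open(report_path, "wb") as fh:
        fh.write(resp.read())
    return alerts


def triage(alerts, min_confidence="Medium"):
    """Group alerts by risk, one row per plugin, listing every URL it fired on.

    Alerts below min_confidence are dropped: the usual first filter before
    reading the Alerts tab by hand, since low-confidence hits are often noise.
    """
    threshold = CONFIDENCE_RANK[min_confidence]
    grouped = {risk: {} for risk in RISK_ORDER}
    for alert in alerts:
        if CONFIDENCE_RANK.get(alert.get("confidence"), 0) < threshold:
            continue
        rows = grouped.setdefault(alert["risk"], {})
        row = rows.setdefault(alert["pluginId"],
                              {"name": alert["name"], "cweid": alert.get("cweid", ""), "urls": set()})
        row["urls"].add(alert["url"])
    return {
        risk: sorted(({**row, "urls": sorted(row["urls"])} for row in rows.values()),
                     key=lambda r: r["name"])
        for risk, rows in grouped.items()
    }


# Constructed sample shaped like core/view/alerts output; not real scan data.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "cweid": "89", "url": "http://127.0.0.1:3000/search?q=1", "param": "q"},
    {"pluginId": "40018", "name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "cweid": "89", "url": "http://127.0.0.1:3000/login", "param": "email"},
    {"pluginId": "10021", "name": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "cweid": "693", "url": "http://127.0.0.1:3000/", "param": ""},
    {"pluginId": "10096", "name": "Timestamp Disclosure - Unix", "risk": "Low",
     "confidence": "Low", "cweid": "200", "url": "http://127.0.0.1:3000/main.js", "param": ""},
    {"pluginId": "10015", "name": "Re-examine Cache-control Directives", "risk": "Informational",
     "confidence": "Low", "cweid": "525", "url": "http://127.0.0.1:3000/", "param": ""},
]

if __name__ == "__main__":
    for risk, rows in triage(run_scan(TARGET)).items():
        for row in rows:
            print(f"[{risk}] {row['name']} (CWE-{row['cweid']}) on {len(row['urls'])} URL(s)")
```

On SAMPLE_ALERTS the default triage keeps one High row (SQL Injection on two URLs) and one Low row, and drops the two low-confidence hits; lowering min_confidence to "Low" brings them back. Collapsing by pluginId matters because the Alerts tab and the API both report one alert per URL, so a single missing header can otherwise drown the one injection that needs attention.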

  • Manual exploration
    On the Quick Start screen click "Manual Explore", enter the URL of the web application to explore, pick the browser to use and click "Launch Browser". ZAP starts a browser instance that is already configured to proxy through ZAP and to trust its CA certificate, so no manual proxy setup is needed:

ZAP also provides the HUD (Heads Up Display), an overlay injected into the pages shown in the launched browser, which exposes ZAP's key security information and actions (alerts, scope, spider, active scan, break points) without leaving the browser:

From this point ZAP records everything done in that browser, including logging in and other interactions, so authenticated pages are explored as well:

As you click through pages, the passive scanner inspects every response and the resulting alerts pop up in the lower right corner.

After covering as many pages as possible, look at the site tree: nodes that have alerts are flagged.

  • Single-target attack
    Right-click a node in the site tree and choose "Attack" to target just that path:

Use "Spider", "Forced Browse site", "Forced Browse directory" and "Forced Browse directory (and children)" to map the paths more completely (forced browsing guesses paths from a wordlist instead of following links, so it also finds unlinked pages such as admin panels and backups), then run "Active Scan" and the other attacks against what was found. Active scanning sends attack payloads that can alter data, so restrict it to targets you are authorised to test.

  • Generate Report
    After all scans have completed, click "Report" and generate an HTML report; it lists every alert with its risk, affected URLs and remediation advice.

Source: blog.csdn.net/Zhou_ZiZi/article/details/126529888