Security Testing: OWASP ZAP 2.8 User Guide (1): Security Testing Fundamentals and ZAP Download and Installation

Overview

This article is a basic introduction to OWASP's Zed Attack Proxy (ZAP).

ZAP is a security testing tool that can be used effectively even by testers without a strong security background.

To that end, the article covers some security testing concepts and terminology, but it does not go deeply into either ZAP or security testing.

 

Security Testing Fundamentals

Software security testing is the process of evaluating and testing a system in order to detect risks and vulnerabilities in the security of the system and its data.

There is no single methodology for security testing, but we can describe the activity as "discovering a system's vulnerabilities without the intent of abusing them."

Common security testing can be divided into the following types:

 

Vulnerability assessment - the security of the system is assessed, usually by running scanning tools

Penetration test - the system is analyzed and attacked in a simulated way to assess its security and defensive capability

Runtime test - the security of the running system is assessed from the perspective of an end user

Code review - the system's source code is evaluated and reviewed to determine its security and defensive capability

 

Note that risk assessment is not included in this list. That is because a risk assessment is not actually a test: it estimates and analyzes the various risks and develops appropriate risk mitigation measures.

 

About Penetration Testing

In a penetration test, the tester plays the role of an external attacker whose goal is to break into the system in order to steal data, cause a denial of service, or achieve a similar effect.

An advantage of penetration testing is that it rarely reports false positives (with other types of testing, many of the reported security issues do not constitute a real, exploitable risk).

However, penetration testing is also very time-consuming.

 

Penetration tests are also used to test the system's defense mechanisms, to verify incident response plans, and to determine whether security policies are being followed.

Automated penetration testing is an important part of continuous integration validation: it helps find new security risks, and it quickly surfaces security regressions introduced during fast iteration.

 

Penetration Testing

Manual and automated penetration tests are both common, and are usually used in combination to test every link in the chain: from the server, to the network, to the devices, to the endpoints.

This article focuses mainly on penetration testing of web sites and web applications.

 

A penetration test usually follows these stages:

Explore - learn about the system under test. This includes learning which components make up the system, which endpoints it exposes, which software and systems it uses, and which patches are installed.

During this stage the tester also looks for hidden content in the system, known security risks, and other vulnerabilities exposed by the system's behavior.

Attack - the tester attempts to exploit known or suspected vulnerabilities in order to prove that these risks and vulnerabilities actually exist.

Report - the tester reports the results, including the vulnerabilities discovered, how each was exploited, how difficult it is to exploit, and the severity of the consequences if it is exploited.

 
 

Penetration Test Goals

The ultimate goal of penetration testing is to find vulnerabilities in the system so that they can be fixed.

It can also be used to confirm that the system is not affected by a number of known risks.

After vulnerabilities have been fixed, a re-test determines whether they have actually been closed.

 

About ZAP

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool, developed and maintained by OWASP.

ZAP is designed specifically for testing the security of web applications, and it is highly flexible and extensible.

ZAP's core mechanism is the familiar "intercepting proxy" (a man-in-the-middle proxy). The tester places ZAP between the browser and the web application so that ZAP can intercept and inspect the traffic exchanged between them.

Where necessary, ZAP can also modify the intercepted requests and responses and then forward or resend them.

 

 

 

If a network proxy is already in use, ZAP can also be configured to chain to that existing proxy.

 

 

ZAP offers security features for a range of skill levels, from developers and testers who are new to security through to security testing experts.

ZAP supports all major operating systems and Docker, so it does not tie you to a particular OS.

The ZAP Marketplace, accessible from within the ZAP client, also provides many free add-ons that supply a wide variety of functions.

Since ZAP is open source, we can also read its source code to see how its functions are implemented.

Everyone can contribute to ZAP, including bug fixes and new features.

 

Installation and Configuration

ZAP provides installation packages for Windows, Linux and Mac OS X.

A Docker image is also provided; the download address is given below.

 

Installation

First, install ZAP on the system from which the penetration test will be run. Download the ZAP installation package for your system from the following address and run it:

https://github.com/zaproxy/zaproxy/wiki/Downloads

Note that ZAP requires Java 8 or later to run, so JDK 8 or later must be installed on your system beforehand.

The Docker version does not require a separate Java installation.

After installation is complete, you can start ZAP.


Persisting the Session

The first time you start ZAP, you will be asked whether you want to persist the ZAP session.

A ZAP session is recorded to disk in an HSQLDB database, by default under a preset name and location.

If you choose not to persist the session, these session files are deleted when you exit ZAP (which means that the next time ZAP starts you will not see the previous operations and test records).

 

If you choose to persist the session, the session information is saved to a local database, so that next time you can continue from the previous work.

When you choose to persist the session, you will be prompted for a session name and a storage location.

 

For the first run, you can keep the default option and start; this session will then not be persisted.
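The following POSIX shell helpers are an added example for the installation and session sections above; they are not part of the original article or of the ZAP project. They cover the one prerequisite check that trips people up, namely that `java -version` reports Java 8 as "1.8.0_x" but Java 9 and later as "11.0.4" or "9-ea", so the major version has to be parsed differently for the two schemes. The Docker image name (owasp/zap2docker-stable) and the zap.sh flags (-daemon, -host, -port, -newsession) are assumptions taken from the ZAP Docker documentation and `zap.sh -help` as the editor recalls them; verify them against the download page before relying on them.

```shell
#!/bin/sh
# Added example (not from the original article): ZAP 2.8 prerequisite helpers.
# ZAP needs Java 8 or later. `java -version` prints "1.8.0_222" for Java 8 but
# "11.0.4" or "9-ea" for Java 9+, so the two version schemes are parsed separately.

# Print the Java major version from `java -version` output (or from a bare version string).
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        ver=$1   # no 'version "..."' found: treat the whole input as the version string
    fi
    case "$ver" in
        1.*) major=$(printf '%s\n' "$ver" | cut -d. -f2) ;;                 # 1.8.0_222 -> 8
        *)   major=$(printf '%s\n' "$ver" | cut -d. -f1 | cut -d- -f1) ;;   # 11.0.4 -> 11, 9-ea -> 9
    esac
    printf '%s\n' "$major"
}

# Return 0 if the Java described by $1 satisfies ZAP's "Java 8 or later" requirement.
zap_java_ok() {
    major=$(java_major_version "$1")
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # nothing numeric parsed: treat as not installed
    esac
    [ "$major" -ge 8 ]
}

# Check the Java actually installed on this machine.
check_local_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "java not found: install JDK 8+ or use the Docker image"
        return 1
    fi
    out=$(java -version 2>&1)
    if zap_java_ok "$out"; then
        echo "Java $(java_major_version "$out") found: OK for ZAP 2.8"
    else
        echo "Java $(java_major_version "$out") is too old: ZAP 2.8 needs 8 or later"
        return 1
    fi
}

# Alternative without a local Java: run ZAP as a headless daemon proxy from the Docker image.
# Image name and zap.sh flags are assumptions (see the lead-in). The proxy port is bound to
# 127.0.0.1 on the host on purpose, so the intercepting proxy is not exposed to the LAN.
zap_docker_daemon() {
    docker run --rm -u zap -p 127.0.0.1:8080:8080 -i owasp/zap2docker-stable \
        zap.sh -daemon -host 0.0.0.0 -port 8080
}

# Start desktop ZAP with a persisted session at a path of your choice, which skips the
# "persist session?" startup dialog (-newsession as listed by `zap.sh -help`; assumed).
zap_start_persisted() {
    zap.sh -newsession "$1"
}

# Run the local check only when explicitly asked, so the file can also be sourced for its functions.
if [ "${ZAP_PREREQ_MAIN:-0}" = 1 ]; then
    check_local_java
fi
```

Run the local check with `ZAP_PREREQ_MAIN=1 sh zap_prereqs.sh`, or source the file and call the functions individually; `zap_docker_daemon` and `zap_start_persisted` only launch ZAP and are never run by the check itself.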

 


Source: www.cnblogs.com/dayu2019/p/11543196.html