Basic Tutorial: Free Security Vulnerability Scanner ZAP

Zed Attack Proxy (ZAP) is a free and open-source web application security scanning tool developed by OWASP, a not-for-profit organization working to enhance the security of software applications. It is ideal for beginners who want to start security testing of web applications, as it is easy to install and easy to use, although penetration testing professionals use it as well. I feel that the ZAP tool is ideal for developers and functional testers who want to automate their applications' security testing. You can also use other tools like Selenium with ZAP to automate testing.

Download and Installation

ZAP is available for multiple operating systems such as Windows, Mac, and Linux. It can be downloaded for free from the link below:

Tool Usage

After downloading and installing it, launch OWASP ZAP by clicking on the ZAP icon.

To run the first test, just enter the URL in the field "URL to attack" (e.g. and click on the button "Attack". This is a basic scan, and it reports the security vulnerabilities it finds.

Note: Never run this tool on any public websites as it is illegal under the law unless you have proper permission to do so.


When a scan completes successfully, ZAP lists the application security issues it found. You can find all of them under the "Alerts" tab.

Reporting of application vulnerabilities

After a successful run of the tool, you can download reports in formats such as HTML, XML, and Markdown by navigating ZAP tool -> Report. You can also export messages, responses and selected URLs to a file in ASCII format, for future reference, by selecting rows under the History tab.
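A saved XML report can also be checked by a script, for example to fail a build when an alert of Medium risk or higher is present. The following is an added example, not part of the original tutorial or of ZAP itself; it assumes the export follows the layout of ZAP's traditional XML report (`site` > `alerts` > `alertitem` with `name`, `riskcode` and `instances`), the sample report is constructed, and `load_alerts` and `gate` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# riskcode values used in ZAP reports
RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample; element names assume ZAP's traditional XML report layout.
SAMPLE_REPORT = """<OWASPZAPReport version="constructed" generated="constructed">
 <site name="http://localhost:8000" host="localhost" port="8000" ssl="false"><alerts>
  <alertitem><name>X-Content-Type-Options Header Missing</name><riskcode>1</riskcode>
   <instances><instance><uri>http://localhost:8000/app.js</uri></instance></instances>
  </alertitem>
  <alertitem><name>Content Security Policy (CSP) Header Not Set</name><riskcode>2</riskcode>
   <instances><instance><uri>http://localhost:8000/</uri></instance>
    <instance><uri>http://localhost:8000/login</uri></instance>
    <instance><uri>http://localhost:8000/</uri></instance></instances>
  </alertitem>
  <alertitem><name>Cookie No HttpOnly Flag</name><riskcode>1</riskcode>
   <instances><instance><uri>http://localhost:8000/login</uri></instance></instances>
  </alertitem>
 </alerts></site>
</OWASPZAPReport>"""

def load_alerts(xml_text):
    """Flatten the report into dicts, highest risk first, URLs de-duplicated."""
    # The report comes from your own ZAP run; use a hardened parser for XML from elsewhere.
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.iter("site"):
        for item in site.iter("alertitem"):
            alerts.append({
                "site": site.get("name"),
                "name": item.findtext("name", default="(unnamed)"),
                "risk": int(item.findtext("riskcode", default="0")),
                "uris": sorted({u.text for u in item.iter("uri") if u.text}),
            })
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)

def gate(alerts, fail_at=2):
    """Return (passed, blocking alerts, count per risk level)."""
    counts = Counter(RISK.get(a["risk"], "Unknown") for a in alerts)
    blocking = [a for a in alerts if a["risk"] >= fail_at]
    return (not blocking, blocking, counts)

if __name__ == "__main__":
    passed, blocking, counts = gate(load_alerts(SAMPLE_REPORT))
    print("PASS" if passed else "FAIL", dict(counts))
    print([(a["name"], a["uris"]) for a in blocking])
```
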

Configuring Proxies

You need to configure the web browser to use ZAP as a proxy. You can see these local proxy details by navigating ZAP Tool -> Tools -> Options -> Local Proxy:

You need to configure your web browser by navigating:

Firefox Menu -> Options -> Settings (Under Network Proxy) -> Manual Proxy Configuration. Set HTTP Proxy as "localhost" and Port as "8080".

To verify the setup, browse to any URL and check whether ZAP intercepts and captures the traffic.

Website Crawling

To crawl the whole website automatically, you can use the spider feature of ZAP. Navigate to ZAP -> Tools, click on "Spider" and enter the site URL in "Starting point".


Some websites need a username and password for vulnerability scanning. To authenticate, intercept the traffic by configuring the proxy as described above. Right-click on the login request, select "Flag as Context" and click "Form-based Auth Login Request".


OWASP ZAP is an awesome tool for beginners who want to start a security assessment of web applications. A big community is working to enhance the features of this tool.


If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.


2 Responses

  1. Atul says:

    Nice and well structured article.
    Keep posting.

  2. Shah Ahmad says:

    I have used ZAP in application security … it is really a nice tool
