Basic Tutorial: Free Security Vulnerability Scanner ZAP

Zed Attack Proxy (ZAP) is a free and open-source dynamic application security testing (DAST) tool for web applications, originally developed under OWASP, a not-for-profit organization working to improve software security. It works as an intercepting proxy that sits between your browser and the application, records the traffic, and can then crawl and actively attack what it has seen. It is a good starting point for beginners because it is easy to install and easy to use, and it is also used by professional penetration testers. It is well suited to developers and functional testers who want to automate security testing of their own applications: ZAP exposes a REST API, and browser-automation tools such as Selenium can be pointed at ZAP as their proxy so that a functional test run populates ZAP with the requests it should scan.

Download and Installation

ZAP is available for Windows, macOS and Linux (it is a Java application, so a Java runtime is required). It can be downloaded free of charge from:

https://www.zaproxy.org/download/

Tool Usage

After downloading and installing, launch ZAP (via its desktop icon, or zap.sh / zap.bat from the install directory).

To run the first test, open the Quick Start tab, enter the target in the "URL to attack" field (e.g. http://www.testsite.com) and click "Attack". This runs the automated scan: ZAP spiders the site, then actively scans every request it found and reports the vulnerabilities it can detect. Two caveats: the scan is unauthenticated, so it only covers pages reachable without logging in, and an active scan sends real attack payloads that can create, modify or delete data, so run it against a test instance, never production.

Note: Never scan a website you do not own or do not have written permission to test. Unauthorized scanning is illegal in most jurisdictions, and an active scan shows up in the target's logs as an attack whether or not you meant it as one.

Results:

When the scan finishes, ZAP lists the findings under the "Alerts" tab, grouped by alert type and rated by risk (High, Medium, Low, Informational) and by confidence. Treat them as candidates rather than confirmed vulnerabilities: like every automated scanner, ZAP produces false positives, so verify each alert by examining the request and response it flags before reporting it.

Reporting of application vulnerabilities

After the scan completes, you can generate a report via Report -> Generate Report in formats such as HTML, XML, Markdown and JSON. You can also select rows in the History tab and export the messages (requests and responses) or the selected URLs to a text file for later reference. Before handing a report to developers, review the alerts and mark false positives as such, so the report reflects confirmed findings rather than raw scanner output.

Configuring Proxies

To scan anything beyond what the spider finds on its own, you need to send your browser's traffic through ZAP, which means configuring the browser to use ZAP as its proxy. The address and port ZAP listens on are shown under Tools -> Options -> Local Proxy (Network -> Local Servers/Proxies in recent versions); the default is localhost, port 8080:

Then configure the browser. In Firefox:

Firefox Menu -> Options -> Settings (under Network Proxy) -> Manual Proxy Configuration. Set HTTP Proxy to "localhost" and Port to "8080", and tick the option to use the same proxy for HTTPS. To intercept HTTPS without certificate warnings, export ZAP's root CA certificate from the Options dialog and import it into Firefox's certificate store as a trusted authority. Alternatively, the Quick Start tab's "Manual Explore" option launches a browser that is already configured to proxy through ZAP. When you are done, remove the proxy setting and the ZAP CA from any browser you also use for normal browsing; a trusted interception CA left behind weakens that browser's TLS protection.

Check the setup by browsing to any URL and confirming that the request appears in ZAP's History tab.

Website Crawling

To crawl a whole site automatically, use the Spider. Navigate ZAP -> Tools, click "Spider", enter the site URL as the "Starting point" and start the scan; ZAP follows every link it finds and adds each page to the Sites tree. The traditional spider parses HTML only, so for applications that build their pages with JavaScript use the AJAX Spider, which drives a real browser. Define a Context and include only the target in it: without a scope the spider will follow links off the site, and it will also follow the logout link and end your session, so exclude the logout URL from the context when scanning authenticated areas.
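The Quick Start attack, the Spider and the report generation described above can also be driven without the GUI, which is how ZAP is normally used in a build pipeline. The script below is an added example written for this tutorial, not ZAP project code. It assumes ZAP was started headless with a known API key (for example `zap.sh -daemon -port 8080 -config api.key=changeme`), that the target is a site you are authorised to test, and that `SAMPLE_ALERTS` is constructed data in the shape of ZAP's alerts response rather than real scan output. The endpoint paths used (spider/action/scan, ascan/action/scan, core/view/alerts, core/other/htmlreport) are ZAP's documented API; the official `zaproxy` Python client wraps the same calls, but plain `urllib` is used here to keep the example dependency-free.

```python
"""Drive a headless ZAP through its REST API: spider, active scan, alerts, report.

Added example for this tutorial (not ZAP project code). Assumptions:
  * ZAP runs as a daemon with a known API key, e.g.
        zap.sh -daemon -port 8080 -config api.key=changeme
  * the target is a site you are authorised to test
  * SAMPLE_ALERTS below is constructed data, not real scan output
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumption: ZAP's API/proxy address
API_KEY = "changeme"                # assumption: value given to -config api.key
RISK_ORDER = ("High", "Medium", "Low", "Informational")  # ZAP's risk labels


def build_url(component, kind, name, **params):
    """Build a ZAP JSON API URL, e.g. .../JSON/spider/action/scan/?apikey=..&url=..
    The key may also be sent as an X-ZAP-API-Key header; the query form is simpler."""
    query = {"apikey": API_KEY}
    query.update({k: v for k, v in params.items() if v is not None})
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def call(component, kind, name, **params):
    """Issue one API call and decode its JSON body."""
    with urllib.request.urlopen(build_url(component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll_seconds=2.0):
    """Poll a spider or ascan job until its status reaches 100 percent."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts per risk level, always listing all four ZAP levels."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def worst_risk(alerts):
    """Most severe risk level present, or None for an empty alert list."""
    for risk in RISK_ORDER:
        if any(alert.get("risk") == risk for alert in alerts):
            return risk
    return None


def should_fail(alerts, threshold="High"):
    """Gate for CI: True if any alert is rated at or above `threshold`."""
    worst = worst_risk(alerts)
    return worst is not None and RISK_ORDER.index(worst) <= RISK_ORDER.index(threshold)


def scan(target, report_path="zap-report.html"):
    """Spider, then actively scan `target`, write the HTML report, return the alerts."""
    spider_id = call("spider", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    # The HTML report is an OTHER endpoint (non-JSON response), so fetch it directly.
    report_url = f"{ZAP_BASE}/OTHER/core/other/htmlreport/?apikey={API_KEY}"
    with urllib.request.urlopen(report_url, timeout=60) as resp, open(report_path, "wb") as out:
        out.write(resp.read())
    return alerts


# Constructed sample in the shape ZAP's core/view/alerts returns (the alert names
# are real ZAP rule names; the URLs and findings are made up for illustration).
SAMPLE_ALERTS = [
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://testsite.example/search", "param": "q"},
    {"name": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "Low",
     "url": "http://testsite.example/profile", "param": ""},
    {"name": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://testsite.example/", "param": "x-content-type-options"},
    {"name": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "http://testsite.example/app.js", "param": ""},
]


if __name__ == "__main__":
    # With a target URL argument: run a real scan against the ZAP daemon.
    # Without one: exercise the reporting logic on the constructed sample.
    alerts = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for risk, count in summarize_alerts(alerts).items():
        print(f"{risk:<14}{count}")
    for alert in alerts:
        print(f"[{alert['risk']}/{alert['confidence']}] {alert['name']} at {alert['url']}")
    sys.exit(1 if should_fail(alerts, threshold="High") else 0)
```

The spider runs before the active scan because the active scan only attacks requests already in ZAP's site tree; skipping the crawl is the most common reason an API-driven scan reports nothing. This reproduces the unauthenticated Quick Start scan only; scanning behind a login requires the context, authentication and user setup described in the Authentication section, which the API also exposes.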

Authentication

Some parts of a website require a username and password, and an unauthenticated scan never reaches them. To scan them, first browse through ZAP's proxy (configured as above) and log in normally so that the login request is captured. In the History tab, right-click the login request (the POST carrying the credentials), select "Flag as Context" and click "<context>: Form-based Auth Login Request". ZAP fills the Authentication section of the context with the login URL and form parameters; complete the setup by marking which parameters are the username and password, adding a regular expression that identifies a logged-in or logged-out response, and creating a User under the context's Users section. Spider and active scans can then be run "as user", and ZAP re-authenticates automatically when the session expires.

Conclusion

ZAP is an excellent tool for beginners who want to start assessing the security of web applications, and a large community keeps improving it. I definitely recommend it for your security assessments.



Disclaimer: This tutorial is for educational purposes only. You are solely responsible for any illegal use.


3 Responses

  1. Atul says:

    Nice and well structured article.
    Keep posting.

  2. Shah Ahmad says:

    I have used ZAP in application security … it is really a nice tool.

  3. David Jacobs says:

    What’s the meaning of the icons and the flap on ZAP?
