ZAP (Zed Attack Proxy) - DrAlzahraniProjects/csusb_fall2024_cse6550_team2 GitHub Wiki

ZAP, or "Zed Attack Proxy," is an open-source web application security scanner developed by the OWASP (Open Web Application Security Project). It helps security professionals and developers identify vulnerabilities in web applications by performing automated scans and providing tools for manual testing. ZAP is user-friendly and widely used for penetration testing and vulnerability assessment.

Installation steps
Configuration
Implementation
Usage
Troubleshooting

Installation steps

1. Download ZAP from the official ZAP website

2. Run the installer

  • Double-click the downloaded .exe file
  • Follow the installation prompts to complete the setup

3. Launch ZAP

  • Open ZAP from the Start Menu or search for "ZAP" in the Windows search bar

4. Configure Proxy

  • Set your browser to use 127.0.0.1 (localhost) and port 8080 for proxy settings

Configuration

  • Proxy Interception: Fundamentally, ZAP is an intercepting proxy. Positioned between the browser and the web application, it intercepts and examines all HTTP/S communication. Once ZAP is set as your browser's proxy, it can track, examine, and even alter requests and responses in real time.
  • Proxy Setup: Configure ZAP to act as a proxy between your browser and the web application. In ZAP's settings, assign 127.0.0.1 as the address and 8080 as the port; this routes web traffic through ZAP for analysis.
  • SSL Configuration: To intercept HTTPS traffic, the browser must trust ZAP's Root CA certificate (Tools > Options > Dynamic SSL Certificates, covered under Troubleshooting); otherwise the browser rejects the certificates ZAP generates for HTTPS sites.

Step 1: Set Up ZAP Proxy

Open ZAP on your machine.

Fig 1: Home page of Zed Attack Proxy

Sections of the interface

  • Sites Pane (Top Left): A tree structure of every website you visit is displayed here. ZAP will add the requested domains and URLs to this list as you navigate.

  • History Pane (Bottom Left): Every request and response, including headers and contents, is logged in this window. For more investigation, you can examine each request separately.

  • Request/Response Tabs (Right Panel): The headers, body, and parameters of a request are shown here when you choose it from the History window. It enables you to examine or alter the traffic.

  • Spider and Active Scan: Covered in more depth later; these tools automatically crawl webpages and scan them for vulnerabilities.

  • Click on the Tools menu and choose Options.

Fig 2: Open Tools menu and choose Options

  • Under the Local Proxy settings, ensure that the default proxy port is set (e.g., 8080). You can change this if needed.

Fig 3: Options of ZAP tool

Why are IP address 127.0.0.1 and port 8080 used?

IP Address 127.0.0.1 (Localhost):

  • Local Loopback: The IP address 127.0.0.1 is known as the loopback or localhost address. It is reserved by the Internet Protocol (IP) for a device to communicate with itself.
  • Local Testing Environment: Using 127.0.0.1 directs the traffic within the local machine, without exposing it to the wider network. This is particularly useful in security testing as it allows you to analyze or intercept network traffic generated by local applications, such as browsers, while keeping everything on your computer.
  • Secure and Isolated Testing: Because traffic to 127.0.0.1 stays on the local machine, testing on this address reduces the risk of affecting external systems and allows for a more controlled testing environment.

Port 8080 (Alternate HTTP Port):

  • Alternative to Port 80: Port 8080 is commonly used as an alternative to port 80, which is the default port for HTTP traffic. Using 8080 avoids conflicts if a web server or other service is already running on port 80.
  • Standard for Proxies and Testing Environments: In security tools like OWASP ZAP, port 8080 is often the default port for intercepting traffic, making it a common choice for configuring proxies.
  • Proxying Traffic for Analysis: With the browser configured to send its traffic to ZAP's local proxy on port 8080, ZAP captures the HTTP/S traffic and can analyze or modify the requests and responses exchanged between the browser and the web application.

Why is this configuration important?

This configuration (127.0.0.1:8080) is important in OWASP ZAP for several reasons:

  • Local Traffic Monitoring: It allows ZAP to act as a "man-in-the-middle" proxy, capturing and analyzing all web traffic between your browser and the web application.
  • Controlled Environment: By routing traffic through 127.0.0.1, testing stays on the local machine, which keeps it secure and doesn’t impact external networks.
  • Vulnerability Detection: This setup enables ZAP to intercept HTTP/S requests and responses, which is essential for identifying vulnerabilities in real-time, such as injection flaws and misconfigurations.
  • HTTPS Testing: Configuring ZAP to handle traffic on port 8080 allows it to intercept encrypted HTTPS traffic when properly configured, which is important for security testing on secure (SSL/TLS) sites.
  • Customizable Proxy Setup: It provides flexibility to configure browsers or tools specifically to route traffic through ZAP, enabling more targeted and effective testing.

Step 2: Configure Your Browser to Use ZAP as a Proxy

  • Open Chrome and go to Settings.

Fig 4: Home page of Chrome

  • Search for the network settings in Chrome and open your computer's proxy settings.

Fig 5: Search Network settings inside Chrome browser

  • Choose the manual proxy configuration option.
  • Set the HTTP Proxy to 127.0.0.1 and the Port to 8080.

Fig 6: Open Connection Settings inside Chrome browser

  • Check the option to use this proxy for all protocols.
  • Click OK to apply the settings.

Step 3: Test the Proxy Setup

  • Open the example website (http://testphp.vulnweb.com/) in Chrome.

Fig 7: Opening the example website (http://testphp.vulnweb.com/) in Chrome to test for vulnerabilities

  • In ZAP, you should see the traffic captured in the Sites or History tab.

Fig 8: Traffic of the website inside the ZAP tool

Implementation

  • Active vs. Passive Scanning: Passive scanning only observes the traffic passing through the proxy and is useful for initial analysis; active scanning sends its own requests and is suited to more in-depth testing. Both are described below.
  • Automated Scanning Workflow:
    1. Perform a passive scan.
    2. Review any initial findings.
    3. Set up rules and triggers.
    4. Conduct an active scan.
    5. Generate a report and analyze the results.
  • Sample Workflow: The same steps can be driven from the command line with zap-cli against a running ZAP instance, for example zap-cli active-scan <target_url>.

Automated Scanning

  • ZAP offers a range of automated scanning capabilities, including spidering, active scanning, and passive scanning. These tools allow users to perform security assessments efficiently and effectively.

Passive Scan:

  • The passive scanner operates without modifying or interacting with the application; it inspects requests and responses as they pass through the proxy.
  • Since it doesn’t send additional traffic to the server, passive scanning is well-suited for production environments.
  • Common issues detected by passive scanning include information leakage, weak SSL/TLS configurations, and missing security headers.

Active Scan:

  • The active scanner sends additional requests to the target web application to identify vulnerabilities.
  • Active scanning should be used cautiously, particularly on production systems, as it can be intrusive.
  • Certain web application functionalities may be disrupted during an active scan.

Spidering:

  • ZAP's spider crawls a web application to find every resource it exposes. It builds a site map by methodically following each link on the target site, which helps locate obscure or forgotten pages that may be at risk.
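As an added example (not code from the wiki or the ZAP project), the five-step workflow above driven through ZAP's REST API from Python instead of zap-cli: spider, wait for the passive scanner to drain, active scan, then count alerts per risk level. It assumes ZAP is running on 127.0.0.1:8080 as configured above, a placeholder API key, and a hypothetical `fetch` hook that exists only so the HTTP transport can be swapped out.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumptions: ZAP is running with its API on the proxy address used in this
# wiki (127.0.0.1:8080); API_KEY is a placeholder for the key shown under
# Tools > Options > API. Both are constructed values, not the team's.
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"


def zap_api(component, kind, name, fetch=None, **params):
    """Call one ZAP JSON endpoint (/JSON/<component>/<kind>/<name>/) and
    return the decoded reply. `fetch` is a hypothetical hook so a test can
    substitute a fake transport; by default it performs a plain HTTP GET."""
    params["apikey"] = API_KEY
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    if fetch is None:
        fetch = lambda u: urllib.request.urlopen(u, timeout=30).read()
    return json.loads(fetch(url))

def wait_for_scan(component, scan_id, fetch=None, poll=2):
    """Poll the spider or active scanner (ascan) until it reports 100%."""
    while int(zap_api(component, "view", "status", fetch, scanId=scan_id)["status"]) < 100:
        time.sleep(poll)

def wait_for_passive(fetch=None, poll=2):
    """Passive rules run on every proxied response; wait for the backlog."""
    while int(zap_api("pscan", "view", "recordsToScan", fetch)["recordsToScan"]) > 0:
        time.sleep(poll)

def run_workflow(target, fetch=None, poll=2):
    """Spider, let passive findings settle, active scan, then collect alerts:
    the wiki's automated workflow. Returns a count of alerts per risk level."""
    spider_id = zap_api("spider", "action", "scan", fetch, url=target)["scan"]
    wait_for_scan("spider", spider_id, fetch, poll)
    wait_for_passive(fetch, poll)                  # steps 1-2: passive findings ready
    ascan_id = zap_api("ascan", "action", "scan", fetch, url=target)["scan"]
    wait_for_scan("ascan", ascan_id, fetch, poll)  # step 4: active scan
    summary = {}
    for alert in zap_api("core", "view", "alerts", fetch, baseurl=target)["alerts"]:
        summary[alert["risk"]] = summary.get(alert["risk"], 0) + 1
    return summary                                 # step 5: analyse the results

if __name__ == "__main__":
    print(run_workflow("http://testphp.vulnweb.com/"))
```

Run it only against a site you are authorized to test; the active scan step sends attack traffic, exactly as the Active Scan notes above warn.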

Step 1: Scanning a Target Website

  • Spider the website: ZAP's Spider tool crawls a site to find every page and link on it. This is especially helpful when mapping a large application or making sure every area is covered for testing.

Usage

  • This section walks you through sample tests with ZAP, from simple proxy setups to complete security assessments.

  • Login Session Handling: To test a login-protected page, use ZAP's session handling features to ensure all pages, even those requiring login, are covered. Go to Options > Session Management and enter session cookies manually or through browser plugins.

  • SQL Injection Detection: Enable ZAP's SQL injection test rules, then run an active scan to see whether the application is vulnerable. Look for entries under Injection Flaws in the report. The same checks can be scripted for automated workflows with zap-cli or the ZAP API.

    • In ZAP, enter the URL of the website you want to scan in the URL to Attack field at the top.

      Fig 9: Entering the URL manually to check the vulnerabilities in ZAP tool

    • ZAP will crawl the site and find all accessible pages.

      Fig 10: Pages that are accessible to check vulnerabilities in ZAP tool

    • Configure the Spider:

      • In the Sites pane, right-click on the website you want to spider and choose Attack > Spider Site.
      • In the Spider configuration, choose the scope (domains and subdomains) and hit Start. The Spider tab then shows the following.

      Fig 11: Performing Spidering Operation

      • As the Spider runs, you'll see new URLs appear in the Sites pane, indicating that they've been discovered. ZAP can also discover hidden or hard-to-find pages.
    • Perform Active Scanning: Active Scanning is ZAP's most effective technique for identifying security flaws such as SQL Injection, XSS, insecure cookies, and more. Initiating a scan:

    • After manually browsing the website or spidering it, right-click on it in the Sites pane and choose Attack > Active Scan. To check for typical vulnerabilities, ZAP will send the server specially constructed requests.

    • After the spider has completed, click on the + symbol and select Active Scan.

    Fig 12: This shows Performing active scanning

    • ZAP will perform vulnerability tests on the website.

    Fig 13: ZAP performing vulnerability tests

Step 2: Review the Results

  • Vulnerability Severity Levels: As the scan progresses, vulnerabilities will appear in the Alerts tab, categorized by severity: low, medium, high, and critical. Each alert can be clicked for more detailed information, including the method of discovery and suggested corrective actions.

  • Customizing the Scan Policy: You can customize the scan policy by enabling or disabling specific attack types. This feature is useful when testing specific areas of the web application.

  • Alert Details: Each alert provides detailed information, including the risk level and potential exploitations.

    • As ZAP scans, it will log any security issues in the Alerts tab.
    • You can view detailed information about each alert, including risk levels and possible exploitations.

    Fig 14: Viewing Alerts of the website inside ZAP tool

Step 3: Authentication and Session Handling

  • Authentication Setup: Many web applications require authentication, and ZAP can be configured to handle authenticated sessions.
  1. Context Management: ZAP uses Contexts to manage various aspects of a website, including login and logout mechanisms. To set up authentication, right-click on a site in the Sites pane and select Include in Context.

Fig 15: Figure shows the context management setup

  2. Configure Authentication:
  • In the Context settings, you can specify login URLs, session management methods, and parameters that indicate a logged-in session.
  • You can even script custom login mechanisms using ZAP's built-in scripting interface.

Fig 16: Context settings, where login URLs, session management methods, and parameters that indicate a logged-in session are specified

Saving and Analyzing Reports

  • Generate a report:

    • After scanning, go to Reports > Generate Report
    • Choose the format (HTML, XML) and location to save the file.

    Fig 17: Choosing the report file format (here .html)

  • Review Alerts

    • ZAP will categorize the vulnerabilities found (e.g., XSS, SQL Injection) under the Alerts tab. Each alert has a detailed description and recommended fixes.

    Fig 18: The summary of the alerts inside the report


    Fig 19: The types of alerts, their risk level, and the number of instances of each


    Fig 20: The Missing click-jacking header alert in detail
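An added example, not from the wiki or the ZAP project: parsing a generated JSON report into the alert / risk level / instance count table of Fig 19, plus a pass/fail gate for a build pipeline. The embedded report is constructed in the shape of ZAP's traditional JSON report with invented values, and the risk-code mapping (0 to 3) is assumed from that format.

```python
import json
from collections import Counter

# Constructed sample in the shape of ZAP's traditional JSON report
# (Reports > Generate Report, JSON format); the values are invented.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://testphp.vulnweb.com",
        "alerts": [
            {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header",
             "riskcode": "2", "confidence": "2", "riskdesc": "Medium (Medium)",
             "cweid": "1021", "instances": [
                 {"uri": "http://testphp.vulnweb.com/", "method": "GET"},
                 {"uri": "http://testphp.vulnweb.com/login.php", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "cweid": "693", "instances": [
                 {"uri": "http://testphp.vulnweb.com/", "method": "GET"}]},
        ],
    }],
})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP riskcode values


def summarize_report(report_json, min_risk=0):
    """Parse a ZAP JSON report into {"by_risk": Counter of risk names,
    "rows": [(alert name, risk name, instance count, CWE id), ...]} for
    alerts at or above min_risk, highest risk first (the table in Fig 19)."""
    rows = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            if risk >= min_risk:
                rows.append((risk, alert["alert"], len(alert.get("instances", [])),
                             alert.get("cweid", "")))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return {"by_risk": Counter(RISK_NAMES[r[0]] for r in rows),
            "rows": [(name, RISK_NAMES[risk], n, cwe) for risk, name, n, cwe in rows]}

def fails_threshold(report_json, max_allowed_risk=1):
    """True if any alert is above max_allowed_risk (default: anything above
    Low), the check a CI pipeline would use to gate a build on the report."""
    return bool(summarize_report(report_json, max_allowed_risk + 1)["rows"])

if __name__ == "__main__":
    for name, risk, n, cwe in summarize_report(SAMPLE_REPORT)["rows"]:
        print(f"{risk:<13} {n:>3} instance(s)  CWE-{cwe}  {name}")
    print("build gate failed:", fails_threshold(SAMPLE_REPORT))
```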

Troubleshooting

Step 1: Check Windows Firewall Settings

  • If ZAP can't bind to a port or access certain resources, ensure that Windows Firewall isn't blocking it. Allow ZAP through the firewall if necessary.

Fig 21: Security settings of Windows

Step 2: Permission Issues

  • Ensure that ZAP has the necessary permissions on your computer to intercept traffic, especially if testing local websites.

Fig 22: Allowing the ZAP through the firewall

What are the general troubleshooting tips for ZAP (Zed Attack Proxy)?

  1. ZAP Not Starting or Crashing
  • Verify Java Installation: ZAP requires Java to run. Confirm Java is installed by running java --version in the terminal.
  • Reinstall ZAP: If the issue persists, try reinstalling the latest stable version from the official ZAP website.
  • Check Logs: Review ZAP's logs for errors. Logs are located in ~/.ZAP on macOS/Linux or %USER_HOME%.ZAP on Windows.
  2. ZAP Running Slowly or Becoming Unresponsive
  • Disable Unused Add-ons: Unnecessary add-ons can slow down ZAP. Disable them from the "Manage Add-ons" menu.
  • Increase Memory Allocation: For large scans, adjust the memory allocation by modifying the -Xmx parameter in zap.sh (Linux/macOS) or zap.bat (Windows).
  • Limit Scan Scope: Define a narrower scope to speed up scans by focusing only on specific areas of the site.
  3. Problems Intercepting Traffic
  • Install Root CA Certificate: To intercept HTTPS traffic, install ZAP's Root CA certificate in your browser from the "Tools > Options > Dynamic SSL Certificates" menu.
  • Check Proxy Settings: Ensure both ZAP and the browser are using the same proxy settings (default is localhost:8080).
  • Check Firewall or Antivirus: Ensure ZAP has permissions in your firewall or antivirus settings.
  4. Scanner Not Detecting Vulnerabilities
  • Update ZAP and Add-ons: Keep ZAP and add-ons updated to ensure the latest vulnerability checks are included.
  • Configure Scan Policy: In the "Policy Manager," customize the scan policy to ensure relevant tests are enabled.
  • Set Up Authentication: For authenticated scans, configure the authentication settings in the "Context" menu.
  5. Crawling Issues with Certain Websites
  • Enable AJAX Spider for JavaScript-Heavy Sites: The AJAX Spider can handle dynamic content better on single-page applications (SPAs).
  • Review Restrictions: Some sites have robots.txt or security headers that can block crawling; check for these restrictions.
  6. Add-ons Failing to Install
  • Network Settings: Ensure ZAP can access the internet for add-on downloads. Configure proxy settings if required.
  • Manual Installation: If issues persist, download add-ons manually from the ZAP marketplace and install them via "Manage Add-ons."
  7. Proxy Fails to Start
  • Resolve Port Conflicts: If another service is using ZAP's default port (8080), change the port in "Tools > Options > Local Proxies" to an available one.

Resources

Step 1: ZAP User Guide

  • The official documentation provides detailed explanations of ZAP's features, configuration, and usage: ZAP User Guide

Step 2: API Documentation

Step 3: Tutorials and Getting Started Guides

Step 4: ZAP Add-ons Marketplace

  • ZAP has a built-in marketplace for add-ons to extend functionality, accessible from the ZAP UI under Manage Add-ons (see the ZAP Marketplace).
  • Popular Extensions:
    • Advanced SQL Injection Scanner: Provides more in-depth testing for SQL injection vulnerabilities.
    • Port Scanner: A built-in port scanner to find open ports on a target.
    • HUD (Heads Up Display): A new UI that provides contextual security information as you browse.