Read 37 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki

Automated AppSec with ZAP

Security Testing Basics

Security testing is often broken out, somewhat arbitrarily, according to either the type of vulnerability being tested or the type of testing being done. A common breakout is:

  1. Vulnerability Assessment - The system is scanned and analyzed for security issues.
  2. Penetration Testing - The system undergoes analysis and attack from simulated malicious attackers.
  3. Runtime Testing - The system undergoes analysis and security testing from an end-user.
  4. Code Review - The system code undergoes a detailed review and analysis looking specifically for security vulnerabilities.

The Pentesting Process

Pentesting usually follows these stages:

  1. Explore - The tester attempts to learn about the system being tested. This includes trying to determine what software is in use, what endpoints exist, what patches are installed, etc. It also includes searching the site for hidden content, known vulnerabilities, and other indications of weakness.

  2. Attack - The tester attempts to exploit the known or suspected vulnerabilities to prove they exist.

  3. Report - The tester reports back the results of their testing, including the vulnerabilities, how they exploited them and how difficult the exploits were, and the severity of the exploitation.

Pentesting Goals

The goal of pentesting is to search for vulnerabilities so that these vulnerabilities can be addressed. It can also verify that a system is not vulnerable to a known class or specific defect; or, in the case of vulnerabilities that have been reported as fixed, verify that the system is no longer vulnerable to that defect.

Zed Attack Proxy (ZAP)

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Worldwide Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. At its core, ZAP is what is known as a "man-in-the-middle proxy."

Traditional Spider

The Traditional Spider in ZAP crawls a target web application by following links within the application. It starts from a given URL and systematically explores all accessible pages and resources by recursively following links. The Traditional Spider is a depth-first search spider, meaning it explores one path completely before moving to the next.

AJAX Spider

The AJAX Spider is designed to handle more complex web applications that heavily rely on JavaScript and asynchronous requests. Unlike the Traditional Spider, which primarily follows links, the AJAX Spider simulates user interactions by executing JavaScript events and making asynchronous requests to discover and crawl dynamic content. This allows it to better handle modern web applications that extensively use AJAX and JavaScript to load content.
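As an added example (not ZAP's own code), the minimal depth-first spider below crawls a constructed in-memory site the way the Traditional Spider described above does: it follows every in-scope link on a page before backtracking, stays on the target host, and never discovers the endpoint that is only reachable through JavaScript, which is exactly the gap the AJAX Spider exists to close. The site map, host name and page bodies are all constructed for the example.

```python
"""Minimal depth-first link spider over a constructed site (example, not ZAP's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory "site": URL -> HTML body. target.example is a placeholder host.
SITE = {
    "http://target.example/": '<a href="/about">about</a> <a href="/docs/">docs</a>',
    "http://target.example/about": '<a href="/">home</a> <a href="http://other.example/x">ext</a>',
    "http://target.example/docs/": '<a href="intro">intro</a> <a href="/about#team">team</a>',
    # This page loads data via JavaScript only; a link-following spider will not see /api/data.
    "http://target.example/docs/intro": '<script>fetch("/api/data")</script>',
    "http://target.example/api/data": '{"hidden": true}',
}

class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags, as a traditional (link-following) spider does."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def fetch(url):
    """Stand-in for an HTTP GET against the constructed site; None plays the role of a 404."""
    return SITE.get(url)

def traditional_spider(start, fetch=fetch):
    """Depth-first crawl from `start`; returns the in-scope URLs in the order they were explored."""
    scope = urlparse(start).netloc          # scope = the target host only
    visited, order, stack = set(), [], [start]
    while stack:
        url = stack.pop()
        if url in visited:
            continue
        visited.add(url)
        order.append(url)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        # Resolve relative links, drop fragments, and refuse to drift to other hosts.
        for href in reversed(parser.links):  # reversed so the first link on the page is explored first
            absolute = urljoin(url, href).split("#", 1)[0]
            if urlparse(absolute).netloc == scope and absolute not in visited:
                stack.append(absolute)
    return order
```

Running `traditional_spider("http://target.example/")` explores `/`, then `/about` fully, then `/docs/` and `/docs/intro`; `/api/data` is never reached because no `<a href>` points to it.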

Questions

  • What are the three common stages of the Penetration Testing process and what tasks are performed at each one?

Penetration testing involves three stages: planning, testing, and reporting. First, the tester plans and prepares for the test, understanding the target and getting necessary permissions. Then, they actively scan for vulnerabilities and try to exploit them. Finally, they create a report with findings and recommendations to help the organization fix the vulnerabilities and improve security.

  • Explain a "man-in-the-middle proxy" in non-technical terms.

A man-in-the-middle proxy is like a secret listener who intercepts your phone conversation without your knowledge, allowing them to eavesdrop and potentially alter the conversation without you or the other person realizing it.

  • What are the 2 spiders available for use in ZAP?

Traditional Spider, AJAX Spider.

  • What situations are they best suited for?

Traditional Spider - following links within the application.

AJAX Spider - simulates user interactions by executing JavaScript events and making asynchronous requests to discover and crawl dynamic content.