The demand for security tests within companies is increasing. These tests can be executed in different ways, each with its own pros and cons. In this article, we look at penetration testing with OWASP ZAP.
Security testing is roughly classified by the type of vulnerability being tested for, or by the type of testing that has to be done. Commonly it is done as:
- Vulnerability Assessment
- Penetration Testing
- Runtime Testing
- Code Review
Note that Risk Assessment is not listed under security testing because it is not actually a test: it is an analysis of the perceived severity of different risks (to software or hardware security).
The Pentesting Process:
Software penetration testing (pentesting) is carried out as if the tester were a malicious external attacker whose goal is to break into the system and either steal data or carry out some sort of denial-of-service attack.
Manual and automated pentesting are often used together to test everything from servers and networks to devices and endpoints.
Pentesting generally follows these stages:
- Explore - The tester tries to learn about the system being tested. This includes determining the endpoints of the system and which patches are installed on it, and often also exploring the site for hidden content and possible known vulnerabilities.
- Attack - The tester attempts to actually exploit the known vulnerabilities to prove that they really exist in the system.
- Report - The tester writes up the results of the testing: the vulnerabilities found, how they were exploited, how difficult they are to exploit, and the severity of a successful exploitation.
Introduction to ZAP:
Zed Attack Proxy (ZAP) is a free, open source pentesting tool developed under the Open Web Application Security Project (OWASP) organization.
ZAP is designed mainly for testing web applications, and it is both flexible and extensible.
ZAP acts as an 'intercepting proxy' between the tester's browser and the web application: it receives the browser's requests and the application's responses, lets the tester inspect and modify their contents if needed, and then forwards them on to their destination.
Effectively, ZAP is used as a 'man in the middle' between the browser and the application, but it can also be used as a stand-alone application.
Browser->ZAP->Network Proxy->Web Application.
The ZAP UI consists of:
- Menu Bar - Provides access to many of the tools.
- Toolbar - Includes buttons for the most commonly used features.
- Tree Window - Displays the Sites tree and the Scripts tree.
- Workspace Window - Displays requests, responses and scripts, and allows you to edit them.
- Information Window - Displays details of the automated and manual tools.
- Footer - Displays a summary of the alerts found and the status of the main automated tools.
Configure your browser to proxy through ZAP:
By default, ZAP listens on localhost, port 8080, and your browser's proxy settings should point at that address and port. If you want to use a different address or port, you can set it under the local proxy settings in ZAP.
Import and Trust the ZAP Root CA Certificate:
- Start ZAP and click Tools -> Options.
- On the left pane of the Options window, click Dynamic SSL Certificates.
- On the right pane, click Save.
- Select a location to save the certificate to and click Save. Be sure to retain the .cer file extension.
To install the certificate:
- Navigate to the certificate file.
- Right-click on the certificate file and then click Install Certificate.
- In the Certificate Import Wizard, select either Current User or Local Machine as the scope of the certificate, then click Next.
- Select Place all certificates in the following store.
- Click Browse and select Trusted Root Certificate Authorities or Trusted Root Certificates (depending on your version of Windows) as the certificate store, then click Next.
- Click Finish.
- Review the security warning about trusted root certificates and click Yes if the warning is accepted.
Start Pentesting on ZAP:
- Start ZAP and click the Quick Start tab of the Workspace Window.
- In the URL to attack text box, enter the full URL of the web application you want to attack.
- Click the Attack button.
Viewing Alerts from the application:
In the Alerts tab you can see the alerts for the application along with their respective risks.
Run an Active Scan with ZAP:
An active scan sends real attacks against the web application, exercising all of the content ZAP has discovered. Where the passive checks only observe traffic, active scanning attempts to find further vulnerabilities by using known attacks against the selected targets. Active scanning is a real attack on those targets and can put them at risk, so do not use it against targets you do not have permission or the right to test.
To start an active scan:
- In the Tree View, in the Sites tab, select the sites you want to perform an active scan on.
- Right-click the selected sites and select Active Scan.
- In the Information Window, select the Active Scan tab.
- Click New Scan.
To review and modify your settings, then begin an active scan:
- In the Menu Bar, click Tools -> Active Scan.
- Review the settings and make any changes you wish to.
- Click Start Scan to start the Active Scan with these settings.
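The same active scan and alert review can be driven from a script rather than the UI. The following is an added example written for this article; it is not code from the article and not ZAP's own client library. It assumes ZAP is running with its API enabled on its default address 127.0.0.1:8080 with an API key set (the key is shown under Tools -> Options -> API), that the endpoint paths ascan/action/scan, ascan/view/status and core/view/alerts follow the ZAP JSON API (check them against the /JSON/ listing of your ZAP version), and that target.example is a placeholder for an application you are authorised to test. It starts an active scan, polls until ZAP reports it complete, then pulls the alerts and summarises them by risk so a CI job can fail the build when anything at Medium risk or above is reported. A constructed stand-in transport lets the whole flow run offline.

```python
"""Added example, not from the article and not ZAP's own client library: drive a
ZAP active scan over the ZAP JSON REST API (standard library only), wait for it,
then triage the alerts by risk so a CI job can fail on findings. Assumptions not
in the article: ZAP runs with its API enabled on its default 127.0.0.1:8080 with
an API key; the endpoint paths follow the ZAP JSON API (check them against the
/JSON/ listing of your ZAP version); target.example is a placeholder target."""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"  # ZAP's default proxy/API address
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def http_json(url, headers):
    """Live transport: GET `url` with `headers` and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    def __init__(self, api_key, base=ZAP_API, transport=http_json):
        self.api_key, self.base = api_key, base.rstrip("/")
        self.transport = transport  # injectable, so the flow can run offline

    def call(self, component, kind, name, **params):
        # Every ZAP API call looks like /JSON/<component>/<view|action>/<name>/?...
        query = urllib.parse.urlencode(params)
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?{query}"
        return self.transport(url, {"X-ZAP-API-Key": self.api_key})

    def active_scan(self, target, poll_seconds=5.0, sleep=time.sleep):
        """Start an active scan of `target` and block until ZAP reports 100%."""
        scan_id = self.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        while int(self.call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
            sleep(poll_seconds)
        return scan_id

    def alerts(self, target):
        """Fetch the alerts ZAP raised for URLs under `target`."""
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count distinct findings per risk level; ZAP can report the same
    (alert, url, param) triple more than once, so de-duplicate first."""
    counts, seen = dict.fromkeys(RISK_ORDER, 0), set()
    for a in alerts:
        key = (a["alert"], a["url"], a.get("param", ""))
        if key not in seen:
            seen.add(key)
            counts[a["risk"]] += 1
    return counts


def should_fail(alerts, threshold="Medium"):
    """The CI gate: True if any alert is at or above `threshold`."""
    return any(RISK_ORDER[a["risk"]] >= RISK_ORDER[threshold] for a in alerts)


# Constructed sample alerts in the shape of ZAP's core/view/alerts output; they
# feed the offline stand-in below and are not real scan results.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/search?q=x", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/search?q=x", "param": "q"},  # duplicate report
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://target.example/", "param": "x-content-type-options"},
]


def fake_zap_transport():
    """Offline stand-in for a running ZAP: answers the three endpoints used
    above and reports the scan as 40% done twice before completing it."""
    polls = {"n": 0}
    def transport(url, headers):
        path = urllib.parse.urlparse(url).path
        if path == "/JSON/ascan/action/scan/":
            return {"scan": "0"}
        if path == "/JSON/ascan/view/status/":
            polls["n"] += 1
            return {"status": "100" if polls["n"] > 2 else "40"}
        if path == "/JSON/core/view/alerts/":
            return {"alerts": SAMPLE_ALERTS}
        raise ValueError("unexpected ZAP endpoint: " + path)
    return transport


def run(target, api_key, transport=http_json, sleep=time.sleep):
    """Scan, collect and triage; returns (counts per risk, gate failed?)."""
    zap = ZapClient(api_key, transport=transport)
    zap.active_scan(target, sleep=sleep)
    found = zap.alerts(target)
    return summarize(found), should_fail(found)


if __name__ == "__main__":  # offline demo; use http_json/time.sleep for a live ZAP
    print(run("http://target.example/", "changeme", fake_zap_transport(), lambda _: None))
```

Run as-is, the script exercises the stand-in and prints one High and one Low finding with the gate tripped; calling run(url, api_key) with the defaults talks to the live ZAP instead. The transport is injected rather than hard-wired so the scan-poll-triage logic can be unit tested without standing up ZAP, and the de-duplication in summarize matters because ZAP reports one alert per affected request, which inflates raw counts on repeated parameters.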
Footnotes: ZAP is a pentesting tool that sends real attacks against live web content and data, so you must only use it to look for vulnerabilities in applications that you own or have the rights to test; otherwise it will be a legal offence.