OWASP Zed Attack Proxy Primer

Introduction

Otherwise known as ZAP, the OWASP Zed Attack Proxy is a web proxy application used to intercept, analyze and manipulate web traffic. It is a free and open source alternative to Burp Suite. When it comes to performing a penetration test against a web application, a web proxy is the number one tool needed. It can uncover hidden information in server responses that you may not notice, it can analyze the traffic looking for indicators of misconfigurations and it can quickly map out entire sites at the click of a button. You launch your proxy, which will listen on localhost on port 8080 by default, although this can be configured to different values as necessary.

Some important features are:

• Spider
• Forced Directory Browsing
• Active Scan
• Alerts
• Request Editor/Repeater
• HUD

Setup

Routing Traffic

One of the recent developments in ZAP that has really drawn my attention and led me to use ZAP more heavily is the introduction of the HUD. This brilliant addition overlays pretty much all the information and functionality of the ZAP proxy on the browser itself so you don’t have to keep switching windows. This will be shown later in this post. For now we will launch it in a similar manner to how we would launch Burp. When you first open ZAP, it will prompt you asking if you would like to persist your session, saving it to a file. For now, select no and continue. You will see a window like below:

Now that ZAP is up, open Firefox and get into the preferences window found in the hamburger menu. Type proxy in the search bar and it will drop you right where you need to be to tell your browser to route through ZAP:

By default, web proxies like ZAP will run on port 8080. Select the radio button next to Manual proxy configuration, type 127.0.0.1 into the HTTP Proxy field, set the port to 8080 and check the box to Use this proxy server for all protocols before clicking on OK:

Now when we browse to sites in our browser, we will see the site tree on the left side of the ZAP window begin populating with every site that it sees:

The bottom part of the window shows the history of each request made, and the top right panel shows individual requests and associated responses in tabbed format for whatever is selected in the tree or history panels.

Our traffic is successfully routed through our proxy and we have just a couple more things to complete before we can start testing our target. With a proxy in between our browser and the websites we visit, we need to tell our browser to trust the certificate used by the proxy so we can browse HTTPS websites without triggering the browser's native protective measures.

SSL Certificates

An important step to take when launching ZAP this way is to import its Root CA certificate as trusted in your browser, otherwise any HTTPS site will break, with most not even allowing you to add an exception. To do this, go into the Tools menu of ZAP, select Options then find the Dynamic SSL Certificates section. You will need to click on the Generate button, then Save at the bottom to save the certificate to your file system:

Once saved, switch to Firefox and go into Preferences. Search for Certificates and select View Certificates:

Click Import on the window that pops up and select the file you just saved out of ZAP:

Since mine has already been imported it won’t prompt me with the next window but you should have the option to select what you want to trust this certificate to identify, and you should check to trust everything that has the option to. With this done, you will be able to navigate to any site without interruption. ZAP also has the ability to launch the browser for you, in which case it handles all of this for you and you won’t need to import the certificate for that session.

Contexts

Now with ZAP up and our traffic successfully routing through it, we can get down to business. First we will want to tell ZAP what sites we want to consider as in scope for our test. This is done using contexts, and until you tell it otherwise ZAP will consider every site it sees as explicitly out of scope for any active tools, in order to protect you from accidentally attacking a target that you do not have permission to test. One easy way to add a site to your context is to find it in the site tree, right click on it and use the Include in Context menu option:

We are running a local instance of Juice Shop, a vulnerable eCommerce application that is good for practicing various attacks. Now that we have included our target in our default context, it will make things easier if we filter out all the out of context noise so we can focus only on what is important. To do this, find the button that looks like a grey and white target above the site tree and another above the history panel, and click both so that they turn red:

Now ZAP is filtering all out of context information from view, although it is still collecting it so you can toggle off the filter and see it later if needed.

Spider

Now that we have set our scope, we can safely tell ZAP to spider our target. This will crawl the site and navigate to everything linked to in any in-context page on our target. While it will occur at a high rate, it will be mostly indistinguishable from normal web traffic to the server so it is relatively safe to do. Right click on the site you want to spider, find the Attack sub menu and select Spider. You will see a new tab in the bottom panel appear showing the progress and results of the scan, and you will begin seeing new nodes under the site in the site tree:

This is a great way to map out a target that may be a large application. ZAP automatically analyzes all responses that come from the server to look for signs of misconfiguration or possible vulnerabilities. It defaults to passive mode so it will only analyze traffic you generate, or traffic that you explicitly tell ZAP to generate such as issuing a spider command.

Forced Directory Browsing

While tools like Dirbuster and GoBuster still shine, it’s nice to have similar functionality built into the proxy so it is immediately available. This is what the Forced Directory Browsing (and Children) option in the Attack menu does. You can point it at a word list and it will recursively try to discover non-linked directories and endpoints in the target. This will further populate the site tree in the top left panel, and give more of an attack surface when it comes to active scanning:

Active Scanning

Next, we can switch ZAP into active mode where it will generate malicious traffic to try and identify more issues with the target. Be cautious doing this however, as it is very noisy and will trip any kind of monitoring or protection measures that exist on the target. I recently had my home network temporarily banned by Akamai during a bug bounty because I tried this method on the client's QA server and my wife was not happy that she couldn’t get to any of her favorite shopping sites. Use a VPN folks.

Again in the Attack sub menu, select Active Scan and click start scan. You can see the traffic that it is sending in the bottom panel:

Remember you can select any of these requests from the bottom panel to open them up and see every detail, as well as manually resend that particular request.

Alerts

As ZAP analyzes the traffic you generate passively, or generates malicious traffic during an active scan, it will identify and report possible issues and vulnerabilities. These are called Alerts in the ZAP ecosystem and they provide a ton of information. If the free version of Burp has something similar to this, then I haven’t found it, and it is one of the biggest reasons I prefer ZAP over Burp right now. You can see its categorized findings under the Alerts tab in the bottom panel:

As ZAP finds indications of misconfigurations or vulnerabilities in an application, it will populate this window. The alerts are ranked and categorized, and you can drill down on them to get down to the specific request that it found the issue in. The panel to the right will show a good amount of information on the issue including the URL the alert was generated from, the risk ranking, a description of the category of issue, relevant information with links to resources when available as well as a suggestion to resolve the issue.
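Everything from the Contexts section through the Alerts section above (include the target in a context, spider it, run the active scanner, then read the ranked alerts) can also be driven through ZAP's local HTTP API, which is what you would do to repeat the same checks against a test instance on every build. The script below is an added example written for this post; it is not code from the ZAP project. It assumes ZAP is listening on its default 127.0.0.1:8080, that an API key has been set under Tools > Options > API (the `ZAP_API_KEY` placeholder), and that the target is a local Juice Shop on `http://localhost:3000` (a constructed value). The `fetch` parameter is an injectable transport so the workflow can be exercised without a live ZAP; `inScopeOnly` on the active scan is the same guard the context gives you in the GUI.

```python
"""Drive the context / spider / active-scan / alerts workflow through ZAP's
local HTTP API instead of the GUI.  Added example, not ZAP project code."""
import json
import re
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://127.0.0.1:8080"      # ZAP's default listen address (assumption)
ZAP_API_KEY = "change-me"              # placeholder: copy the key from Tools > Options > API
TARGET = "http://localhost:3000"       # constructed: a local Juice Shop instance

RISK_ORDER = ("High", "Medium", "Low", "Informational")


def api_url(component, kind, name, **params):
    """Build a ZAP API URL, e.g. .../JSON/spider/action/scan/?url=...&apikey=..."""
    query = urllib.parse.urlencode({"apikey": ZAP_API_KEY, **params})
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"


def call(component, kind, name, fetch=None, **params):
    """Issue one API call and decode the JSON reply.  `fetch` is an optional
    transport (url -> bytes) so the workflow can run without a live ZAP."""
    url = api_url(component, kind, name, **params)
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, timeout=30) as resp:
                return resp.read()
    return json.loads(fetch(url).decode())


def include_in_context(target, fetch=None, context="Default Context"):
    """Same effect as the 'Include in Context' menu: everything under the target
    host is in scope, so the active tools refuse to touch anything else."""
    regex = re.escape(target.rstrip("/")) + ".*"
    return call("context", "action", "includeInContext", fetch=fetch,
                contextName=context, regex=regex)


def _wait(component, scan_id, fetch, sleep, poll):
    """Poll <component>/view/status until the scan reports 100%."""
    while int(call(component, "view", "status", fetch=fetch,
                   scanId=scan_id)["status"]) < 100:
        sleep(poll)
    return scan_id


def spider(target, fetch=None, sleep=time.sleep, poll=2):
    """Crawl every linked resource under the target and block until done."""
    scan_id = call("spider", "action", "scan", fetch=fetch, url=target)["scan"]
    return _wait("spider", scan_id, fetch, sleep, poll)


def active_scan(target, fetch=None, sleep=time.sleep, poll=5):
    """Run the active scanner; inScopeOnly keeps it inside the context above."""
    scan_id = call("ascan", "action", "scan", fetch=fetch, url=target,
                   recurse="true", inScopeOnly="true")["scan"]
    return _wait("ascan", scan_id, fetch, sleep, poll)


def alerts_by_risk(alerts):
    """Group alert records by risk level, then count instances per alert name,
    which is the same ranking the Alerts tab shows."""
    grouped = {level: Counter() for level in RISK_ORDER}
    for alert in alerts:
        grouped.setdefault(alert["risk"], Counter())[alert["alert"]] += 1
    return grouped


def triage(target, fetch=None):
    """Pull every alert raised for the target (passive and active) and group it."""
    alerts = call("core", "view", "alerts", fetch=fetch, baseurl=target)["alerts"]
    return alerts_by_risk(alerts)


if __name__ == "__main__":
    include_in_context(TARGET)
    spider(TARGET)
    active_scan(TARGET)
    for level, counts in triage(TARGET).items():
        for name, n in counts.most_common():
            print(f"{level:13s} {n:3d}  {name}")
```

Run it with ZAP open and the target up; the summary it prints is the Alerts tab collapsed to one line per finding, which is enough to spot when a build introduces a new High or Medium that you then confirm by hand in the Request Editor.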

Request Editor/Repeater

While the alerts are definitely very useful, just like with all automated scanners it is a good idea to manually confirm that the vulnerability truly exists. ZAP gives an easy way to do this in the form of the Request Editor. You can right click on any request, whether in the Alerts panel, the History panel, or the Site Tree, and select Open/Resend in Request Editor. This will pop up a window with the raw HTTP request that allows you to make modifications to any field and send it to the server. This is great for inserting SQLi and de-serialization payloads into things like cookies that aren’t directly editable in the browser and are often overlooked by developers as a means of malicious data transfer:

HUD

It appears that either a recent update broke this functionality, or more likely that a recent change on my system did. Either way, it isn’t working but I highly recommend you head over to YouTube and watch the video from the developers to see what it’s all about. Once I get it working again, I will either update this post, or create a follow up post to demonstrate it, so stay tuned.

Conclusion

This is just a high level view of what I consider to be the most important features. ZAP also has plugins and a scripting engine that allow for a great deal of extensibility, much like Burp Suite Pro does. As I dig into that and learn it myself, I will put together a new post for a deeper dive into this important tool for web application penetration testing.
