Prerequisites #
Java 11+ is required and must be installed manually for the Windows, Linux, and Cross-Platform packages. The Docker and macOS packages do not need this step, so you can go straight to installation.
⚡ Installing OWASP Zed Attack Proxy (ZAP) ⚡ #
Download OWASP ZAP from OWASP.
If you get stuck follow the instructions from the QuickStart Guide.
When you have completed the installation, start OWASP ZAP, read the agreement and click agree if you accept the terms.
!!If you are running on macOS!!
ZAP is currently not a verified developer with Apple, so macOS may refuse to start it with the error: "OWASP ZAP.app cannot be opened because the developer cannot be verified."
Go to "System Preferences > Security & Privacy" and click "Open Anyway" at the bottom of the dialog.
Using OWASP ZAP #
The first thing you will be asked is the type of session to use (see figure 1). Keep in mind that if you choose "persist the session" you can access the session and its files again later; if you choose "not persistent", you will lose your work once you close ZAP.
It is recommended to sign in to your target first (as an authenticated user: the more access, the more goodies).
Figure 1: Type of session
Now you are ready to go, happy ZAPPING! 🙈🙉🙊
If you get stuck, check out the QuickStart Guide, below are simplified versions of how to scan.
Automated Scan #
A scan that performs passive/automated scanning to build a sitemap of your target and identify potential vulnerabilities.
You can use the traditional spider: a passive crawl that enumerates links, directories, etc. and builds a website index without any brute force.
Or the AJAX Spider add-on, which integrates ZAP with a crawler for AJAX-rich sites (Crawljax). It requires a web browser plus the proxy; the easiest way to use it is with HtmlUnit (or Firefox).
- Start ZAP
- Click “Automated Scan” tab
- Enter full URL of your target
- Choose scan type (see below for difference)
- Click attack button ⚡
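The same "Automated Scan" can be driven headlessly through ZAP's JSON API, which is what you want once you move from clicking the attack button to running scans from a script or CI job. The following is an added example, not code from the original page or from the ZAP project. It assumes ZAP is already running with its API on the default local proxy address 127.0.0.1:8080, that the API key from Tools > Options > API is exported as `ZAP_API_KEY`, and that the target URL is passed on the command line; the `SAMPLE_ALERTS` list is constructed here so the alert summary can be exercised without a live ZAP instance.

```python
"""Headless equivalent of the Quick Start "Automated Scan": spider the target,
wait for the passive scanner to drain, then summarise alerts by risk level.

Added example, not part of the original page or of the ZAP project.
Assumes ZAP is running with its API on 127.0.0.1:8080 (the default local proxy
address) and that ZAP_API_KEY holds the key from Tools > Options > API.
"""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"           # assumption: ZAP's default local proxy/API address
API_KEY = os.environ.get("ZAP_API_KEY", "")  # assumption: API key configured in Tools > Options > API


def api_url(component: str, kind: str, action: str, **params: str) -> str:
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    query = urllib.parse.urlencode({**params, "apikey": API_KEY})
    return f"{ZAP_API}/JSON/{component}/{kind}/{action}/?{query}"


def call(component: str, kind: str, action: str, **params: str) -> dict:
    """Perform one API call and decode the JSON body."""
    with urllib.request.urlopen(api_url(component, kind, action, **params), timeout=30) as resp:
        return json.load(resp)


def spider_and_passive_scan(target: str, poll_seconds: float = 2.0) -> list:
    """Traditional spider (no brute force), then wait for the passive-scan backlog to reach 0."""
    scan_id = call("spider", "action", "scan", url=target, recurse="true")["scan"]
    while int(call("spider", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)
    # The passive scanner works on the requests the spider made; wait for its queue to drain
    # before reading alerts, otherwise late findings are missed.
    while int(call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(poll_seconds)
    return call("core", "view", "alerts", baseurl=target)["alerts"]


def summarise_alerts(alerts: list) -> dict:
    """Count alerts per risk level, deduplicated by (name, url) so one finding
    reported on several instances is not counted once per instance."""
    seen = set()
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        key = (alert.get("name"), alert.get("url"))
        if key in seen:
            continue
        seen.add(key)
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


# Constructed sample in the shape /JSON/core/view/alerts/ returns, so summarise_alerts
# can be exercised offline; the values are made up for this example.
SAMPLE_ALERTS = [
    {"risk": "Medium", "name": "Missing Anti-clickjacking Header", "url": "http://target.example/"},
    {"risk": "Medium", "name": "Missing Anti-clickjacking Header", "url": "http://target.example/"},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://target.example/login"},
    {"risk": "Informational", "name": "Suspicious Comments", "url": "http://target.example/app.js"},
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    alerts = spider_and_passive_scan(target) if target else SAMPLE_ALERTS
    print(json.dumps(summarise_alerts(alerts), indent=2))
```

Run it as `python zap_auto.py https://your.target/` with ZAP open; without an argument it only summarises the constructed sample. Polling `pscan/view/recordsToScan` before reading alerts is the step most scripts forget: the spider finishing does not mean the passive scanner has looked at every response yet.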
Manual Scan #
You can quickly and easily launch browsers that are pre-configured to proxy through ZAP via the Quick Start tab. Browsers launched in this way will also ignore any certificate validation warnings that would otherwise be reported. (needs to be confirmed)
!!Requires proxy to be configured!!
In ZAP: select Tools > Options > Local Proxy and ensure you have 127.0.0.1:8080, "Remove unsupported encodings" and "Always unzip" set.
Still in ZAP: select Tools > Dynamic SSL > Save the certificate (remember where you put it).
Import the certificate into your browser (we recommend 🦊 Firefox 🦊 and trusting all options).
In your browser's proxy configuration: 127.0.0.1:8080, SOCKS host: 127.0.0.1:9050
- Start ZAP
- Click “Manual Scan” tab
- Enter full URL of your target
- Choose scan type (see below for difference)
- Click attack button ⚡