This blog is NOT OFFICIAL website of Kali Linux. We just share Tutorials to learn Cybersecurity.

ZAP -- Most Used Web Vulnerability Scanner

Home

OWASP ZAP is a multipurpose scanning tool that helps a lot penetration testers and bug bounty hunters for finding vulnerabilities on web app. ZAP stands for Zed Attack Proxy. It is loaded with proxy, active and passive vulnerability scanners, fuzzer, spider, HTTP request sender & many more.

zap kali linux zed attack proxy

In this detailed guide we are going to learn a lot of things of ZAP in easy language.

Opening and Updating ZAP

First of all we need to open and update ZAP on our Kali Linux. So we can find it on our Kali Linux Application Menu > Web Application Analysis > ZAP, or we can search for it on the menu, As shown in the following screenshot.

zap in kali linux application menu

Then we click on it and it opens the ZAP application's front page as shown in the following screenshot:

ZAP welcome screen

Here we can press CTRL+U and update all add-ons by clicking "Update All". In the following screenshot we can see that our this system already updated everything.

Sometimes on some laptops we have noticed that the update screen takes the total screen and we are not able to see the "Update All" option. In that case we just make the window smaller and then drag it up [simple!].

fixing ZAP update window

After finishing the update we need to configure the proxy on browser to run ZAP.

Configuring Network Proxy for ZAP

This quite similar to setup proxy for Burp and WebScarab. We need open our browser (with Kali Linux we got Firefox browser as default). On Firefox we need to open Menu and navigate to Preferences. On the General tab, we scroll down and click on Network Settings.

firefox network settings

It opens a new window, we need to set manual proxy here. We need to set the "Manual proxy configuration", HTTP proxy should be 127.0.0.1 (localhost) and the port is 8080. As shown in the following screenshot:

manual proxy settings

This is how we can set the manual proxy on Firefox browser. We can check manual proxy settings for other browsers. FoxyProxy add-on can easily switch between proxies.

Then if we navigate to a website from our browser and we got security warning from our browser, as shown in the following screenshot:

Firefox warning
This is basically happens for the security certificate. Here we need to click on "Advanced". Then we need to click on "Accept risk and continue", as shown in the following screenshot then the certificate for ZAP will be added for this site.
Accept the risk and continue

Scan for Sensitive Files and Folders using ZAP

After setting ZAP as a proxy, we can scan a website or web application using it. We open a website on our browser and ZAP will react to this action by shows the host's name on the upper-left panel. We just need to right click on the host name, and choose "Attack" > "Forced Browse Directory". As shown in the following screenshot:

ZAP forced browse directory ataack on kali linux

Then it will start finding directories by using a default word list for directory. We can see the result on the following screenshot:

ZAP's scan for files and folder is started

In the above screenshot we can see that the directory attack has been started. If it contains any sensitive information then wee can easily got it from here.

If we need to use any other custom word list for directory brute-force (this attack is a type of brute-force) then we need to go to Tools > Options (or we can open this by CTRL+ALT+O) and go to Forced Browse tab and select our custom word list.

Custom forced directory wordlists

By following that process we can add our custom word list for finding files and folders using ZAP.

Copy Website using ZAP Spider

Downloading a full site to a directory in our system leaves us with a static copy of the information; this means that we have the output produced by different requests, but we neither have such requests nor the response states of the server. To have a record of that information, we have spiders, such as the one integrated in OWASP ZAP.

We need to run the ZAP and browser have configured the browser for proxy. Then we navigate to target website (We are targeting our own site) from browser and ZAP respond to it.

ZAP respond to our website

Now we can see our website on the above screenshot. We need to right click for options, then we need to navigate to Attack > Spider. As shown in the following screenshot:

ZAP choosing spider a website

After selecting the spider we got a window as shown in the following screenshot:

starting spider using ZAP

Here we just need to click on the "Start Scan" to start spider on our website. After started we can see that it is started on the bottom panel of ZAP.

spider is started on ZAP

We also can see the structure of our website on the upper left panel of ZAP. We also can see the request methods (GET/POST) there. We can click there and see the request send by the spider and the response comes from the server.

ZAP request and response

On the right side, we can see the full request made, including the parameters used by ZAP.

How the spider works in ZAP?

Like any other crawler, ZAP's spider follows every link it finds in every page on the web application included in the scope requested and the links inside it. Also, ZAP's spider follows the form responses, redirects, & URLs included in robots.txt & sitemap.xml files. It then stores all the requests & responses for later analysis and use. This is very similar to Burp's Spider.

After crawling a website or web application, we may want to use the stored requests to perform some tests. Using ZAP's capabilities, we will be able to do the following, among other things:

  1. Repeat the requests that modify some data.
  2. Perform active and passive vulnerability scans.
  3. Fuzz the input variables looking for possible attack vectors.
  4. Replay specific requests in the web browser.

Automatically Scans for Vulnerabilities using ZAP

OSWAP ZAP is a tool that helps us to complete various tasks, automatically scanning a target website is one of them.

To use this feature we need to go set the manual proxy on our browser and open the site as we did previously.

Whenever ZAP respond to it and shows it on the Sites panel (upper left panel) we right click on the site and navigate to Attack > Active Scan , as shown in the following screenshot:

Active Scan using ZAP

Then a window will popup in front of us. At this point we need to fill some information to start the scan. The "Show Advanced Options" will give us more configuration.

ZAP active scan popup

Here also can configure our scan in terms of Scope (where to start the scan, on what context and many more ), Input Vectors (select if we want to test values in GET and POST requests, headers, cookies and other options), Custom Vectors (add specific characters or words from the original request as the attack vectors), Technology (what kind of technology specific tests we want to perform) and Policy (choose configuration parameters for specific tests).

After setting up every thing we can just start the scan by clicking on "Start Scan". In the following screenshot we can see our scan results.

Active scan ZAP results

In the above screenshot we can see that that scan is finished and we got 9 new alerts. On the "🚩Alerts" tab we got details about the alerts.

ZAP Alerts

We can see that we got some very serious security loophole on our vulnerable localhost server. This is how we can run security test on a web server or website using ZAP. Found it critical read the next one.

We can export the scan result in CSV, HTML or XML format.

Easy Auto Scanning for Vulnerability using ZAP

Suppose we are very beginner on Kali Linux or ZAP then we just open ZAP and choose "Automated Scan" on Quick Start. Then a popup window will comes up. Here we just put the URL and click on "⚡Attack". The following screenshot shows it.

Automated scan on ZAP

The attack will be started and we can see the output and Alerts.

ZAP automated alerts
We can see the results of the scan. Now this is live we don't add any manual proxy configuration for our system.

Hope we got a clear idea how Zed Attack Proxy works on our Kali Linux system and how we can run various test using it. This huge tool can be used as a fuzzer and it also can do much more, that we can't cover in single article. Try it and see what it can do.

Liked our articles? Then make sure to subscribe us by e-mail and get notified whenever we publish new articles. It's free. Also we post updates on GitHub and Twitter, make sure to follow us there.

For any kind of help we are always ready to help. Just leave a comment in the comment section. We always reply.

author-img
Kali Linux

Comments

1 comment
Post a Comment
  • AnonymousJanuary 26, 2023 at 3:28 PM

    Thank you for the helpful article!! :)

    Delete Comment
    google-playkhamsatmostaqltradent