The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular open-source security tools, actively maintained by the Open Web Application Security Project (OWASP). It is designed to help developers and security professionals find security vulnerabilities in web applications during the development and testing phases. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Key Features:

  • Automated Scanning: Detects a wide range of security vulnerabilities automatically.
  • Intercepting Proxy: Allows inspection and modification of HTTP/HTTPS traffic between the browser and web application.
  • Spider: Crawls the web application to discover its structure and content.
  • Fuzzer: Tests inputs with various payloads to uncover hidden vulnerabilities.
  • Plug-n-Hack: Integrates security tools with modern browsers.

Installing OWASP ZAP

1. Download OWASP ZAP:

  • Navigate to the official OWASP ZAP download page
  • Choose the appropriate version for your operating system (Windows, macOS, or Linux).
  • Download and run the installer.
Download OWASP ZAP

2. Installation Steps:

  • Follow the installation instructions, accepting the license agreement and choosing the installation directory.
  • After installation, launch OWASP ZAP.
OWASP ZAP Launching

3. First Launch Configuration:

  • Upon first launch, you can choose to persist the ZAP session, which is useful for saving your scan progress and results.
  • Configure local proxy settings, typically set to localhost:8080.

Setting Up OWASP ZAP for Development

  1. Configuring ZAP:
    • Open OWASP ZAP.
    • Go to the “Options” menu (gear icon) to configure essential settings such as local proxy, authentication methods, and user configurations.
  2. Integrating ZAP with Development Tools:
    • Web Browser Integration:
      • Configure your browser to use ZAP as a proxy. For example, in Chrome:
        • Go to Settings > Advanced > System > Open proxy settings.
        • Set the HTTP proxy to localhost and the port to 8080.
  3. Installing Necessary Add-ons:
    • Enhance ZAP’s functionality by installing add-ons. Go to the Marketplace tab and install useful add-ons like “Advanced Scan,” “Active Scan Rules,” and more.

Developing Passive Scans with Selenium Java

  1. Setting Up Selenium:
    • Create a Maven Project:
      • Open your IDE (e.g., IntelliJ IDEA, Eclipse) and create a new Maven project.
      • Specify the project name and location.
    • Add Dependencies:

Add the Selenium dependencies to your pom.xml file:
xml
Copy code

<!-- https://mvnrepository.com/artifact/org.zaproxy/zap-clientapi -->		


<dependency>
			<groupId>org.zaproxy</groupId>
			<artifactId>zap-clientapi</artifactId>
			<version>1.14.0</version>
		</dependency>
		<dependency>
			<groupId>org.testng</groupId>
			<artifactId>testng</artifactId>
			<version>7.6.1</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>org.seleniumhq.selenium</groupId>
			<artifactId>selenium-java</artifactId>
			<version>4.16.1</version>
		</dependency>
		<!--
		https://mvnrepository.com/artifact/io.github.bonigarcia/webdrivermanager  -->
		<dependency>
			<groupId>io.github.bonigarcia</groupId>
			<artifactId>webdrivermanager</artifactId>
			<version>5.6.3</version>
		</dependency>
		<!--
		https://mvnrepository.com/artifact/org.seleniumhq.selenium/selenium-firefox-driver  -->
		<dependency>
			<groupId>org.seleniumhq.selenium</groupId>
			<artifactId>selenium-firefox-driver</artifactId>
			<version>4.16.1</version>
		</dependency>
	</dependencies>
	<build>
		<pluginManagement>
			<plugins>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-surefire-plugin</artifactId>
					<version>3.0.0-M8</version>
					<configuration>
						<suiteXmlFiles>
							<suiteXmlFile>./src/test/testng.xml</suiteXmlFile>
						</suiteXmlFiles>
					</configuration>
				</plugin>
			</plugins>
		</pluginManagement>
	</build>

Configuring Selenium to Use ZAP:

Create a ZapUtil class for both passive and active scans:

	
public class ZapUtil {


private static ClientApi clientApi;
	public static Proxy proxy;
	private static ApiResponse apiResponse;
	private static final String zapAddress = "127.0.0.1";
	private static final int zapPort = 8080;
	private static final String apiKey = "*******************"; // Please add your own api key from ZAP
	static {
		clientApi = new ClientApi(zapAddress, zapPort, apiKey);
		proxy = new Proxy().setSslProxy(zapAddress + ":" + zapPort).setHttpProxy(zapAddress + ":" + zapPort);
	}
	public static void waitTillPassiveScanCompleted() {
		try {
			apiResponse = clientApi.pscan.recordsToScan();
			String tempVal = ((ApiResponseElement) apiResponse).getValue();
			while (!tempVal.equals("0")) {
				System.out.println("passive scan is in progress");
				apiResponse = clientApi.pscan.recordsToScan();
				tempVal = ((ApiResponseElement) apiResponse).getValue();
			}
			System.out.println("passive scan is completed");
		} catch (ClientApiException e) {
			e.printStackTrace();
		}
	}
	public static void addURLToScanTree(String site_to_test) throws ClientApiException {
		clientApi.core.accessUrl(site_to_test, "false");
		if (getUrlsFromScanTree().contains(site_to_test))
			System.out.println(site_to_test + " has been added to scan tree");
		else
			throw new RuntimeException(site_to_test + " not added to scan tree, active scan will not be possible");
	}
	public static List<String> getUrlsFromScanTree() throws ClientApiException {
		apiResponse = clientApi.core.urls();
		List<ApiResponse> responses = ((ApiResponseList) apiResponse).getItems();
		return responses.stream().map(r -> ((ApiResponseElement) r).getValue()).collect(Collectors.toList());
	}
	public static void performActiveScan(String site_to_test) throws ClientApiException {
		String url = site_to_test;
		String recurse = null;
		String inscopeonly = null;
		String scanpolicyname = null;
		String method = null;
		String postdata = null;
		Integer contextId = null;
		apiResponse = clientApi.ascan.scan(url, recurse, inscopeonly, scanpolicyname, method, postdata, contextId);
		String scanId = ((ApiResponseElement) apiResponse).getValue();
		waitTillActiveScanIsCompleted(scanId);
	}
	private static void waitTillActiveScanIsCompleted(String scanId) throws ClientApiException {
		apiResponse = clientApi.ascan.status(scanId);
		String status = ((ApiResponseElement) apiResponse).getValue();
		while (!status.equals("100")) {
			apiResponse = clientApi.ascan.status(scanId);
			status = ((ApiResponseElement) apiResponse).getValue();
			System.out.println("Active scan is in progress");
		}
		System.out.println("Active scan has completed");
	}
	public static void generateZapReport(String site_to_test) {
		String title = "Demo Title";
		String sites = site_to_test;
		String description = "Demo description";
		String template = "traditional-html-plus";
		String sections = "chart|alertcount|passingrules|instancecount|statistics|alertdetails";
		String theme = "light";
		String includedrisks = "High|Medium|Low";
		String includedconfidences = null;
		String reportfilename = null;
		String reportfilenamepattern = "{{yyyy-MM-dd}}-ZAP-Report-[[site]]";
		String reportdir = System.getProperty("user.dir") + "//reports";
		String display = "true";
		String contexts = null;
		try {
			clientApi.reports.generate(title, template, theme, description, contexts, sites, sections,
					includedconfidences, includedrisks, reportfilename, reportfilenamepattern, reportdir, display);
			System.out.println("Report generation requested");
		} catch (ClientApiException e) {
			e.printStackTrace();
		}
	}
}

Api key-

ZAP Api key

Implementing Passive Scans:

Write Selenium tests to interact with your web application. ZAP will passively scan the HTTP requests and responses generated by these interactions.

java
Copy code

{
public class PassiveScan	


private WebDriver driver;
	private final String urlToTest = "https://www.zaproxy.org/";
	@BeforeMethod
	public void setUp() {
		// Configure the proxy settings
		FirefoxOptions options = new FirefoxOptions();
		options.setProxy(proxy);
		options.setAcceptInsecureCerts(true);
		WebDriverManager.firefoxdriver().setup();
		driver = new FirefoxDriver(options);
	}
	@Test
	public void testPassiveScan() throws InterruptedException {
		driver.get(urlToTest);
		Thread.sleep(10000);
		// Wait for passive scan to complete
		ZapUtil.waitTillPassiveScanCompleted();
	}
	@AfterMethod
	public void tearDown(Method method) throws InterruptedException {
		Thread.sleep(10000);
		generateZapReport(urlToTest);
		driver.quit();
	}
}
  1. Viewing Passive Scan Results:
    • In ZAP, navigate to the “Alerts” tab to view issues detected during the passive scan. This tab provides detailed information about the potential security issues found.

Developing Active Scans with Postman and Selenium Java

Configuring Postman:

  1. Open Postman and create a new collection for your API tests.
  2. For each API request, configure the proxy settings to use ZAP (localhost:8080).
Proxy settings to use ZAP

Collection download link: Git link

Create environment:

ZAP Environment Creation

Running Active Scans:

  1. Set Up Selenium:

Implement Selenium tests for web application interaction:

public class ActiveScan {
   private WebDriver driver;
   private final String urlToTest = "https://www.zaproxy.org/";
   @BeforeMethod
   public void setUp()  {
       // Configure the proxy settings
   	
   	FirefoxOptions options=new FirefoxOptions();
   	options.setProxy(proxy);
   	options.setAcceptInsecureCerts(true);
       WebDriverManager.firefoxdriver().setup();
       driver = new FirefoxDriver(options);
      
   }
  
   @Test
   public void testActiveScan() throws ClientApiException {
       addURLToScanTree(urlToTest);
       performActiveScan(urlToTest);
   }
   @AfterMethod
   public void tearDown(Method method) throws InterruptedException{
   	Thread.sleep(10000);
       generateZapReport(urlToTest);
       driver.quit();
   }
}

2. Viewing Active Scan Results:

  • Go to the “Alerts” tab to view results. Active scans provide detailed insights into vulnerabilities by sending payloads and analyzing responses.

Understanding Passive and Active Scans

  • Passive Scan:
    • A passive scan analyzes HTTP requests and responses as they pass through the proxy without altering the traffic. It’s non-intrusive and safe for live systems. Examples of issues detected include missing security headers, outdated software versions, and weak SSL configurations.
  • Active Scan:
    • An active scan sends payloads to the application to identify vulnerabilities through direct interaction. It’s more intrusive and can affect application performance, so it’s best used in a testing environment. Examples include SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities.

OWASP ZAP Report

  • Generating Reports:
    • After completing your scans, you can generate detailed reports from ZAP by navigating to Reports > Generate HTML Report.
    • These reports provide a comprehensive view of the security posture of your web application, including all identified vulnerabilities and their details.
ZAP Report Generation

Conclusion

OWASP ZAP is a versatile and powerful tool for integrating security testing into your development lifecycle. By leveraging passive and active scans with Selenium, Java and Postman, you can uncover and address security vulnerabilities early, enhancing your web application’s security posture. This guide provides a comprehensive approach to utilizing ZAP effectively, ensuring you can secure your applications against common and advanced threats.

This page was last edited on 22 August 2024, at 11:30 am