
How to test application with ZAP – Part Three

We are finally prepared to use the ZAP tool to perform some security testing in this part of the ZAP series.

If you are new to this topic, please check out the previous articles in the series first.

We will use DVWA (Damn Vulnerable Web Application) for this part of the series.

DVWA is a PHP/MySQL web application built to help security professionals learn and practise with security tools while staying clear of legal implications. It ships with many common vulnerabilities, so you don’t need to waste time building a target application from scratch.

To follow along with the testing, you will need to install DVWA. There is a great guide on installing it in a Linux environment (use the Kali machine we set up in the first part of the series). You can find it on this site.

We will divide this part of the series into a few topics:

· Setting up Dynamic SSL certificates

· Automated Scan – How to use Ajax Spider?

· Recommendations for Add-ons

· HUNT extensions for OWASP ZAP

Setting up Dynamic SSL certificates

We want to start testing the application, but it is served over HTTPS with its own SSL certificate, and we get the following error:

If you want to read more about Dynamic SSL certificates, check out this site.

Without importing ZAP’s root CA certificate into the browser, the browser rejects the per-site certificates ZAP generates on the fly, so ZAP cannot forward and intercept HTTPS requests at the same time. So, we will need to set it up! Keep in mind that this root CA can sign a certificate for any site once the browser trusts it, so use a dedicated testing browser or profile and remove the certificate when you are done.

First, go to the menu Tools -> Options -> Dynamic SSL Certificates, then generate the certificate and save it to a file.

Now we need to configure the browser we will use for testing (I am using Brave). Go to the Privacy and Security section, press CTRL + F and search for “cert”. When you find the Manage certificates section, choose the Authorities tab, click Import and select the certificate file we saved from ZAP (if you don’t see the file while browsing, choose All files from the dropdown).

The following window will appear; choose to trust the certificate (the first option, as shown in the picture).

That is it; you are ready to proceed!

How to use Ajax Spider?

By OWASP: The Ajax Spider is an add-on that integrates into ZAP a crawler of AJAX-rich sites called Crawljax. You can use it in conjunction with the traditional spider for better results. It uses your web browser and proxy.

For more information about the add-on, you can check out OWASP’s official site.

In the Marketplace, we choose Ajax Spider to install it first.

There are a few ways to run an automated scan. The first and quickest is to go to Quick Start, choose Automated Scan, enter the URL of the application you want to scan and click the Attack button.

*In this step, you can also choose whether to use the traditional spider and/or the Ajax Spider. If the application you are testing is written using AJAX, you will definitely want to tick Ajax Spider; still, you can also tick the traditional one so the crawl is as complete as possible. The easiest way to use the Ajax Spider is with HtmlUnit. If you don’t see it in the dropdown, you need to install it; here is the place to check if you want to install it on Ubuntu.

After the scan (if you are using the DVWA application), you will see the list of vulnerabilities in the results, as in the following picture:
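The same spider, Ajax Spider and active scan sequence that the Quick Start tab runs can also be driven through ZAP’s JSON API. The script below is an added example, not code from this article or from the ZAP project. It assumes ZAP is running locally with its API enabled at http://localhost:8080, that ZAP_API_KEY holds the key shown under Tools -> Options -> API, and that DVWA is reachable at the TARGET URL; all three values are placeholders you need to change.

```python
"""Drive the Quick Start "Automated Scan" flow (traditional spider -> Ajax Spider ->
active scan) through ZAP's JSON API using only the Python standard library.

Assumptions (not from the article): ZAP runs locally with its API enabled,
ZAP_API_KEY is the key from Tools -> Options -> API, TARGET is a local DVWA.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"   # assumed ZAP proxy/API address
ZAP_API_KEY = "change-me"            # assumed; copy the key from Tools -> Options -> API
TARGET = "http://localhost/dvwa/"    # assumed local DVWA instance


def api_url(component, kind, name, params=None, base=ZAP_BASE, api_key=ZAP_API_KEY):
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params or {})
    query["apikey"] = api_key
    return "%s/JSON/%s/%s/%s/?%s" % (base, component, kind, name, urllib.parse.urlencode(query))


def call(component, kind, name, params=None):
    """Perform one API call and return the decoded JSON object."""
    with urllib.request.urlopen(api_url(component, kind, name, params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for(poll, done, interval=2.0):
    """Poll until done(status) is true; returns the final status value."""
    while True:
        status = poll()
        if done(status):
            return status
        time.sleep(interval)


def run_automated_scan(target, use_ajax=True):
    """Traditional spider, optional Ajax Spider, then active scan; returns the raw alerts."""
    spider_id = call("spider", "action", "scan", {"url": target})["scan"]
    wait_for(lambda: int(call("spider", "view", "status", {"scanId": spider_id})["status"]),
             lambda pct: pct >= 100)
    if use_ajax:
        # The Ajax Spider reports "running" / "stopped" rather than a percentage.
        call("ajaxSpider", "action", "scan", {"url": target})
        wait_for(lambda: call("ajaxSpider", "view", "status")["status"],
                 lambda state: state != "running")
    ascan_id = call("ascan", "action", "scan", {"url": target, "recurse": "true"})["scan"]
    wait_for(lambda: int(call("ascan", "view", "status", {"scanId": ascan_id})["status"]),
             lambda pct: pct >= 100)
    return call("core", "view", "alerts", {"baseurl": target})["alerts"]


def summarize_alerts(alerts):
    """Count alerts per risk level (High/Medium/Low/Informational), collapsing
    repeats of the same alert name on the same URL so the numbers match the
    Alerts tab rather than the number of individual messages flagged."""
    seen = set()
    counts = {}
    for alert in alerts:
        key = (alert.get("alert"), alert.get("url"))
        if key in seen:
            continue
        seen.add(key)
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


if __name__ == "__main__":
    found = run_automated_scan(TARGET)
    for risk, n in sorted(summarize_alerts(found).items()):
        print("%s: %d" % (risk, n))
```

The active scan is what actually sends attack payloads, so point TARGET only at an application you own or one built for this purpose, such as DVWA; the two spiders before it only crawl.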

Recommendations for add-ons

From the toolbar choose Manage Add-ons (the Add-ons Marketplace). You will see the Installed and Marketplace tabs. Since we want to add new add-ons, we choose Marketplace.

This is the recommended list of add-ons:

  • Directory List v2.3 (Provides files with directory names to be used with Forced Browse or Fuzzer add-on.)

  • Directory List v2.3 LC (Provides files with lower case directory names to be used with Forced Browse or Fuzzer add-on.)

  • FuzzDBFiles (Provides the FuzzDB files which can be used with the ZAP fuzzer. Some files which cause anti-virus software to flag or remove files have been split off into the FuzzDB Offensive add-on available via the ZAP Marketplace.)

  • FuzzDBOffensive (FuzzDB web backdoors and attack files which can be used with the ZAP fuzzer or for manual penetration testing.)

  • Python Scripting (The Python Scripting add-on allows you to integrate Python scripts in ZAP. When you create a new script, you will be given the option to use Python, as well as the option to choose from various Python templates.)

  • JSON View (Provides a Request/Response panel view that shows JSON bodies nicely formatted.)

  • JWT Support (Detect JWT requests and scan them)

  • ViewState (ASP/JSF ViewState Decoder and Editor)

  • Community Scripts (Useful ZAP scripts written by the ZAP community)

If you need other add-ons, check out the list of add-ons on the ZAP official site and the GitHub ZAP extensions repository. The ZAP official site list has no information about the new JWT Support add-on; you can get more information about it on this site.

If you choose to download an extension from GitHub, you can import the add-on file manually by clicking the File option in the toolbar and choosing the “Load Add-on File…” menu option (CTRL + L).

HUNT extensions for OWASP ZAP

There is one interesting extension you can check out, it is called Bugcrowd HUNT extensions, and it can be found on this site.

To use this extension, first make sure you have installed Python Scripting and Community Scripts from the Add-ons Marketplace. Then, in ZAP options, choose Passive Scanner and tick “Only scan messages in scope”.

In the ZAP tree, click on the plus icon and add Scripts; a new tab will open. Expand Passive Rules, right-click the Hunt.py script and choose Enable Script.

The next time you scan the application, this script will be included. The application will be passively scanned for SQLi, LFI, RFI, Path Traversal, OS Command Injection, Insecure Direct Object Reference, Logic & Debug Parameters, and Server-Side Template Injection.
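To show what a passive rule of this kind does, here is an added example in the shape of a ZAP Python passive-rule script; it is not the HUNT script and not code from this article. It flags request parameters whose names are commonly tied to debug switches, direct object references or file inclusion, for a human to review. The parameter-name lists are a small constructed sample, and the scan(ps, msg, src) entry point and ps.raiseAlert signature follow ZAP’s Passive Rules script template as I know it; check the template shipped with your ZAP version.

```python
"""HUNT-style passive check for parameter names worth reviewing.

The name lists are constructed for this example (not copied from HUNT).
The scan(ps, msg, src) entry point follows ZAP's Python "Passive Rules"
template (assumed; verify against the template in your ZAP version).
"""
try:
    from urllib.parse import urlparse, parse_qsl   # CPython 3
except ImportError:
    from urlparse import urlparse, parse_qsl       # Jython 2.7, used by ZAP's Python Scripting add-on

# Constructed sample of names grouped by the HUNT category they would fall under.
PARAM_CATEGORIES = {
    "Logic & Debug Parameters": {"debug", "test", "admin", "enable", "mode", "env"},
    "Insecure Direct Object Reference": {"id", "user", "account", "doc", "file_id"},
    "Path Traversal / LFI": {"file", "path", "page", "template", "include"},
}


def classify_params(url):
    """Return [(param, category)] for query parameters whose name matches a
    category. Matching is case-insensitive and on the exact name to keep the
    passive scan from flooding the Alerts tab with near-misses."""
    hits = []
    for name, _value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        key = name.lower()
        for category, names in PARAM_CATEGORIES.items():
            if key in names:
                hits.append((name, category))
    return hits


def scan(ps, msg, src):
    """ZAP passive-rule entry point: called for every message ZAP proxies or spiders."""
    url = str(msg.getRequestHeader().getURI())
    for param, category in classify_params(url):
        ps.raiseAlert(
            0,   # risk: Informational, it is a pointer for review, not a confirmed finding
            1,   # confidence: Low
            "HUNT-style parameter of interest: %s" % category,
            "Parameter '%s' has a name commonly associated with %s. "
            "Review how the server uses this value." % (param, category),
            url, param, "", "",
            "Validate the value server-side and authorize access to whatever it selects.",
            "", 0, 0, msg)
```

Because the rule is passive, it never sends requests of its own; it only reads traffic ZAP has already seen, which is why the “Only scan messages in scope” setting above keeps it from reporting on sites you are not testing.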

You can finally start playing around and start scanning applications! Scan only your stuff or apps like DVWA so you don’t get into trouble!

Conclusion

We finally got to the stage where we started using ZAP. We have only scratched the surface of its possibilities, but we will continue with ZAP’s features in the next part of the series.

Hang tight!

#ZAP #AjaxSpider #DynamicSSL #HUNT

Cover photo by Markus Winkler

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
