{"id":59067,"date":"2022-10-24T09:19:18","date_gmt":"2022-10-24T01:19:18","guid":{"rendered":"https:\/\/version-2.com\/?p=59067"},"modified":"2022-12-02T18:13:42","modified_gmt":"2022-12-02T10:13:42","slug":"how-to-test-application-with-zap-part-three","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2022\/10\/how-to-test-application-with-zap-part-three\/","title":{"rendered":"How to test application with ZAP – Part Three"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

We are finally prepared to use the ZAP tool to perform some security testing in this part of the ZAP series.<\/p>

If you are new to this topic, please check out the rest of the previous articles.<\/p>

We will use DVWA (Damn Vulnerable Web Application) for this part of the series.<\/p>

DVWA is a PHP\/MySQL web application that is used to help security professionals to learn and test using security tools while staying clear of legal implications. It possesses many common vulnerabilities, so you don\u2019t need to waste your time to set up the application from scratch.<\/p>

To follow along with the testing, you will need to install DVWA. There is a great guide on installing it in a Linux environment (you should use the one we set up in the first part of the series (Kali machine). You can find it on this site<\/a>.<\/p>

We will divide this part of the series to cover a few topics:<\/p>

\u00b7 Setting up Dynamic SSL certificates<\/p>

\u00b7 Automated Scan – How to use Ajax Spider?<\/p>

\u00b7 Recommendations for Add-ons<\/p>

\u00b7 HUNT extensions for OWASP ZAP<\/p>

<\/p>

Setting up Dynamic SSL certificates<\/em><\/h4>

We want to start testing the application, but the application possesses an SSL certificate, and we get the following error:<\/p>

If you want to read more about Dynamic SSL certificates, check out this site<\/a>.<\/p>

Without importing ZAP Certificates in the browser, ZAP cannot handle simultaneous Web request forwarding and intercepting. So, we will need to set it up!<\/p>

First, go to the menu tab Tools -> Options -> Dynamic SSL Certificates, generate and save the certificate file. <\/p>

Now we need to go to the browser we will use for the testing, I am using Brave, and we need to configure its settings. Go to the Privacy and Security section and use CTRL + F and look for \u201ccert\u201d, when you find the Manage certificates section, choose the Authorities tab and click on import and choose the certificate we saved from ZAP (when browsing to the cert file if you don\u2019t see it, choose All files from dropdown).<\/p>

<\/p>

<\/p>

The following window will appear, choose to trust the certificate (first option as it is in the picture).<\/p>

That is it; you are ready to proceed!<\/p>

<\/p>

How to use Ajax Spider?<\/em><\/h4>

By Owasp: The Ajax Spider is an add-on that integrates in ZAP a crawler of AJAX rich sites called Crawljax. You can use it in conjunction with the traditional spider for better results. It uses your web browser and proxy.<\/em><\/p>

For more information about the add-on, you can check out OWASPs official site<\/a>.<\/p>

In the Marketplace, we choose Ajax Spider to install it first.<\/p>

There are a few ways to do an automated scan, first and quickest is going to Quick start and choosing Automated Scan and then choosing the URL of the application you want to scan and clicking on the Attack button.<\/p>

*In this step, you can also choose if you want to use traditional spider and\/or Ajax. If the application you are testing is written using AJAX, you will definitely want to mark Ajax spider. Still, you can also mark the traditional one so you can cover the testing completely. The easiest way to use Ajax Spider is with HTMLUnit. If you don\u2019t see it in the dropdown you would need to install it. Here is the place<\/a> you can check out if you want to install it in Ubuntu.<\/p>

After the scan (if you are using DVWA application) you will see the list of vulnerabilities in the results, such as in the following picture:<\/p>

<\/p>

Recommendations for add-ons<\/em><\/h4>

From the toolbar choose Manage Add-ons (Add-ons Marketplace). You will see Installed and Marketplace tabs. We would like to add new add-ons, so we choose Marketplace.<\/p>

This is the recommended list of add-ons:<\/p>