Overview of OWASP Zed Attack Proxy (ZAP)
What’s OWASP Zed Attack Proxy (ZAP)?
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
Key Features of OWASP Zed Attack Proxy (ZAP)
- Open source
- Cross platform (it even runs on a Raspberry Pi!)
- Easy to install (using a multi-platform installer builder)
- Completely free (no paid for ‘Pro’ version)
- Ease of use a priority
- Comprehensive help pages
- Fully internationalized
- Translated into over 20 languages
- Community based, with involvement actively encouraged
- Under active development by an international team of volunteers
Key Features of Application
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own. It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
2. Anti CSRF Tokens
Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However they also make a penetration testers job harder, especially if the tokens are regenerated every time a form is requested.
ZAP detects anti CSRF tokens purely by attribute names – the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token. Other scanners, like active scanner, have options which cause ZAP to automatically regenerate the tokens when required.
3. Passive Scan
ZAP by default passively scans all HTTP messages (requests and responses) sent to the web application being tested. Passive scanning does not change the requests nor the responses in any way and is therefore safe to use. Scanning is performed in a background thread to ensure that it does not slow down the exploration of an application.
4. Scan Policy
A scan policy defines exactly which rules are run as part of an active scan. It also defines how these rules run influencing how many requests are made and how likely potential issues are to be flagged. You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan Dialog. You can define the default scan policy to be used for active scans and for the Attack mode via the Options Active Scan screen.
The spider is a tool that is used to automatically discover new resources (URLs) on a particular Site. It begins with a list of URLs to visit, called the seeds, which depends on how the Spider is started. The Spider then visits these URLs, it identifies all the hyperlinks in the page and adds them to the list of URLs to visit and the process continues recursively as long as new resources are found.