Penetration Testing Using Zap

What is Penetration Testing ?

Penetration testing, also called pen testing , is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

What is Owasp Zap ?

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner.

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring, ZAP was originally forked from Paros, another pentesting proxy. Simon Bennetts, the project lead, stated in 2014 that only 20% of ZAP’s source code was still from Paros.

Some of the built in features include:

Intercepting proxy server, Traditional and AJAX Web crawlers, Automated scanner, Passive scanner, Forced browsing, Fuzzer, WebSocket support, Scripting languages, and Plug-n-Hack support. It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel is easy to use.

Download ZAP

To download zap, click here, on this page installers are available for different operating systems, download ZAP according to your system requirements.

Penetration Testing On APIs-

Step 1: Configure Postman-

Open Owasp Zap and click on Tools→Options→Local Proxies, you will be redirected to following screen-

These are the settings for ZAPs proxy server that you will be using to route Postman requests through. You will need to know the address and port in order to set Postman to redirect requests through ZAPs proxy server. 

Now that you have the address and port for the proxy, open Postman and go to ‘Settings’ in the top menu bar and select the ‘Proxy’ tab. You should now see the following screen:

Enter address and port picked from ZAP in “Proxy Server” column.

ZAP uses self signed certificate(SSL) to capture request and response and this ZAP’s SSL is not trusted by Postman so whenever request is sent you won’t receive the response, for this to work, we need to disable the ‘SSL certificate verification’ so go to Settings-> General-> Disable ‘SSL certificate verification’

Step 2- Send request from Postman-

Send the requests from Postman and it will be captured in Zap

Step 3- Run Scan

Go to “History” tab in the bottom in Zap→ select the request Url→ right click on it and run active scan

Penetration Testing On Web Portal-

Step 1: Configure Browser-

Open Owasp Zap and click on Tools→Options→Local Proxies, you will be redirected to following screen-

These are the settings for ZAPs proxy server that you will be using to route Postman requests through. You will need to know the address and port in order to set Postman to redirect requests through ZAPs proxy server. 

Now that you have the address and port for the proxy, open Browser and go to ‘Preferences’ in the  menu bar and select the ‘Settings’ button of Network settings. Either set it to localhost or 127.0.0.1 and port to 8080 same as Zap.

You should now see the following screen:

Enter address and port picked from ZAP in “HTTP Proxy” column.

ZAP uses self signed certificate(SSL) to capture request and response, this ZAP’s SSL is not trusted by Browsers so whenever request is sent, you won’t receive the response, for this to work, we need to disable the ‘SSL certificate verification’ so go to Settings-> General-> Disable ‘SSL certificate verification’

Step 2- Send request from Browser-

Browse through your website, all urls will be captured in zap

Step 3- Run Scan

Go to “History” tab in the bottom in Zap→ select the request Url→ right click on it and run active scan

Generate Report-

Go to “Reports” in top menu bar→ Click on the option you prefer→ a report will be generated accordingly