OWASP ZAP Tutorial - Part 3: Scanning
As you may or may not know, OWASP ZAP can perform two different levels of scanning: passive scanning and active scanning. Our tutorial will focus on active scanning, but I think it is worthwhile to have a brief discussion about passive scanning. Passive scanning is the scanning that takes place when ZAP is interacting with a web application through any other process other than an active scan. What this means is that simply opening a web application and proxying it through ZAP will give you at least a partial scan of that application. This is pretty cool because it helps us identify some low-hanging fruit when we are simply interacting with the site. Any findings identified by active and passive scans are displayed under the Alerts tab in the pane at the bottom of the ZAP interface.
The alerts tab shows all of the vulnerabilities that were identified by the passive scan and it provides a great deal of detail about the vulnerability as well as potential solutions for remediating it. Whenever you use ZAP, you should pay attention to the data in this screen.
Active scanning is what most people think of when they envision a traditional web application scan. The ZAP proxy runs a number of automated scripts against a target URL with the intention of identifying vulnerabilities. Unlike passive scans, active scans can be quite intensive and can even cause a site to go down. Whenever you are actively scanning a web application, monitor the responsiveness of the site. If the site becomes slow or unresponsive, you should probably kill the scan and alter your settings so as to minimize the impact on the target application.
Running an active scan is fairly simple. These steps assume that you have completed the activities in the previous posts in this series. If you have not and if you are not familiar with ZAP, I highly recommend that you read Posts 1 and 2 before continuing.
- Make sure that you have your browser and ZAP running. Make sure that the browser is proxying traffic through ZAP.
- In the Target pane in ZAP (left side of the screen), right-click on your target's URL and choose Attack > Active Scan.
- In the scan configuration window that appears, simply verify that the scope is properly set (remember Equador).
You may also want to look at the Policy tab in this window. It is here that you can set the Attack Strength threshold. For most initial scans, the default setting (medium) is probably fine. If you are concerned about knocking down a site, you can even change them to "low" for the initial scans. When done, click the Start Scan button.
"But wait!" you cry, "there are all kinds of settings here! What about them?"
This tutorial isn't about how to customize scans for your application; that would be different for every site that you scan. This tutorial is about how to kick off a generic scan in ZAP. For more details on scanning in ZAP, click here and you can find out much more information than I can provide in a single blog post.
- When the scan starts, you can monitor its progress and check to see what types of attacks it is performing. To do this, click on the icon that looks like a chart in the Active Scan tab in the bottom pane of the ZAP interface.
- In that same window, you can also monitor the responsiveness of the target web application. If you notice that the number of responses per second is quite low or at zero, that would be a good time to kill the scan. This would indicate that the responsiveness of the site has become quite slow and it may be struggling to keep up with the number of requests that the scanner is throwing at it. A healthy system's responses should look like the Rocky Mountains.
That's about all there is to scanning. Like I said before, this tutorial is to give you the basics for getting started. If you would like more detail on scanning with ZAP, I recommend checking out OWASP's documentation which can be found here.
A Note on Reporting
ZAP also has the ability to generate reports on the fly. I wouldn't use these reports to give to a client or an executive, but they are useful for reviewing information and sharing data with other technical people. To generate reports for a scan, use the Report menu at the top of the screen. There are lots of reporting format options, including HTML and PDF. Unfortunately, OWASP doesn't have a lot of documentation on reporting, but lucky for us it is fairly straight forward. Just the same, I will try to do a post on ZAP reporting in the future.