OWASP ZAP Tutorial - Part 3: Scanning

-
Good day, eh. Welcome to Part 3. In this post, we will spend a little time walking through how to perform active scanning with ZAP. I'm gonna level with you, this is probably the easiest part of workin with ZAP, but it is also the most perilous. Web scanners have taken down sites, and if the scope isn't configured properly you could find yourself winning an extended stay at Club Fed (located in beautiful Leavenworth, Kansas). As always, don't scan stuff that isn't yours or that you don't have permission to scan. Got it? Good. Let's move forward.

As you may or may not know, OWASP ZAP can perform two different levels of scanning: passive scanning and active scanning. Our tutorial will focus on active scanning, but I think it is worthwhile to have a brief discussion about passive scanning. Passive scanning is the scanning that takes place when ZAP is interacting with a web application through any other process other than an active scan. What this means is that simply opening a web application and proxying it through ZAP will give you at least a partial scan of that application. This is pretty cool because it helps us identify some low-hanging fruit when we are simply interacting with the site. Any findings identified by active and passive scans are displayed under the Alerts tab in the pane at the bottom of the ZAP interface.


The alerts tab shows all of the vulnerabilities that were identified by the passive scan and it provides a great deal of detail about the vulnerability as well as potential solutions for remediating it. Whenever you use ZAP, you should pay attention to the data in this screen.

Active Scanning

Active scanning is what most people think of when they envision a traditional web application scan. The ZAP proxy runs a number of automated scripts against a target URL with the intention of identifying vulnerabilities. Unlike passive scans, active scans can be quite intensive and can even cause a site to go down. Whenever you are actively scanning a web application, monitor the responsiveness of the site. If the site becomes slow or unresponsive, you should probably kill the scan and alter your settings so as to minimize the impact on the target application.

Running an active scan is fairly simple. These steps assume that you have completed the activities in the previous posts in this series. If you have not and if you are not familiar with ZAP, I highly recommend that you read Posts 1 and 2 before continuing.
  1. Make sure that you have your browser and ZAP running. Make sure that the browser is proxying traffic through ZAP.
  2. In the Target pane in ZAP (left side of the screen), right-click on your target's URL and choose Attack > Active Scan.

  3. In the scan configuration window that appears, simply verify that the scope is properly set (remember Equador).



    You may also want to look at the Policy tab in this window. It is here that you can set the Attack Strength threshold. For most initial scans, the default setting (medium) is probably fine. If you are concerned about knocking down a site, you can even change them to "low" for the initial scans. When done, click the Start Scan button.



    "But wait!" you cry, "there are all kinds of settings here! What about them?"

    This tutorial isn't about how to customize scans for your application; that would be different for every site that you scan. This tutorial is about how to kick off a generic scan in ZAP. For more details on scanning in ZAP, click here and you can find out much more information than I can provide in a single blog post.
  4. When the scan starts, you can monitor its progress and check to see what types of attacks it is performing. To do this, click on the icon that looks like a chart in the Active Scan tab in the bottom pane of the ZAP interface.

  5. In that same window, you can also monitor the responsiveness of the target web application. If you notice that the number of responses per second is quite low or at zero, that would be a good time to kill the scan. This would indicate that the responsiveness of the site has become quite slow and it may be struggling to keep up with the number of requests that the scanner is throwing at it. A healthy system's responses should look like the Rocky Mountains.
That's about all there is to scanning. Like I said before, this tutorial is to give you the basics for getting started. If you would like more detail on scanning with ZAP, I recommend checking out OWASP's documentation which can be found here.

A Note on Reporting

ZAP also has the ability to generate reports on the fly. I wouldn't use these reports to give to a client or an executive, but they are useful for reviewing information and sharing data with other technical people. To generate reports for a scan, use the Report menu at the top of the screen. There are lots of reporting format options, including HTML and PDF. Unfortunately, OWASP doesn't have a lot of documentation on reporting, but lucky for us it is fairly straight forward. Just the same, I will try to do a post on ZAP reporting in the future.




Comments

Post a Comment

Popular posts from this blog

OWASP ZAP Tutorial - Part 2: Crawling

-
Image
If you completed part one of this series, you have now successfully intercepted an HTTP request and response with OWASP ZAP. Don't you feel proud and empowered? I knew you would. But guess what? We're not done yet... not by a damn site. Now it's time to learn how to  crawl  a web application with ZAP. Now I know what you're thinking to your self. Your thinking, "Pablo, why do I need to crawl the site? Can't I just do an outright scan? Won't that crawl the site first anyway?" Well, the answer to your question is "yes," you can just scan the site, which usually starts with a crawl. But here is the deal, maybe you don't want to be noticed, especially if you are doing a test where stealth is important. Have you ever worked on a blue team and had your email inbox explode with alerts because some jackhole decided to scan your company's website? If so, then you understand why running a full scan might not be desirable (you may also wa
Read more

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

-
Image
So you want to use OWASP's Zed Attack Proxy to intercept web requests and responses, but you don't know where to start. ZAP isn't quite as pretty as Burp and there isn't even a proxy tab that you can use to intercept traffic and monkey with the parameters! What is the deal!? OK, OK, OK, just take a chill pill there my friend. Although ZAP is a little different from Burp, I think you will find that it is just as useful, and in some cases perhaps more so. Let's jump in with a little exercise that will help you figure out the basics of this often overlooked gem. Before going any further, I am going to take a moment to warn you about testing web applications without permission; don't do it. Testing a site that is not yours is what a friend of mine has referred to as a "non-extradition country career choice" (thanks Adrien de Beupre). Equador is a lovely country, but you probably don't want to live there. Manually Intercepting HTTP Requests and
Read more