The Zed Attack Proxy (ZAP) is one of the most widely-used open source tools for dynamic application security testing (DAST). Maintained by OWASP, ZAP has built a huge community of people creating new features and add-ons that make it incredibly versatile.  

You could say we’re a little bit in love with this tool here at we45. For years we’ve been using it for manual pen-testing and automated application scans, and we’ve become intimately familiar with some of its most useful features. It’s about time we show you why we think it’s so cool. 

So here’s our personal list of the 7 best features that make ZAP such a great tool for appsec testing.

1. AJAX spidering

AJAX spidering is performed during a penetration test to discover requests on an AJAX-rich web apps, which can’t be discovered with a regular spidering tool. The AJAX spidering window can be accessed via  ZAP -> Tools -> AJAX Spider (on ZAP’s menu bar). The tool has configuration parameters such as maximum depth to crawl, maximum crawl states, maximum duration and other options to prevent the possibility of infinite crawling.

An Example for AJAX Spidering

Image – An example of AJAX Spider Options

During our penetration tests, we use the regular spidering tool first to identify URLs of the application being tested. Running the AJAX spider after the regular spidering has helped us get a better map of all application resources in scope. ZAP gives you the option to automatically open the application  via browser using Selenium and explore the application through an event-driven dynamic crawling engine. This eliminates the need for a manual walkthrough of the application to capture AJAX requests.

2. ZAP Jenkins Plugin

As more and more companies move towards DevSecOps or pursue Agile security testing methods, integrating DAST tools into their CI/CD pipeline manager such as Jenkins is becoming pretty common. Having a plugin is essential for such integrations.

The Jenkins Plugin enables integration of security testing within the CI/CD pipeline. Through the  the Jenkins plugin, we’ve helped our customers integrate ZAP seamlessly into the DevOps pipeline, allowing teams to run automated scans per release. The plugin enables several ZAP operations within the  pipeline such as Spider Scans, AJAX Spidering, Active Scan, Managing  Sessions, Defining Context and correlate results.


Upcoming Webinar: Automate ZAP & Burp testing on Jenkins with Cypress

{{cta(‘a90d91c1-b10e-48e2-bd69-669355f2361f’)}}


 

3. Fuzzing

A fuzzer is a security tool used to inject a variety of payloads to force the application to go to an undesired state, possibly exposing a potential vulnerability. In ZAP, a tester can choose from a wide range of open source fuzzing payload lists through sources like Dirbuster, FuzzDB and JbroFuzz. All of these are built into ZAP making it easier to unearth vulnerabilities than ever before.

Fuzzer Dialog

 Image – Fuzzer Dialog

A pen-tester can either choose to upload a manual list of payloads or generate payloads by writing his/her own custom scripts. The ZAP Fuzzer is also highly customisable with controls like fuzzing location (in the request), number of concurrent threads, delay in fuzzing and many more options.

The fuzzer also has the ability to automatically refresh Anti-CSRF tokens in applications where the tokens regenerate per form request. When detecting an Anti-CSRF token, ZAP automatically records the token and the associated URL. ZAP thereby regenerates the token whenever necessary, preventing missing/invalid token errors.

4. Websocket Testing

Testing Websockets is critical, given how pervasive its implementations are across applications. With ZAP, intercepting, analysing or tampering with the websocket traffic between the client and server couldn’t get easier. The websocket Message editor can be accessed via Tools>>WebSocket Message Editor under the ZAP Menu. The editor can be used to tamper with the Opcodes, Direction, or the message and sent back to the server.

WebSocket Message Editor

Image – WebSocket Message Editor

ZAP also gives details of the opcode of each message — Text, Binary, Close, Ping or Pong. The messages can then be filtered based on opcodes or the channels for further scrutiny. The websocket message can also be sent to the fuzzer for subsequent payload injection.

For instance, we were once testing a client’s visual collaboration platform, which was an application based on websockets. By changing the direction of the message and tampering with the parameters in the message via the message editor, we were able to identify a vulnerability in the application that  resulted in complete denial of service for all users using the application interface.

5. Highly Scriptable

A lot of security testing can be automated with scripts, which reduces time spent on manual testing and allows the tester to focus on other important tasks.

ZAP is one of the most extensible/scriptable tools that support any scripting language that allows JSR 223 scripting. ZAP has the feature to run scripts that can be embedded within it to access internal data structures & functionalities through the ZAP Script Add-on. It supports multiple scripting languages which include Javascript, Zest, Python, Groovy and Ruby. 

Learn More: A Guide to Scripting in OWASP ZAP

The scripts supported include Stand-alone, Active Rules, Proxy Rules etc. We’ve created Zest scripts  using ZAP’s “record scripts” feature to  perform automated walkthroughs of an application, proxy the requests through ZAP, run scans and export the results for subsequent aggregation and correlation.

6. Flexible Scan Policy Management

ZAP provides the flexibility to compose a  scan policy based on the requirement of the tester for every application. The Scan Policy Manager can be found at Analyse>>Scan Policy Manager under the menu bar.

For a pen-tester, it is essential to optimise the scanner depending on the ability of the target application to keep up with its operational performance (and not result in a DoS). It’s therefore critical to consider a scanner machine’s processing and bandwidth capabilities while designing scan policies.

Scan Policy Manager

Image – Scan Policy Manager

The scan policy can be altered to include or exclude the kind of test to perform. ZAP even lets you configure the definition of parameters such as Threshold (how likely it is that a potential vulnerability to be flagged), and Strength (the number of requests for each of the tests).

Pen-testers often need to test scenarios that they might encounter frequently across target applications. ZAP allows you to design a custom scan policy, that can be exported as a template. This scan policy can then be imported back into ZAP and reused.

7. Interacting With ZAP Programmatically via the REST API

ZAP has a really well defined and documented API which makes it easier to be accessed programmatically by a wide range of tools, platforms or custom scripts. 

ZAP API UI

Image – ZAP API UI

The ZAP API can be used directly via a browser or using programming languages such as Java, Python, Node JS, .NET, PHP or Go. ZAP UI can be accessed through the browser at http://zap through the proxy or at http://localhost:<proxy port>.

See More: We’ve integrated ZAP into our new vulnerability correlation platform

Even though you find these features in other private and publicly available DAST tools, ZAP encapsulates them (and much more) under a single intuitive and effective open source platform. It’s what makes it the go-to tool to perform both manual and automated security scans.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.