Tuesday, 28 September 2010

Exploring a web application with ZAP

This post explains how to explore the web application you are testing using the Zed Attack Proxy (ZAP).

Download and install ZAP

You will need to download ZAP from http://code.google.com/p/zaproxy/downloads/list.
There are downloads available for Windows, Mac OS and Unix / Linux-like operating systems.
You will need to have Java 1.6 or higher also installed.

Once you have downloaded and installed ZAP, start it up.
On Windows an icon will have been created on your desktop and an entry added to the start menu.
On other operating systems use the zap.sh command line script.

Change your browser to use ZAP as a proxy

Change your browser to use ZAP as a proxy, so that all of the requests and responses to and from your application go via ZAP.
See Configuring Proxies help page or your browser's documentation if you are unsure of how to do this.
By default ZAP will listen on http://localhost:8080.
If necessary this can be changed via the Options connection screen.

Now try to connect to your application using your browser.
If you cannot connect to it then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings. It's also worth checking that the application that you are trying to test is actually running!

When you have successfully connected to your application you will see one or more lines in ZAP's Sites and History tabs.
Note that most of ZAP's tabs provide additional functionality that can be accessed via 'right click' menus.
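As an added example (not part of the original post), the following script works through the same three checks from the command line: whether anything is listening on ZAP's proxy port, and whether a request sent through the proxy reaches the application. ZAP's default listen address from the post is assumed; the application URL, and the assumption that the proxy answers 502 or 504 when it cannot reach the application, are hypothetical and should be adjusted for your setup.

```python
"""Check that a browser-style request can reach the application via ZAP."""
import socket
import urllib.error
import urllib.request

# ZAP's default listen address (from the post); the application URL is a
# hypothetical placeholder, replace it with the application you are testing.
ZAP_HOST = "localhost"
ZAP_PORT = 8080
TARGET_URL = "http://localhost:3000/"


def proxy_is_listening(host, port, timeout=2.0):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_via_proxy(url, proxy_host, proxy_port, timeout=5.0):
    """Send one GET through the proxy; return (status, body length)."""
    proxy = f"http://{proxy_host}:{proxy_port}"
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, len(resp.read())


def diagnose(url=TARGET_URL, proxy_host=ZAP_HOST, proxy_port=ZAP_PORT):
    """Classify which of the post's three checks to look at next."""
    if not proxy_is_listening(proxy_host, proxy_port):
        return "proxy-down"       # check ZAP's Options > Connection screen
    try:
        status, _size = fetch_via_proxy(url, proxy_host, proxy_port)
    except urllib.error.HTTPError as e:
        # Assumption: a gateway error comes from the proxy itself, which
        # means ZAP is up but could not reach the application.
        if e.code in (502, 504):
            return "app-unreachable"
        return f"http-{e.code}"   # the application answered with an error
    except (urllib.error.URLError, OSError):
        return "proxy-error"      # proxy accepted the TCP connection but failed
    return f"ok-{status}"         # request should now show in Sites / History
```

Run it with `python3 zapcheck.py` after setting TARGET_URL; an "ok-200" result means the request should appear in ZAP's Sites and History tabs.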

Explore your application

Use your browser to explore all of the functionality provided by the application.
Follow all links, press all buttons and fill in and submit all forms.
Some automated security scanners just require you to login to your application and then explore it for you.
I do not recommend this approach.
It is much more effective to manually explore the application.
You are much more likely to submit valid data that will expose new functionality.
The automated scanner can supply the bad data in an attempt to compromise your application.

Save the ZAP session

Once you have manually explored the application it would be a good time to save the ZAP session so that you can look at it again.
If your application has multiple roles then you should explore it with each role and save the sessions in separate files.

What ZAP shows you

ZAP records all of the requests you make to the application and all of the responses you receive from it.
The Sites tab shows you a hierarchical representation of your requests, while the History tab shows them in the order you made them.
The History tab also shows you the HTTP response code, the time the request took and any Tags or Notes.
Tags are added automatically for pages that contain things like forms, hidden fields and scripts via the Passive Scanner.
These rules can be changed via the Options Passive Scan screen.
You can also tag requests manually.
Notes can contain much more information - they are for extra information that you want to record and are not generated automatically.
Clicking on an entry in either tab will show the details on the Request and Response tabs.
The History tab provides a filter dialog which allows you to restrict the requests listed to just the ones you are currently interested in.
The Search tab allows you to search for regular expressions in all of the URLs, requests and responses.

ZAP shows you all of the requests and responses that are going on 'under the covers' of your application.
This may be particularly revealing if the application uses AJAX requests to get information in the background.

Next we shall look at the automated tools that ZAP provides...


  1. Where can I find information pertaining to the rules regarding SQL Injection and Oracle SQL Injection Enumeration during active testing?

    I have to finish pentesting an app *quickly* and have these alerts coming up. I see the SQL Injection, but do not think that it is a problem in the app.

    What is the rule?

    Is it just that SQL was injected into parameters (I can see that in the POST request) but the page still returned a 200 status?

    Also, the current db user name: is being reported, yet I do not see it anywhere in the request or response.

    Is this a false positive or is it trying to tell me something else?
