April 19, 2016 · Paul Molin · 4 min read
As a Web developer, and above all as someone who wants to bring value to my client as soon as possible, one of my main goals is to release the features I develop into production as quickly as possible. In order to do so, I have to make sure my application is as secure as it can be before it is deployed to a production environment that is dangerous and full of malicious users.
Thus, I have no choice: I have to get better at finding and fixing security flaws in my apps, I have to be able to test my apps, and I have to stop making the same errors twice. And I have to be fast doing it.
This is why I started to use OWASP Zed Attack Proxy!
ZAP is an OWASP (Open Web Application Security Project) project. OWASP is an online community whose goal is to promote Web application security in a free and open way. To achieve this goal, it offers, for instance, vulnerable applications for everyone to test and train on, documentation and recommendations, and security testing tools such as ZAP.
ZAP is therefore an open-source GitHub project. I cannot recommend enough that you visit the repository to read the code and, if you are interested enough, contribute to the project.
The interesting thing about ZAP is that it is as useful for beginners in security as it is for professionals! Beginners can use it because it does not require advanced knowledge before you start getting results. Actually, you only need to click one button to attack your application with minimal configuration.
Once you understand how to use it, you can achieve pretty impressive results. ZAP is therefore used by security professionals and is often recognized. It was, for instance, voted the best security tool in the ToolsWatch (a well-known security website) 2015 Top 10. And as I write this post, ZAP has just reached 1000 stars on GitHub!
As its name indicates, ZAP is a proxy. This means it sits between your web browser and your server and listens to all HTTP requests and responses. You can read and review them, and you can intercept them just after they leave your browser or just before they come back in. The most interesting part is that you can then modify them. This is pretty useful, for instance, to bypass verification that is only done on the client side (which is exactly why such checks must always be repeated on the server).
As ZAP listens to all the HTTP requests and responses you send and receive, it parses them and stores them in a tree representation of your application. It also takes this opportunity to scan them in order to detect the first vulnerabilities (this is passive scanning: nothing extra is sent to the server).
Whether you developed the application yourself or not, it is highly probable that you will not visit every single link of the application yourself, either because you do not know everything about the application, or because it would simply take too long to visit each page by hand. It is better to use ZAP's spidering tool. The goal of this tool is to parse the HTTP responses of the pages you have already visited in order to discover new content. Each time it finds a new page, ZAP requests it, and can in turn parse the response. This way, hidden content can be discovered! There again, every new request/response pair is stored in the tree I mentioned earlier. My recommendation is to begin your testing by manually visiting a few pages of your application, and then let ZAP list the rest of its content automatically.
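To make the spider and the tree concrete, here is an added illustration (my own example code, not ZAP's implementation) of what the two mechanisms do: a breadth-first crawl that parses each response for links, follows only those on the host in scope, and nests what it found by path segment the way ZAP's Sites tree does. The "site" is a constructed in-memory dict of URL to HTML body, so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample application (URL -> HTML body) so the crawl runs offline;
# /admin/old-backup is linked only from /about, a page a human tester might skip.
SITE = {
    "http://app.test/": '<a href="/login">Login</a> <a href="/about">About</a>',
    "http://app.test/login": '<form action="/login"></form> <a href="/">Home</a>',
    "http://app.test/about": '<a href="/admin/old-backup">Old</a> <a href="http://other.test/">Ext</a>',
    "http://app.test/admin/old-backup": "nothing linked from here",
}

class LinkExtractor(HTMLParser):
    """Collect href/action/src values from a response body, as a spider does."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.links.append(value)

def spider(start, scope_host):
    """Breadth-first crawl following only in-scope links; returns pages in visit order."""
    seen, queue, visited = {start}, [start], []
    while queue:
        url = queue.pop(0)
        body = SITE.get(url)  # stand-in for an HTTP GET; None means 404
        if body is None:
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            absolute = urljoin(url, link).split("#")[0]
            # Scope check: never follow links onto hosts you are not authorised to test
            if urlparse(absolute).netloc == scope_host and absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return visited

def site_tree(urls):
    """Nest discovered URLs by host and path segment, like ZAP's Sites tree."""
    tree = {}
    for url in urls:
        node = tree.setdefault(urlparse(url).netloc, {})
        for segment in filter(None, urlparse(url).path.split("/")):
            node = node.setdefault(segment, {})
    return tree
```

Note that the link to `other.test` is never requested: keeping the spider inside the scope you are authorised to test is as important as finding the forgotten backup page.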
When you are ready to go further, you may begin the real attack. At this point, ZAP's active scanning will enable you to find more vulnerabilities, such as SQL injections or XSS. Beware! The attacks will really be executed, so be careful, and do not look for such flaws in a production environment. You may also use fuzzing to tamper with some parameters of the requests you're playing with.
Every vulnerability reported by ZAP is displayed in the "Alerts" tab. This is probably my favorite feature in ZAP! There, you will gain a lot of knowledge about Web security. For each alert, you can learn about the corresponding flaw. Among other things, you will see which parameter can be used for the exploit, what this vulnerability might enable an attacker to do, how to fix it, and some links to follow to discover more about it. Alerts are sorted according to their risk and impact. While some low-risk alerts might not have much impact on your application, you should really look into the high ones!
When you have found your first vulnerabilities with ZAP, you may want to go further still and do more powerful and productive testing. For this, you can teach ZAP how your app works and configure it to make it more accurate. For instance, you can explain to ZAP how it can tell whether it is authenticated or not, and how it can log in. This way, even if it follows a logout link or is logged out by the application because of security mechanisms, it will be able to log in again!
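The authentication handling described above boils down to two indicators matched against every response (a "logged in" pattern and a "logged out" pattern) plus a way to log in again. The following is an added example of my own that simulates this logic, not ZAP's code: `FakeApp` is a constructed stand-in for the application under test (credentials `tester`/`s3cret` are made up), and `AuthAwareClient` re-authenticates whenever a response no longer looks logged in.

```python
import re

# Constructed stand-in for the application under test: /login issues a session token,
# /logout invalidates it, and only authenticated pages carry a "Logout" link.
class FakeApp:
    def __init__(self, username="tester", password="s3cret"):  # constructed credentials
        self.creds, self.sessions, self.next_id = (username, password), set(), 0
    def post_login(self, username, password):
        if (username, password) != self.creds:
            return None, "Invalid credentials <a href='/login'>Login</a>"
        self.next_id += 1
        token = f"sess-{self.next_id}"
        self.sessions.add(token)
        return token, "Welcome <a href='/logout'>Logout</a>"
    def get(self, path, token):
        if token not in self.sessions:
            return "Please <a href='/login'>Login</a>"
        if path == "/logout":
            self.sessions.discard(token)
            return "Bye <a href='/login'>Login</a>"
        return f"Page {path} <a href='/logout'>Logout</a>"

class AuthAwareClient:
    """Mimics ZAP's logged-in / logged-out indicators: regexes checked on every response."""
    LOGGED_IN = re.compile(r"href='/logout'")
    LOGGED_OUT = re.compile(r"href='/login'")
    def __init__(self, app, username, password):
        self.app, self.username, self.password = app, username, password
        self.token, self.relogins = None, 0
    def is_logged_in(self, body):
        return bool(self.LOGGED_IN.search(body)) and not self.LOGGED_OUT.search(body)
    def login(self):
        self.token, body = self.app.post_login(self.username, self.password)
        self.relogins += 1
        if not self.is_logged_in(body):  # wrong credentials or wrong indicator regex
            raise RuntimeError("login failed: logged-in indicator not found")
    def get(self, path):
        body = self.app.get(path, self.token)
        if not self.is_logged_in(body):  # no session, or the app logged us out: re-authenticate once
            self.login()
            body = self.app.get(path, self.token)
        return body

def crawl(paths, app, username="tester", password="s3cret"):
    """Visit each path in order; returns the bodies and how many logins were needed."""
    client = AuthAwareClient(app, username, password)
    return [client.get(p) for p in paths], client.relogins
```

The failing-login branch matters in practice: if the indicator regex is wrong, every request would trigger a useless re-login, so the client stops early instead of silently scanning unauthenticated pages.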
You may also download community-made extensions or scripts (or even write them yourself!) from within the application. For example, you may install extra parameters for better fuzzing, a quick start guide, or even a Selenium extension. Thereby, there is virtually no limit to what you can achieve with this tool!
ZAP's motto above is really meaningful! Everything ZAP enables you to do should be considered hacking. This means you should never use it against an application that you do not own, or for which you did not receive specific authorization.
However, you should always test your own applications and look for vulnerabilities. First, this is an opportunity to get better and make safer applications for your users! And, more importantly, you do NOT want anybody else to find critical flaws in your application. And trust me: if they are accessible on the Web, sooner or later, they will be found.
The only thing left now is for you to download ZAP and go test it! Merry hacking!
Web Developer at Theodo