Owasp-ZaProxy

 

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

 

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

 

 

Some of ZAP’s functionality:

 

  • Intercepting Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
  • Web sockets support
  • Support for a wide range of scripting languages
  • Plug-n-Hack support
  • Authentication and session support
  • Powerful REST based API
  • Automatic updating option

 

 

Integrated and growing marketplace of add-ons

 

In this quick tutorial, We can check how to automate web penetration testing using OWASP ZAP’s application integration settings. This makes running many applications such as integration settings. This makes running many applications such as Burpsuite, SQLMap, NMap, Nikto, SSLScan and others much more efficient and easier to manage.

 

 

 

Setting up 3rd party application settings

 

In OWASP ZAP, select the “Applications” setting from OWASP ZAP’s “Options” menu

 

Screenshot from 2015-04-16 03:04:44

 

 

Add a new application

 

Set the application options by clicking the “Add” button in the “Application Settings” and add your command for the application (see below for a list of example applications and syntax)

 

Screenshot-1

 

 

List of Applications and their parameters:

 

SQLMap (proxy+cookie+postdata) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –cookie “%cookie%” –data “%postdata%” -f –batch –dbs

 

SQLMAP (crawl+cookie) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –cookie “%cookie%” -f –batch –crawl=5 –dbs

 

SQLMap (proxy+cookie+get) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –cookie “%cookie%” -f –batch –dbs

 

SQLMap (proxy+get) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% -f –batch –dbs

 

SQLMap (proxy+postdata) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –data “%postdata%” -f –batch –dbs

 

WFuzz (Login Bruteforce) /usr/bin/wfuzz -p 127.0.0.1:1080 -c -z file,/pentest/lists/http_default_users.txt -z file,/pentest/lists/http_default_pass.txt -b “%cookie%” -d “username=FUZZ&password=FUZ2Z&submit=Login” %url%

 

Nikto /usr/bin/nikto -useproxy 127.0.0.1:1080 -host %url%

 

NMap /usr/bin/nmap -sV -O %host% %port%

 

Arachni /usr/bin/arachni %url% –report=html

 

Bed HTTP Fuzzer /usr/bin/bed -s HTTP -t %host% -p %port%

 

CMSMap /usr/bin/cmsmap.py -t %host%

 

DNSDict6 /usr/bin/dnsdict6 %host% /pentest/lists/dns/namelist.txt -4

 

SSLScan /usr/bin/sslscan –no-failed %host%

 

WPScan /usr/bin/wpscan –url %url% –proxy 127.0.0.1:1080

 

DNSEnum /usr/bin/dnsenum –enum -w %host% -f /penetst/lists/dns/namelist.txt

 

Whois /usr/bin/whois -h %host% -p %port%

 

Screenshot-3

 

 

Setting up Burpsuite Integration

 

To integrate OWASP ZAP with Burpsuite, set a new proxy listener port in Burpsuite (ie. port 8080) as shown below.

 

Screenshot-4

 

After, change the connection settings in OWASP ZAP to match the host:port set above. This will forward and route all traffic proxied through ZAP to Burpsuite.

 

 

Screenshot-5

 

Set your browser proxy settings to use OWASP ZAP’s local proxy (ie. port 8080).

 

Screenshot-7

 

 

Navigate to the target application

 

After your web browser is setup to use OWASP ZAP, navigate to the target web application (ie. 192.168.31.20) to capture the request.

 

Run a 3rd party application from ZAP

 

Screenshot-10

 

 

Select the application to run by right-clicking on the URL you want to test and selecting the application from the “Run application” menu

 

 

Screenshot from 2015-04-13 20:35:51

 

 

Review results of the application from the “Output” tab

 

After the command has finished running, click the “Output” tab in ZAP to view the applications results.

 

Screenshot-8

 

Advertisements