The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.


It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.



Some of ZAP's functionality:


  • Intercepting Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
  • Web sockets support
  • Support for a wide range of scripting languages
  • Plug-n-Hack support
  • Authentication and session support
  • Powerful REST based API
  • Automatic updating option
  • Integrated and growing marketplace of add-ons


In this quick tutorial we look at how to automate parts of a web penetration test using OWASP ZAP's application integration settings. ZAP can launch external tools such as SQLMap, Nmap, Nikto, SSLScan and others against a request it has already captured, handing them the URL, host, port, cookies and POST data of that request, and it can be chained with Burp Suite so that both proxies see the same traffic. This makes running these tools from one place much more efficient and easier to manage.




Setting up 3rd party application settings


In OWASP ZAP, open the "Options" dialog (Tools > Options) and select the "Applications" settings.





Add a new application


Click the "Add" button in the "Application Settings" panel, give the entry a name and enter the command to run. Use ZAP's substitution parameters (%url%, %host%, %port%, %cookie%, %postdata%) where the details of the selected request should go; ZAP fills them in from the request you right-click on. Enable "Capture output" so that the tool's output is shown in ZAP's "Output" tab. See below for a list of example applications and their syntax.





List of example applications and their parameters:


The commands below use ZAP's substitution parameters %url%, %host%, %port%, %cookie% (the request's cookies) and %postdata% (the request body). Options that take a proxy (sqlmap --proxy, wfuzz -p, nikto -useproxy, wpscan --proxy) require an address as their argument; here they point at ZAP's own listener (127.0.0.1:8080, the port used in the Burp Suite section below) so that the tool's traffic is also recorded in ZAP. Adjust the tool paths and wordlist locations to your installation.


SQLMap (proxy+cookie+postdata): /usr/bin/sqlmap --proxy=http://127.0.0.1:8080 -u %url% --cookie "%cookie%" --data "%postdata%" -f --batch --dbs


SQLMap (crawl+cookie): /usr/bin/sqlmap --proxy=http://127.0.0.1:8080 -u %url% --cookie "%cookie%" -f --batch --crawl=5 --dbs


SQLMap (proxy+cookie+get): /usr/bin/sqlmap --proxy=http://127.0.0.1:8080 -u %url% --cookie "%cookie%" -f --batch --dbs


SQLMap (proxy+get): /usr/bin/sqlmap --proxy=http://127.0.0.1:8080 -u %url% -f --batch --dbs


SQLMap (proxy+postdata): /usr/bin/sqlmap --proxy=http://127.0.0.1:8080 -u %url% --data "%postdata%" -f --batch --dbs


WFuzz (login brute force; FUZZ and FUZ2Z are replaced from the first and second wordlist): /usr/bin/wfuzz -p 127.0.0.1:8080 -c -z file,/pentest/lists/http_default_users.txt -z file,/pentest/lists/http_default_pass.txt -b "%cookie%" -d "username=FUZZ&password=FUZ2Z&submit=Login" %url%


Nikto: /usr/bin/nikto -useproxy http://127.0.0.1:8080 -host %url%


Nmap (the port must be given with -p, otherwise nmap treats it as a second target): /usr/bin/nmap -sV -O -p %port% %host%


Arachni: /usr/bin/arachni %url% --report=html


Bed HTTP Fuzzer: /usr/bin/bed -s HTTP -t %host% -p %port%


CMSMap: /usr/bin/cmsmap.py -t %host%


DNSDict6: /usr/bin/dnsdict6 %host% /pentest/lists/dns/namelist.txt -4


SSLScan: /usr/bin/sslscan --no-failed %host%


WPScan: /usr/bin/wpscan --url %url% --proxy http://127.0.0.1:8080


DNSEnum: /usr/bin/dnsenum --enum -w %host% -f /pentest/lists/dns/namelist.txt


Whois (queries %host%:%port% as a WHOIS server): /usr/bin/whois -h %host% -p %port%
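Putting %cookie% and %postdata% straight into a single command line is fragile: a cookie containing quotes or a body containing shell metacharacters breaks the argument parsing, and a request with no cookies or no body leaves an empty --cookie/--data behind. A more robust pattern is to point the ZAP application entry at a small wrapper script and let the wrapper build the sqlmap command. The script below is an added example, not part of the original post or of ZAP itself; it assumes ZAP listens on 127.0.0.1:8080, that the application entry is configured as `/usr/local/bin/zap-sqlmap.sh %url% "%cookie%" "%postdata%"`, and that ZAP substitutes an empty string for a parameter the selected request does not have.

```shell
#!/bin/sh
# zap-sqlmap.sh (added example, not ZAP's own code).
# Configure the ZAP application entry as:
#   /usr/local/bin/zap-sqlmap.sh %url% "%cookie%" "%postdata%"
# ZAP substitutes the selected request's URL, cookies and body (assumed to
# arrive as three positional arguments, empty when the request lacks them).
# The wrapper derives host and port, quotes every value safely, skips
# --cookie/--data when they are empty, and runs sqlmap back through ZAP's
# proxy so the injection traffic is recorded in ZAP's History tab.

# Assumptions: ZAP's local proxy is 127.0.0.1:8080 (the page's example
# port) and sqlmap lives at /usr/bin/sqlmap. Both can be overridden via env.
ZAP_PROXY="${ZAP_PROXY:-http://127.0.0.1:8080}"
SQLMAP="${SQLMAP:-/usr/bin/sqlmap}"

# url_host URL -> host name without scheme, credentials, port or path.
# IPv6 literals such as [::1] are kept with their brackets.
url_host() {
    h="${1#*://}"          # drop scheme
    h="${h%%/*}"           # drop path
    h="${h%%\?*}"          # drop query string when there is no path
    h="${h##*@}"           # drop user:password@
    case "$h" in
        \[*) h="${h%%\]*}]" ;;   # [::1]:8080 -> [::1]
        *)   h="${h%:*}" ;;      # host:8080  -> host
    esac
    printf '%s\n' "$h"
}

# url_port URL -> explicit port, or the scheme default (443/80).
url_port() {
    rest="${1#*://}"
    rest="${rest%%/*}"
    rest="${rest%%\?*}"
    rest="${rest##*@}"
    case "$rest" in
        \[*\]:*) printf '%s\n' "${rest##*:}" ;;
        \[*)     default_port "$1" ;;
        *:*)     printf '%s\n' "${rest##*:}" ;;
        *)       default_port "$1" ;;
    esac
}

default_port() {
    case "$1" in
        https://*) echo 443 ;;
        *)         echo 80 ;;
    esac
}

# shell_quote STR -> STR in single quotes, with embedded quotes escaped,
# so the result survives eval and is safe to log.
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_sqlmap_cmd URL COOKIE POSTDATA -> the full sqlmap command line.
build_sqlmap_cmd() {
    url="$1"; cookie="$2"; postdata="$3"
    cmd="$(shell_quote "$SQLMAP") --proxy=$(shell_quote "$ZAP_PROXY") -u $(shell_quote "$url")"
    # Only pass --cookie/--data when ZAP actually supplied a value; an empty
    # --data would turn a recorded GET into a bodiless POST.
    [ -n "$cookie" ]   && cmd="$cmd --cookie $(shell_quote "$cookie")"
    [ -n "$postdata" ] && cmd="$cmd --data $(shell_quote "$postdata")"
    cmd="$cmd -f --batch --dbs"
    printf '%s\n' "$cmd"
}

# Run only when invoked with arguments (i.e. from ZAP); sourcing the file
# or running it bare just defines the functions.
if [ "$#" -gt 0 ]; then
    CMD="$(build_sqlmap_cmd "$1" "${2:-}" "${3:-}")"
    echo "[zap-sqlmap] target $(url_host "$1"):$(url_port "$1")"
    echo "[zap-sqlmap] $CMD"
    eval "$CMD"
fi
```

Because every value is single-quoted before being evaluated, a cookie such as `session='abc'` or a body containing `&` and `;` reaches sqlmap as one argument each, and the echoed command line in ZAP's Output tab is exactly what was executed, which makes a failed run easy to reproduce by hand.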





Setting up Burpsuite Integration


To integrate OWASP ZAP with Burp Suite, add a new proxy listener in Burp Suite on a port that ZAP is not using (e.g. 127.0.0.1:8081; two proxies cannot both bind port 8080 on the same host).




Then, in ZAP's "Options" under "Connection", enable the proxy chain ("Use proxy chain") and set its address to the Burp listener configured above (127.0.0.1:8081). ZAP will forward every request it proxies upstream to Burp Suite, so the traffic is visible in both tools.





Finally, set your browser's proxy settings to use OWASP ZAP's local proxy (by default 127.0.0.1:8080). The request path is then browser > ZAP > Burp Suite > target.





Navigate to the target application


After your web browser is set up to use OWASP ZAP, navigate to the target web application so that ZAP captures the request you want to test.


Run a 3rd party application from ZAP





Select the application to run by right-clicking the URL you want to test (in the Sites or History tab) and choosing the application from the "Run application" menu.






Review results of the application from the “Output” tab


After the command has finished running, click the "Output" tab in ZAP to view the application's results.