
The Zed Attack Proxy (ZAP) is an open source tool maintained under the Open Web Application Security Project (OWASP), with a large community of developers who regularly contribute new modules and add-ons. ZAP's features and capabilities have been instrumental in both manual penetration tests and automated scans here at we45. In this article, I highlight some of the features that make ZAP the go-to tool for any security tester.
AJAX spidering
AJAX spidering is performed during a penetration test to discover the requests of an AJAX-rich web application that the regular spider cannot find: the regular spider only parses links out of HTML responses and does not execute JavaScript, so requests issued by client-side code are missed. The AJAX spider window can be accessed via ZAP -> Tools -> AJAX Spider (on ZAP's menu bar). Its configuration parameters include the maximum crawl depth, maximum number of crawl states, maximum duration and similar limits that stop the crawl from running indefinitely on applications whose client-side state is effectively unbounded.
Image - An example of AJAX Spider Options
During our penetration tests, we run the regular spider first to identify the URLs of the application under test, then run the AJAX spider; the combination has given us a much better map of the application resources in scope. ZAP can open the application automatically in a browser driven by Selenium and explore it with an event-driven dynamic crawling engine, which largely removes the need for a manual walkthrough of the application just to capture AJAX requests. Because a real browser is driven, the AJAX spider is considerably slower than the regular spider, which is another reason to keep the depth and duration limits realistic.
Fuzzing
A fuzzer injects a large set of payloads into a chosen location of a request to push the application into unexpected states, exposing potential vulnerabilities. In ZAP, a tester can choose from a wide range of open source payload lists, including those from DirBuster, FuzzDB and JBroFuzz, which are available through ZAP's add-ons, making it easier than ever to unearth vulnerabilities.
Image - Fuzzer Dialog
A tester can also supply a custom payload file or generate payloads with a script of their own. The ZAP fuzzer is highly customisable, with controls for the fuzzing location in the request, the number of concurrent threads, the delay between requests and many other options. It can also refresh anti-CSRF tokens automatically for applications that issue a new token on every form render. When ZAP detects an anti-CSRF token (the token names it recognises are listed under Options > Anti CSRF Tokens and can be extended), it records the token together with the URL of the form that issued it; before each fuzzed request it re-requests that form and substitutes the fresh token, so payloads are not rejected with missing/invalid-token errors. If the application's token parameter is not on that list, ZAP will not recognise it and every fuzzed request after the first will fail, so check the list before fuzzing a form.
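The token-refresh problem described above, as an added example (it is not code from the article or from ZAP): a fuzz loop that captures the anti-CSRF token once, beside one that re-requests the form before every payload, run against a constructed in-memory stand-in for a server that issues a new one-time token per render. The form path, the parameter names and the token format are assumptions made for the example.

```python
import re
import secrets

# Constructed form markup: the token is a hidden field named csrf_token.
TOKEN_RE = re.compile(r'name="csrf_token" value="([0-9a-f]+)"')


class TokenRotatingApp:
    """Constructed stand-in for a server that issues a fresh one-time anti-CSRF
    token every time the form is rendered and retires the previous one."""

    def __init__(self):
        self.valid_tokens = set()
        self.accepted = []  # comment values the server actually processed

    def get(self, path):
        token = secrets.token_hex(16)
        self.valid_tokens = {token}  # re-rendering the form invalidates older tokens
        body = ('<form method="post" action="/comment">'
                '<input type="hidden" name="csrf_token" value="%s">'
                '<input name="comment"></form>' % token)
        return 200, body

    def post(self, path, data):
        token = data.get("csrf_token")
        if token not in self.valid_tokens:
            return 403, "missing/invalid token"
        self.valid_tokens.discard(token)  # one-time use
        self.accepted.append(data.get("comment", ""))
        return 200, "ok"


def extract_token(html):
    """Pull the anti-CSRF token out of the rendered form."""
    match = TOKEN_RE.search(html)
    if match is None:
        raise ValueError("no anti-CSRF token found in form")
    return match.group(1)


def fuzz_naive(app, payloads):
    """Capture the token once and reuse it for every payload: what a fuzzer
    without token refresh does. Returns the status code of each attempt."""
    _, html = app.get("/comment")
    token = extract_token(html)
    return [app.post("/comment", {"csrf_token": token, "comment": p})[0]
            for p in payloads]


def fuzz_with_token_refresh(app, payloads):
    """Re-request the form before each payload so every fuzzed request carries a
    token the server currently accepts (the behaviour of ZAP's token refresher)."""
    statuses = []
    for p in payloads:
        _, html = app.get("/comment")
        status, _ = app.post("/comment", {"csrf_token": extract_token(html), "comment": p})
        statuses.append(status)
    return statuses


# Constructed sample payloads; in practice these come from a FuzzDB or JBroFuzz list.
PAYLOADS = ["<script>alert(1)</script>", "' OR '1'='1", "../../etc/passwd"]

if __name__ == "__main__":
    print("single captured token:", fuzz_naive(TokenRotatingApp(), PAYLOADS))
    print("token refreshed per request:", fuzz_with_token_refresh(TokenRotatingApp(), PAYLOADS))
```

With the captured token reused, only the first payload reaches the application and the rest are rejected with 403, which a fuzzer that reads status codes would misreport as "no finding"; re-fetching the form per request gets every payload through.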
Websocket Testing
Testing WebSockets is critical today, given how widely they are used across applications. With ZAP, intercepting, analysing and tampering with WebSocket traffic between client and server is straightforward. The WebSocket Message Editor can be accessed via Tools >> WebSocket Message Editor in the ZAP menu. The editor can be used to change a message's opcode, direction or payload and resend it to the server (or, with the direction reversed, to the client). ZAP also shows the opcode of each message (Text, Binary, Close, Ping or Pong), and messages can be filtered by opcode or channel for closer scrutiny. A WebSocket message can also be sent to the fuzzer for payload injection. Note that ZAP only sees WebSocket traffic on connections that were established through its proxy, so the browser must be proxied before the page opens its socket.
Image - WebSocket Message Editor
For instance, we were once testing a client's visual collaboration platform, an application built on WebSockets. By changing the direction of a message and tampering with its parameters in the message editor, we identified a vulnerability that resulted in a complete denial of service for every user of the application's interface.
Flexible Scan Policy Management
ZAP lets the tester compose a scan policy to suit the requirements of each application. The Scan Policy Manager can be found at Analyse >> Scan Policy Manager under the menu bar.
Image - Scan Policy Manager
For a pentester, it is essential to tune the scanner to what the target application can absorb without degrading its normal operation; an aggressive policy run against a small staging instance is a denial of service in all but name. The processing power and bandwidth of the scanning machine also matter, since a policy with many rules at high strength multiplies the request count for every parameter on every page. The concurrency settings under Options > Active Scan (hosts scanned concurrently, threads per host, delay between requests) should be set alongside the policy rather than left at their defaults.
The scan policy can be altered to include or exclude each kind of test. Two parameters can be set per rule or per category: the Threshold, which sets how sure a rule must be before it raises an alert (Off, Low, Medium or High; a low threshold reports more findings, including more false positives), and the Strength, which sets how many attack requests each rule sends (Low, Medium, High or Insane).
Testers often meet the same scenarios across target applications. ZAP lets one design a custom scan policy and export it as a template; the policy can then be imported into another ZAP instance and reused, for example an injection-only policy at high strength for APIs, or a light policy for fragile legacy applications.
Interacting With ZAP Programmatically via the REST API
With the growth of web services and microservices, automating security testing matters more than ever. ZAP has a well-defined and documented API that makes it easy to drive programmatically from a wide range of tools, platforms and custom scripts. The API can be called directly from a browser or with curl, and ZAP provides client libraries for Java, Python, Node.js, .NET, PHP and Go. The API UI can be opened at http://zap/ from a browser proxied through ZAP, or at http://localhost:<proxy port>/ directly. By default the API requires the key shown under Options > API on every request; disable that check only for throwaway local instances.
Image - ZAP API UI
This feature has particularly helped us integrate some of ZAP's core functionality into our Vulnerability Testing Orchestration and Correlation Platform.
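As an added example covering both the scan-policy section and the REST API section (this is not code from the article, from we45's platform or from the ZAP project), the following standard-library Python drives ZAP's JSON API to create a policy with explicit thresholds and strengths, spider and active-scan a target, and fail if any High-risk alert is raised. The ZAP address, API key, policy name, rule ids and the sample alert data are assumptions; the `fetch` parameter lets the HTTP transport be replaced by the constructed `fake_zap` so the flow can run without a ZAP instance.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_BASE = "http://localhost:8080"  # assumed ZAP proxy/API address
API_KEY = "changeme"                # assumed; ZAP requires a key by default (Options > API)

# Assumed rule selection: id -> (alert threshold, attack strength). The ids are the
# active-scan rule ids shown in the Scan Policy Manager (40018 SQL Injection,
# 40012 Cross Site Scripting (Reflected), 90020 Remote OS Command Injection);
# confirm them against the rule list of the ZAP version in use.
INJECTION_POLICY = {40018: ("MEDIUM", "HIGH"), 40012: ("MEDIUM", "MEDIUM"), 90020: ("LOW", "HIGH")}


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL: /JSON/<component>/<action|view>/<name>/?<params>&apikey=..."""
    params["apikey"] = API_KEY
    return "%s/JSON/%s/%s/%s/?%s" % (ZAP_BASE, component, kind, name, urlencode(params))


def http_get_json(url):
    """Default transport against a live ZAP; fake_zap below has the same signature."""
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)


def build_policy(name, rules, fetch):
    """Create a named scan policy with only `rules` enabled, each at an explicit
    threshold and strength (the two knobs described in the scan-policy section)."""
    try:
        fetch(api_url("ascan", "action", "addScanPolicy", scanPolicyName=name))
    except HTTPError as err:
        if err.code != 400:  # ZAP answers 400 with a JSON error if the policy already exists
            raise
    fetch(api_url("ascan", "action", "disableAllScanners", scanPolicyName=name))
    fetch(api_url("ascan", "action", "enableScanners",
                  ids=",".join(str(i) for i in rules), scanPolicyName=name))
    for rule_id, (threshold, strength) in rules.items():
        fetch(api_url("ascan", "action", "setScannerAlertThreshold",
                      id=rule_id, alertThreshold=threshold, scanPolicyName=name))
        fetch(api_url("ascan", "action", "setScannerAttackStrength",
                      id=rule_id, attackStrength=strength, scanPolicyName=name))


def wait_for_scan(component, scan_id, fetch, poll_seconds=2.0):
    """Poll <component>/view/status until ZAP reports 100 percent complete."""
    while int(fetch(api_url(component, "view", "status", scanId=scan_id))["status"]) < 100:
        time.sleep(poll_seconds)


def summarise(alerts, fail_on=("High",)):
    """Count alerts per risk level and decide whether the gate passes."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts, not any(counts.get(risk, 0) for risk in fail_on)


def scan_and_gate(target, policy_name, fetch=http_get_json, fail_on=("High",)):
    """Spider, active-scan with the named policy, then return (counts, passed)."""
    spider_id = fetch(api_url("spider", "action", "scan", url=target, recurse="true"))["scan"]
    wait_for_scan("spider", spider_id, fetch)
    ascan_id = fetch(api_url("ascan", "action", "scan", url=target, recurse="true",
                             scanPolicyName=policy_name))["scan"]
    wait_for_scan("ascan", ascan_id, fetch)
    alerts = fetch(api_url("core", "view", "alerts", baseurl=target, start=0, count=10000))["alerts"]
    return summarise(alerts, fail_on)


# Constructed sample in the shape of core/view/alerts output, so the flow runs without ZAP.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/search?q=x", "param": "q"},
    {"pluginId": "10038", "name": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "confidence": "High", "url": "http://target.example/", "param": ""},
]


def fake_zap(url):
    """Constructed stand-in transport answering like ZAP does for the endpoints used above."""
    if "/view/status/" in url:
        return {"status": "100"}
    if "/action/scan/" in url:
        return {"scan": "0"}
    if "/view/alerts/" in url:
        return {"alerts": SAMPLE_ALERTS}
    return {"Result": "OK"}


if __name__ == "__main__":
    build_policy("injection-only", INJECTION_POLICY, fake_zap)  # use http_get_json for a live ZAP
    print(scan_and_gate("http://target.example", "injection-only", fetch=fake_zap))
```

The same script, pointed at a real ZAP daemon with `http_get_json`, is the shape of a pipeline gate: exit non-zero when `passed` is false. Gating on High only is a starting point; a Medium finding such as a missing CSP header is usually tracked rather than blocking a build.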
ZAP Jenkins Plugin
As more companies move towards DevSecOps or agile security testing, integrating DAST tools into a CI/CD pipeline manager such as Jenkins is becoming the norm, and a plugin is essential for such integrations.
ZAP's Jenkins plugin enables integration of security testing within the CI/CD pipeline. Through the Jenkins plugin, we've helped our customers integrate ZAP into their DevOps pipelines so that teams run automated scans on every release. The plugin exposes several ZAP operations as pipeline steps, such as the spider, the AJAX spider, the active scan, session management, context definition and exporting results for correlation.
Highly scriptable
A lot of security testing can be automated with scripts, which reduces the time spent on manual testing and frees the tester to focus on the parts that need human judgement.
ZAP is one of the most extensible and scriptable DAST tools: through the Script add-on it runs scripts in any language with a JSR 223 engine, and those scripts have access to ZAP's internal data structures and functionality. Supported languages include JavaScript, Zest, Python (via Jython, so Python 2 syntax), Groovy and Ruby (via JRuby). Script types include stand-alone, active rules, passive rules, proxy rules and HTTP sender scripts, among others, each with a different entry point that ZAP calls at the corresponding stage. We've created Zest scripts using ZAP's record feature to perform automated walkthroughs of an application, proxy the requests through ZAP, run scans and export the results for subsequent aggregation and correlation.
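As an added example of a passive-rule script (not code from the article or from the ZAP project), the following Python script flags JSON responses that leak server-side error detail such as stack traces. The detection logic is plain Python so it can be unit-tested outside ZAP; the `scan(ps, msg, src)` entry point and the `ps.raiseAlert(...)` argument order are assumed from the Python passive-script template bundled with ZAP and should be checked against the template of the ZAP version in use. The script is written in Python 2/3-compatible syntax because ZAP runs it under Jython.

```python
import json
import re

# Keys and patterns that indicate server-side error detail leaking into a JSON body.
LEAK_KEYS = ("stackTrace", "stacktrace", "exception", "traceback")
JAVA_FRAME = re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)")


def find_error_leaks(content_type, body):
    """Return evidence strings for leaked error detail in a JSON response, or []."""
    if "json" not in (content_type or "").lower():
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not well-formed JSON; leave it to other rules
    evidence = []
    _collect(doc, evidence)
    frame = JAVA_FRAME.search(body)
    if frame:
        evidence.append(frame.group(0))
    return evidence


def _collect(node, out):
    """Walk the decoded document and record any leak-indicating keys with their values."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LEAK_KEYS:
                out.append('"%s": %s' % (key, json.dumps(value)[:80]))
            _collect(value, out)
    elif isinstance(node, list):
        for item in node:
            _collect(item, out)


def scan(ps, msg, src):
    """Entry point ZAP calls for each response handed to the passive scanner.
    ps: ScriptsPassiveScanner helper, msg: HttpMessage, src: parsed HTML source."""
    content_type = msg.getResponseHeader().getHeader("Content-Type")
    evidence = find_error_leaks(content_type, msg.getResponseBody().toString())
    if not evidence:
        return
    # raiseAlert(risk, confidence, name, description, uri, param, attack, otherInfo,
    #            solution, evidence, cweId, wascId, msg); risk 1 = Low, confidence 2 = Medium.
    # Argument order assumed from ZAP's Python passive-script template.
    ps.raiseAlert(1, 2,
                  "Server-side error detail in JSON response",
                  "The JSON body contains exception or stack-trace data.",
                  msg.getRequestHeader().getURI().toString(),
                  "", "", "; ".join(evidence),
                  "Return a generic error object; keep the detail in server-side logs.",
                  evidence[0], 209, 13, msg)
```

Save the file under ZAP's scripts directory as a passive rule, enable it in the Scripts tab, and it runs against every response ZAP proxies or spiders; CWE-209 and WASC-13 are the classification ids used for the alert.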
While some of these features are available in other commercial and open source DAST tools, ZAP brings them (and much more) together in a single intuitive and effective open source platform, making it the go-to tool for both manual and automated security scans.