The Zed Attack Proxy (ZAP) is one of the most widely-used open source tools for dynamic application security testing (DAST). Maintained by OWASP, ZAP has built a huge community of people creating new features and add-ons that make it incredibly versatile.
You could say we’re a little bit in love with this tool here at we45. For years we’ve been using it for manual pen-testing and automated application scans, and we’ve become intimately familiar with some of its most useful features. It’s about time we show you why we think it’s so cool.
So here’s our personal list of the 7 best features that make ZAP such a great tool for appsec testing.
1. AJAX spidering
AJAX spidering is performed during a penetration test to discover requests in AJAX-rich web apps that a regular spider can't find. The AJAX spidering window can be accessed via ZAP -> Tools -> AJAX Spider (on ZAP's menu bar). The tool has configuration parameters such as maximum crawl depth, maximum crawl states and maximum duration, along with other options that prevent the crawl from running indefinitely.
Image - An example of AJAX Spider Options
During our penetration tests, we use the regular spidering tool first to identify URLs of the application being tested. Running the AJAX spider after the regular spidering has helped us get a better map of all application resources in scope. ZAP gives you the option to automatically open the application via browser using Selenium and explore the application through an event-driven dynamic crawling engine. This eliminates the need for a manual walkthrough of the application to capture AJAX requests.
2. ZAP Jenkins Plugin
As more and more companies move towards DevSecOps or pursue Agile security testing methods, integrating DAST tools into their CI/CD pipeline manager such as Jenkins is becoming pretty common. Having a plugin is essential for such integrations.
The Jenkins plugin enables integration of security testing within the CI/CD pipeline. Through the Jenkins plugin, we've helped our customers integrate ZAP seamlessly into the DevOps pipeline, allowing teams to run automated scans per release. The plugin exposes several ZAP operations to the pipeline, such as spider scans, AJAX spidering, active scans, session management, context definition and result correlation.
3. Fuzzing
A fuzzer is a security tool used to inject a variety of payloads to force the application to go to an undesired state, possibly exposing a potential vulnerability. In ZAP, a tester can choose from a wide range of open source fuzzing payload lists through sources like Dirbuster, FuzzDB and JbroFuzz. All of these are built into ZAP making it easier to unearth vulnerabilities than ever before.
Image - Fuzzer Dialog
A pen-tester can either choose to upload a manual list of payloads or generate payloads by writing his/her own custom scripts. The ZAP Fuzzer is also highly customisable with controls like fuzzing location (in the request), number of concurrent threads, delay in fuzzing and many more options.
The fuzzer also has the ability to automatically refresh Anti-CSRF tokens in applications where the tokens regenerate per form request. When detecting an Anti-CSRF token, ZAP automatically records the token and the associated URL. ZAP thereby regenerates the token whenever necessary, preventing missing/invalid token errors.
4. Websocket Testing
Testing WebSockets is critical, given how pervasive their implementations are across applications. With ZAP, intercepting, analysing or tampering with the WebSocket traffic between the client and server couldn't be easier. The WebSocket Message Editor can be accessed via Tools>>WebSocket Message Editor under the ZAP menu. The editor can be used to tamper with the opcode, direction or payload of a message before it is sent on to the server.
Image - WebSocket Message Editor
ZAP also gives details of the opcode of each message — Text, Binary, Close, Ping or Pong. The messages can then be filtered based on opcodes or the channels for further scrutiny. The websocket message can also be sent to the fuzzer for subsequent payload injection.
For instance, we were once testing a client's visual collaboration platform, which was an application based on websockets. By changing the direction of the message and tampering with the parameters in the message via the message editor, we were able to identify a vulnerability in the application that resulted in complete denial of service for all users using the application interface.
5. Highly Scriptable
A lot of security testing can be automated with scripts, which reduces time spent on manual testing and allows the tester to focus on other important tasks.
The scripts supported include Stand-alone, Active Rules, Proxy Rules etc. We’ve created Zest scripts using ZAP’s “record scripts” feature to perform automated walkthroughs of an application, proxy the requests through ZAP, run scans and export the results for subsequent aggregation and correlation.
6. Flexible Scan Policy Management
ZAP provides the flexibility to compose a scan policy based on the requirement of the tester for every application. The Scan Policy Manager can be found at Analyse>>Scan Policy Manager under the menu bar.
For a pen-tester, it is essential to optimise the scanner depending on the ability of the target application to keep up with its operational performance (and not result in a DoS). It's therefore critical to consider a scanner machine's processing and bandwidth capabilities while designing scan policies.
Image - Scan Policy Manager
The scan policy can be altered to include or exclude the kinds of test to perform. ZAP even lets you configure parameters such as Threshold (how likely a potential finding must be before it is flagged) and Strength (the number of requests sent for each test).
Pen-testers often need to test scenarios that recur across target applications. ZAP allows you to design a custom scan policy that can be exported as a template. This scan policy can then be imported back into ZAP and reused.
7. Interacting With ZAP Programmatically via the REST API
ZAP has a really well defined and documented API which makes it easier to be accessed programmatically by a wide range of tools, platforms or custom scripts.
Image - ZAP API UI
The ZAP API can be used directly via a browser or from programming languages such as Java, Python, Node.js, .NET, PHP or Go. The ZAP API UI can be accessed through the browser at http://zap when browsing through the proxy, or at http://localhost:<proxy port>.
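As an added example (not code from the original post or from the ZAP project), the following Python script drives the JSON API described above without any client library: it spiders and active-scans a target, then summarises the alerts by risk level in the form a Jenkins-style pipeline step (section 2) could use as a pass/fail gate. The ZAP address, the API key placeholder and the sample alert response are assumptions, and only the summary functions run without a live ZAP instance.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_BASE = "http://localhost:8080"   # assumption: ZAP daemon listening on its default port
API_KEY = "REPLACE_WITH_API_KEY"     # placeholder: the key shown under ZAP Options -> API

RISK_ORDER = ["Informational", "Low", "Medium", "High"]

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL: /JSON/<component>/<view|action>/<name>/?apikey=...&param=..."""
    query = urlencode({"apikey": API_KEY, **params})
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{query}"

def call(component, kind, name, **params):
    """Issue one API request and decode the JSON reply (needs a running ZAP)."""
    with urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)

def wait_for(component, scan_id, poll_seconds=2):
    """Poll <component>/view/status until the spider or active scan reports 100%."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)

def summarise_alerts(alerts_json):
    """Count alerts per risk level from a core/view/alerts response body."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts_json.get("alerts", []):
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts

def breaks_build(counts, max_allowed="Low"):
    """True when any alert is rated above the highest risk a pipeline run may tolerate."""
    limit = RISK_ORDER.index(max_allowed)
    return any(counts.get(risk, 0) for risk in RISK_ORDER[limit + 1:])

def spider_scan_and_report(target):
    """Spider, active-scan and summarise one target: the sequence a pipeline step would run."""
    wait_for("spider", call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", call("ascan", "action", "scan", url=target)["scan"])
    return summarise_alerts(call("core", "view", "alerts", baseurl=target))

# Constructed sample of a core/view/alerts response, so the summary logic runs offline.
SAMPLE_ALERTS = {"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://target.example/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://target.example/login"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://target.example/app"},
]}

if __name__ == "__main__":
    counts = summarise_alerts(SAMPLE_ALERTS)
    print(counts, "fail build:", breaks_build(counts))
```

Call spider_scan_and_report("http://your-app") against a running ZAP to replace the constructed sample with live results.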
Even though you can find these features in other private and publicly available DAST tools, ZAP brings them (and much more) together in a single intuitive and effective open source platform. That's what makes it the go-to tool for both manual and automated security scans.