ZAP
This guide provides detailed instructions on setting up, configuring, using, and troubleshooting ZAP and its API for web application security testing. It covers all necessary steps, with relevant screenshots and examples, to help students understand how to use ZAP for the class project.
- Download the Java JDK from the official Oracle download page. Choose the version that corresponds to your system (e.g., Windows, macOS, Linux).
- Install Java following the on-screen instructions.
- Open a new Command Prompt and check the Java version:
  java -version
For macOS:
- Visit the official ZAP download page.
- Select the appropriate version for macOS:
  - Intel (amd64)
  - Apple Silicon (aarch64)
For Windows:
- Download the ZAP installer:
  - Choose the Windows (64-bit) or Windows (32-bit) installer based on your system.
After downloading, follow the installation prompts:
- On macOS, open the downloaded .dmg file and drag ZAP into the Applications folder.
- On Windows, run the installer and follow the on-screen instructions to complete the installation.
- Run the following command to verify the version:
  zap --version
- This will output the version of ZAP installed, e.g., OWASP ZAP 2.11.1
1. Open ZAP: Start the ZAP application.
2. Configure Proxy Settings:
   - Go to Options > Network > Local Servers/Proxies.
   - Ensure that localhost is set with Port 8081 (default).
   - Open Firefox and go to Settings > Network Settings > Manual proxy configuration.
   - Set the HTTP Proxy to 127.0.0.1 and Port to 8081.
   - Ensure the checkbox for "Use this proxy server for all protocols" is checked.
1. Open Firefox and visit a test website (e.g., https://sec.cse.csusb.edu/team1).
2. In ZAP, go to the Sites or History tab to see the traffic being intercepted.
- Open ZAP, go to Manual Explore, enter the URL of the website, and start crawling.
- After spidering, click the Active Scan button to scan for vulnerabilities on the identified pages.
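The same spider-then-active-scan workflow can be driven from ZAP's JSON API instead of the GUI. The script below is an added example written for this guide, not code from the ZAP project; it assumes ZAP is already running with its local proxy/API on 127.0.0.1:8081 (the port configured above), that `API_KEY` is replaced with the key shown under Options > API, and it uses the class test site named above as the target.

```python
"""Drive ZAP's spider and active scan through its REST API.

Added example for this guide, not code from the ZAP project. Assumes ZAP is
running with its local API on 127.0.0.1:8081 and that API_KEY holds the key
shown under Options > API.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_HOST = "127.0.0.1"
ZAP_PORT = 8081            # same port the guide sets for the local proxy
API_KEY = "CHANGE-ME"      # placeholder: paste your key from Options > API
TARGET = "https://sec.cse.csusb.edu/team1"   # test site named in the guide


def api_url(component: str, kind: str, operation: str, **params) -> str:
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?apikey=...&url=..."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"http://{ZAP_HOST}:{ZAP_PORT}/JSON/{component}/{kind}/{operation}/?{query}"


def call(component: str, kind: str, operation: str, **params) -> dict:
    """Issue one API request to the running ZAP instance and decode the JSON reply."""
    url = api_url(component, kind, operation, **params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component: str, scan_id: str, poll_seconds: float = 2.0) -> None:
    """Poll the spider/ascan status view until ZAP reports 100 (percent complete)."""
    while True:
        status = int(call(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return
        time.sleep(poll_seconds)


def summarize(alerts: list) -> dict:
    """Count alerts per risk level (High/Medium/Low/Informational), like the Alerts tab."""
    counts: dict = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def spider_and_active_scan(target: str) -> dict:
    """Same order as in the GUI: spider first, then active scan, then read the alerts."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize(alerts)


if __name__ == "__main__":
    print(spider_and_active_scan(TARGET))
```

Spidering before active scanning matters: the active scan only tests URLs ZAP already knows about, so an empty Sites tree yields an empty scan. The returned dictionary matches the per-risk totals you see in the Alerts tab, which makes it easy to fail a build or a lab check when a High alert appears.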
- Passive scanning monitors traffic between the browser and the application without impacting the site's functionality.
- Typical vulnerabilities detected include:
  - Missing Security Headers
  - Insecure Cookies
  - Information Leakage
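To show what those three passive-scan categories look like on the wire, here is a small checker that inspects a recorded HTTP response the way ZAP's passive rules do. It is an added example written for this guide, not ZAP's own scan-rule code; both responses are constructed for illustration, and the risk labels are approximations of the levels ZAP assigns to similar alerts.

```python
"""Mini passive checker for the three alert classes listed above.

Added example for this guide; not ZAP's own scan-rule code. The raw HTTP
responses are constructed, and the risk labels approximate ZAP's levels.
"""

# Constructed response with the defects a passive scan typically flags.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"        # leaks a version number
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"    # neither Secure nor HttpOnly
    "\r\n"
    "<html><body>hello</body></html>"
)

# Same page after hardening: no alerts expected.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw: str) -> list:
    """Return (name, value) pairs in order; a list, not a dict, so repeated Set-Cookie survives."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def passive_scan(raw: str) -> list:
    """Return (alert name, risk) tuples, mirroring what ZAP's passive rules report."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    alerts = []

    # 1. Missing security headers
    csp_values = [v for n, v in headers if n == "content-security-policy"]
    if "x-frame-options" not in names and not any("frame-ancestors" in v for v in csp_values):
        alerts.append(("Missing Anti-clickjacking Header", "Medium"))
    if "x-content-type-options" not in names:
        alerts.append(("X-Content-Type-Options Header Missing", "Low"))

    # 2. Insecure cookies: every Set-Cookie is checked for Secure and HttpOnly
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in v.split(";")[1:]}
        if "secure" not in attrs:
            alerts.append((f"Cookie Without Secure Flag ({cookie_name})", "Low"))
        if "httponly" not in attrs:
            alerts.append((f"Cookie No HttpOnly Flag ({cookie_name})", "Low"))

    # 3. Information leakage: a Server header that carries a version number
    for n, v in headers:
        if n == "server" and any(ch.isdigit() for ch in v):
            alerts.append(("Server Leaks Version Information via Server Header", "Low"))

    return alerts


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, passive_scan(raw))
```

Because these checks only read responses that already passed through the proxy, they never send extra requests, which is exactly why passive scanning is safe to leave on while you browse. The hardened response shows the fixes the corresponding ZAP alerts recommend: an anti-framing header, `nosniff`, cookie flags, and a Server header without a version.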
- After scanning, you can generate an HTML report by going to Reports > Generate Report.
- Choose the format and location to save the file.
- ZAP will categorize the vulnerabilities found (e.g., XSS, SQL Injection) under the Alerts tab. Each alert has detailed descriptions and recommended fixes.
Example:
- Fig1: The summary of the alerts inside the report.
- Fig2: The figure shows the types of alerts, their risk level, and the number of instances.
- Fig3: The figure shows the alert "Missing Clickjacking Header".
- Results: Vulnerabilities with varying severity levels (low, medium, high, critical) are shown in the Alerts tab.
- Customizing the Scan Policy: You can adjust the scan policy by enabling or disabling specific attack types.
- You can view detailed information about each alert, including its risk level and possible exploitations.
- Viewing the alerts for the website inside the ZAP tool.
- If ZAP fails to open, go to System Preferences > Security & Privacy > Allow Anyway under the General tab.
- Double-check your browser's proxy settings: ensure 127.0.0.1 and port 8081 are configured correctly in both Firefox and ZAP.
- Access Denied: Right-click the ZAP executable and select Run as Administrator.
- The official documentation provides detailed explanations of ZAP's features, configuration, and usage:
  - ZAP User Guide