The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
Some of ZAP’s functionality:
- Intercepting Proxy
- Traditional and AJAX spiders
- Automated scanner
- Passive scanner
- Forced browsing
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
- Web sockets support
- Support for a wide range of scripting languages
- Plug-n-Hack support
- Authentication and session support
- Powerful REST based API
- Automatic updating option
Integrated and growing marketplace of add-ons
In this quick tutorial, We can check how to automate web penetration testing using OWASP ZAP’s application integration settings. This makes running many applications such as integration settings. This makes running many applications such as Burpsuite, SQLMap, NMap, Nikto, SSLScan and others much more efficient and easier to manage.
Setting up 3rd party application settings
In OWASP ZAP, select the “Applications” setting from OWASP ZAP’s “Options” menu
Add a new application
Set the application options by clicking the “Add” button in the “Application Settings” and add your command for the application (see below for a list of example applications and syntax)
List of Applications and their parameters:
SQLMap (proxy+cookie+postdata) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –cookie “%cookie%” –data “%postdata%” -f –batch –dbs
SQLMAP (crawl+cookie) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –cookie “%cookie%” -f –batch –crawl=5 –dbs
SQLMap (proxy+cookie+get) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –cookie “%cookie%” -f –batch –dbs
SQLMap (proxy+get) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% -f –batch –dbs
SQLMap (proxy+postdata) /usr/bin/sqlmap –proxy http://127.0.0.1:1080 -u %url% –data “%postdata%” -f –batch –dbs
WFuzz (Login Bruteforce) /usr/bin/wfuzz -p 127.0.0.1:1080 -c -z file,/pentest/lists/http_default_users.txt -z file,/pentest/lists/http_default_pass.txt -b “%cookie%” -d “username=FUZZ&password=FUZ2Z&submit=Login” %url%
Nikto /usr/bin/nikto -useproxy 127.0.0.1:1080 -host %url%
NMap /usr/bin/nmap -sV -O %host% %port%
Arachni /usr/bin/arachni %url% –report=html
Bed HTTP Fuzzer /usr/bin/bed -s HTTP -t %host% -p %port%
CMSMap /usr/bin/cmsmap.py -t %host%
DNSDict6 /usr/bin/dnsdict6 %host% /pentest/lists/dns/namelist.txt -4
SSLScan /usr/bin/sslscan –no-failed %host%
WPScan /usr/bin/wpscan –url %url% –proxy 127.0.0.1:1080
DNSEnum /usr/bin/dnsenum –enum -w %host% -f /penetst/lists/dns/namelist.txt
Whois /usr/bin/whois -h %host% -p %port%
Setting up Burpsuite Integration
To integrate OWASP ZAP with Burpsuite, set a new proxy listener port in Burpsuite (ie. port 8080) as shown below.
After, change the connection settings in OWASP ZAP to match the host:port set above. This will forward and route all traffic proxied through ZAP to Burpsuite.
Set your browser proxy settings to use OWASP ZAP’s local proxy (ie. port 8080).
Navigate to the target application
After your web browser is setup to use OWASP ZAP, navigate to the target web application (ie. 192.168.31.20) to capture the request.
Run a 3rd party application from ZAP
Select the application to run by right-clicking on the URL you want to test and selecting the application from the “Run application” menu
Review results of the application from the “Output” tab
After the command has finished running, click the “Output” tab in ZAP to view the applications results.