Integrating pentesting applications in OWASP ZAP

Owasp-ZaProxy

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Some of ZAP’s functionality:

  • Intercepting Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
  • Web sockets support
  • Support for a wide range of scripting languages
  • Plug-n-Hack support
  • Authentication and session support
  • Powerful REST based API
  • Automatic updating option
  • Integrated and growing marketplace of add-ons

In this quick tutorial, we look at how to automate web penetration testing using OWASP ZAP's application integration settings. This makes running many applications such as Burp Suite, SQLMap, Nmap, Nikto, SSLScan and others much more efficient and easier to manage.

Setting up 3rd party application settings

In OWASP ZAP, select the "Applications" setting from OWASP ZAP's "Options" menu.

Add a new application

Set the application options by clicking the "Add" button in the "Application Settings" and add your command for the application (see below for a list of example applications and their syntax). ZAP substitutes the placeholders %url%, %host%, %port%, %cookie% and %postdata% with values taken from the selected request before running the command.

List of applications and their parameters:

SQLMap (proxy+cookie+postdata): /usr/bin/sqlmap --proxy http://127.0.0.1:1080 -u %url% --cookie "%cookie%" --data "%postdata%" -f --batch --dbs

SQLMap (crawl+cookie): /usr/bin/sqlmap --proxy http://127.0.0.1:1080 -u %url% --cookie "%cookie%" -f --batch --crawl=5 --dbs

SQLMap (proxy+cookie+get): /usr/bin/sqlmap --proxy http://127.0.0.1:1080 -u %url% --cookie "%cookie%" -f --batch --dbs

SQLMap (proxy+get): /usr/bin/sqlmap --proxy http://127.0.0.1:1080 -u %url% -f --batch --dbs

SQLMap (proxy+postdata): /usr/bin/sqlmap --proxy http://127.0.0.1:1080 -u %url% --data "%postdata%" -f --batch --dbs

WFuzz (login bruteforce): /usr/bin/wfuzz -p 127.0.0.1:1080 -c -z file,/pentest/lists/http_default_users.txt -z file,/pentest/lists/http_default_pass.txt -b "%cookie%" -d "username=FUZZ&password=FUZ2Z&submit=Login" %url%

Nikto: /usr/bin/nikto -useproxy 127.0.0.1:1080 -host %url%

Nmap: /usr/bin/nmap -sV -O %host% %port%

Arachni: /usr/bin/arachni %url% --report=html

Bed HTTP fuzzer: /usr/bin/bed -s HTTP -t %host% -p %port%

CMSMap: /usr/bin/cmsmap.py -t %host%

DNSDict6: /usr/bin/dnsdict6 %host% /pentest/lists/dns/namelist.txt -4

SSLScan: /usr/bin/sslscan --no-failed %host%

WPScan: /usr/bin/wpscan --url %url% --proxy 127.0.0.1:1080

DNSEnum: /usr/bin/dnsenum --enum -w %host% -f /pentest/lists/dns/namelist.txt

Whois: /usr/bin/whois -h %host% -p %port%

Setting up Burp Suite integration

To integrate OWASP ZAP with Burp Suite, set a new proxy listener port in Burp Suite (e.g. port 8080) as shown below.

Then change the connection settings in OWASP ZAP (the upstream proxy) to match the host:port set above. This forwards all traffic proxied through ZAP on to Burp Suite.

Set your browser's proxy settings to use OWASP ZAP's local proxy (e.g. port 8080).

Navigate to the target application

After your web browser is set up to use OWASP ZAP, navigate to the target web application (e.g. 192.168.31.20) so that ZAP captures the request.

Run a 3rd party application from ZAP

Select the application to run by right-clicking the URL you want to test and choosing the application from the "Run application" menu.

Review results of the application from the “Output” tab

After the command has finished running, click the "Output" tab in ZAP to view the application's results.