Integrating pentesting applications in OWASP ZAP


The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Some of ZAP’s functionality:

  • Intercepting Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support
  • Web sockets support
  • Support for a wide range of scripting languages
  • Plug-n-Hack support
  • Authentication and session support
  • Powerful REST based API
  • Automatic updating option
  • Integrated and growing marketplace of add-ons

In this quick tutorial, we look at how to automate web penetration testing using OWASP ZAP's Applications integration setting. It lets you launch tools such as Burp Suite, SQLMap, Nmap, Nikto, SSLScan and others directly from ZAP against the request you have selected, which makes running them far more efficient and easier to manage.

Setting up 3rd party application settings

In OWASP ZAP, open the “Options” dialog and select the “Applications” settings.


Add a new application

Click the “Add” button in the Applications settings and enter the full command for the tool together with its parameters (see below for a list of example applications and syntax). Tick “Capture Output” so that the tool's output is shown in ZAP's “Output” tab when it finishes.


List of applications and their parameters. ZAP substitutes %url%, %host%, %port%, %cookie% and %postdata% from the selected request before launching the command. Note that sqlmap's --proxy, wfuzz's -p and wpscan's --proxy each require a proxy address as argument, which the entries below leave out; point them at ZAP's own listener (localhost port 8080 by default, in whatever format each tool expects) so the tool's traffic is routed back through ZAP and also appears in ZAP's history.

SQLMap (proxy+cookie+postdata): /usr/bin/sqlmap --proxy -u %url% --cookie "%cookie%" --data "%postdata%" -f --batch --dbs

SQLMap (crawl+cookie): /usr/bin/sqlmap --proxy -u %url% --cookie "%cookie%" -f --batch --crawl=5 --dbs

SQLMap (proxy+cookie+get): /usr/bin/sqlmap --proxy -u %url% --cookie "%cookie%" -f --batch --dbs

SQLMap (proxy+get): /usr/bin/sqlmap --proxy -u %url% -f --batch --dbs

SQLMap (proxy+postdata): /usr/bin/sqlmap --proxy -u %url% --data "%postdata%" -f --batch --dbs

WFuzz (login brute force): /usr/bin/wfuzz -p -c -z file,/pentest/lists/http_default_users.txt -z file,/pentest/lists/http_default_pass.txt -b "%cookie%" -d "username=FUZZ&password=FUZ2Z&submit=Login" %url%

Nikto: /usr/bin/nikto -useproxy -host %url%

Nmap: /usr/bin/nmap -sV -O -p %port% %host%

Arachni: /usr/bin/arachni %url% --report=html

Bed HTTP fuzzer: /usr/bin/bed -s HTTP -t %host% -p %port%

CMSMap: /usr/bin/ -t %host%

DNSDict6: /usr/bin/dnsdict6 %host% /pentest/lists/dns/namelist.txt -4

SSLScan: /usr/bin/sslscan --no-failed %host%

WPScan: /usr/bin/wpscan --url %url% --proxy

DNSEnum: /usr/bin/dnsenum --enum -w %host% -f /pentest/lists/dns/namelist.txt

Whois: /usr/bin/whois -h %host% -p %port%
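A small wrapper script is the practical way to deal with two things the one-line entries above cannot: ZAP substitutes an empty string for %postdata% when the selected request is a GET, and sqlmap's --proxy needs the address of ZAP's own listener. The following bash script is an added example and is not code from the original post or from the ZAP or sqlmap projects. It assumes that ZAP hands the substituted %url%, %cookie% and %postdata% to the script as three positional arguments, that ZAP listens on 127.0.0.1:8080, and that sqlmap is at /usr/bin/sqlmap (both paths are overridable through environment variables).

```shell
#!/usr/bin/env bash
# zap-sqlmap.sh: wrapper to register in ZAP (Options > Applications) as
#   Full Command: /usr/local/bin/zap-sqlmap.sh
#   Parameters:   %url% "%cookie%" "%postdata%"
# Assumptions (added here, not from the original post): ZAP hands the three
# substituted values to the script as three positional arguments, and ZAP's
# own listener is at ZAP_PROXY, so sqlmap's requests show up in ZAP's
# history as well.
set -eu

ZAP_PROXY="${ZAP_PROXY:-http://127.0.0.1:8080}"
SQLMAP_BIN="${SQLMAP_BIN:-/usr/bin/sqlmap}"

# Accept only http(s) URLs; anything else selected in ZAP is refused rather
# than handed to a tool that will actively attack it.
url_ok() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the sqlmap argument list, one argument per line. An empty cookie or
# empty post data (ZAP yields an empty %postdata% for GET requests) is
# dropped instead of being passed as an empty --cookie "" / --data "" value.
sqlmap_args() {
  local url="$1" cookie="${2:-}" postdata="${3:-}"
  printf '%s\n' --proxy "$ZAP_PROXY" -u "$url"
  if [ -n "$cookie" ]; then
    printf '%s\n' --cookie "$cookie"
  fi
  if [ -n "$postdata" ]; then
    printf '%s\n' --data "$postdata"
  fi
  printf '%s\n' -f --batch --dbs
}

main() {
  local url="$1" cookie="${2:-}" postdata="${3:-}"
  if ! url_ok "$url"; then
    echo "refusing non-http(s) target: $url" >&2
    exit 2
  fi
  # Rebuild the positional parameters from the printed list so that every
  # argument, including post data containing '&' or spaces, stays one token.
  # (Form bodies contain no raw newlines, which is what the split relies on.)
  set --
  while IFS= read -r arg; do
    set -- "$@" "$arg"
  done <<EOF
$(sqlmap_args "$url" "$cookie" "$postdata")
EOF
  # Echo the exact command to stderr; with "Capture Output" ticked, ZAP
  # shows it in the Output tab together with sqlmap's own output.
  printf '+ %s' "$SQLMAP_BIN" >&2
  printf ' %s' "$@" >&2
  echo >&2
  exec "$SQLMAP_BIN" "$@"
}

# ZAP always passes at least %url%; with no arguments the file only defines
# the functions above (useful for sourcing them in a test).
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Register it with the same quoting the entries above use for %cookie% and %postdata%, so that a cookie header or form body containing spaces still arrives as a single argument. The printed argument list is kept separate from the exec so the script can be exercised without launching sqlmap.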


Setting up Burpsuite Integration

To chain OWASP ZAP with Burp Suite, set up a proxy listener in Burp Suite (e.g. port 8080) as shown below. If Burp and ZAP run on the same host, the Burp listener must use a different port from ZAP's own local proxy, otherwise whichever starts second will fail to bind.


Then change the connection settings in OWASP ZAP to use an outgoing proxy matching the host:port set above. This forwards all traffic proxied through ZAP on to Burp Suite.


Set your browser's proxy settings to use OWASP ZAP's local proxy (e.g. port 8080).


Navigate to the target application

After your web browser is set up to use OWASP ZAP, navigate to the target web application so that ZAP captures the requests.

Run a 3rd party application from ZAP


Select the application to run by right-clicking the URL you want to test and choosing the application from the “Run application” menu.


Review results of the application from the “Output” tab

After the command has finished running, click the “Output” tab in ZAP to view the application's results.


