OWASP ZAP – Web Application Security Testing Tool

Hey Folks, today we are going to present a useful tool for bug bounty hunters which is specially designed to check the security of any web application. OWASP ZAP is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers. It has become one of the most widely used open-source tools for dynamic application security testing (DAST), and is maintained by OWASP. If you want to know more about this project, you can also read about it here.

Let’s get to the point 😛 !!

Installation of OWASP ZAP

In our case we are using the Kali Linux operating system. First you have to download the installer from here and then move it to a convenient directory from which you can run it easily. After performing these steps, start the installer with the bash command.

bash ZAP*.sh

After running the bash script, the GUI installer immediately becomes active. To set up this tool you have to click on “Next”.

Now accept the agreement and proceed.

Now click on install button to continue the installation.

Hmm 🙂 !! We have to be patient as the installation may take some time to complete.

Nice 😛 !! Even though it is an open-source tool, it has many features that we never find even in paid tools. Let’s explore the features of this tool.

Different Modes

As of version 2.5.0, ZAP can be used in one of four modes:

  • Safe Mode : Safe mode will avoid anything potentially dangerous.
  • ATTACK mode : ATTACK mode will aggressively try to attack new URLs as soon as they are discovered.
  • Protected mode : When pen testing is desired on sites you have permission to test, Protected mode can be used.
  • Standard mode : Standard mode allows for all types of attacks.

Formats of Reports

As you can see in the image below, this tool has several options (formats) available for saving the results.

Lists of Tools

As you can see, many different types of tools are available for testing a web application. All the important parts of this tool have been shown, so now we need to move on to the attack.

Automate Scan

We are going to first consider the automated scan feature of this tool.

Alright 😛 !! All we have to do is give the URL of the web application and select the browser.
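The same automated scan can be driven without the GUI through ZAP's REST API, which is how it is usually wired into CI. The script below is an added example and not part of the original post or of ZAP itself: it assumes a ZAP instance already running in daemon mode on BASE_URL with an API key set (API_KEY and the target "http://app.example" are placeholders), spiders the target, runs the active scan, waits for both to finish, and counts the resulting alerts per risk level.

```python
"""Drive a ZAP automated scan (spider, then active scan) over its JSON API.

Added example, not the original post's code. Assumes ZAP is running locally in
daemon mode (for example `zap.sh -daemon -port 8080`) with an API key configured.
"""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:8080"          # assumption: ZAP listening locally
API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"   # placeholder, not a real key


def api_url(component: str, kind: str, name: str, **params: str) -> str:
    """Build a ZAP JSON API URL, e.g. /JSON/spider/action/scan/?url=...

    `kind` is "action" (changes ZAP state) or "view" (read-only query).
    """
    query = urllib.parse.urlencode(params)
    return f"{BASE_URL}/JSON/{component}/{kind}/{name}/?{query}"


def call(component: str, kind: str, name: str, **params: str) -> dict:
    """Issue one API request. The key is sent as a header rather than a URL
    parameter so it does not end up in proxy or web-server access logs."""
    req = urllib.request.Request(api_url(component, kind, name, **params),
                                 headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for(component: str, scan_id: str, poll_seconds: float = 2.0) -> None:
    """Poll <component>/view/status/ until ZAP reports 100 for this scan."""
    while True:
        status = int(call(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return
        time.sleep(poll_seconds)


def automated_scan(target: str) -> list:
    """Spider the target, then actively scan it, and return ZAP's alert list."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for("ascan", ascan_id)
    return call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts: list) -> dict:
    """Count alerts per ZAP risk label (Informational / Low / Medium / High)."""
    counts: dict = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    # Placeholder target; the network calls only work against a live ZAP.
    found = automated_scan("http://app.example")
    for risk, n in sorted(summarize(found).items()):
        print(f"{risk:14} {n}")
```

The spider runs first so the active scanner has a site tree to work from; polling `view/status` rather than sleeping a fixed time keeps the script correct for both small and large applications.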

Results – Spider

As we know, the spider scan crawls the entire website, following its content and hyperlinks.

AJAX Spider

The AJAX Spider allows you to crawl web applications written in AJAX in far more depth than the native Spider.

Alerts ( Vulnerability )

In the alerts section we can see security issues or vulnerabilities found in web applications.

Site Content

Apart from this, you can also obtain all the configuration files of the web server.

Reporting

The most awaited and impressive feature of this tool is that it can create complete scan reports on its own.
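The JSON report format is the one you want when the alerts from the Alerts section above have to feed a build pipeline or a ticketing system rather than a human reader. The script below is an added example, not part of the original post or of ZAP: it parses a hand-constructed report that mirrors ZAP's JSON layout (the "site" list with "@name" and "alerts", each alert carrying "riskcode", "confidence", "cweid" and "instances"), counts findings per risk level, lists the URLs hit by one plugin, and returns the alerts that would fail a CI gate at a chosen risk threshold. The findings, URLs and plugin ids in SAMPLE_REPORT are constructed for illustration, not real scan output.

```python
"""Summarize a ZAP JSON report for a CI gate.

Added example, not the original post's code. SAMPLE_REPORT is constructed to
follow ZAP's JSON report layout; its findings are illustrative only.
"""
import json
from collections import Counter

# ZAP encodes risk as a string code in "riskcode".
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "@generated": "constructed sample",
    "site": [{
        "@name": "http://app.example",
        "@host": "app.example", "@port": "80", "@ssl": "false",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "cweid": "693", "count": "2",
             "instances": [{"uri": "http://app.example/", "method": "GET"},
                           {"uri": "http://app.example/login", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "cweid": "693", "count": "1",
             "instances": [{"uri": "http://app.example/", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "cweid": "79", "count": "1",
             "instances": [{"uri": "http://app.example/search?q=x",
                            "method": "GET", "param": "q"}]},
        ],
    }],
})


def load_alerts(report_text: str) -> list:
    """Flatten the report into (site name, alert dict) pairs."""
    report = json.loads(report_text)
    return [(site["@name"], alert)
            for site in report["site"] for alert in site["alerts"]]


def risk_counts(report_text: str) -> dict:
    """Number of distinct alerts per risk level, keyed by ZAP's risk name."""
    return dict(Counter(RISK_NAMES[a["riskcode"]] for _, a in load_alerts(report_text)))


def affected_urls(report_text: str, pluginid: str) -> list:
    """Sorted, de-duplicated URLs where the given plugin raised an alert."""
    return sorted({inst["uri"]
                   for _, a in load_alerts(report_text) if a["pluginid"] == pluginid
                   for inst in a["instances"]})


def fails_gate(report_text: str, min_risk: str = "Medium") -> list:
    """Alerts at or above `min_risk`, highest risk first; non-empty means fail."""
    threshold = {name: int(code) for code, name in RISK_NAMES.items()}[min_risk]
    hits = [a for _, a in load_alerts(report_text) if int(a["riskcode"]) >= threshold]
    return sorted(hits, key=lambda a: (-int(a["riskcode"]), a["alert"]))


if __name__ == "__main__":
    for risk, n in sorted(risk_counts(SAMPLE_REPORT).items()):
        print(f"{risk:14} {n}")
    for a in fails_gate(SAMPLE_REPORT):
        print(f"GATE {a['riskdesc']:16} CWE-{a['cweid']:>4} {a['alert']}")
```

Gating on `riskcode` rather than on the free-text `riskdesc` keeps the check stable across ZAP versions, and `riskdesc` still carries the confidence in parentheses for the reader of the CI log.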

About the Author
Shubham Goyal: Certified Ethical Hacker, information security analyst, penetration tester and researcher. He can be contacted on LinkedIn.