OWASP ZAP

🔰 1. What is OWASP ZAP?

OWASP ZAP (Zed Attack Proxy) is a free, open-source tool maintained by OWASP to find vulnerabilities in web applications.

✅ Features:

  • Manual & automated testing

  • Active & passive scanning

  • Browser proxy

  • Authentication-based scanning

  • API & CLI support

  • Powerful scripting


🔧 2. Installation

Option A: GUI (Windows/macOS/Linux)

Option B: Docker image

docker pull owasp/zap2docker-stable

Option C: Headless CLI (for automation)

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -port 8080

🎛️ 3. ZAP Modes of Operation

Mode        Use Case
Manual      Security research, exploring targets
Automated   Passive/active scan with minimal input
Headless    Automation scripts and cron jobs
API Mode    Interact via REST APIs
Scripting   Custom scan rules and logic

🧪 4. Manual Testing with ZAP GUI

4.1. Setup Proxy

  1. Go to ZAP > Tools > Options > Local Proxy: Port 8080

  2. In your browser, set proxy to 127.0.0.1:8080

  3. For HTTPS:

    • Download ZAP's Root CA: Tools > Options > Dynamic SSL Certificates

    • Import it into browser trusted authorities


4.2. Explore the Target Website

  • Open your target site in browser

  • It will show up under Sites in ZAP

  • ZAP passively scans as traffic flows


4.3. Spider (Crawl) the Website

  • Right-click on the site > Attack > Spider

  • It follows links and builds a structure

  • Can be unauthenticated or authenticated (with login session in place)


4.4. Active Scan (Attack Mode)

  • Right-click on the target site > Attack > Active Scan

  • ZAP will inject payloads to detect:

    • SQLi

    • XSS

    • CSRF

    • Broken Auth

    • Insecure Headers


4.5. View Alerts

  • Go to Alerts tab:

    • Filter by Risk (High, Medium, Low, Info)

    • Click each alert for details, evidence, and remediation


4.6. Forced Browse (Directory Brute-Force)

  • Use Forced Browse tab

  • Choose a wordlist (e.g., /usr/share/wordlists/dirbuster)

  • Run to discover hidden files/folders (e.g., /admin, /backup)


🔐 5. Authenticated Scanning (Manual or Automated)

Step-by-step for Form-based login:

  1. Create Context: Right-click site > Include in Context > New Context

  2. Define Authentication:

    • Tools > Options > Authentication

    • Choose "Form-based" > Enter Login URL & parameters (username={%username%}&password={%password%})

  3. Add Users:

    • Context > Users > Add > Enter credentials

  4. Start scan with the context & user selected

✅ Tip: Use ZAP HUD (Heads Up Display) to record login sequences.


🤖 6. Automated Scanning with GUI

  1. Go to Quick Start tab

  2. Enter target URL

  3. Click Automated Scan

  4. ZAP performs spidering + active scan

  5. View results in Alerts


⚙️ 7. Automated Testing (Headless CLI Mode)

ZAP provides Python-based scripts for automation:

  • zap-baseline.py: Passive scan only

  • zap-full-scan.py: Spider + active scan

  • zap-api-scan.py: For OpenAPI (Swagger) definitions


7.1. Passive Scan Example (zap-baseline)

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
  -t https://example.com -r baseline_report.html

7.2. Full Scan Example (zap-full-scan)

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py \
  -t https://example.com -r full_report.html

7.3. API Scan for Swagger (zap-api-scan)

docker run -v $(pwd):/zap/wrk/:rw owasp/zap2docker-stable zap-api-scan.py \
  -f openapi -t https://example.com/swagger.json -r apiscan_report.html

📡 8. Using ZAP REST API

Start ZAP in daemon mode

zap.sh -daemon -port 8080 -config api.disablekey=true

Sample API Request

curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.com"

Common API Endpoints:

API Call                  Purpose
/spider/action/scan/      Start spidering
/ascan/action/scan/       Start active scan
/core/view/alerts/        Get alerts
/core/action/shutdown/    Stop ZAP

Docs: http://localhost:8080/UI/core/
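The calls in the table above, plus the context/user setup from section 5, driven from one script. This is an added example, not ZAP's own code or the zapv2 client library; it uses only the standard library. It assumes a daemon on localhost:8080 with the API key left enabled (the "change-me" value is a hypothetical placeholder; read the real key from the environment) rather than api.disablekey=true, because a keyless API on a reachable port lets anything that can connect drive the scanner. The endpoint and parameter names are the ones ZAP publishes for the context, authentication, users, spider and ascan components; confirm them against /UI/ on the build you run. The fetch parameter is injectable so the flow can be exercised without a live daemon.

```python
"""Drive a ZAP daemon through its JSON REST API: optional form-based
authentication setup, spider, active scan, then alert collection. Added
example using only the standard library, not ZAP project code. Assumed:
a daemon on localhost:8080 reachable with the API key below (hypothetical
value; keep the key enabled rather than passing api.disablekey=true)."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumption: local daemon from section 8
API_KEY = "change-me"               # hypothetical; take it from the environment in practice


def _http_get(url):
    """Default transport: GET the URL and decode ZAP's JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def zap_url(component, kind, name, params=None, base=ZAP_BASE, api_key=API_KEY):
    """Build /JSON/<component>/<action|view>/<name>/?...&apikey=...; the apikey
    query parameter is how ZAP authenticates callers when the key is enabled."""
    query = dict(params or {})
    query["apikey"] = api_key
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def configure_form_auth(name, include_regex, login_url, login_data, username, password, fetch=_http_get):
    """Create a context with form-based auth and one enabled user: the API
    counterpart of the GUI steps in section 5. login_data keeps ZAP's
    {%username%}/{%password%} placeholders. Returns (context_id, user_id)."""
    ctx = fetch(zap_url("context", "action", "newContext", {"contextName": name}))["contextId"]
    fetch(zap_url("context", "action", "includeInContext", {"contextName": name, "regex": include_regex}))
    auth_cfg = urllib.parse.urlencode({"loginUrl": login_url, "loginRequestData": login_data})
    fetch(zap_url("authentication", "action", "setAuthenticationMethod",
                  {"contextId": ctx, "authMethodName": "formBasedAuthentication",
                   "authMethodConfigParams": auth_cfg}))
    user = fetch(zap_url("users", "action", "newUser", {"contextId": ctx, "name": username}))["userId"]
    creds = urllib.parse.urlencode({"username": username, "password": password})
    fetch(zap_url("users", "action", "setAuthenticationCredentials",
                  {"contextId": ctx, "userId": user, "authCredentialsConfigParams": creds}))
    fetch(zap_url("users", "action", "setUserEnabled", {"contextId": ctx, "userId": user, "enabled": "true"}))
    return ctx, user


def wait_for_scan(component, scan_id, fetch=_http_get, poll_seconds=2.0, max_polls=900):
    """Poll /JSON/<component>/view/status/ until ZAP reports 100 percent."""
    for _ in range(max_polls):
        pct = int(fetch(zap_url(component, "view", "status", {"scanId": scan_id}))["status"])
        if pct >= 100:
            return pct
        time.sleep(poll_seconds)
    raise TimeoutError(f"{component} scan {scan_id} did not finish")


def spider_and_active_scan(target, user=None, fetch=_http_get, poll_seconds=2.0):
    """Spider, then actively scan, then return the alerts for target. With
    user=(context_id, user_id) both scans run as that user via scanAsUser."""
    if user:
        ctx, uid = user
        spider_id = fetch(zap_url("spider", "action", "scanAsUser",
                                  {"contextId": ctx, "userId": uid, "url": target}))["scan"]
    else:
        spider_id = fetch(zap_url("spider", "action", "scan", {"url": target}))["scan"]
    wait_for_scan("spider", spider_id, fetch, poll_seconds)
    if user:
        ascan_id = fetch(zap_url("ascan", "action", "scanAsUser",
                                 {"url": target, "contextId": ctx, "userId": uid}))["scan"]
    else:
        ascan_id = fetch(zap_url("ascan", "action", "scan", {"url": target}))["scan"]
    wait_for_scan("ascan", ascan_id, fetch, poll_seconds)
    return fetch(zap_url("core", "view", "alerts", {"baseurl": target}))["alerts"]


def summarize_alerts(alerts):
    """Count alerts per risk string as the API returns it (High, Medium, Low, Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"  # Juice Shop from section 11
    print(json.dumps(summarize_alerts(spider_and_active_scan(target)), indent=2))
```

When the daemon runs in Docker, ZAP binds its API to the container's loopback by default, so the host cannot reach it unless the container is started with -host 0.0.0.0 and the api.addrs.addr.name / api.addrs.addr.regex options that permit non-local callers; pair that with -config api.key=... so the exposed port still requires the key.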


🔬 9. Scripting in ZAP

ZAP scripting adds custom behavior.

Script Types:

Type            Purpose
Active Rules    Custom attack payloads
Passive Rules   Custom passive detectors
Auth Scripts    Handle JavaScript or token-based login
HTTP Sender     Modify request/response

Example: Passive Script (Log Headers)

// ZAP calls scan() for every message it passively scans: ps raises alerts,
// msg is the HttpMessage, src the parsed response. print() goes to the Script Console.
function scan(ps, msg, src) {
    print('Request Headers:\n' + msg.getRequestHeader());
}

Create: Scripts > New > Passive Rule


📄 10. Exporting Reports

ZAP supports exporting to:

  • HTML

  • JSON

  • XML

  • Markdown

GUI:

  • File > Export Report > Choose format

CLI:

zap-full-scan.py -t https://example.com -r report.html -J report.json
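What to do with the JSON report once a pipeline has it: turn it into a pass/warn/fail decision. This is an added example, not ZAP project code. It reads the field names of ZAP's traditional JSON report (site[].alerts[].riskcode, pluginid, cweid, instances) and ships with a constructed sample report so it runs offline; pass a real report.json path on the command line, and optionally a comma-separated list of plugin IDs the team has reviewed and chosen to suppress. The exit codes follow the convention of ZAP's packaged scan scripts (0 pass, 1 fail, 2 warn).

```python
"""Turn a ZAP JSON report (-J report.json) into a CI pass/warn/fail decision.
Added example, not ZAP project code. Uses the field names of ZAP's
traditional JSON report and a constructed sample so it runs offline."""
import json
import sys

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in the shape ZAP writes: two alerts on one site.
SAMPLE_REPORT = json.dumps({
    "@programName": "OWASP ZAP", "@version": "2.x",
    "site": [{
        "@name": "https://example.com", "@host": "example.com", "@port": "443", "@ssl": "true",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "cweid": "79", "count": "1",
             "instances": [{"uri": "https://example.com/search?q=x", "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "1", "confidence": "3", "riskdesc": "Low (High)",
             "cweid": "693", "count": "2",
             "instances": [{"uri": "https://example.com/", "method": "GET", "param": ""},
                           {"uri": "https://example.com/login", "method": "GET", "param": ""}]},
        ]}]
})


def load_alerts(report_text, ignore_plugins=frozenset()):
    """Flatten site[].alerts[] into a list of dicts, skipping plugin IDs that
    were reviewed and suppressed (e.g. a confirmed false positive)."""
    report = json.loads(report_text)
    flat = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if alert.get("pluginid") in ignore_plugins:
                continue
            code = str(alert.get("riskcode", "0"))
            flat.append({
                "site": site.get("@name", ""),
                "plugin": alert.get("pluginid", ""),
                "name": alert.get("alert", ""),
                "risk": RISK_NAMES.get(code, "Informational"),
                "riskcode": int(code) if code.isdigit() else 0,
                "cwe": alert.get("cweid", ""),
                "instances": [i.get("uri", "") for i in alert.get("instances", [])],
            })
    return flat


def count_by_risk(alerts):
    """Alert count per risk level, always listing all four levels."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for a in alerts:
        counts[a["risk"]] += 1
    return counts


def gate(alerts, fail_at=3, warn_at=2):
    """Exit status in the convention of ZAP's packaged scan scripts:
    0 = pass, 1 = at least one alert at or above fail_at (High),
    2 = nothing failing but at least one at or above warn_at (Medium)."""
    worst = max((a["riskcode"] for a in alerts), default=-1)
    if worst >= fail_at:
        return 1
    if worst >= warn_at:
        return 2
    return 0


def main(argv):
    """Usage: report_gate.py [report.json] [pluginid,pluginid,...]"""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    ignore = frozenset(argv[2].split(",")) if len(argv) > 2 else frozenset()
    alerts = load_alerts(text, ignore)
    for a in sorted(alerts, key=lambda a: -a["riskcode"]):
        print(f"[{a['risk']:<13}] {a['name']} (plugin {a['plugin']}, CWE-{a['cwe']}) x{len(a['instances'])}")
    print("summary:", count_by_risk(alerts))
    return gate(alerts)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Suppressing by plugin ID rather than by alert name keeps the allow-list stable across ZAP versions, and keeping the list in the repository next to the pipeline definition makes every suppression reviewable.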

🧪 11. Test Applications (Practice Targets)

DVWA (Damn Vulnerable Web App)

docker run --rm -it -p 80:80 vulnerables/web-dvwa

Juice Shop (OWASP)

docker run --rm -p 3000:3000 bkimminich/juice-shop

✅ 12. Best Practices

Practice                            Why it matters
Use Contexts                        Manage authentication/scope easily
Only scan authorized targets        Legal & ethical considerations
Perform passive scan first          Safe scan to start with
Include login & logout detection    Detect session handling bugs
Periodically update add-ons         New attack vectors added often
Review all High-Risk alerts         Focus on top-priority fixes
Always confirm with manual tests    Avoid false positives

📚 13. Resources to Learn More