OWASP-Zed-Attack-Proxy-ZAP

From aldeid
DRAFT
This page is still a draft. Thank you for your understanding.

Description

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Installation

The following installation procedure has been tested under Ubuntu 10.04 and Kubuntu 10.04, but the tool should be compatible with other versions.

Prerequisites

You need to install Java. To install it under Ubuntu-based distributions, proceed as follows:

$ cd /etc/apt/
$ sudo vim sources.list

Uncomment the following repositories:

deb http://fr.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://fr.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb http://archive.canonical.com/ubuntu lucid partner
deb-src http://archive.canonical.com/ubuntu lucid partner

Then install sun-java6-plugin:

$ sudo apt-get update
$ sudo apt-get install sun-java6-plugin

Installation of ZAP

$ cd /data/src/
$ wget http://zaproxy.googlecode.com/files/ZAP_1.2.0_Linux.tar.gz
$ sudo mkdir -p /opt/zap/
$ sudo tar xvzf ZAP_1.2.0_Linux.tar.gz -C /opt/zap/
$ cd /opt/zap/

Usage

Start ZAP Proxy

To start ZAP Proxy, simply go to your installation directory and launch the script as follows:

$ cd /opt/zap/
$ sh zap.sh

If you have successfully installed ZAP Proxy, you should see a screen like the following:

Menu

  • File
    • New Session
    • Open Session
    • Save As
    • Properties
    • Exit
  • Edit
    • Find
    • Enable Session Tracking (Cookie)
    • Reset Session State
    • Search
    • Next
    • Previous
    • Encode/Decode/Hash
  • View
    • Enable Image in History
  • Analyse
    • Scan Policy
  • Report
    • Generate Report
    • Export Messages to File
    • Export Response to File
    • Export All URLs to File
    • Compare with another Session
  • Tools
    • Filter
    • Encode/Decode/Hash
    • Manual Request Editor
    • Options
  • Help
    • About OWASP ZAP
    • Check for Updates
    • OWASP Zap User Guide

Icons Toolbar

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Sites


Request/Response/Break


History / Search / Breakpoint / ...


Status bar


Example

The following video tutorial shows how to use the basic functionalities of ZAP Proxy, tested against Damn Vulnerable Web Application (DVWA): http://www.youtube.com/watch?v=44fCfucYQVI