Today let’s take a look at quick and easy website vulnerability checks with the OWASP Zed Attack Proxy, or “OWASP ZAP” for short.
Introduction and Setup
OWASP ZAP is a web application penetration testing tool that has some great features. It is a very easy to use scanner that allows you to do manual or automatic website security checks. In this tutorial we will learn how to use the automatic attack feature.
For this tutorial we will be using Kali Linux and Metasploitable 2 virtual machines. Metasploitable 2 is purposefully vulnerable virtual machine that contains tons of vulnerabilities to find and exploit. I just used VMWare player for this tutorial running on a Windows 7 host.
- Download both virtual machines and open them in VMWare player.
- Kali Linux username and password is root/admin
- Metasploitable username and password is msfadmin/msfadmin
Before we get started and as always, never use any security tools to scan or test a network that you do not own or have permission to do so. Also do not put Metasploitable 2 on a system that has open access to the internet as it is very vulnerable!
Automatic Security Scan Tutorial
1. After booting Metasploitable and logging in, run the command “ifconfig” to get the system’s IP address.
2. Start Kali Linux, which will boot to the graphical user interface.
3. Start OWASP ZAP:
In the Kali Linux menu, you can find OWASP ZAP in the top ten security menu (If it is not there, update to the latest version of Kali):
OWASP ZAP will open to the main menu.
4. Now, simple input the Metasploitable system’s IP address (192.168.1.133 in my case) into the ‘URL to attack’ box and select, “Attack”:
That’s it, OWASP ZAP will then begin to spider the website:
It will also list any security issues it finds and place them under the “Alerts” tab. Clicking on the tab will show the following alerts:
Wow, that is a lot of alerts! Each folder contains different types of security issues. For this tutorial, let’s just check out the “Path Traversal” folder.
Click to expand it.
Go ahead and click on the very first alert:
On the right side you will see an explanation of the issue:
It is tagged as a red flag “High” level warning. OWASP ZAP then explains the error:
“The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal…
The most basic Path Traversal attack uses the “../” special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the “../” sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding (“..%u2216” or “..%c0%af”) of the forward slash character, backslash characters (“..\”) on Windows-based servers, URL encoded characters “%2e%2e%2f”), and double URL encoding (“..%255c”) of the backslash character…“
Basically this means that we can view files or folders on the webserver just by using a special sequence. And OWASP ZAP gives us the exact command to enter:
The command above will list a webpage on the Metasploitable server. If we enter this URL in a web browser on our Kali system, it will go to the Metasploitable server and pull up a certain webpage, the “?page=” part followed by the webpage to display.
The page requested in the alert is “%2Fetc%2Fpasswd”. Now this may not look like much, but if you are familiar with Linux, the command becomes “/etc/passwd”, which is the location of the server’s password file!
Entering this command in the web browser in Kali (using your Metasploitable IP address) will return this:
You see what appears to be a normal web page control interface, but if you look in the center window you see this information:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false klog:x:103:104::/home/klog:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash bind:x:105:113::/var/cache/bind:/bin/false postfix:x:106:115::/var/spool/postfix:/bin/false ftp:x:107:65534::/home/ftp:/bin/false postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false distccd:x:111:65534::/:/bin/false user:x:1001:1001:just a user,111,,:/home/user:/bin/bash service:x:1002:1002:,,,:/home/service:/bin/bash telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false snmp:x:115:65534::/var/lib/snmp:/bin/false
The contents of the Linux password file – Obviously not something you want displayed on your webpage!
For every alert that OWASP-ZAP finds, it also includes a solution to protect your system from the vulnerability found. As seen below:
Automatic scanning is just one feature of OWASP-ZAP, but you can see how easy it us to find and correct some serious vulnerabilities very quickly. OWASP-ZAP is a great tool for both penetration testers and software coders!
If you are interested in learning more about Kali Linux and basic computer security testing, check out my book, “Basic Security Testing with Kali Linux 2” available on Amazon.com.