Automatic Web App Security Testing with OWASP ZAP

OWASP Zed Attack Proxy (ZAP) or ZaProxy, as it is also called, is an exceptional tool for both security testers and developers to test web application security. In this tutorial we will take a quick look at how to use a couple common features in the latest version of ZAP, including the quick attack and the Man-in-the-Middle Proxy scan and fuzzing features.

For this article, I used Mutillidae as a test target and ran ZAP from a Kali Linux system. As always, never use tools like this against systems that you do not have permission to do so.

Quick Scan & Attack

To start the quick scan, simply enter the address of your target (a Mutillidae system here) in the “URL to attack” input box and click the “Attack” button.

ZaProxy Quick Scan

This will spider the entire target website and then active scan it for vulnerabilities. The scan progress and pages found will be displayed in the bottom window. When it is finished press “Alerts” to see any security issues with the website:

ZaProxy Quick Scan 1

And as you can see, ZAP found multiple issues with the website! Each folder contains different types of security issues, color coded for severity. Clicking on the folder will reveal individual issues that you can select for additional information. ZAP is wonderful because it not only lists an in-depth explanation of the problem, but it also gives you recommendations on resolving the issue.

This is nice, but we can do a much more in-depth scan and even perform fuzzing attacks using ZAP’s proxy function.

Proxy Scan and Fuzzing

Start ZAP and then set your browser internet proxy settings to Localhost:8080. Then surf to the target webpage and login. Surf to a few other pages if you like, entering data as you go, the more site interaction the better. When done, return to ZAP, highlight the website in the “Sites” window, right click on it and select “Attack”, and then “Active Scan”:

ZaProxy Active Scan

ZAP will perform an in-depth scan of the page, including the new information obtained with the ZAP proxy. When the scan is done, click on the Alerts folder:

ZaProxy Active Scan 1

Notice we now have more alerts including SQL Injection issues. Let’s see what SQL attacks would work against the target.

In the sites Window, select the login webpage, right click on it and select, “Attack” and then “Fuzz…” This will open the fuzzer screen. It lists the header text in the top left box, the target query with selectable text in the bottom left box and the fuzz location/tool window on the right.

  • In the bottom left window, highlight the name you used to login as a keyword. I used the username, “test”.
  • Now click “Add” in the right Window:

OWASP Fuzzing

  • A Payloads box pops up showing the value of “test”. Click “Add” again to select our attack payloads.
  • In the drop down box that says ‘Type:’ select, “File Fuzzers”:

OWASP Fuzzing 1

  • Now click the triangle next to “jbrofuzz” to expand the options:

OWASP Fuzzing 2

  • Notice the large amount of different attack types you can use! We just want to try SQL Injection for now, so check the “SQL Injection Box”, and click “Add”.

You will now be back at the payload screen. Notice that at this point you could add multiple keywords and numerous payloads if you wanted to create a very complex attack. But for now we just want to attack the keyword ‘test’ with SQL Injections.

  • Click “OK” to continue.
  • Now just click, “Start Fuzzer” to begin.

This can take a short while to run, but within a few seconds you should already see multiple SQL injection attacks and their statuses shown in the status window:

OWASP Fuzzing 3

So fairly quickly we were able to scan a site for a host of SQL injections issues. Add to that the ability to select multiple keywords and payloads and you have a very powerful web application testing tool!

Quick and Easy Website Vulnerability Scans with OWASP-ZAP

OWASP ZAP Main

Today let’s take a look at quick and easy website vulnerability checks with the OWASP Zed Attack Proxy, or “OWASP ZAP” for short.

Introduction and Setup

OWASP ZAP is a web application penetration testing tool that has some great features. It is a very easy to use scanner that allows you to do manual or automatic website security checks. In this tutorial we will learn how to use the automatic attack feature.

For this tutorial we will be using Kali Linux and Metasploitable 2 virtual machines. Metasploitable 2 is purposefully vulnerable virtual machine that contains tons of vulnerabilities to find and exploit. I just used VMWare player for this tutorial running on a Windows 7 host.

  • Download both virtual machines and open them in VMWare player.
  • Kali Linux username and password is root/admin
  • Metasploitable username and password is msfadmin/msfadmin

Before we get started and as always, never use any security tools to scan or test a network that you do not own or have permission to do so. Also do not put Metasploitable 2 on a system that has open access to the internet as it is very vulnerable!

Automatic Security Scan Tutorial

1. After booting Metasploitable and logging in, run the command “ifconfig” to get the system’s IP address.

2. Start Kali Linux, which will boot to the graphical user interface.

3. Start OWASP ZAP:

In the Kali Linux menu, you can find OWASP ZAP in the top ten security menu (If it is not there, update to the latest version of Kali):

OWASP ZAP Menu

OWASP ZAP will open to the main menu.

4. Now, simple input the Metasploitable system’s IP address (192.168.1.133 in my case) into the ‘URL to attack’ box and select, “Attack”:

Attack

That’s it, OWASP ZAP will then begin to spider the website:

spider

It will also list any security issues it finds and place them under the “Alerts” tab. Clicking on the tab will show the following alerts:

Owasp ZAP Alerts

Wow, that is a lot of alerts! Each folder contains different types of security issues. For this tutorial, let’s just check out the “Path Traversal” folder.

Click to expand it.

Go ahead and click on the very first alert:

Transversal Alert

On the right side you will see an explanation of the issue:

Path Traversal Vulnerable

It is tagged as a red flag “High” level warning. OWASP ZAP then explains the error:

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal…
The most basic Path Traversal attack uses the “../” special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the “../” sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding (“..%u2216” or “..%c0%af”) of the forward slash character, backslash characters (“..\”) on Windows-based servers, URL encoded characters “%2e%2e%2f”), and double URL encoding (“..%255c”) of the backslash character…

Basically this means that we can view files or folders on the webserver just by using a special sequence. And OWASP ZAP gives us the exact command to enter:

http://192.168.1.133/mutillidae/?page=%2Fetc%2Fpasswd

The command above will list a webpage on the Metasploitable server. If we enter this URL in a web browser on our Kali system, it will go to the Metasploitable server and pull up a certain webpage, the “?page=” part followed by the webpage to display.

The page requested in the alert is “%2Fetc%2Fpasswd”. Now this may not look like much, but if you are familiar with Linux, the command becomes “/etc/passwd”, which is the location of the server’s password file!

Entering this command in the web browser in Kali (using your Metasploitable IP address) will return this:

Path Traversal Attack Results

You see what appears to be a normal web page control interface, but if you look in the center window you see this information:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false klog:x:103:104::/home/klog:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash bind:x:105:113::/var/cache/bind:/bin/false postfix:x:106:115::/var/spool/postfix:/bin/false ftp:x:107:65534::/home/ftp:/bin/false postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false distccd:x:111:65534::/:/bin/false user:x:1001:1001:just a user,111,,:/home/user:/bin/bash service:x:1002:1002:,,,:/home/service:/bin/bash telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false snmp:x:115:65534::/var/lib/snmp:/bin/false

The contents of the Linux password file – Obviously not something you want displayed on your webpage!

Conclusion

For every alert that OWASP-ZAP finds, it also includes a solution to protect your system from the vulnerability found. As seen below:

Path Traversal Attack Solution

Automatic scanning is just one feature of OWASP-ZAP, but you can see how easy it us to find and correct some serious vulnerabilities very quickly. OWASP-ZAP is a great tool for both penetration testers and software coders!

If you are interested in learning more about Kali Linux and basic computer security testing, check out my book, “Basic Security Testing with Kali Linux 2” available on Amazon.com.