How to find Website security holes with OWASP ZAP

Website security needs to be addressed before a site goes live on the Internet. If you want to check whether your website has security holes, you can use OWASP ZAP – Zed Attack Proxy to scan it for problems.

OWASP ZAP – Zed Attack Proxy is an open source tool that allows you to test the robustness of your application against security vulnerabilities. But what exactly is OWASP ZAP?


In short, it is a vulnerability testing tool that helps developers and security experts discover website vulnerabilities. You can perform a variety of tasks with OWASP ZAP, including scanning web requests, using dictionary (word) lists to find files and folders on the web server, and crawling web pages to find every link and URL. In addition, you can intercept, view, modify, and forward web requests between the browser and the web application using OWASP ZAP.

OWASP ZAP scans can reveal problems related to SQL injection, broken authentication, exposure of sensitive data, broken access control, security misconfiguration, Cross-Site Scripting (XSS), insecure deserialization, components with known vulnerabilities, and missing security headers.

In this article, we will look at how OWASP ZAP works, how to set it up, and how to create our own spider (crawler) scans to look for vulnerabilities.

How does OWASP ZAP work?

OWASP ZAP is a proxy server that inspects all traffic passing through it. The proxy includes automated tools that find security holes on your website and generate reports from their findings. Here is a quick diagram of how ZAP works.


ZAP creates its attacks by running its crawler on a URL. During this process, ZAP uses its spiders to collect information about the target application and visit every reachable page, then runs the active scanner against what it found. The active scanner probes the targets received from the crawl with known attack techniques to confirm vulnerabilities. An alert is raised for each potential vulnerability detected and flagged from High to Low according to the level of risk.

Setting up ZAP – Zed Attack Proxy

Step 1: To set up OWASP ZAP, you need to install it first. Visit zaproxy.org/download and select the installer that matches your operating system.


Step 2: Once downloaded, run the installer.


Step 3: Read and accept the terms and conditions to continue.


Step 4: Select ‘Standard installation’ and click ‘Next’.


Step 5: Click ‘Install’ to finish.


Step 6: Wait a moment for the program to finish installing.


Step 7: Once done, you will be taken to a screen that looks something like this.


Creating a ZAP Spider scan

To run your first scan, launch the newly installed OWASP ZAP. You will be greeted with a screen that looks like this:


Once loading is complete, you will see a screen like the image below. In the main ‘Quick Start’ view, you can choose between ‘Automated Scan’ and ‘Manual Explore’. For this tutorial, select ‘Automated Scan’.

This option opens a page like the image below. You can run the scan against your application by pointing the target URL at the localhost address your application is currently running on.

Here is an example of what the scan phase looks like.


Once done, you can click on the ‘Alerts’ tab to see all potential vulnerabilities.


Based on the example and scan results above, we can see that the problems detected are not serious and can be fixed easily, such as the X-Frame-Options header and anti-CSRF token alerts.

The impact of a vulnerability can be assessed from the number and detail of the specific alerts. For example, cross-domain JavaScript source file inclusion looks like a bug of some sort. However, digging deeper shows that the risk is classified as Low because the source is trusted.

Here is a screenshot of one of the flagged alerts and the report generated for the cross-domain JavaScript source file inclusion finding. Directly below it is the suggested solution for reducing this vulnerability.


Conversely, if we want to start vulnerability testing by severity, OWASP ZAP automatically ranks the alerts from highest to lowest in the ‘Alerts’ list. The top alert on the list is ‘Vulnerable JS Library’. It is marked as Medium risk because the jQuery version in use is not the latest.


A slightly deeper look at jquery-2.1.4 tells us that this target site is vulnerable to Cross-Site Scripting (XSS) attacks via elements from untrusted sources, because in this jQuery version the DOM manipulation methods can execute untrusted code.

Conclusion

The Quick Scan function of OWASP ZAP – Zed Attack Proxy will not “hack” your website. It will, however, give you an overview of the security issues and vulnerabilities your website is facing.

Using OWASP ZAP during development can also help improve our security process by identifying problems before they grow over time. It is easier to fix a potential vulnerability while it is small than when it is large and affects the entire application.

One thing to keep in mind is that if you run OWASP ZAP on a more mature application with a lot of legacy code, you may get a large number of alerts. This is normal, especially if security was not part of the development mindset from the start. As long as you prioritize your vulnerabilities and find ways to address them, the security of your application will improve.

Instead of running Quick Scan manually every time, you can also automate it in your workflow via Docker packaged scans, GitHub Actions or other automation frameworks.
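As an added example (not code from the article or from the ZAP project), here is a small Python script that reads a ZAP JSON report such as the packaged scans produce, ranks the alerts from High to Informational the way the ‘Alerts’ list does, and fails a CI job when anything at or above a chosen risk level appears. The field names follow ZAP's JSON report (site, @name, alerts, alert, riskcode, count, instances, uri); the report itself is a constructed sample, and the localhost URL and counts are made up.

```python
import json
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of ZAP's JSON report; the findings mirror the
# ones discussed above. riskcode is a string: 0 Info, 1 Low, 2 Medium, 3 High.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://localhost:8080",
    "alerts": [
        {"alert": "Absence of Anti-CSRF Tokens", "riskcode": "1", "count": "2",
         "instances": [{"uri": "http://localhost:8080/login"},
                       {"uri": "http://localhost:8080/profile"}]},
        {"alert": "Vulnerable JS Library", "riskcode": "2", "count": "1",
         "instances": [{"uri": "http://localhost:8080/js/jquery-2.1.4.min.js"}]},
        {"alert": "Cross-Domain JavaScript Source File Inclusion", "riskcode": "1",
         "count": "1", "instances": [{"uri": "http://localhost:8080/"}]},
        {"alert": "Missing Anti-clickjacking Header", "riskcode": "2", "count": "3",
         "instances": [{"uri": "http://localhost:8080/"}]},
    ]}]})


def load_alerts(report_text):
    """Flatten every site's alerts and rank them High -> Informational, as the
    Alerts list does; ties break on instance count, then on alert name."""
    alerts = []
    for site in json.loads(report_text).get("site", []):
        for a in site.get("alerts", []):
            instances = a.get("instances", [])
            alerts.append({
                "name": a["alert"],
                "risk": int(a.get("riskcode", 0)),
                "count": int(a.get("count", len(instances))),
                "uris": [i.get("uri", "") for i in instances],
            })
    return sorted(alerts, key=lambda a: (-a["risk"], -a["count"], a["name"]))


def gate(alerts, fail_at="Medium"):
    """CI gate: returns (passed, per-risk counts). Fails on any alert at or
    above fail_at; Informational alerts never fail the build."""
    threshold = max({v: k for k, v in RISK_NAMES.items()}[fail_at], 1)
    counts = Counter(RISK_NAMES[a["risk"]] for a in alerts)
    blocking = [a for a in alerts if a["risk"] >= threshold]
    return (not blocking, dict(counts))


if __name__ == "__main__":
    ranked = load_alerts(SAMPLE_REPORT)
    passed, summary = gate(ranked)
    print("PASS" if passed else "FAIL", summary)
    raise SystemExit(0 if passed else 1)
```

In a pipeline, point `load_alerts` at the report file the scan wrote and let the non-zero exit code from `gate` stop the job.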
