How to use OWASP ZAP – Open Source Vulnerability Scanner

Overview

OWASP ZAP is an open-source web application vulnerability scanner that runs on Java 11+. It offers spidering, passive scanning, active scanning, fuzzing, automation, an API and more.

ZAP runs on Windows, Linux and macOS, and is also distributed as a cross-platform package. You can download it from the ZAP website. If you are using Kali Linux, it comes preinstalled.

In this article, we discuss how to use ZAP, its features, and which results to take note of.

How to use ZAP

ZAP can be executed through the Automated Scan or the Manual Explore option.

Automated Scan

This method is a fully automatic scan and is the main feature of ZAP.

First, enter the URL to attack and select the spider to use (traditional or AJAX).

Next, click Attack and let it run to completion, or stop the scan whenever you want. A scan can take anywhere from 5 minutes to 12 hours (sometimes even days) depending on the web application you are scanning.

Spider (Passive Scan) – ZAP first spiders the web application to find all of its available pages. The passive scan runs as part of the spidering process.

Active Scan – After the spidering completes, ZAP performs an active scan, attacking all the pages the spider found. These attacks include cross-site scripting (XSS) injection, SQL injection, directory browsing and so on.

Alerts – Any vulnerabilities found by the passive and active scans are displayed on the Alerts tab. The total number of vulnerabilities per severity is shown at the bottom left.
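The same spider, active scan and alerts sequence can be driven without the desktop UI through the ZAP API that the overview mentions. The script below is an added example, not code from the article or from the ZAP project. It assumes ZAP is already running with its API listening on http://localhost:8080, that the API key is in the ZAP_API_KEY environment variable, and that ZAP_TARGET names the application to scan (those variable names are the example's own); only the Python standard library is used.

```python
"""Run ZAP's Automated Scan sequence (spider, then active scan, then read the
alerts) through ZAP's JSON API, using only the Python standard library.

Added example, not code from the article or from the ZAP project. Assumes ZAP
is running with its API on http://localhost:8080, the API key is in
ZAP_API_KEY and ZAP_TARGET names the application to scan (example's own names).
"""
import json
import os
import time
import urllib.parse
import urllib.request

DEFAULT_BASE = "http://localhost:8080"   # assumption: ZAP's default listen address


def api_url(component, kind, name, params=None, apikey="", base=DEFAULT_BASE):
    """Compose a ZAP API URL of the form
    <base>/JSON/<component>/<view|action>/<name>/?<params>&apikey=<key>"""
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey
    url = f"{base}/JSON/{component}/{kind}/{name}/"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return url


def call(component, kind, name, params=None, apikey="", base=DEFAULT_BASE):
    """GET one API endpoint and decode its JSON body."""
    url = api_url(component, kind, name, params, apikey, base)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_until_done(component, scan_id, apikey, poll_seconds=5):
    """Poll the spider/ascan 'status' view until it reports 100 percent."""
    while True:
        status = call(component, "view", "status", {"scanId": scan_id}, apikey)
        pct = int(status["status"])
        print(f"{component}: {pct}%")
        if pct >= 100:
            return pct
        time.sleep(poll_seconds)


def summarise_alerts(alerts):
    """Count alerts per risk level, the figure ZAP shows at the bottom left."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def automated_scan(target, apikey):
    """Spider -> wait -> active scan -> wait -> fetch alerts for the target."""
    spider_id = call("spider", "action", "scan", {"url": target}, apikey)["scan"]
    wait_until_done("spider", spider_id, apikey)      # passive scan runs alongside
    ascan_id = call("ascan", "action", "scan", {"url": target}, apikey)["scan"]
    wait_until_done("ascan", ascan_id, apikey)        # attacks every spidered page
    return call("core", "view", "alerts", {"baseurl": target}, apikey)["alerts"]


if __name__ == "__main__":
    found = automated_scan(os.environ["ZAP_TARGET"], os.environ["ZAP_API_KEY"])
    print(json.dumps(summarise_alerts(found), indent=2))
```

Run it as `ZAP_API_KEY=... ZAP_TARGET=http://your-app.test python scan.py` while ZAP is open; the per-risk counts it prints are the same numbers the desktop UI shows at the bottom left of the Alerts tab. Only scan applications you are authorised to test, exactly as with the desktop Attack button.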

Each vulnerability has a flag icon indicating its severity (risk). The legend below shows the severity rating that each flag represents:

Upon selecting a vulnerability (for example, Cross Site Scripting), its details are displayed: severity, evidence, description, solution and so on. This information is crucial for patching the vulnerability found on the web application.

The evidence for the vulnerability is highlighted in the response packet.

Manual Scan

In Manual Explore, the user browses the web application manually in a browser launched by ZAP and afterwards attacks specific pages by hand. ZAP scans the pages being browsed for vulnerabilities, and the findings appear in the “Alerts” tab. This method is useful when the web application is very large (an automated scan would run too long) or when you only want to scan specific pages.

To use Manual Explore, enter the URL of the target, select your preferred browser type, then click the “Launch Browser” button.

A browser will pop up on your screen with the target web application. This is where you can manually browse the pages of the web application.

The pages you browse are logged in ZAP. You can then right-click on each page to run scans or attacks against it.

Important Points to look at for each Vulnerability

  • URL (location of the attack in the web application)
  • Risk (severity of the vulnerability)
  • Attack (the successful attack used)
  • Evidence (evidence of the successful attack)
  • Description (description of the vulnerability type)
  • Solution (how to patch the vulnerability)
  • Reference (provides URLs for further information about the vulnerability)
  • Alert tags (show which OWASP Top 10 category the vulnerability belongs to)

Reporting formats

ZAP provides many report templates and file formats for saving your scan results.

Template Types

  • High-Level Report
  • Modern HTML
  • Risk and Confidence

File Formats

  • HTML
  • PDF
  • JSON
  • Markdown (TXT)

Here is an example of the HTML report:

If you are not satisfied with the built-in report templates, you can create your own template for ZAP to use. You can find out more in the ZAP Desktop User Guide.
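A JSON report is the format to pick when the scan results feed a script rather than a reader. The example below is added here and is not the article's or the ZAP project's code: it pulls out, for every alert instance, the fields the "Important Points" list above says to check (URL, risk, attack, evidence, description, solution, reference, alert tags), counts findings per risk level, and decides whether the result should block a release. The embedded report is constructed for this example; its layout follows ZAP's traditional JSON report (site -> alerts -> instances), which is this example's assumption about the format rather than something the article shows.

```python
"""Summarise a ZAP JSON report: one record per alert instance with the
fields worth reviewing, counts per risk level, and a simple release gate.

Added example, not the article's or the ZAP project's code. The report below
is constructed; its layout (site -> alerts -> instances) is an assumption
about ZAP's traditional JSON report format. Hosts, URLs and evidence are
placeholders.
"""
import json
import re

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

SAMPLE_REPORT = json.loads("""
{
  "site": [{
    "@name": "http://target.example",
    "@host": "target.example",
    "alerts": [
      {
        "pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
        "desc": "<p>User input is echoed into the page unencoded.</p>",
        "solution": "<p>Validate input and encode output for the HTML context.</p>",
        "reference": "<p>https://owasp.org/www-community/attacks/xss/</p>",
        "tags": {"OWASP_2021_A03": "https://owasp.org/Top10/A03_2021-Injection/"},
        "instances": [
          {"uri": "http://target.example/search?q=x", "method": "GET", "param": "q",
           "attack": "<zap-probe>", "evidence": "<zap-probe>"},
          {"uri": "http://target.example/comment", "method": "POST", "param": "text",
           "attack": "<zap-probe>", "evidence": "<zap-probe>"}
        ]
      },
      {
        "pluginid": "10020", "alert": "Missing Anti-clickjacking Header", "riskcode": "2",
        "desc": "<p>The response does not protect against clickjacking.</p>",
        "solution": "<p>Send Content-Security-Policy frame-ancestors or X-Frame-Options.</p>",
        "reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</p>",
        "tags": {"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"},
        "instances": [{"uri": "http://target.example/", "method": "GET",
                       "param": "x-frame-options", "attack": "", "evidence": ""}]
      },
      {
        "pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
        "desc": "<p>The X-Content-Type-Options header is not set.</p>",
        "solution": "<p>Set X-Content-Type-Options: nosniff.</p>",
        "reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options</p>",
        "tags": {"OWASP_2021_A05": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"},
        "instances": [{"uri": "http://target.example/static/app.js", "method": "GET",
                       "param": "x-content-type-options", "attack": "", "evidence": ""}]
      }
    ]
  }]
}
""")

TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://[^\s<]+")


def strip_tags(html):
    """Report text fields are HTML fragments; flatten them to plain text."""
    return TAG_RE.sub("", html).strip()


def extract_findings(report):
    """One record per alert instance, carrying the fields worth reviewing."""
    findings = []
    for site in report["site"]:
        for alert in site["alerts"]:
            for inst in alert.get("instances", []):
                findings.append({
                    "url": inst.get("uri", ""),
                    "risk": RISK_NAMES[alert["riskcode"]],
                    "name": alert["alert"],
                    "attack": inst.get("attack", ""),
                    "evidence": inst.get("evidence", ""),
                    "description": strip_tags(alert.get("desc", "")),
                    "solution": strip_tags(alert.get("solution", "")),
                    "reference": URL_RE.findall(alert.get("reference", "")),
                    "tags": sorted(alert.get("tags", {})),   # OWASP Top 10 categories
                })
    return findings


def count_by_risk(findings):
    """Per-risk totals, the same breakdown the Alerts tab shows."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for f in findings:
        counts[f["risk"]] += 1
    return counts


def passes_gate(findings, fail_on=("High",)):
    """True when no finding is at a blocking risk level."""
    return not any(f["risk"] in fail_on for f in findings)


if __name__ == "__main__":
    found = extract_findings(SAMPLE_REPORT)
    for f in found:
        print(f"[{f['risk']}] {f['name']} at {f['url']} tags={f['tags']}")
    print(count_by_risk(found))
    print("gate:", "PASS" if passes_gate(found) else "FAIL")
```

With a real report, replace SAMPLE_REPORT by `json.load(open("report.json"))`. Tightening `fail_on` to `("High", "Medium")` is the usual next step once the High findings are fixed, and the `solution` and `reference` fields carried in each record are what the developer fixing the issue needs.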

Conclusion

ZAP is a great open-source vulnerability scanning tool that helps you quickly find vulnerabilities and misconfigurations while reducing the workload of penetration testers. In the ZAP Marketplace you can find add-ons that further improve your scans. As ZAP has a strong community that continuously provides updates and implements feedback, it is a very reliable tool. We have covered only the basics, so I encourage you to explore further how to use OWASP ZAP.
