Premise

In this video walk-through, we covered the OWASP ZAP web application vulnerability scanner and used it to perform vulnerability scanning on a lab environment provided by TryHackMe as part of the TryHackMe Introduction to OWASP ZAP room.

Room Introduction

Learn how to use OWASP ZAP from the ground up, as an alternative to Burp Suite. OWASP ZAP is a security testing framework much like Burp Suite: it acts as a very robust enumeration tool and is used to test web applications.

Introduction to OWASP ZAP

OWASP ZAP is a popular tool used for finding vulnerabilities in web applications.

The walkthrough covers automated scans, where users simply enter the target URL (e.g., DVWA, a vulnerable web application) and ZAP performs a scan to identify vulnerabilities.

Manual scanning requires configuring a proxy and setting it up in the browser to intercept and analyze traffic manually.

The video explains how to configure the local proxy server in Firefox and OWASP ZAP.

You also need to install ZAP's SSL certificate into the browser so that ZAP can properly intercept HTTPS traffic.

Benefits of using OWASP ZAP

  • Automated Web Application Scan: this will automatically passively and actively scan a web application, build a sitemap, and discover vulnerabilities. This is a paid feature in Burp.
  • Web Spidering: you can passively build a website map with spidering. This is a paid feature in Burp.
  • Unthrottled Intruder: you can brute-force login pages within ZAP as fast as your machine and the web server can handle. This is a paid feature in Burp.
  • No need to forward individual requests through Burp: when doing manual attacks, having to switch windows to send a request from the browser and then forward it in Burp can be tedious. ZAP handles both: you just browse the site and ZAP intercepts the traffic automatically. This is NOT a feature in Burp.

Credentialed Vulnerability Scans

Authenticated Scans allow ZAP to log into web applications and scan protected areas.

To do this, users extract session cookies and configure ZAP to use them, which enables deeper scanning beyond public web pages.

The primary task in this tutorial is brute-forcing login credentials on DVWA. After manually submitting dummy credentials, ZAP captures the login page request and the user configures the fuzzing process, where a wordlist is used to brute-force the password.

Once the brute force attack finishes, ZAP identifies the correct username and password combination (in this case, admin).
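The fuzzing run described above leaves a clear trace in the web server's access log: a burst of requests to the login page from one client, each with a different password. As an added example that is not part of the room or the video, the following Python detector flags that pattern; the combined log format, the DVWA path and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse
# Combined-log regex and DVWA's brute-force page path; both are assumptions for this example.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/vulnerabilities/brute/"

def parse_line(line):
    """Return (ip, timestamp, path, query dict) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    url = urlparse(target)
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), url.path, parse_qs(url.query)

def detect_password_guessing(lines, min_attempts=5, window_seconds=60):
    """Flag (ip, username) pairs that try at least min_attempts distinct passwords
    against LOGIN_PATH within window_seconds. DVWA returns 200 for good and bad
    guesses alike, so the signal is the guess rate, not the status code."""
    attempts = defaultdict(list)  # (ip, username) -> [(time, password), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != LOGIN_PATH or "password" not in parsed[3]:
            continue
        ip, when, _path, qs = parsed
        attempts[(ip, qs.get("username", ["?"])[0])].append((when, qs["password"][0]))
    alerts = []
    for (ip, user), events in attempts.items():
        events.sort()
        for i, (start, _pw) in enumerate(events):
            # distinct passwords guessed in the window that opens at event i
            seen = {pw for when, pw in events[i:] if (when - start).total_seconds() <= window_seconds}
            if len(seen) >= min_attempts:
                alerts.append({"ip": ip, "username": user, "distinct_passwords": len(seen)})
                break
    return alerts
# Constructed sample: 10.0.0.7 guesses six passwords for admin in six seconds;
# 10.0.0.9 logs in once as gordonb and then browses normally.
SAMPLE_LOG = [
    f'10.0.0.7 - - [10/Oct/2023:13:55:{30 + i:02d} +0000] "GET {LOGIN_PATH}?username=admin'
    f'&password={pw}&Login=Login HTTP/1.1" 200 4521 "-" "Mozilla/5.0"'
    for i, pw in enumerate(["123456", "letmein", "qwerty", "admin", "welcome", "password"])
] + [
    f'10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET {LOGIN_PATH}?username=gordonb'
    '&password=abc123&Login=Login HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 1100 "-" "Mozilla/5.0"',
]
```

Calling `detect_password_guessing(SAMPLE_LOG)` reports the single offending pair (10.0.0.7 guessing as admin) and stays quiet for the normal login.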

Using Extensions and Add-ons

The video discusses installing add-ons, such as Python scripting and Community Scripts, to extend ZAP’s functionality.

The Hunt.py script is installed, which adds additional vulnerability detection capabilities, like detecting SQL Injection, XSS (Cross-Site Scripting), file inclusion vulnerabilities, and more.

Performing a Vulnerability Scan with Hunt.py

After enabling the Hunt.py script, the user re-runs the scan, and ZAP is able to detect more vulnerabilities, including reflected XSS, stored XSS, SQL injection, file inclusion, and command injection vulnerabilities.

Room Answers

What does ZAP stand for?

What IP do we use for the proxy?

Use ZAP to bruteforce the DVWA ‘brute-force’ page. What’s the password?
Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.