Zed Attack Proxy Project

The official program name is OWASP Zed Attack Proxy Project. The ZAP project page describes the program as: "an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually."

Project URL: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project



Go to the downloads page and download the tar file for your platform. Extract it and run the .sh launcher script (zap.sh) from the extracted directory; it starts the GUI and you can use the program from there.


As the project description says, the tool is meant to be easy to use. The simplest option is to enter a URL, hit scan, and let ZAP run its scans for you.

If the site needs authentication, use ZAP as an intercepting proxy, much as you would use Fiddler (unlike Wireshark, which only captures packets, ZAP sits in the request path as an HTTP proxy). Configure Firefox to send its traffic through ZAP, either with ZAP's built-in Firefox integration or by pointing Firefox's HTTP proxy setting at the address ZAP listens on (localhost, port 8080 by default), then browse to the page you want. The site appears in ZAP's Sites list. If you need to log in first, do so through the proxy: the session cookies Firefox receives pass through ZAP, so ZAP can reuse them for its own requests. Now run the "Spider" to enumerate the URLs the scan will cover, then create and run an Active Scan against the site. Bear in mind that the active scan submits forms and attack payloads using that session, so it can modify data or log the session out; run it against a test environment where possible.

The active scan generates a large number of requests against the target site, so take that into account before you start it.

Once it finishes, the findings appear in the "Alerts" tab, grouped by alert and flagged by risk level (High, Medium, Low, Informational).
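The same Spider, Active Scan and Alerts sequence can also be driven without the GUI, through the JSON API that ZAP exposes on its proxy port. The Python script below is an added example written for this page, not code from the original page or from the ZAP project. It assumes ZAP is already running with the API enabled at the address in ZAP_BASE and that ZAP_API_KEY holds the API key configured in ZAP (both are assumptions); the FakeZap transport and the SAMPLE_ALERTS it returns are constructed for offline use so the flow can be exercised without a target.

```python
"""Drive ZAP's spider and active scan over its JSON API and summarise the alerts.

Added example for this page, not code from the original page or from the ZAP
project. Assumes (both assumptions) a ZAP instance already running with the
API enabled at ZAP_BASE and an API key equal to ZAP_API_KEY.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumed address of ZAP's proxy/API listener
ZAP_API_KEY = "changeme"            # assumed; must match the api.key configured in ZAP


def api_url(component, kind, name, params=None, base=ZAP_BASE, apikey=ZAP_API_KEY):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params or {})
    query["apikey"] = apikey
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def http_get_json(url, timeout=30):
    """Real transport: GET the API URL from the running ZAP and decode its JSON body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_scan(fetch, component, scan_id, poll_seconds=2.0, max_polls=1800):
    """Poll <component>/view/status until ZAP reports the scan 100 percent complete."""
    for _ in range(max_polls):
        reply = fetch(api_url(component, "view", "status", {"scanId": scan_id}))
        if int(reply["status"]) >= 100:
            return True
        time.sleep(poll_seconds)
    raise TimeoutError(f"{component} scan {scan_id} did not finish in time")


def run_scan(target, fetch=http_get_json, poll_seconds=2.0):
    """Spider the target, actively scan it, then return ZAP's alerts for it.

    Same sequence as the GUI steps: Spider -> Active Scan -> Alerts tab.
    The active scan only covers URLs the spider has already found.
    """
    spider_id = fetch(api_url("spider", "action", "scan", {"url": target}))["scan"]
    wait_for_scan(fetch, "spider", spider_id, poll_seconds)
    ascan_id = fetch(api_url("ascan", "action", "scan", {"url": target}))["scan"]
    wait_for_scan(fetch, "ascan", ascan_id, poll_seconds)
    return fetch(api_url("core", "view", "alerts", {"baseurl": target}))["alerts"]


def summarise(alerts):
    """Count alerts per risk level, the way the Alerts tab flags them."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


# Constructed sample shaped like the "alerts" list in a core/view/alerts reply.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://example.test/search?q=x"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://example.test/"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": "http://example.test/login"},
]


class FakeZap:
    """Constructed stand-in for a running ZAP so the flow can be exercised offline.

    Answers the same API paths the real transport would request: every scan
    gets id "0" and reports 50 percent on its first status poll, then 100.
    """

    def __init__(self):
        self.calls = []
        self.polls = {"spider": 0, "ascan": 0}

    def __call__(self, url):
        self.calls.append(url)
        parsed = urllib.parse.urlparse(url)
        _, _, component, kind, name, _ = parsed.path.split("/")
        params = urllib.parse.parse_qs(parsed.query)
        if params.get("apikey") != [ZAP_API_KEY]:
            raise PermissionError("missing or wrong apikey")  # a key-protected ZAP rejects this too
        if kind == "action" and name == "scan":
            return {"scan": "0"}
        if kind == "view" and name == "status":
            self.polls[component] += 1
            return {"status": "50" if self.polls[component] == 1 else "100"}
        if kind == "view" and name == "alerts":
            return {"alerts": list(SAMPLE_ALERTS)}
        raise ValueError(f"unexpected API call: {url}")


if __name__ == "__main__":
    live = "--live" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--live"]
    target = args[0] if args else "http://example.test/"
    fetch = http_get_json if live else FakeZap()
    found = run_scan(target, fetch=fetch, poll_seconds=2.0 if live else 0)
    for alert in found:
        print(f"[{alert['risk']}] {alert['alert']} at {alert['url']}")
    print(summarise(found))
```

Run it as `python zap_scan.py --live http://target/` against a real ZAP instance; without `--live` it walks the same code path against the constructed fake. When live, it only starts the spider and scan at the URL you pass, but the active scan will then hit every URL the spider found under it, so pick the starting point deliberately and make sure you are authorized for the whole site.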

Word of Warning

This is a penetration testing tool, and using it against a website you are not authorized to test can have legal consequences. Make sure the webmasters of the target site know you are running it. ZAP will make a great many requests to the target website; depending on how many links the spider finds to follow, the count can be very large. One site I tested the tool with yielded close to 2000 requests. Many of those requests also look malicious, since the active scan sends invalid, attack-style URLs and payloads, which can trip intrusion detection or get your address blocked. The volume of the traffic and the likelihood that it will look like an attack are the reasons to tell people about the test before you start it.

-- JustinVisser - 2015-08-13

Topic revision: r3 - 2015-08-17 - JustinVisser