OWASP ZAP (Zed Attack Proxy): running a scan

Installing ZAP
Download and install ZAP 2.7.0 standard from https://github.com/zaproxy/zaproxy/wiki/Downloads

Setting up a proxy on ZAP and Browser
To monitor security threats to our application we need to set OWASP ZAP as a proxy and browse the application through it.
To use the ZAP proxy we first need to install ZAP's CA root certificate in our browser, so that the browser trusts the certificates ZAP presents for intercepted HTTPS traffic.

How to Generate Certificate:
Open OWASP ZAP. From the top bar, go to Tools > Options > Dynamic SSL Certificates, click Generate and then Save the certificate. Now import the saved certificate into the browser.

Configuring the proxy in OWASP ZAP: go to Tools > Options > Local Proxy and set the port on which ZAP will listen for browser traffic (e.g. 8081).

Change the browser proxy: open the browser's proxy settings, choose manual proxy configuration and give the port on which your application will run.

Recording the application flow
The parts of the application we want to scan need to be captured in ZAP via the proxy set up above. This enables focused testing of specific application flows.

With the browser configured to use the proxy, browse the application areas we have identified for testing. Once done, the browsed URLs appear in a tree structure under the Sites tab in the left pane of ZAP. If the application uses multiple domains (internal or external) they are listed separately; the ones that are not in scope can be removed with the Delete option.

Configuring ZAP to Perform the scan
Now that the main application flow is inside ZAP, we can set up the active scan configuration.

Select the domain or specific URL we want to scan and add it to the default context by right-clicking and selecting Include in Context. From the drop-down below the File menu, select Protected Mode.

Sites->Domain->Include in context ->Default Context

In Protected Mode, ZAP performs potentially dangerous actions only on the URLs that are included in the context.

Set the spider and the maximum depth to crawl
Spidering means crawling the website one page at a time, gathering and storing the relevant information about the URLs it discovers.

Right-click on the part we want to test and select Attack > Spider.

Set the maximum depth to crawl to 9 and start the spider scan.

Perform Active Scan
This is the final step of the process: here we select a specific URL or site and perform the active scan.

Right-click the URL in the left pane under the Sites tab and select Attack > Active Scan.

In the Active Scan dialog, we can select or deselect the technologies our application uses via the checkboxes in the Technology tab.

In the Policy tab we can select the specific kinds of vulnerability we want to scan for and set all the others to OFF.

For example, we can select only Injection and Cross Site Scripting under it and switch off everything else that is outside our testing scope.

Once the active scan reaches 100%, the vulnerabilities and security threats found in the application are listed in the bottom pane under the Alerts tab.
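The same sequence of steps (include in context, Protected Mode, spider to depth 9, active scan restricted to the chosen policy, read the alerts) can be driven through ZAP's JSON REST API instead of the GUI, which is how the scan is usually wired into a build pipeline. The script below is an added example and is not code from the original page or from the ZAP project. It assumes ZAP 2.7.0 is running with its local proxy and API on 127.0.0.1:8081, that an API key is exported as ZAP_API_KEY, that TARGET is a placeholder for your own application, and that the active-scan plugin ids listed in IN_SCOPE_SCANNERS are the ones for SQL Injection and Cross Site Scripting on your build (check them against /JSON/ascan/view/scanners/ before relying on them). The HTTP transport is a parameter so the orchestration logic can be exercised without a live ZAP instance.

```python
"""Drive the ZAP workflow from the GUI steps above through ZAP's JSON REST API.

Added example, not from the original page or the ZAP project.  Assumptions:
ZAP 2.7.0 is running with its local proxy on 127.0.0.1:8081 (the port chosen
under Tools > Options > Local Proxy), an API key is exported as ZAP_API_KEY,
and TARGET points at your own application (placeholder URL below).
"""
import json
import os
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://127.0.0.1:8081"           # ZAP's local proxy / API address
API_KEY = os.environ.get("ZAP_API_KEY", "")  # assumption: key from Tools > Options > API
TARGET = "http://app.example.test/"          # placeholder: the application under test
CONTEXT = "Default Context"                  # the context the text includes the site in
# Assumed active-scan plugin ids for the two families kept in scope by the text
# (SQL Injection, reflected XSS, persistent XSS); confirm the ids on your build
# with /JSON/ascan/view/scanners/ before relying on them.
IN_SCOPE_SCANNERS = "40018,40012,40014"


def api_url(base, component, kind, name, params, apikey=""):
    """Build <base>/JSON/<component>/<kind>/<name>/?<params>&apikey=<key>."""
    query = dict(params)
    if apikey:
        query["apikey"] = apikey
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def http_get_json(url):
    """Real transport: GET the API URL and decode the JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def run_scan(get=http_get_json, base=ZAP_BASE, apikey=API_KEY, target=TARGET,
             context=CONTEXT, poll_seconds=2):
    """Replay the GUI procedure: include in context, Protected Mode, spider
    to depth 9, active scan restricted to the chosen scanners and to the
    context, then fetch the alerts for the target.  Returns the alert list."""
    def call(component, kind, name, **params):
        return get(api_url(base, component, kind, name, params, apikey))

    # Sites > Domain > Include in Context > Default Context
    call("context", "action", "includeInContext", contextName=context,
         regex=target + ".*")
    # Protected Mode: dangerous actions only on URLs inside the context
    call("core", "action", "setMode", mode="protect")
    # Attack > Spider with maximum depth 9
    call("spider", "action", "setOptionMaxDepth", Integer=9)
    spider_id = call("spider", "action", "scan", url=target, contextName=context)["scan"]
    while int(call("spider", "view", "status", scanId=spider_id)["status"]) < 100:
        time.sleep(poll_seconds)
    # Policy tab: everything OFF, then only the in-scope scanner families ON
    call("ascan", "action", "disableAllScanners")
    call("ascan", "action", "enableScanners", ids=IN_SCOPE_SCANNERS)
    # Attack > Active Scan, limited to the context (inScopeOnly)
    ascan_id = call("ascan", "action", "scan", url=target, recurse="true",
                    inScopeOnly="true")["scan"]
    while int(call("ascan", "view", "status", scanId=ascan_id)["status"]) < 100:
        time.sleep(poll_seconds)
    # Alerts tab contents for the target
    return call("core", "view", "alerts", baseurl=target, start=0, count=9999)["alerts"]


def summarize_alerts(alerts):
    """Count alerts per risk level, highest risk first, like the Alerts tab."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
    counts = Counter(a.get("risk", "Informational") for a in alerts)
    return sorted(counts.items(), key=lambda item: order.get(item[0], 99))


if __name__ == "__main__":
    found = run_scan()
    for risk, n in summarize_alerts(found):
        print(f"{risk}: {n}")
    for a in found:
        if a.get("risk") == "High":
            print("HIGH", a.get("name"), a.get("url"))
```

Run it with ZAP started and the application reachable; the `inScopeOnly` flag on the active scan together with `setMode=protect` gives the same guarantee as the GUI's Protected Mode, namely that nothing outside the included context is attacked. If the spider or active scan is interrupted, the `status` views keep returning the last progress value, so the polling loops are the place to add a timeout for pipeline use.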



