Recently, I was asked by our lead developer to look into security testing so that we can get a general idea about how secure the systems we develop really are. The idea was to first look into security testing in general, and then find a tool to scan a web application under development.
I came across multiple tools. I would like to put them all in two categories. The first kind were too complex to install and understand. They came with multiple dependencies where you have to install ten other things for one software to run on your system. Even once installed, they did not appear to be very user-friendly.
The other type were commercial tools with quite high costs. They offered very good results with in-depth scanning. They basically seemed to be focusing on highly security-critical systems. Now, you would think that they would offer some trial versions for testing systems that are not all that detailed, but it turns out that the majority of them come with crappy trial versions which only allow scanning their specified test sites.
Amongst all this chaos, I happened to somehow stumble upon OWASP Zed Attack Proxy, commonly known as OWASP ZAP. It is an open-source, free to use software with no deceiving PRO versions. It is easy to install and has no dependencies whatsoever except that you should have Java installed, which doesn’t even really count. It is supported on multiple platforms including Windows, Linux and macOS. All you have to do is go to the download page and select the installation file for your respective platform. Run the installation file when it has finished downloading, and it will guide you through the installation steps.
You can use the ZAP icon to open the software whenever you need to use it. The best thing about it, in my opinion, is that it has a very clever UI which makes this software usable for beginners as well as experts. If you still don’t understand any part of it, there are some very helpful tutorial videos available on their website.
ZAP provides support for automated as well as manual penetration testing. Newbies or people who just want to get a general idea of their website’s security and not spend too much time on it can just run the automated tests and review the results. Security testing experts on the other hand, can utilize the many features of ZAP and use it to perform more in-depth penetration testing.
For automated testing, you can either explore your web app manually and then have the tool automatically scan it, or you can have ZAP first spider your app to find all the links and then scan it. The app I was testing was a very comprehensive app, so I explored it manually first and then had ZAP spider it to look for any links that I might have missed. If your app is large, the scan takes some time to finish, but on the positive side, you don’t have to do anything yourself: it does the scanning on its own and you can use that time for any other task at hand.
As for manual testing, I am no expert in penetration testing, but ZAP has some very useful tools which can be used to manually test your web app in more detail. ZAP is used as an intercepting proxy, enabling you to see the requests being made and the responses being received. ZAP’s built-in Fuzzer can be used for parameter manipulation. Its passive scanning feature lets you scan the app using a background thread without directly targeting the app or slowing down the exploration of the app. More details about ZAP’s awesomeness can be found at: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Functionality
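The spider-then-scan workflow from the previous paragraphs can also be driven without clicking through the UI, because ZAP exposes the same actions over a local REST API. The script below is an added example written for this post, not code from the ZAP project: it assumes ZAP is already running with its API on http://127.0.0.1:8080 (the default), that ZAP_API_KEY is replaced with the key shown under Tools > Options > API, and that TARGET is replaced with a test instance of your own application. The endpoint names (spider/action/scan, ascan/action/scan, core/view/alerts, and the matching status views) are ZAP's own; the alert summariser and the sample alert list are constructed here so the report part runs offline.

```python
"""Drive a ZAP spider + active scan over its REST API and summarise the alerts.

Added example, not code from the original post or from the ZAP project.
Assumes ZAP is running locally with its API on http://127.0.0.1:8080 and
that ZAP_API_KEY holds the key from Tools > Options > API. TARGET is a
placeholder; point it at a test instance you own.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"      # assumption: ZAP's default API address
ZAP_API_KEY = "CHANGE-ME"              # placeholder: copy from ZAP's API options
TARGET = "http://localhost:3000/"      # placeholder: your own app under test


def zap_call(component, kind, name, **params):
    """Call one ZAP API endpoint, e.g. /JSON/spider/action/scan/, and return parsed JSON."""
    params["apikey"] = ZAP_API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll_seconds=2):
    """Poll a spider or active-scan status view until it reports 100%."""
    while True:
        status = int(zap_call(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return
        time.sleep(poll_seconds)


def spider_and_scan(target):
    """Spider the target to discover links, then run the active scanner over them."""
    spider_id = zap_call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = zap_call("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)
    # The alert list also contains passive-scan findings gathered while the
    # site was being explored (manually through the proxy or by the spider).
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


RISK_ORDER = ("High", "Medium", "Low", "Informational")


def summarise_alerts(alerts):
    """Group alerts by risk level, then by alert name, listing affected URLs (deduplicated)."""
    summary = {risk: {} for risk in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        by_name = summary.setdefault(risk, {})
        urls = by_name.setdefault(alert["alert"], [])
        if alert["url"] not in urls:
            urls.append(alert["url"])
    return {risk: names for risk, names in summary.items() if names}


def count_by_risk(alerts):
    """Number of distinct alert names at each risk level."""
    return {risk: len(names) for risk, names in summarise_alerts(alerts).items()}


# Constructed sample in the shape core/view/alerts returns (only the fields used here).
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://localhost:3000/search?q=1"},
    {"risk": "High", "alert": "SQL Injection", "url": "http://localhost:3000/search?q=1"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "http://localhost:3000/"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "http://localhost:3000/login"},
    {"risk": "Medium", "alert": "Content Security Policy (CSP) Header Not Set", "url": "http://localhost:3000/"},
]


def print_report(alerts):
    """Print the grouped summary, highest risk first."""
    for risk, names in summarise_alerts(alerts).items():
        print(f"== {risk} ==")
        for name, urls in names.items():
            print(f"  {name} ({len(urls)} URL(s))")
            for url in urls:
                print(f"    - {url}")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # print_report(spider_and_scan(TARGET)) once ZAP is running.
    print_report(SAMPLE_ALERTS)
```

If you explore the application manually through the ZAP proxy before running this, the spider starts from everything already in the site tree, which is the same "explore first, then spider" order described above. Grouping by alert name rather than by raw alert instance keeps the report readable for a large app, where one missing header can otherwise produce hundreds of near-identical rows.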
To sum it all up, whether you are a beginner or a slightly experienced penetration tester, if you do not have large resources (time and money) for your security testing, then ZAP is a very good option to consider. It’s easy to use and has a wide variety of features which you can build upon for more efficient testing. It is my go-to software whenever I need to test a web app’s security!