OWASP ZAP get started

Dear Experts.

I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.

Getting started with ZAP seems very obscure.

What is the difference between extensitons and plugins?

How can I see what has been sent and responded if alert indicates a vulnerability in Alerts?

    For example, after running ZAP on specific URL, there are:
            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...
    This short log makes no sense: what was a scenario of the attack?
    What was a full request and full response?

Where one can see what happened behind specific alert, history records? Which sort of atacks were conducted, which plugins were used.

What is a content of plugin and their scenario?

Zest script are included when to click add-on menu. But were are they? How to see a specific one? How to edit it?

What is "Fuzz Locations tab"? Where is it? Very obscure.
This term is found in Help/Fuzzer/Dialog

7. I am nearly sure that the site under my test has certain Ruby bufferoverflow vulnerability, but how can I prove it by including
the vulnerability code into ZAP plugins ( or find this plugin in OWASP forum ) and run the test?

Thank you.
Who is Participating?
btanConnect With a Mentor Exec ConsultantCommented:
Will be good that you check out the ZAP wiki. I included some in my inputs below.

1. Extension is no longer available and replaced with adds on. They are actually Java packages that extend the existing functionality within OWASP ZAP (via "File / Load Add-on file..." menu option). https://github.com/zaproxy/zap-extensions/wiki/V1Extensions 
The Plugins are typically referring to the capability coverage in each of the adds on. For example, taking this structure example, you can define first the adds on introduced (like a scan engine) and its plugins coming with it (like active / passive scan rules & type enabled etc)  https://github.com/zaproxy/zap-extensions/wiki/AddOnStructure
However, these term may be used quite loosely and interchangeably.

2/3/4.  The reporting should have some info (reports-->"Generate Alerts Report") and need to have manual exporting of the traffic exchanges (reports-->"Export Responses to Files") hence not that straightforward. https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport

Ideally, the single report should include each alerts details and request/response for better appreciation. You may want to check out BIRT report template

5. From ZAP info, it stated Zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the Mozilla security team and is intended to be used in web oriented security tools. It is included by default with ZAP.
New Script Button
• Navigate to the Scripts tree tab
• Press the 'New Script...' button
• Type in a suitable name for your script in the 'New Script' dialog
• Select the script type (see the Scripts add-on help page for more details)
• Select the Zest script engine
• Select one of the templates (if relevant)
• Press the 'Save' button

Any type of Zest script can be created this way.
In short, it is kind of scripting means to automate certain action - and form a macro actions analogous to iMacro extension to web browser recording user surfing interactive and replay it ..

6. Fuzz location is where it allows you to select the payload processors to use with all payload generators. In short, it just means to say this is where you can select or change the payload processors to use with specific payload generators - e.g. via location processor (select/change) -> payload processor (select/change) -> payload generator (raw traffic)
Built in payload processors include:
• Base64 Decode
• Base64 Encode
• Expand (to a minimum specified length)
• JavaScript Escape
• JavaScript Unescape
• MD5 Hash
• Postfix String
• Prefix String
• SHA-1 Hash
• SHA-256 Hash
• SHA-512 Hash
• Trim
• URL Decode
• URL Encode
7. ZAP has active scan to surface buffer overflow though not specific to Ruby. See the Active Scan extension - see the list of its coverage

Since ruby has that known vulnerability, maybe there may be some specific inputs that can trigger it and the fuzzer in ZAP for you to configure the specific payload can be useful via the
Payload generators generate the raw attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:
• File - select any local file for one off attacks
• File Fuzzers - select any combination of the fuzzing files registered with ZAP, eg via add-ons like fuzzdb
• Regex - generate attacks based on regex patterns
• Strings - raw strings, which can be entered manually ir pasted in
• Script - custom scripts that can generate any payloads required

You can write custom payload generator scripts - these can supply any payloads that you need.
BitlabAuthor Commented:
Btan, thank you for your work.

I have to rate it well, but because I feel I am rather at the beginning of the question, than to the end of an answer, I will repost my follow up in the step-2 question:

OWASP ZAP get started. Step 2.
BitlabAuthor Commented:
Thank you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.