OWASP ZAP get started

Posted on 2016-09-24
Medium Priority
Last Modified: 2016-09-25
Dear Experts.

I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.

Getting started with ZAP seems very obscure.

What is the difference between extensitons and plugins?

How can I see what has been sent and responded if alert indicates a vulnerability in Alerts?

    For example, after running ZAP on specific URL, there are:
            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...
    This short log makes no sense: what was a scenario of the attack?
    What was a full request and full response?

Where one can see what happened behind specific alert, history records? Which sort of atacks were conducted, which plugins were used.

What is a content of plugin and their scenario?

Zest script are included when to click add-on menu. But were are they? How to see a specific one? How to edit it?

What is "Fuzz Locations tab"? Where is it? Very obscure.
This term is found in Help/Fuzzer/Dialog

7. I am nearly sure that the site under my test has certain Ruby bufferoverflow vulnerability, but how can I prove it by including
the vulnerability code into ZAP plugins ( or find this plugin in OWASP forum ) and run the test?

Thank you.
Question by:Bitlab
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 41814455
Will be good that you check out the ZAP wiki. I included some in my inputs below.

1. Extension is no longer available and replaced with adds on. They are actually Java packages that extend the existing functionality within OWASP ZAP (via "File / Load Add-on file..." menu option). https://github.com/zaproxy/zap-extensions/wiki/V1Extensions 
The Plugins are typically referring to the capability coverage in each of the adds on. For example, taking this structure example, you can define first the adds on introduced (like a scan engine) and its plugins coming with it (like active / passive scan rules & type enabled etc)  https://github.com/zaproxy/zap-extensions/wiki/AddOnStructure
However, these term may be used quite loosely and interchangeably.

2/3/4.  The reporting should have some info (reports-->"Generate Alerts Report") and need to have manual exporting of the traffic exchanges (reports-->"Export Responses to Files") hence not that straightforward. https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport

Ideally, the single report should include each alerts details and request/response for better appreciation. You may want to check out BIRT report template

5. From ZAP info, it stated Zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the Mozilla security team and is intended to be used in web oriented security tools. It is included by default with ZAP.
New Script Button
• Navigate to the Scripts tree tab
• Press the 'New Script...' button
• Type in a suitable name for your script in the 'New Script' dialog
• Select the script type (see the Scripts add-on help page for more details)
• Select the Zest script engine
• Select one of the templates (if relevant)
• Press the 'Save' button

Any type of Zest script can be created this way.
In short, it is kind of scripting means to automate certain action - and form a macro actions analogous to iMacro extension to web browser recording user surfing interactive and replay it ..

6. Fuzz location is where it allows you to select the payload processors to use with all payload generators. In short, it just means to say this is where you can select or change the payload processors to use with specific payload generators - e.g. via location processor (select/change) -> payload processor (select/change) -> payload generator (raw traffic)
Built in payload processors include:
• Base64 Decode
• Base64 Encode
• Expand (to a minimum specified length)
• JavaScript Escape
• JavaScript Unescape
• MD5 Hash
• Postfix String
• Prefix String
• SHA-1 Hash
• SHA-256 Hash
• SHA-512 Hash
• Trim
• URL Decode
• URL Encode
7. ZAP has active scan to surface buffer overflow though not specific to Ruby. See the Active Scan extension - see the list of its coverage

Since ruby has that known vulnerability, maybe there may be some specific inputs that can trigger it and the fuzzer in ZAP for you to configure the specific payload can be useful via the
Payload generators generate the raw attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:
• File - select any local file for one off attacks
• File Fuzzers - select any combination of the fuzzing files registered with ZAP, eg via add-ons like fuzzdb
• Regex - generate attacks based on regex patterns
• Strings - raw strings, which can be entered manually ir pasted in
• Script - custom scripts that can generate any payloads required

You can write custom payload generator scripts - these can supply any payloads that you need.

Author Comment

ID: 41815140
Btan, thank you for your work.

I have to rate it well, but because I feel I am rather at the beginning of the question, than to the end of an answer, I will repost my follow up in the step-2 question:

OWASP ZAP get started. Step 2.

Author Closing Comment

ID: 41815153
Thank you.

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses
Course of the Month10 days, 12 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question