OWASP ZAP get started

Posted on 2016-09-24
Last Modified: 2016-09-25
Dear Experts.

I am tasked to secure the site for one company and to prove that I did a good job.
I feel I need a small push to get started with ZAP.

Getting started with ZAP seems very obscure.

What is the difference between extensitons and plugins?

How can I see what has been sent and responded if alert indicates a vulnerability in Alerts?

    For example, after running ZAP on specific URL, there are:
            Cross Site Scripting
                POST: http://....
                    Attack --><script>...
                    Evidence --><script>...
    This short log makes no sense: what was a scenario of the attack?
    What was a full request and full response?

Where one can see what happened behind specific alert, history records? Which sort of atacks were conducted, which plugins were used.

What is a content of plugin and their scenario?

Zest script are included when to click add-on menu. But were are they? How to see a specific one? How to edit it?

What is "Fuzz Locations tab"? Where is it? Very obscure.
This term is found in Help/Fuzzer/Dialog

7. I am nearly sure that the site under my test has certain Ruby bufferoverflow vulnerability, but how can I prove it by including
the vulnerability code into ZAP plugins ( or find this plugin in OWASP forum ) and run the test?

Thank you.
Question by:Bitlab
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 64

Accepted Solution

btan earned 500 total points
ID: 41814455
Will be good that you check out the ZAP wiki. I included some in my inputs below.

1. Extension is no longer available and replaced with adds on. They are actually Java packages that extend the existing functionality within OWASP ZAP (via "File / Load Add-on file..." menu option). 
The Plugins are typically referring to the capability coverage in each of the adds on. For example, taking this structure example, you can define first the adds on introduced (like a scan engine) and its plugins coming with it (like active / passive scan rules & type enabled etc)
However, these term may be used quite loosely and interchangeably.

2/3/4.  The reporting should have some info (reports-->"Generate Alerts Report") and need to have manual exporting of the traffic exchanges (reports-->"Export Responses to Files") hence not that straightforward.

Ideally, the single report should include each alerts details and request/response for better appreciation. You may want to check out BIRT report template

5. From ZAP info, it stated Zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the Mozilla security team and is intended to be used in web oriented security tools. It is included by default with ZAP.
New Script Button
• Navigate to the Scripts tree tab
• Press the 'New Script...' button
• Type in a suitable name for your script in the 'New Script' dialog
• Select the script type (see the Scripts add-on help page for more details)
• Select the Zest script engine
• Select one of the templates (if relevant)
• Press the 'Save' button

Any type of Zest script can be created this way.
In short, it is kind of scripting means to automate certain action - and form a macro actions analogous to iMacro extension to web browser recording user surfing interactive and replay it ..

6. Fuzz location is where it allows you to select the payload processors to use with all payload generators. In short, it just means to say this is where you can select or change the payload processors to use with specific payload generators - e.g. via location processor (select/change) -> payload processor (select/change) -> payload generator (raw traffic)
Built in payload processors include:
• Base64 Decode
• Base64 Encode
• Expand (to a minimum specified length)
• JavaScript Escape
• JavaScript Unescape
• MD5 Hash
• Postfix String
• Prefix String
• SHA-1 Hash
• SHA-256 Hash
• SHA-512 Hash
• Trim
• URL Decode
• URL Encode
7. ZAP has active scan to surface buffer overflow though not specific to Ruby. See the Active Scan extension - see the list of its coverage

Since ruby has that known vulnerability, maybe there may be some specific inputs that can trigger it and the fuzzer in ZAP for you to configure the specific payload can be useful via the
Payload generators generate the raw attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:
• File - select any local file for one off attacks
• File Fuzzers - select any combination of the fuzzing files registered with ZAP, eg via add-ons like fuzzdb
• Regex - generate attacks based on regex patterns
• Strings - raw strings, which can be entered manually ir pasted in
• Script - custom scripts that can generate any payloads required

You can write custom payload generator scripts - these can supply any payloads that you need.

Author Comment

ID: 41815140
Btan, thank you for your work.

I have to rate it well, but because I feel I am rather at the beginning of the question, than to the end of an answer, I will repost my follow up in the step-2 question:

OWASP ZAP get started. Step 2.

Author Closing Comment

ID: 41815153
Thank you.

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question