Penetration Testing with OWASP ZAP

In this blog, I will be giving instructions on how to perform penetration testing with OWASP ZAP. OWASP (Open Worldwide Application Security Project) is a nonprofit foundation that works to improve software security. OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner: it sits between your browser and the target as an intercepting proxy, crawls the application, and probes the pages it finds for common weaknesses.
Penetration testing is a simulated attack performed to examine the security of a computer system. The tester uses the same tools and techniques as a real attacker to find vulnerabilities that could harm the business, which helps the organization fix those weaknesses before an attacker finds them. Penetration testing is commonly described in 5 stages:
1. Planning and reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Analysis  
The purpose of this blog is to show how to use this tool to scan a web application for vulnerabilities. ZAP is a Java application, so the key steps are installing a Java runtime (Java 11 or later is required by current ZAP releases), installing ZAP, and then running a scan against a test web application. I will be providing screenshots throughout the process to provide a clearer understanding.
Please note: ZAP should only be used on websites that you have permission to attack.

STEP 1. INSTALL JAVA RUNTIME ENVIRONMENT

On Windows, download the Windows x64 Installer and run it; the JDK installer includes the Java runtime that ZAP needs. I accessed https://www.oracle.com/java/technologies/downloads/

STEP 2. INSTALL ZAP

Download the Windows (64) Installer from https://www.zaproxy.org/download/ and run it. The installer does not bundle Java, which is why Step 1 comes first.

STEP 3. TESTING A WEB APPLICATION

I will be pen testing Google Gruyere; this is a website that is intentionally full of security bugs, designed for people learning about application security. Gruyere gives each user their own instance of the application at a URL that contains a unique ID.
The unique ID is hidden in the screenshots.

In ZAP, select "Quick Start", then select "Automated Scan", enter the website in the "URL to attack" field, and select "Attack".
The Automated Scan first runs the spider, which crawls the site to discover its pages, and then runs the active scanner, which sends attack payloads to every page and parameter it found. The active scanner is the part that can modify data or disrupt a site, which is why permission from the owner is required.
Then expand "Sites" to see the discovered URLs.

STEP 4. VIEW THE RESULTS

The Alerts tab shows the detected vulnerabilities. The color of the flag indicates the risk level of each alert: red for High, orange for Medium, yellow for Low, and blue for Informational. Each alert also carries a confidence rating, and the scanner can produce false positives, so every finding should be confirmed manually (for example by replaying the request from the History tab) before it is reported.
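The same workflow (spider, active scan, read the alerts) can be driven without the GUI through ZAP's JSON API, which is how a scan would be scripted or put into a pipeline. The script below is an added example and is not code from the original post or from the ZAP project. It assumes ZAP is already running in daemon mode on 127.0.0.1:8080 (for example, started with `zap.bat -daemon -port 8080 -config api.key=changeme` from the ZAP install folder) and that the API key passed to the client matches the one ZAP was started with. The alert records at the bottom are constructed sample data in the shape of ZAP's alert output, not real scan results, so the summary helpers can be tried offline.

```python
"""Drive ZAP's spider -> active scan -> alerts workflow over its JSON API.

Added example, not code from the original post or from the ZAP project.
Assumptions: ZAP runs in daemon mode on 127.0.0.1:8080 and was started
with the API key given to ZapClient (e.g. `-config api.key=changeme`).
"""
import json
import time
import urllib.parse
import urllib.request

# ZAP's four risk levels, most severe first, and the alert flag colours
# the Alerts tab uses for them.
RISK_ORDER = ["High", "Medium", "Low", "Informational"]
RISK_FLAG = {"High": "red", "Medium": "orange", "Low": "yellow", "Informational": "blue"}


def summarize_alerts(alerts):
    """Count alerts per risk level, keys in descending severity order.

    `alerts` is a list of dicts shaped like ZAP's /JSON/core/view/alerts/
    output (each with at least a "risk" key). A risk string ZAP does not
    use is still counted under its own key rather than silently dropped.
    """
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def distinct_findings(alerts):
    """Group per-URL alert instances into distinct (name, risk) findings.

    ZAP raises one alert per URL/parameter, so one reflected-XSS bug can
    appear dozens of times across a site; this is the view used for triage.
    """
    grouped = {}
    for alert in alerts:
        key = (alert.get("name", "?"), alert.get("risk", "Unknown"))
        grouped.setdefault(key, []).append(alert.get("url", ""))
    return grouped


def worst_risk(alerts):
    """Highest risk level present, or None when there are no alerts."""
    present = {alert.get("risk") for alert in alerts}
    for risk in RISK_ORDER:
        if risk in present:
            return risk
    return None


class ZapClient:
    """Minimal client for ZAP's JSON API using only the standard library."""

    def __init__(self, apikey, base="http://127.0.0.1:8080"):
        self.apikey = apikey
        self.base = base.rstrip("/")

    def call(self, component, kind, name, **params):
        # URL shape: /JSON/<component>/<action|view>/<name>/?apikey=...&...
        params["apikey"] = self.apikey
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)

    def wait(self, component, scan_id, poll_seconds=2.0):
        # The spider and ascan "status" views report progress as a percentage string.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll_seconds)

    def automated_scan(self, target):
        """Mirror the GUI's Automated Scan: spider, then active scan, then alerts."""
        self.call("core", "action", "accessUrl", url=target)  # seed the Sites tree
        spider_id = self.call("spider", "action", "scan", url=target)["scan"]
        self.wait("spider", spider_id)
        ascan_id = self.call("ascan", "action", "scan", url=target)["scan"]
        self.wait("ascan", ascan_id)
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


# Constructed sample in the shape of ZAP's alert output; not real scan results.
SAMPLE_ALERTS = [
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "https://example.test/search?q=x", "param": "q"},
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "https://example.test/profile?name=y", "param": "name"},
    {"name": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "Low",
     "url": "https://example.test/login", "param": ""},
    {"name": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "https://example.test/", "param": "x-content-type-options"},
    {"name": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "https://example.test/app.js", "param": ""},
]

if __name__ == "__main__":
    import sys
    # Usage: python zap_scan.py https://<your-own-test-instance>/   (permission required)
    found = ZapClient(apikey="changeme").automated_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for risk, count in summarize_alerts(found).items():
        print(f"{RISK_FLAG.get(risk, '?'):>6} flag  {risk:<13} {count}")
    print("worst risk:", worst_risk(found))
```

Run without arguments it summarizes the constructed sample; with a target URL it runs the real scan through the daemon. The `distinct_findings` grouping is the step that turns a long Alerts list into the handful of issues that actually need verifying, since ZAP reports the same weakness once per affected URL and parameter.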

In conclusion, this project demonstrated the pen testing of a web application. Java and ZAP were installed, ZAP was used to scan the website, and the Alerts tab displayed the vulnerabilities it found. Again, it is important to note that only websites you have permission to attack should be tested. You can learn more about ZAP at https://www.zaproxy.org/
