OWASP-Zed-Attack-Proxy-ZAP
Description
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Installation
The following installation has been tested under Ubuntu 10.04 and Kubuntu 10.04, but the tool should be compatible with other versions.
Prerequisites
You need to install Java. To install it under *ubuntu distributions, proceed as follows:
$ cd /etc/apt/
$ sudo vim sources.list
Uncomment the following repositories:
deb http://fr.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://fr.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb http://archive.canonical.com/ubuntu lucid partner
deb-src http://archive.canonical.com/ubuntu lucid partner
Then install sun-java6-plugin:
$ sudo apt-get update
$ sudo apt-get install sun-java6-plugin
Installation of ZAP
$ cd /data/src/
$ wget http://zaproxy.googlecode.com/files/ZAP_1.2.0_Linux.tar.gz
$ sudo mkdir -p /opt/zap/
$ sudo tar xvzf ZAP_1.2.0_Linux.tar.gz -C /opt/zap/
$ cd /opt/zap/
Usage
Start ZAP Proxy
To start ZAP Proxy, simply go to your installation directory and launch the script as follows:
$ cd /opt/zap/
$ sh zap.sh
If ZAP Proxy has been installed successfully, you should see a screen like this:
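The installation and start-up steps above can be scripted so that the archive is checked before it is unpacked and the launcher is confirmed to be in place before you try to run it. This is an added example, not a script from the original page or from the ZAP project; it assumes the version, download URL and /opt/zap prefix given on this page, and the ZAP_SHA256 value is a placeholder that must be replaced with the checksum published for the release you download.

```shell
#!/bin/sh
# Added example (not from the original page or the ZAP project): scripted
# install of the ZAP release referenced above, with the checks a practitioner
# would want before unpacking a downloaded archive. Assumptions: version and
# download URL as given on the page; install prefix /opt/zap as on the page;
# ZAP_SHA256 is a placeholder, replace it with the published checksum.

ZAP_VERSION="${ZAP_VERSION:-1.2.0}"
ZAP_PREFIX="${ZAP_PREFIX:-/opt/zap}"
ZAP_SHA256="${ZAP_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}"   # placeholder value

# Build the download URL for a given version (host and naming scheme from the page).
zap_tarball_url() {
    printf 'http://zaproxy.googlecode.com/files/ZAP_%s_Linux.tar.gz\n' "$1"
}

# Return 0 if a usable Java runtime is on PATH (ZAP's only prerequisite).
zap_java_ok() {
    command -v java >/dev/null 2>&1 && java -version >/dev/null 2>&1
}

# Return 0 if the SHA-256 of file $1 equals the expected hex digest $2.
zap_checksum_ok() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Return 0 if directory $1 contains the launcher the Usage section runs.
zap_install_ready() {
    [ -f "$1/zap.sh" ]
}

# Download, verify and unpack; refuses to unpack an archive that fails the checksum.
zap_install() {
    zap_java_ok || { echo "java not found: install it first" >&2; return 1; }
    tarball="ZAP_${ZAP_VERSION}_Linux.tar.gz"
    wget -O "$tarball" "$(zap_tarball_url "$ZAP_VERSION")" || return 1
    zap_checksum_ok "$tarball" "$ZAP_SHA256" || {
        echo "checksum mismatch for $tarball, not installing" >&2
        return 1
    }
    sudo mkdir -p "$ZAP_PREFIX"
    sudo tar xvzf "$tarball" -C "$ZAP_PREFIX"
    zap_install_ready "$ZAP_PREFIX"
}

# Only run the installer when asked to, so the file can also be sourced for its functions.
if [ "${ZAP_RUN_INSTALL:-0}" = "1" ]; then
    zap_install && echo "ZAP installed under $ZAP_PREFIX; start it with: cd $ZAP_PREFIX && sh zap.sh"
fi
```

Run it with ZAP_RUN_INSTALL=1 after setting ZAP_SHA256; with the placeholder left in place the checksum check fails and nothing is unpacked, which is the intended behaviour.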
Menu
- File
- New Session
- Open Session
- Save As
- Properties
- Exit
- Edit
- Find
- Enable Session Tracking (Cookie)
- Reset Session State
- Search
- Next
- Previous
- Encode/Decode/Hash
- View
- Enable Image in History
- Analyse
- Scan Policy
- Report
- Generate Report
- Export Messages to File
- Export Response to File
- Export All URLs to File
- Compare with another Session
- Tools
- Filter
- Encode/Decode/Hash
- Manual Request Editor
- Options
- Help
- About OWASP ZAP
- Check for Updates
- OWASP Zap User Guide
Icons Toolbar
Sites
Request/Response/Break
History / Search / Breakpoint / ...
Status bar
Example
The following video tutorial shows how to use the basic functionalities of ZAP Proxy, tested against Damn Vulnerable Web Application (DVWA): http://www.youtube.com/watch?v=44fCfucYQVI