Using OWASP ZAP to scan for vulnerabilities

OWASP ZAP is a tool that we have already used in this book for various tasks, and among its many features, it includes an automated vulnerability scanner. Its use and report generation will be covered in this recipe.

Getting ready

Before we perform a successful vulnerability scan in OWASP ZAP, we need to crawl the site:

  1. Open OWASP ZAP and configure the web browser to use it as a proxy.
  2. Navigate to 192.168.56.102/peruggia/.
  3. Follow the instructions from Using ZAP's spider from Chapter 3, Crawlers and Spiders.

How to do it...

  1. Go to OWASP ZAP's Sites panel and right-click on the peruggia folder.
  2. From the menu, navigate to Attack | Active Scan.
  3. A new window will pop up. At this point, we already know which technologies our application and server use, so go to the Technology tab and check only MySQL, PostgreSQL, Linux, and Apache:

    Here we can configure our scan in terms of Scope (where to start the scan, on what context, and so on), Input Vectors (select if you want to test values in GET and POST requests, headers, cookies, and other options), Custom Vectors (add specific characters or words from the original request as attack vectors), Technology (what technology-specific tests to perform), and Policy (select configuration parameters for specific tests).

  4. Click on Start Scan.
  5. The Active Scan tab will appear on the bottom panel and all the requests will be listed there. When the scan is finished, we can check the results in the Alerts tab:
  6. If we select an alert, we can see the request that was made and the response obtained from the server. This allows us to analyze the attack and determine whether it is a true vulnerability or a false positive. We can also use this information to fuzz, repeat the request in the browser, or dig deeper into exploitation.

    To generate an HTML report, as with the previous tools, go to Report in the main menu and then select Generate HTML Report....
  7. A new dialog will ask for the filename and location. Set, for example, zap_result.html and when finished, open the file:
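The same recipe driven through ZAP's REST API, as an added example that is not part of the book: it assumes ZAP is listening on 127.0.0.1:8080 with an API key configured, that the python-owasp-zap-v2.4 client (`zapv2`) is installed, and that the technology identifiers are the strings ZAP's context/view/technologyList reports (check them against your version). The alert summary helper only needs the alert list ZAP returns, so it can be exercised without a running instance.

```python
import time
from collections import Counter

TARGET = "http://192.168.56.102/peruggia/"   # the lab target used in the recipe
ZAP_PROXY = "http://127.0.0.1:8080"          # assumption: ZAP's local API/proxy port
ZAP_API_KEY = "change-me"                    # assumption: key set in ZAP's API options
# Same selection as the recipe's Technology tab; identifiers as reported by
# context/view/technologyList (assumed names, verify against your ZAP version).
TECHNOLOGIES = "Db.MySQL,Db.PostgreSQL,OS.Linux,WS.Apache"
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def summarize_alerts(alerts, min_risk="Low"):
    """Count alerts per risk level, dropping anything below min_risk.
    `alerts` is the list of dicts that core/view/alerts returns."""
    threshold = RISK_ORDER.index(min_risk)
    counts = Counter()
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        if risk in RISK_ORDER and RISK_ORDER.index(risk) >= threshold:
            counts[risk] += 1
    return dict(counts)


def wait_for(status_fn, scan_id, interval=2):
    """Poll a spider/ascan status endpoint until it reports 100%."""
    while int(status_fn(scan_id)) < 100:
        time.sleep(interval)


def run_scan(zap, target=TARGET, technologies=TECHNOLOGIES, context="peruggia"):
    """Spider the target, restrict tests to the chosen technologies,
    run the active scan and return the alerts raised for the target."""
    ctx_id = zap.context.new_context(context)
    zap.context.include_in_context(context, target + ".*")
    zap.context.exclude_all_context_technologies(context)            # untick all...
    zap.context.include_context_technologies(context, technologies)  # ...tick ours
    wait_for(zap.spider.status, zap.spider.scan(target, contextname=context))
    wait_for(zap.ascan.status, zap.ascan.scan(target, recurse=True, contextid=ctx_id))
    return zap.core.alerts(baseurl=target)


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4; needs a running ZAP

    zap = ZAPv2(apikey=ZAP_API_KEY, proxies={"http": ZAP_PROXY, "https": ZAP_PROXY})
    found = run_scan(zap)
    print(summarize_alerts(found, min_risk="Medium"))
    with open("zap_result.html", "w", encoding="utf-8") as fh:  # same file as step 7
        fh.write(zap.core.htmlreport())
```

Each alert still needs the request/response review from step 6 before it is treated as a confirmed finding.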

How it works...

OWASP ZAP can perform both active and passive vulnerability scans. Passive scans are non-intrusive checks that OWASP ZAP performs while we browse, send data, and click links. Active scans send various attack strings against every form variable or request value in order to detect whether the server responds with what we can call "vulnerable behavior".

OWASP ZAP has test strings for a wide variety of technologies; it is therefore useful to first identify the technologies our target uses, so that we can optimize our scan and reduce the probability of being detected or of causing a drop in the service.

Another interesting feature of this tool is that we can analyze the request that resulted in the detection of a vulnerability and its corresponding response in the same window and at the moment it is detected. This allows us to rapidly determine whether it is a real vulnerability or a false positive and whether to develop our proof of concept (PoC) or start the exploitation.

There's more...

We've already talked about Burp Suite. Kali Linux includes only the free version, which lacks the active and passive scanning features. It is strongly recommended to acquire a professional license of Burp Suite, as it has useful features and improvements over the free version, such as active and passive vulnerability scanning.

Passive vulnerability scanning happens in the background as we browse a Web page with Burp Suite configured as our browser's proxy. Burp will analyze all requests and responses while looking for patterns corresponding to known vulnerabilities.

In active scanning, Burp Suite will send specific requests to the server and check the responses to see if they correspond to some vulnerable pattern or not. These requests are specially crafted to trigger special behaviors when an application is vulnerable.
