The OWASP Zed Attack Proxy (ZAP) project was created by OWASP as a free security tool for discovering vulnerabilities on web servers and applications with a simple and easy-to-use interface.
OWASP ZAP is pre-installed in Kali Linux. To start, let's perform a web vulnerability scan on our target OWASP BWA virtual machine.
To start with using OWASP ZAP, perform the following steps:
- Open OWASP ZAP and then navigate to Applications | 03 - Web Application Analysis | OWASP-ZAP. On the interface, click on Automated Scan, as shown here:
- Enter the IP address of the OWASP BWA virtual machine and click Attack to begin the security scan:
During the scanning phase, OWASP ZAP will first spider the target. Spidering (crawling) is the technique by which the web security scanner follows the links, forms and references found in each page it retrieves, building a map of the site's reachable URLs and directories, including ones not linked from the main navigation, and then attempts to access each of them so that the active scan has a complete list of pages to test:
- When the scan is complete, click on the Alerts tab to see all web-based vulnerabilities found and the locations of each on the target:
Upon selecting a vulnerability, OWASP ZAP will display both the HTTP header and the body of the request and response that were exchanged with the target server:
If you look closely at the preceding screenshot, you will see that OWASP ZAP has highlighted the affected area of the page source.
- Once a security scan is complete, you can create and export a report. To do this, click on Report | Generate HTML Report. The application will allow you to save the report to your desktop. The following is a sample report created using OWASP ZAP:
Additionally, OWASP ZAP allows you to generate reports in multiple formats based on your requirements. Be sure to explore the other functions of this amazing tool.
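To make the spidering step concrete, here is an added example (not code from the book or from the ZAP project) of the crawl a spider performs: it follows `href` and form `action` links from each page, resolves relative paths, stays within the target host, and records every reachable URL. The site content is a constructed in-memory stand-in with the hypothetical host `bwa.local`; a real spider would fetch each URL over HTTP instead.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed stand-in for a small web app (hypothetical host bwa.local).
# Keys are URLs, values are the page bodies a fetch would return.
SAMPLE_SITE = {
    "http://bwa.local/": '<a href="/login.php">Login</a> <a href="admin/">Admin</a>'
                         ' <a href="http://evil.example/x">Off-site</a>',
    "http://bwa.local/login.php": '<form action="/login.php"><a href="/">Home</a></form>',
    "http://bwa.local/admin/": '<a href="../backup/db.sql">Backup</a> <a href="/admin/#top">Top</a>',
    "http://bwa.local/backup/db.sql": "-- not html, but still a discovered resource",
}


class LinkExtractor(HTMLParser):
    """Collect link targets from anchors, <link> tags and form actions."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "link") and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def spider(start, fetch, max_pages=100):
    """Breadth-first crawl from `start`; returns (reachable URLs, skipped off-scope URLs)."""
    scope = urlparse(start).netloc          # only crawl the target host
    seen, queue, found, skipped = set(), deque([start]), [], set()
    while queue and len(found) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:                    # unreachable / 404: nothing to follow
            continue
        found.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            absolute, _ = urldefrag(urljoin(url, href))   # resolve "../x", drop "#frag"
            if urlparse(absolute).netloc != scope:
                skipped.add(absolute)       # out of scope: record, never request
            elif absolute not in seen:
                queue.append(absolute)
    return found, sorted(skipped)
```

Running `spider("http://bwa.local/", SAMPLE_SITE.get)` discovers the `admin/` and `backup/` paths that were only reachable through intermediate pages, which is exactly the URL list ZAP's active scan then probes.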