OWASP ZAP (Zed Attack Proxy) is an open source web application security scanner. We can configure it to find security vulnerabilities in web applications in the developing phase.
How to configure ZAP Proxy to monitor security threats for our application
Step 1: Installing ZAP
Download and install ZAP 2.7.0 standard from https://github.com/zaproxy/zaproxy/wiki/Downloads
Step 2: Setting up a proxy on ZAP and Browser
To monitor security threats to our application we need to set OWASP as a proxy and will browse the application through OWASP proxy.
To use the ZAP Proxy we will need to first install ZAP’s CA root certificate in our browser.
How to Generate Certificate:
Open OWASP ZAP. From the top bar, go to Tools menu> Options>Dynamic SSL Certificate and click on generate and save the certificate. Now import the certificate in the browser.
Configuring proxy in OWASP – Go to tools ->Options->Local proxy and we can configure the port there for which we are setting the proxy (i.e. 8081)
Change browser proxy: Open the browser and set the proxy option to the manual proxy configuration and give a port on which your application will run.
Step 3: Recording the application flow
Parts of the application which we want to scan need to be captured in ZAP via the proxy we have setup above. This will be enabled focused testing of specific application flows.
Using the browser, we have to set up the proxy, browse the application areas we have identified to test. Once we have done this we should be able to see the browsed URLs in a tree structure under the Site menu on the left pane in ZAP. If your application uses multiple domains (internal or external) they will be listed separately. we may remove those which are not applicable using delete option.
Step 4: Configuring ZAP to Perform the scan
Now that we have the major application flow inside zap, we can set up the active scan configuration in ZAP.
Select the domain or specific URL we want to perform the security scan and set it as default context by right-clicking and selecting Include in Context. From the drop-down below the File Menu, select the Protected Mode.
Sites->Domain->Include in context ->Default Context
By setting protected mode we are enabling ZAP to perform dangerous actions only on the URLs that are included in the context.
Step 5: Set the spider and the maximum depth to crawl
Setting up spider means crawling a website one page at a time, gathering and storing the relevant information.
Right click on the part we want to test and select the Option ->Attack->Spider
Set the maximum depth to scroll as 9 and start a spider scan.
Step 6: Perform Active Scan
This is the final step of this process, here we can select a specific URL/Website and perform the active scan.
Now we will right click on the URL on the left pane under Sites menu and select the Option Attack ->Active Scan
In the Active Scan Pane, we can select/deselect the technologies we are using by clicking the checkbox in the technology pan.
In Policy Tab we can select some specific kind of vulnerability on which we want to perform security scan, rest others we can set to OFF.
Example: we can only select Injection and cross-site scripting under it. We can OFF the rest other things which are not there in our testing scope.
Once the active scan is completed 100%, the vulnerability and security threats to the application will be reflected in bottom pane under the Alert Section.
OWASP ZAP is an effective and free security tool which can easily be installed and configured. We can secure our web application and monitor all kind of security threats by using it up front. It enables us to build a secure web application.