Book Image

Zed Attack Proxy Cookbook

By : Ryan Soper, Nestor N Torres, Ahmed Almoailu
Book Image

Zed Attack Proxy Cookbook

By: Ryan Soper, Nestor N Torres, Ahmed Almoailu

Overview of this book

Maintaining your cybersecurity posture in the ever-changing, fast-paced security landscape requires constant attention and advancements. This book will help you safeguard your organization using the free and open source OWASP Zed Attack Proxy (ZAP) tool, which allows you to test for vulnerabilities and exploits with the same functionality as a licensed tool. Zed Attack Proxy Cookbook contains a vast array of practical recipes to help you set up, configure, and use ZAP to protect your vital systems from various adversaries. If you're interested in cybersecurity or working as a cybersecurity professional, this book will help you master ZAP. You’ll start with an overview of ZAP and understand how to set up a basic lab environment for hands-on activities over the course of the book. As you progress, you'll go through a myriad of step-by-step recipes detailing various types of exploits and vulnerabilities in web applications, along with advanced techniques such as Java deserialization. By the end of this ZAP book, you’ll be able to install and deploy ZAP, conduct basic to advanced web application penetration attacks, use the tool for API testing, deploy an integrated BOAST server, and build ZAP into a continuous integration and continuous delivery (CI/CD) pipeline.

Related Content you might be interested in

Current Title:

Small book image
Zed Attack Proxy Cookbook
Ryan Soper | Nestor N Torres | Ahmed Almoailu
Mar, 2023 | 284 pages
No titles found
Table of Contents (14 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Sections
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Chapter 1: Getting Started with OWASP Zed Attack Proxy
Chapter 1: Getting Started with OWASP Zed Attack Proxy
Downloading ZAP
Setting up the testing environment
Setting up a browser proxy and certificate
Testing the ZAP setup
Free Chapter
2
Chapter 2: Navigating the UI
Chapter 2: Navigating the UI
Technical requirements
Persisting a session
Menu bar
Toolbar
The tree window
Workspace window
Information window
Footer
Encode/Decode/Hash dialog
Fuzzing with Fuzzer
3
Chapter 3: Configuring, Crawling, Scanning, and Reporting
Chapter 3: Configuring, Crawling, Scanning, and Reporting
Technical requirements
Setting scope in ZAP
Crawling with the Spider
Crawling with the AJAX Spider
Scanning a web app passively
Scanning a web app actively
Generating a report
4
Chapter 4: Authentication and Authorization Testing
Chapter 4: Authentication and Authorization Testing
Technical requirements
Testing for Bypassing Authentication
Testing for Credentials Transported over an Encrypted Channel
Testing for Default Credentials
Testing Directory Traversal File Include
Testing for Privilege Escalation and Bypassing Authorization Schema
Testing for Insecure Direct Object References
5
Chapter 5: Testing of Session Management
Chapter 5: Testing of Session Management
Technical requirements
Testing for cookie attributes
Testing for cross-site request forgery (CSRF)
Testing for logout functionality
Testing for session hijacking
6
Chapter 6: Validating (Data) Inputs – Part 1
Chapter 6: Validating (Data) Inputs – Part 1
Technical requirements
Testing for reflected XSS
Testing for HTTP verb tampering
Testing for HTTP Parameter Pollution (HPP)
Testing for SQL Injection
7
Chapter 7: Validating (Data) Inputs – Part 2
Chapter 7: Validating (Data) Inputs – Part 2
Technical requirements
Testing for code injection
Testing for command injection
Testing for server-side template injection
Testing for server-side request forgery
8
Chapter 8: Business Logic Testing
Chapter 8: Business Logic Testing
Technical requirements
Test ability to forge requests
Test for process timing
Testing for the circumvention of workflows
Testing upload of unexpected file types with a malicious payload
9
Chapter 9: Client-Side Testing
Chapter 9: Client-Side Testing
Technical requirements
Testing for DOM-based cross-site scripting
Testing for JavaScript execution
Testing for HTML injection
Testing for client-side URL redirect
Testing cross-origin resource sharing
Testing WebSockets
10
Chapter 10: Advanced Attack Techniques
Chapter 10: Advanced Attack Techniques
Technical requirements
Performing XXE attacks
Working with JSON Web Tokens
Performing Java deserialization attacks
Password brute-force via password change
Web cache poisoning
11
Chapter 11: Advanced Adventures with ZAP
Chapter 11: Advanced Adventures with ZAP
Technical requirements
How to use the ZAP GUI local API to scan a target
How to use the ZAP API via Docker
Utilizing ZAP DAST testing with Jenkins
Installing, configuring, and running the ZAP GUI OAST server
12
Index
Index
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

The tree window

In this recipe, we are going to go over the ZAP Proxy tree window and what each section of the tree window does.

Getting ready

For you to be able to go over this recipe, you will need to have ZAP installed on your computer. It should also be started and running.

How to do it…

In the Sites tree window, ZAP displays the sites that you have accessed and can be tested. ZAP can only attack the sites that are displayed. The sites tree window consists of two tabs: the Sites tab and the Scripts tab (shown once the + sign is selected):

Figure 2.8 – Sites tree

Figure 2.8 – Sites tree

The Sites tab

The Sites tab is where the sites being tested will be displayed. It contains two trees: the Contexts tree and the Sites tree.

The Sites tree is where the tested sites will be listed. ZAP can only attack the sites that are in the sites tree. A unique node will be displayed for sites based on the HTTP request method and the parameter name being used.

In the Contexts tree, you can group URLs together. The best practice is to have a context for each application being tested:

Figure 2.9 – Sites tree

Figure 2.9 – Sites tree

There are also four options that can be used:

  • Red target: Displays only the sites that are in scope
  • Window with green plus sign: Creates a new context
  • Window with white arrow on the left: Imports context
  • Window with white arrow on the right: Exports context

The Scripts tab

Once you click on the + icon (Figure 2.10), a new menu pops open allowing you to select the Scripts tab.

Figure 2.10 – The plus icon

Figure 2.10 – The plus icon

The Scripts tab opens a tree menu with two other optional tabs. The first tab is the Scripts tab, which shows you the scripts that you already have in ZAP, organized by the type of script. The second tab is the Templates tab tree, which contains the templates that can be used to create scripts.

Figure 2.11 – The Scripts tab

Figure 2.11 – The Scripts tab

In addition to the Scripts and Templates tabs, there are three options in the Scripts tree tab:

  • File folder: Used to load scripts from the local file storage
  • Floppy disc: Used to save a script to the local file storage
  • Scroll with +: Used to create a new script

Another prominent feature of ZAP is the Workspace window. In the next recipe, we’ll look deeper into these options.

How it works…

The entire purpose of the tree window is to help testers know what web applications have been captured, in scope or out of scope, and to quickly view the varying paths discovered during enumeration phases or fuzzing directories. It’s important here to start setting your Sites into Contexts for work later so testing is specific to your scope, as well as cutting back on some of the noise that is generated with websites connecting to other resources.

Previous Section
End of Section 6
Next Section