The OWASP Zed Attack Proxy (ZAP) Scanner


Want to try this tool yourself? See our walk-through section for step-by-step instructions on running this scanner!

Description:
The Zed Attack Proxy, or “ZAP” for short, is much more than just a web vulnerability scanner. You can get all the details on the OWASP ZAP site, but for the scope of this review I’ll be focusing on the active (black box) scanner feature.

Pros:

OWASP ZAP is the Swiss Army knife of web assessment tools. ZAP’s active scanner is integrated into many of the other functions of the application, so it is misleading to discuss ZAP as a scanner only. Having a proxy and these other tools built in is a huge plus.

Since OWASP ZAP is written in Java it is platform independent, so assessors who do not want to work on Linux can comfortably use ZAP on Windows.

One of the unique features of ZAP is that its sensitivity and scan aggressiveness can be manually configured. There are three sensitivity settings (high, medium and low). For example, if a high number of false positives is a problem for you, set the alert threshold to high. The obvious risk is that you increase your false negatives (i.e., there would be vulnerabilities that you would miss).

If false negatives are a concern, set the ZAP Default Alert Threshold setting to “low” and the Default Attack Strength to “insane” (yes, there is an insane setting) to get the full power of the scanner, and then manually validate the findings.

Finally, ZAP allows a user to save and persist sessions, so you can take a break from your testing and come back to it. This is also a helpful feature when you need to confirm fixes and remediation.

Cons:

There are very few things not to like about ZAP. However, the area of ZAP that really holds it back as an enterprise scanner is its reporting capability. ZAP’s only report is an HTML report that creates a new table row for each occurrence. For example, if the scanner found ten occurrences of cross-site scripting, ZAP will create a unique row for each of these ten. To make things worse, these ten rows will not be grouped but distributed throughout the report. You can view a sample report here.

True Positives: * * * * *

ZAP’s active (black box) scanning feature did not keep up with some of the other black box scanners in finding a broad range of vulnerabilities. ZAP does best on older applications with older vulnerabilities.


Reporting Capability: * * * * *

See the Cons section above. For a tool as cool as ZAP its reporting does not match the maturity of the rest of the tool. You can view a sample report here.


Test-over-test Consistency: * * * * *

ZAP is strong in consistency. Any differences between tests in ZAP are most likely user error. Before initiating the active scanner, be sure to spider the site multiple times. ZAP builds on previous spider results, so keep spidering until no new pages are found.
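The three practical points above (lower the alert threshold and raise the attack strength when false negatives matter, spider repeatedly until no new pages appear before active scanning, and ZAP's one-row-per-occurrence alert output) can be driven from ZAP's JSON API rather than the GUI. The script below is an added example, not code from this review or from the ZAP project. It assumes ZAP is running locally with its API enabled, that the endpoint and parameter names used (`spider/action/scan`, `spider/view/status`, `spider/view/results`, `ascan/view/scanners`, `ascan/action/setScannerAlertThreshold`, `ascan/action/setScannerAttackStrength`, `ascan/action/scan`, `ascan/view/status`, `core/view/alerts`) match the ZAP API your version exposes, and that the target is an application you are authorised to test; `ZapClient`, `FakeZap`, the scanner rule ids and the alert list are constructed for the example.

```python
# Added example (not from the review or the ZAP project). Assumes ZAP's JSON
# API is reachable at ZAP_BASE and that the endpoint names below match it.
import json
import time
import urllib.parse
import urllib.request
from collections import defaultdict

ZAP_BASE = "http://127.0.0.1:8080"          # assumption: ZAP's default listen address
API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"   # placeholder, not a real key


class ZapClient:
    """Minimal client: GET <base>/JSON/<component>/<view|action>/<name>/?params"""

    def __init__(self, base=ZAP_BASE, api_key=API_KEY):
        self.base, self.api_key = base, api_key

    def call(self, component, kind, name, **params):
        params["apikey"] = self.api_key
        url = f"{self.base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)


def spider_until_stable(zap, target, max_rounds=5, poll=1.0):
    """Re-run the spider until a round finds no URL earlier rounds missed.
    Returns (rounds_run, all_urls_seen)."""
    known = set()
    for round_no in range(1, max_rounds + 1):
        scan_id = zap.call("spider", "action", "scan", url=target)["scan"]
        while int(zap.call("spider", "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)
        found = set(zap.call("spider", "view", "results", scanId=scan_id)["results"])
        if found <= known:            # nothing new this round: crawl is stable
            return round_no, known
        known |= found
    return max_rounds, known


def set_aggressiveness(zap, alert_threshold="LOW", attack_strength="INSANE"):
    """Apply one alert threshold / attack strength to every active-scan rule.
    Thresholds: OFF, DEFAULT, LOW, MEDIUM, HIGH. Strengths: DEFAULT, LOW, MEDIUM, HIGH, INSANE.
    Returns the number of rules configured."""
    ids = [s["id"] for s in zap.call("ascan", "view", "scanners")["scanners"]]
    for sid in ids:
        zap.call("ascan", "action", "setScannerAlertThreshold", id=sid, alertThreshold=alert_threshold)
        zap.call("ascan", "action", "setScannerAttackStrength", id=sid, attackStrength=attack_strength)
    return len(ids)


def active_scan(zap, target, poll=5.0):
    """Start the active scan on the spidered target, wait for it, return the raw alert list."""
    scan_id = zap.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    while int(zap.call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll)
    return zap.call("core", "view", "alerts", baseurl=target)["alerts"]


def group_alerts(alerts):
    """Collapse the one-row-per-occurrence alert list into one entry per alert
    type (risk, occurrence count, affected URLs), most frequent first."""
    grouped = defaultdict(lambda: {"risk": None, "urls": []})
    for a in alerts:
        grouped[a["alert"]]["risk"] = a.get("risk")
        grouped[a["alert"]]["urls"].append(a.get("url"))
    return sorted(
        ({"alert": n, "risk": v["risk"], "count": len(v["urls"]), "urls": v["urls"]}
         for n, v in grouped.items()),
        key=lambda e: (-e["count"], e["alert"]))


class FakeZap:
    """Constructed stand-in for ZapClient so the workflow runs offline; the
    canned replies copy the shape of the real API's JSON, not real scan data."""
    SPIDER_ROUNDS = [["/", "/login"], ["/", "/login", "/search"], ["/", "/login", "/search"]]
    ALERTS = [  # constructed sample alerts, deliberately interleaved like the HTML report
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "/search?q=x"},
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "/"},
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "/login?user=x"},
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "/login"},
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "/search"},
    ]

    def __init__(self):
        self.spider_runs, self.settings = 0, []

    def call(self, component, kind, name, **params):
        if (component, name) == ("spider", "scan"):
            self.spider_runs += 1
            return {"scan": str(self.spider_runs)}
        if name == "status":
            return {"status": "100"}
        if (component, name) == ("spider", "results"):
            return {"results": self.SPIDER_ROUNDS[min(self.spider_runs, len(self.SPIDER_ROUNDS)) - 1]}
        if (component, name) == ("ascan", "scanners"):
            return {"scanners": [{"id": "40012"}, {"id": "40018"}]}  # sample rule ids
        if name.startswith("setScanner"):
            self.settings.append((name, params["id"], params.get("alertThreshold") or params.get("attackStrength")))
            return {"Result": "OK"}
        if (component, name) == ("ascan", "scan"):
            return {"scan": "1"}
        if name == "alerts":
            return {"alerts": list(self.ALERTS)}
        raise ValueError(f"unexpected call {component}/{kind}/{name}")


if __name__ == "__main__":
    zap = FakeZap()                       # swap for ZapClient() against a live ZAP
    target = "http://testapp.example"     # placeholder target
    rounds, urls = spider_until_stable(zap, target)
    print(f"spider stable after {rounds} rounds, {len(urls)} URLs")
    print(f"configured {set_aggressiveness(zap)} rules")
    for e in group_alerts(active_scan(zap, target, poll=0)):
        print(f'{e["count"]}x [{e["risk"]}] {e["alert"]}: {", ".join(e["urls"])}')
```

With `ZapClient` in place of `FakeZap`, `spider_until_stable` implements the "spider until nothing new" advice mechanically, and `group_alerts` gives the per-finding summary the HTML report lacks, which is the view you want when confirming remediation across a saved session.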

How to use:

For a walk-through of launching ZAP from within Kali and configuring a scan, click here. Additionally, the creators of the Zed Attack Proxy have released a training video that is highly recommended.



Looking for a Burp Suite walk-through? Check out Brand-0’s DVWA Burp walk-through on unplannedshutdown.com