
Scanning web application with OWASP ZAP

Senik Hakobyan ・ 3 min read

Penetration Testing Lab (4 Part Series)

1) Build your own penetration testing lab with AWS, Kali Linux and OWASP ZAP - Getting started
2) Scanning web application with OWASP ZAP
3) OWASP ZAP CLI - generating PDF report using Export Report add-on and WkHTMLtoPDF
4) Upload and publish a file on Slack channel with Bash

Hi there!

A few days ago I wrote about installing Kali Linux on AWS.

Now let's get some scans running with OWASP ZAP ⚡.

Connection

I'm running Kali on AWS, so I want to connect to the instance using SSH.

I have the .pem key file, so I only need to run a few commands (the chmod makes the key readable by me alone, which the SSH client insists on before it will use it):

sudo chmod 400 kali.pem
ssh -i kali.pem ec2-user@your-public-dns

For Windows users there is a good article: Connecting to your Linux instance from Windows using PuTTY.

Installation

I expected zaproxy to be preinstalled, but it isn't, even though I installed the 2019.4 version of Kali. So let's install it.

Let's run the command and get the zaproxy installed:

sudo apt-get update && sudo apt-get install zaproxy

Hopefully you've completed the installation successfully.

If you now run the zaproxy command, you will probably see output like this:

Found Java version 11.0.5
Available memory: 982 MB
Using JVM args: -Xmx245m
0 [main] INFO org.zaproxy.zap.GuiBootstrap  - OWASP ZAP 2.9.0 started 30/05/2020, 14:57:21 with home /home/ec2-user/.ZAP/
2 [main] FATAL org.zaproxy.zap.GuiBootstrap  - ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.
ZAP GUI is not supported on a headless environment.
Run ZAP inline or in daemon mode, use -help command line argument for more details.

We're running ZAP in a headless environment, so let's figure out how to use the tool from the command line.

For some reason the zaproxy -cmd -help command didn't work for me, so I had to figure out another way to run the tool.

The whereis zaproxy command shows the following output: zaproxy: /usr/bin/zaproxy /usr/share/zaproxy.

We're looking for the zap.sh file located in the /usr/share/zaproxy directory. Windows users should look for the zap.bat file instead.

(screenshot: listing of the /usr/share/zaproxy directory)

You can simply run it with the bash /usr/share/zaproxy/zap.sh command.

Making a globally available zap command

If you're too lazy to type that many characters every time, you can create an alias zap for /usr/share/zaproxy/zap.sh.
To do that, we need to perform a few simple steps and edit the .bashrc file.

  • Open the .bashrc file using vim or nano: nano ~/.bashrc
  • Add the following line to the end of the file: alias zap="bash /usr/share/zaproxy/zap.sh"
  • Save the file and quit
  • Run source ~/.bashrc to apply the changes; otherwise you need to log out and log in again
  • Run zap -help or zap -version

(screenshot: output of the zap -help command)

As you can see I'm using version 2.9.0.

If your output is similar to mine, then we're done here! 🚀

Scan

Now we are ready to execute our first scan. Simply run the following command:

zap -cmd -quickurl http://example.com -quickprogress -quickout ~/out.xml

Replace example.com with whatever host you want to scan.

Here is my console output:

ec2-user@kali:~$ zap -cmd -quickurl http://example.com -quickprogress -quickout ~/out.xml
Found Java version 11.0.5
Available memory: 982 MB
Using JVM args: -Xmx245m
Accessing URL
Using traditional spider
Active scanning
[====================] 100% 
Attack complete
Writing results to /home/ec2-user/out.xml

So we just ran an attack (a spider followed by an active scan, as the output shows) against the example.com host and got the result in XML format: the out.xml file in the /home/ec2-user directory.

Good start. But there is one problem: I don't want the output in XML format. I want PDF!
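As an added example (not part of the original post), here is a small shell script that wraps the quick scan shown above and summarises the out.xml it writes by risk level, so that an unattended run can fail when high-risk alerts appear. It assumes zap.sh lives at /usr/share/zaproxy/zap.sh as on the Kali instance here (override with ZAP_SH), and that the report uses ZAP's traditional XML layout, where each <alertitem> carries a <riskcode> from 0 (informational) to 3 (high). The embedded sample report is constructed for illustration and is not real scan output.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Wraps the headless quick scan
# from the post and summarises the XML report it writes by risk level.
# Assumptions: zap.sh lives at /usr/share/zaproxy/zap.sh (override with ZAP_SH),
# and the report uses ZAP's traditional XML layout where every <alertitem>
# carries a <riskcode> of 0 (informational), 1 (low), 2 (medium) or 3 (high).

ZAP_SH="${ZAP_SH:-/usr/share/zaproxy/zap.sh}"

# Print the zap.sh arguments for a quick scan of URL $1 writing XML to $2,
# one per line, so a scheduled job can log exactly what it is about to run.
zap_quick_args() {
    printf '%s\n' -cmd -quickurl "$1" -quickprogress -quickout "$2"
}

# Run the quick scan (spider + active scan) and pass on zap's exit status.
# Fails fast with 127 if zap.sh is missing instead of producing an empty report.
zap_quick_scan() {
    [ -r "$ZAP_SH" ] || { echo "zap.sh not found at $ZAP_SH" >&2; return 127; }
    bash "$ZAP_SH" -cmd -quickurl "$1" -quickprogress -quickout "$2"
}

# Count alerts in report $1 whose riskcode is $2. Prints 0 (and still succeeds)
# when nothing matches or the file cannot be read, so callers can use the value
# in arithmetic without extra checks.
count_risk() {
    n=$(grep -c -F "<riskcode>$2</riskcode>" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print one summary line and return 1 when any high-risk alert is present,
# which makes the function usable as a gate in a cron job or CI step.
summarise_report() {
    high=$(count_risk "$1" 3)
    medium=$(count_risk "$1" 2)
    low=$(count_risk "$1" 1)
    info=$(count_risk "$1" 0)
    echo "high=$high medium=$medium low=$low info=$info"
    [ "$high" -eq 0 ]
}

# Scan URL $1 into report $2, then summarise it; the exit status is non-zero if
# the scan itself failed or high-risk alerts were found.
scan_and_summarise() {
    zap_quick_scan "$1" "$2" && summarise_report "$2"
}

# Constructed sample report (same element layout as a ZAP 2.9 XML report, with
# made-up alert names) so the summary can be tried without running a scan.
SAMPLE_REPORT="$(mktemp)"
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
<?xml version="1.0"?>
<OWASPZAPReport version="2.9.0" generated="Sat, 30 May 2020 14:57:21">
  <site name="http://example.com" host="example.com" port="80" ssl="false">
    <alerts>
      <alertitem><alert>Constructed high-risk finding</alert><riskcode>3</riskcode></alertitem>
      <alertitem><alert>Constructed medium-risk finding</alert><riskcode>2</riskcode></alertitem>
      <alertitem><alert>Constructed informational finding A</alert><riskcode>0</riskcode></alertitem>
      <alertitem><alert>Constructed informational finding B</alert><riskcode>0</riskcode></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
EOF

# Usage against the sample; for a real run call: scan_and_summarise http://example.com ~/out.xml
if summarise_report "$SAMPLE_REPORT"; then
    echo "no high-risk alerts"
else
    echo "high-risk alerts present - inspect the report before publishing it"
fi
```

The grep-based counting works because ZAP writes each alert's elements on their own lines; if a later ZAP version changes the report layout, switch count_risk to an XML-aware tool such as xmllint rather than loosening the pattern.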

Add-ons

There are a lot of useful add-ons in the ZAP Marketplace. We need the one named "Export Report".

ZAP allows us to install add-ons by their ID from the command line. Let's install the add-on:

zap -cmd -addoninstall exportreport

What's next?

In the next post I want to figure out how to use the Export Report add-on.

In the end I want to have scheduled scans running automatically and generating nice PDF reports for me.

Have a great day! ☀️


Posted on May 31 by Senik Hakobyan
