OWASP ZAP

With millions of web applications out there, it is only natural to see increased attacks on them from hacker communities. OWASP, the Open Web Application Security Project, aims to give web developers knowledge of the various security threats and to produce tools and technologies that help tighten the security of their web applications. ZAP is one such tool from OWASP and helps with penetration testing.

Representative image depicting a hacker attack on a web app, which can be emulated using OWASP ZAP

Penetration testing, aka pen-testing, is a type of testing in which the tester attacks the application with the goal of breaking into the system and stealing data, just as a hacker would. It involves manipulating requests at various levels (headers, payload, etc.) and thereby finding a way through the server application to the data. This is where ZAP comes into the picture: it helps testers perform all these manipulations easily.

ZAP – Zed Attack Proxy

ZAP is a free and open-source pen-testing tool maintained under OWASP. It is built in Java and is designed specifically for testing web apps. As a seasoned software engineer can guess, this proxy is a “man-in-the-middle” proxy: it is deployed between the tester’s browser and the web app under test, and all traffic from the browser flows through it. This lets the proxy inspect and modify requests and responses as needed for the test.

How ZAP works
Image Source: https://www.zaproxy.org/getting-started/

Availability and Usage of OWASP ZAP

ZAP is available on all the major operating systems and is not tied to any single OS. More importantly, it is also available as a Docker image, which makes life easy for testers. There is a marketplace of add-ons, accessible from the ZAP client itself.

A tester can run an automated scan by providing the URL to attack. ZAP will crawl the application using its built-in spider, run its scanners against what it found, and report the results at the end of the scan. Based on the severity of each finding, the developers can schedule fixes for the identified issues.

ZAP can easily be integrated with Jenkins in a CI/CD pipeline, and with Selenium as part of automated testing.
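The automated workflow described above (spider the target, run the active scan, then triage the findings by severity) is what a CI job would drive through ZAP's REST API. The following is an added example, not code from the original article or from the ZAP project. It assumes a local ZAP instance at http://localhost:8080 with an API key, and uses ZAP's documented JSON endpoints (`spider`, `ascan`, `core`); the `fake_transport_factory` stand-in and its sample alerts are constructed so the example runs offline, and the `fail_on` threshold is a hypothetical CI policy, not a ZAP setting.

```python
"""Drive ZAP's JSON API: spider -> active scan -> triage alerts by risk level."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"   # assumption: ZAP listening locally
API_KEY = "change-me"                # assumption: placeholder; read from env in real use

# ZAP reports each alert with a "risk" string; rank them for threshold decisions.
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def zap_call(component, kind, name, params=None, transport=None):
    """Call /JSON/<component>/<view|action>/<name>/ with the API key as a query parameter.

    `transport` lets a test substitute a fake HTTP layer; by default urllib is used.
    """
    query = {"apikey": API_KEY, **(params or {})}
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"
    if transport is None:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return transport(url)


def run_scan(target, transport=None, poll=2, clock=time.sleep):
    """Spider the target, then active-scan it; return the alert list ZAP produced."""
    scan_id = zap_call("spider", "action", "scan", {"url": target}, transport)["scan"]
    while int(zap_call("spider", "view", "status", {"scanId": scan_id}, transport)["status"]) < 100:
        clock(poll)
    scan_id = zap_call("ascan", "action", "scan", {"url": target, "recurse": "true"}, transport)["scan"]
    while int(zap_call("ascan", "view", "status", {"scanId": scan_id}, transport)["status"]) < 100:
        clock(poll)
    return zap_call("core", "view", "alerts", {"baseurl": target}, transport)["alerts"]


def triage(alerts, fail_on="Medium"):
    """Count alerts per risk level; fail the build if any alert is at or above `fail_on`."""
    counts = {level: 0 for level in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    threshold = RISK_ORDER[fail_on]
    failed = any(RISK_ORDER.get(level, 0) >= threshold and n > 0 for level, n in counts.items())
    return counts, failed


def fake_transport_factory():
    """Constructed stand-in for a ZAP instance so the example runs without a server.

    Scan status advances 50% per poll; the alert list is sample data, not a real scan.
    """
    progress = {"spider": 0, "ascan": 0}

    def transport(url):
        path = urllib.parse.urlparse(url).path
        if path.endswith("/action/scan/"):
            return {"scan": "1"}
        for comp in ("spider", "ascan"):
            if f"/{comp}/view/status/" in path:
                progress[comp] = min(100, progress[comp] + 50)
                return {"status": str(progress[comp])}
        if "/core/view/alerts/" in path:
            return {"alerts": [  # constructed sample alerts
                {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://target.test/search"},
                {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "url": "http://target.test/profile"},
                {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://target.test/"},
            ]}
        raise ValueError(f"unexpected ZAP call: {path}")

    return transport


if __name__ == "__main__":
    # Offline demo; drop `transport=` and `clock=` to talk to a real ZAP instance.
    found = run_scan("http://target.test", transport=fake_transport_factory(), clock=lambda s: None)
    summary, build_failed = triage(found, fail_on="Medium")
    print(summary, "FAIL" if build_failed else "PASS")
```

In a Jenkins stage the exit status of `triage` is what gates the pipeline: the threshold is a policy choice, and Informational and Low findings are normally reported without blocking so the team can schedule them, as the article suggests.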
