With millions of web applications out there, it is only natural to see increased attacks on these web applications from hacker communities. OWASP i.e. Open Web Application Security Project aims to help web developers with the knowledge of various security threats and also to produce tools and technologies to help with tightening the security of their web applications. ZAP is one such tool from OWASP and helps with penetration testing.
Penetration Testing aka pen-testing is a type of testing where the tester tests the application with the goal to break into the system to steal data just like a hacker. It involves the manipulation of requests at various levels (header, payload etc) and thereby finding a way through the server application to data. This is where ZAP comes into the picture – to help testers do all the manipulations easily.
ZAP – Zed Attack Proxy
ZAP is a free and open-source pen-testing tool maintained under OWASP. It is built in Java and is designed specifically for testing web apps. As a seasoned software engineer can guess, this proxy is a “man-in-the-middle” proxy. It is deployed between the tester’s browser and the web app under test. Entire traffic from the browser flows through this proxy. This enables the proxy to make necessary changes to the request to facilitate the testing.
Availability and Usage of OWASP ZAP
ZAP is available on all the major operating systems and is not tied with any single OS. More importantly, it is also available on Docker making life easy for the testers. There is a marketplace where one can find various plugins which is accessible from the ZAP client itself.
A tester can run the automated scan by providing the URL to attack. ZAP will crawl the application using its built-in spider and then provide the results at the end of the scan. Based on the severity the developers can schedule fixing the identified issues.
One can easily integrate ZAP with Jenkins for your CI/CD pipeline. You can also integrate it with Selenium along with your automation testing.
Security, CSRF, Sidejacking, XSS, Reverse-Proxy